Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 19dbab5f0e29b9db…

MALICIOUS

Office (OOXML)

Size: 231.8 KB
Created: 2015-07-06 17:04:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: a85b8f7c5dd2370f42817252802ed1d3
SHA-1: 4f5cc6b065673223eb0e12ebe03b28ffd5777a66
SHA-256: 19dbab5f0e29b9db313d37e8f7ee447b5160a83a61c8d27bc8d19d1b09639717
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is an OOXML Word document containing VBA macros that trigger on the AutoOpen and Document_Open events. These macros install the document as a startup template named 'moodleStartup.dot' in the user's Word startup folder, which indicates an attempt at persistence. The script uses the CopyFile function, which suggests it copies itself to that startup location.

Heuristics (7)

  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignature.bin)
  • VBA project carries a recognised code-signing signature info VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 114191 bytes
    SHA-256: 7c9c076cadb0ba4fa76bf888ae396b48b75639b064d964b615071457fd004a04
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 408576 bytes
    SHA-256: b9a54b274fdf029bef311d2f5f0e39698b715d846044e4231ea6cd9b3c150c6a
  • vbaProject_01.bin
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProjectSignature.bin
    Size: 8237 bytes
    SHA-256: c87fec43759ef12ec6b6232ae9291d6bffdc23351bc0a7fff2f19a2e0b0743f8