Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 05ef4b54b0e61a2c…

MALICIOUS

Office (OOXML)

132.1 KB Created: 2019-04-24 05:54:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-18
MD5: 8692d0ae623fe7842f087adce9c10a2c SHA-1: 0e9205014d11da4aab890c8c677c37a2f4681b93 SHA-256: 05ef4b54b0e61a2cd5b166b3045e8321fd184148e1599dc6676456b06691df53
252 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample is an OOXML document containing VBA macros, specifically triggering Auto_Open and Workbook_Open events. The presence of `CreateObject` and `Environ()` calls, along with a high-confidence heuristic for VBA p-code auto-execution with WinHTTP, indicates the macro attempts to download and execute a second-stage payload. The external relationship points to a template file, suggesting a potential spearphishing attachment vector.

Heuristics 10

  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///C:\Users\IEUser\AppData\Roaming\Microsoft\Templates\Professioneller Lebenslauf, gestaltet von MOO.dotx
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://185.150.8.133:8080/macrotest OOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2014/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexOOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/inkOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2017/model3dOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2016/wordml/cidOOXML external relationship
    • http://schemas.microsoft.com/office/word/2015/wordml/symexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 16359 bytes
SHA-256: 7f7f2aacc522416b5efe9482e3a8dfe8b0a888fde6ec5fe5ca1eac04b2ebca65
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
    ' Info gathering functions
    Private Declare PtrSafe Function GetIpAddrTable_API Lib "IpHlpApi" Alias "GetIpAddrTable" _
        (pIPAddrTable As Any, pdwSize As Long, ByVal bOrder As Long) As Long
    
    ' misc functions
    Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" _
        (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
        
    ' proxy functions
    Private Declare PtrSafe Sub AutoProxy_CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (ByVal AutoProxy_lpDest As LongPtr, ByVal AutoProxy_lpSource As LongPtr, ByVal AutoProxy_cbCopy As Long)
    Private Declare PtrSafe Function AutoProxy_SysAllocString Lib "oleaut32" Alias "SysAllocString" _
        (ByVal AutoProxy_pwsz As LongPtr) As LongPtr
    Private Declare PtrSafe Function AutoProxy_GlobalFree Lib "kernel32" Alias "GlobalFree" _
        (ByVal AutoProxy_p As LongPtr) As LongPtr
    Private Declare PtrSafe Function AutoProxy_GetIEProxy Lib "WinHTTP.dll" Alias "WinHttpGetIEProxyConfigForCurrentUser" _
        (ByRef AutoProxy_proxyConfig As AUTOPROXY_IE_PROXY_CONFIG) As Long
    Private Declare PtrSafe Function AutoProxy_GetProxyForUrl Lib "WinHTTP.dll" Alias "WinHttpGetProxyForUrl" _
        (ByVal AutoProxy_hSession As LongPtr, ByVal AutoProxy_pszUrl As LongPtr, ByRef AutoProxy_pAutoProxyOptions As AUTOPROXY_OPTIONS, ByRef AutoProxy_pProxyInfo As AUTOPROXY_INFO) As Long
    Private Declare PtrSafe Function AutoProxy_HttpOpen Lib "WinHTTP.dll" Alias "WinHttpOpen" _
        (ByVal AutoProxy_pszUserAgent As LongPtr, ByVal AutoProxy_dwAccessType As Long, ByVal AutoProxy_pszProxyName As LongPtr, ByVal AutoProxy_pszProxyBypass As LongPtr, ByVal AutoProxy_dwFlags As Long) As LongPtr
    Private Declare PtrSafe Function AutoProxy_HttpClose Lib "WinHTTP.dll" Alias "WinHttpCloseHandle" _
        (ByVal AutoProxy_hInternet As LongPtr) As Long
    
    Private Type AUTOPROXY_IE_PROXY_CONFIG
        AutoProxy_fAutoDetect As Long
        AutoProxy_lpszAutoConfigUrl As LongPtr
        AutoProxy_lpszProxy As LongPtr
        AutoProxy_lpszProxyBypass As LongPtr
    End Type
    Private Type AUTOPROXY_OPTIONS
        AutoProxy_dwFlags As Long
        AutoProxy_dwAutoDetectFlags As Long
        AutoProxy_lpszAutoConfigUrl As LongPtr
        AutoProxy_lpvReserved As LongPtr
        AutoProxy_dwReserved As Long
        AutoProxy_fAutoLogonIfChallenged As Long
    End Type
    Private Type AUTOPROXY_INFO
        AutoProxy_dwAccessType As Long
        AutoProxy_lpszProxy As LongPtr
        AutoProxy_lpszProxyBypass As LongPtr
    End Type
#Else
    ' Info gathering functions
    Private Declare Function GetIpAddrTable_API Lib "IpHlpApi" Alias "GetIpAddrTable" _
        (pIPAddrTable As Any, pdwSize As Long, ByVal bOrder As Long) As Long
    
    ' misc functions
    Private Declare Function WideCharToMultiByte Lib "kernel32" _
        (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
        
    ' proxy functions
    Private Declare Sub AutoProxy_CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (ByVal AutoProxy_lpDest As Long, ByVal AutoProxy_lpSource As Long, ByVal AutoProxy_cbCopy As Long)
    Private Declare Function AutoProxy_SysAllocString Lib "oleaut32" Alias "SysAllocString" _
        (ByVal AutoProxy_pwsz As Long) As Long
    Private Declare Function AutoProxy_GlobalFree Lib "kernel32" Alias "GlobalFree" _
       
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 63488 bytes
SHA-256: 42f25611127af150128c714ba299d674cc745aa77e6732941751eda7f4d0c3f2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.