Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 086172620cf73b4a…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 103.7 KB
Created: 2020-12-10 10:59:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-01-11
MD5: 6370cda3afa0b135d283acf7632bd9ed
SHA-1: 6e4dd23ebe16e9e64f7d33566a3ab7f130361459
SHA-256: 086172620cf73b4a7c67bd96073773d5aea8155829f7ce408e7bb1ff3be62711
Risk score: 70

Heuristics (4)

  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present).
  • External hyperlinks (175) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 175 external hyperlinks; clickable URLs are stored as external relationships. First target: https://paper.seebug.org/1044/
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL and channel:
    • https://paper.seebug.org/shiro-rememberme-1-2-4/ [Document hyperlink]
    • https://github.com/wyzxxz/shiro_rce [In document text (OOXML body / shared strings)]
    • http://1234567890.test.ceye.io [In document text (OOXML body / shared strings)]
    • https://www.anquanke.com/post/id/193165 [Document hyperlink]
    • http://www.oniont.cn/index.php/archives/298.html [Document hyperlink]
    • https://github.com/wuppp/shiro_rce_exp [In document text (OOXML body / shared strings)]
    • https://blog.riskivy.com/shiro-%e6%9d%83%e9%99%90%e7%bb%95%e8%bf%87%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90%ef%bc%88cve-2020-1957%ef%bc%89/ [In document text (OOXML body / shared strings)]
    • https://blog.riskivy.com/%e6%97%a0%e6%8d%9f%e6%a3%80%e6%b5%8bfastjson-dos%e6%bc%8f%e6%b4%9e%e4%bb%a5%e5%8f%8a%e7%9b%b2%e5%8c%ba%e5%88%86fastjson%e4%b8%8ejackson%e7%bb%84%e4%bb%b6/ [In document text (OOXML body / shared strings)]
    • https://www.anquanke.com/post/id/181874 [Document hyperlink]
    • https://github.com/CaijiOrz/fastjson-1.2.47-RCE [Document hyperlink]
    • https://www.freebuf.com/column/207439.html [Document hyperlink]
    • https://github.com/alibaba/fastjson/blob/master/src/main/java/com/alibaba/fastjson/support/spring/GenericFastJsonRedisSerializer.java [In document text (OOXML body / shared strings)]
    • https://github.com/threedr3am/learnjavabug/tree/master/jackson/src/main/java/com/threedr3am/bug/jackson [In document text (OOXML body / shared strings)]
    • https://www.angelwhu.com/paper/2016/03/15/xstream-deserialization-component-attack-analysis/#0x04-Jenkins������������������ [In document text (OOXML body / shared strings)]
    • https://github.com/TheTwitchy/xxer [In document text (OOXML body / shared strings)]
    • https://www.freebuf.com/vuls/215218.html [Document hyperlink]
    • https://github.com/beanshell/beanshell [Document hyperlink]
    • http://beanshell.org/manual/quickstart.html#The_BeanShell_GUI [In document text (OOXML body / shared strings)]
    • https://github.com/myzing00/Vulnerability-analysis/tree/master/0917/weaver-oa/CNVD-2019-32204 [In document text (OOXML body / shared strings)]
    • https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 [In document text (OOXML body / shared strings)]
    • https://weaversrc.vulbox.com/ [In document text (OOXML body / shared strings)]
    • https://github.com/orleven/Tentacle/blob/6e1cecd52b10526c4851a26249339367101b3ca2/script/ecology/ecology8_mobile_sql_inject.py [Document hyperlink]
    • https://github.com/jas502n/DBconfigReader [Document hyperlink]
    • https://github.com/taomujian/linbing/blob/master/flask/app/plugins/Weaver%20Ecology%20OA/Weaver_Ecology_Oa_Config.py [In document text (OOXML body / shared strings)]
    • https://github.com/leezp/note/blob/c28f7b232ad5f0ff7ccc672bbedcd34e9e3cca86/20200313%E9%80%9A%E8%BE%BEOA/readme.md [In document text (OOXML body / shared strings)]
    • https://www.zrools.org/2020/04/23/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-%E9%80%9A%E8%BE%BEOA-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E%EF%BC%88%E5%8C%BF%E5%90%8DRCE%EF%BC%89%E5%88%86%E6%9E%90/ [In document text (OOXML body / shared strings)]
    • https://github.com/NS-Sp4ce/TongDaOA-Fake-User [Document hyperlink]
    • https://github.com/zrools/tools/blob/master/python/tongda_v11.4_rce_exp.py [In document text (OOXML body / shared strings)]
    • https://vas.riskivy.com/vuln-detail?id=33 [In document text (OOXML body / shared strings)]
    • http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/ [Document hyperlink]
    • https://github.com/timwhitez/seeyon-OA-A8-GetShell [In document text (OOXML body / shared strings)]
    • https://landgrey.me/blog/8/ [Document hyperlink]
    • https://seeyoon.com/seeyonreport/ReportServer?op=fs_load&cmd=fs_signin&_=1560911828892 [In document text (OOXML body / shared strings)]
    • http://foreversong.cn/archives/1378 [Document hyperlink]
    • https://github.com/chaitin/xray/blob/master/pocs/finereport-directory-traversal.yml [In document text (OOXML body / shared strings)]
    • https://shop.finereport.com/plugin/2d36b210-2a59-4940-8c4f-f3f16d58cd66 [In document text (OOXML body / shared strings)]
    • http://shopps.finereport.com/com.fr.plugin.external-1.3.4.zip?e=1561433162&token=GYG9vMioxqbEgx-5HoAMAelD0zGdUrXT4UZ3w-d1:N-PeIkhKkjCY7LHdqelnSvp_LmA= [Document hyperlink]
    • https://xxxx/seeyonreport/ReportServer?op=im [In document text (OOXML body / shared strings)]
    • http://127.0.0.1:18080/smartbi/vision/config.jsp [In document text (OOXML body / shared strings)]
    • http://127.0.0.1:18080/smartbi/vision/chooser.jsp?key=CONFIG_FILE_DIR&root=C%3A%2F [In document text (OOXML body / shared strings)]
    • https://xxxxxxxxxxx/ [In document text (OOXML body / shared strings)]
    • https://www.uedbox.com/post/31092/ [Document hyperlink]
    • https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html?m=1 [Document hyperlink]
    • https://github.com/milo2012/CVE-2018-13379 [In document text (OOXML body / shared strings)]
    • https://github.com/milo2012/CVE-2018-13382 [In document text (OOXML body / shared strings)]
    • https://xxxxxx:10443/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession [In document text (OOXML body / shared strings)]
    • https://xxxxxxxx:10443/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd [In document text (OOXML body / shared strings)]
    • https://xxxxx:10443/sslvpn/js/login.js?q=5f9a6877fd1f78da768239aae6e739c2 [In document text (OOXML body / shared strings)]
    • https://www.anquanke.com/post/id/185773 [In document text (OOXML body / shared strings)]
    • https://github.com/projectzeroindia/CVE-2019-11510 [In document text (OOXML body / shared strings)]
    +153 more URL(s)
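All four heuristics above reduce to reading parts of the OOXML zip container: the macro part for OOXML_VBA, relationship files for OOXML_EXTERNAL_HYPERLINKS, the w:t text runs of word/document.xml for the document-text URL channel, and a proximity rule over that text for SE_LOLBIN_RUN_COMMAND. The Python below is an added example and is not the scanner's own code. It builds a small constructed .docx in memory (a 32-byte stub in place of a real vbaProject.bin, one external hyperlink relationship, and two body paragraphs modelled on the powercat reference and a PowerShell one-liner) and runs the same four checks on it; it also hashes the macro part the way the Extracted artifacts table below reports it. The tool-name list is the one in the heuristic description; the flag/verb patterns, the URL regex and placing the 220-character window on both sides of the tool name are assumptions made for this example.

```python
"""Added example: minimal OOXML triage reproducing the report's four heuristics.
Not the scanner's code; the sample document is constructed inline."""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
WINDOW = 220  # character distance stated in the SE_LOLBIN_RUN_COMMAND description

# Tool names from the heuristic description; the flag/verb alternatives are an
# assumption for this example, not the scanner's real pattern set.
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)\b", re.I)
TRIGGER_RE = re.compile(
    r"(-(?:enc|encodedcommand|ep|executionpolicy|nop|noprofile|w|windowstyle|c|command)\b"
    r"|/c\b|\biex\b|invoke-expression|downloadstring|https?://)", re.I)

SAMPLE_PARAGRAPHS = [  # constructed lure text, modelled on the report's findings
    "powercat: https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1",
    'powershell -nop -w hidden -ep bypass -c "IEX (Get-Content .\\p.ps1 -Raw)"',
]


def build_sample_docx(paragraphs=None) -> bytes:
    """Constructed .docx: one VBA part, one external hyperlink relationship and
    the given body paragraphs. Only the parts this triage reads are written."""
    paragraphs = SAMPLE_PARAGRAPHS if paragraphs is None else paragraphs
    body = ('<w:p><w:r><w:t>Reference: </w:t></w:r>'
            '<w:hyperlink r:id="rId5"><w:r><w:t>paper</w:t></w:r></w:hyperlink></w:p>')
    body += "".join(f"<w:p><w:r><w:t>{escape(p)}</w:t></w:r></w:p>" for p in paragraphs)
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f'<w:body>{body}</w:body></w:document>')
    rels_xml = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="vbaProject.bin" '
        'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/>'
        '<Relationship Id="rId5" Target="https://paper.seebug.org/1044/" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        # OLE compound-file magic plus padding stands in for a real macro project
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def triage(docx_bytes: bytes) -> dict:
    """Run the OOXML_VBA, OOXML_EXTERNAL_HYPERLINKS, EMBEDDED_URL (document-text
    channel) and SE_LOLBIN_RUN_COMMAND checks over one OOXML file."""
    z = zipfile.ZipFile(io.BytesIO(docx_bytes))
    result = {"vba_parts": [], "external_links": [], "body_urls": [], "lolbin_hits": []}

    for name in z.namelist():
        # OOXML_VBA: the macro project is a separate OLE part (word/vbaProject.bin for Word)
        if name.lower().endswith("vbaproject.bin"):
            data = z.read(name)
            result["vba_parts"].append((name, len(data), hashlib.sha256(data).hexdigest()))
        # OOXML_EXTERNAL_HYPERLINKS: clickable URLs are relationship targets marked External
        elif name.endswith(".rels"):
            for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    result["external_links"].append(rel.get("Target"))

    # EMBEDDED_URL, document-text channel: body text lives in w:t runs, joined per paragraph
    doc = ET.fromstring(z.read("word/document.xml"))
    text = "\n".join("".join(t.text or "" for t in p.iter(W_NS + "t"))
                     for p in doc.iter(W_NS + "p"))
    result["body_urls"] = re.findall(r'https?://[^\s"<>]+', text)

    # SE_LOLBIN_RUN_COMMAND: a tool name with a flag, verb or URL within WINDOW chars either side
    for m in LOLBIN_RE.finditer(text):
        trig = TRIGGER_RE.search(text, max(0, m.start() - WINDOW), m.end() + WINDOW)
        if trig:
            result["lolbin_hits"].append((m.group(0), trig.group(0)))
    return result


if __name__ == "__main__":
    for key, value in triage(build_sample_docx()).items():
        print(f"{key}: {value}")
```

The LOLBin rule fires on extracted text, so on its own it establishes that a 'run this' string is present, not that anything executes it; the page does not show the macro's contents, so the carved vbaProject.bin listed under Extracted artifacts (22016 bytes, unlike the 32-byte stub here) is where to confirm whether the macro actually invokes that string, for instance by dumping its streams with oletools' olevba.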

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 22016 bytes
SHA-256: a70aa8c6db61711ba128ab4e748323df0072aa4f58bb0c595c8d14e91b0e0ea1