Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0b22c12b7eaeea3a…

MALICIOUS

Office (OOXML)

Size: 153.1 KB
Created: 2019-11-01 07:42:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-08-25
MD5: 641091e50a1961ec40915291260f5150
SHA-1: 866e8b963cee2c1e60009d45cfe031c3ecf7d8d5
SHA-256: 0b22c12b7eaeea3a0405d4a21077cb816fd52c418a0be394633b58dafb67c2a1
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros, specifically an AutoOpen macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary commands upon opening. ClamAV detection further confirms its malicious nature as a downloader. The VBA code itself is heavily obfuscated and truncated, but the presence of the Shell() call and the AutoOpen macro strongly suggests it's intended to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.Generic-8011192-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
  • VBA project inside OOXML (medium, OOXML_VBA, 3 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OOXML body / shared strings):
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 60327 bytes
SHA-256: 7a996be78da72c875978bcad2712b0294faf01553cecc5f92c2a206d7ab46663
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "d34847"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Attribute VB_Name = "h45oi4hjroigh"
#If VBA7 Then
Declare PtrSafe Function ActivateKeyboardLayout Lib "user32" (ByVal HKL As LongPtr, ByVal flags As LongPtr) As LongPtr
Declare PtrSafe Function AnyPopup Lib "user32" () As LongPtr
Declare PtrSafe Function AppendMenu Lib "user32" Alias "AppendMenuA" (ByVal hMenu As LongPtr, ByVal wFlags As LongPtr, ByVal wIDNewItem As LongPtr, ByVal lpNewItem As String) As LongPtr
Declare PtrSafe Function ArrangeIconicWindows Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Function AttachThreadInput Lib "user32" (ByVal idAttach As LongPtr, ByVal idAttachTo As LongPtr, ByVal fAttach As LongPtr) As LongPtr
Declare PtrSafe Function BeginDeferWindowPos Lib "user32" (ByVal nNumWindows As LongPtr) As LongPtr
Declare PtrSafe Function BringWindowToTop Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Function BroadcastSystemMessage Lib "user32" (ByVal dw As LongPtr, pdw As LongPtr, ByVal un As LongPtr, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
Declare PtrSafe Function CharPrev Lib "user32" Alias "CharPrevA" (ByVal lpszStart As String, ByVal lpszCurrent As String) As String
Declare PtrSafe Function CharToOem Lib "user32" Alias "CharToOemA" (ByVal lpszSrc As String, ByVal lpszDst As String) As LongPtr
Declare PtrSafe Function CharToOemBuff Lib "user32" Alias "CharToOemBuffA" (ByVal lpszSrc As String, ByVal lpszDst As String, ByVal cchDstLength As LongPtr) As LongPtr
'Declare PtrSafe Function CharUpper Lib "user32" Alias "CharUpperA" (ByVal lpsz As String) As String
'Declare PtrSafe Function CharUpperBuff Lib "user32" Alias "CharUpperBuffA" (ByVal lpsz As String, ByVal cchLength As LongPtr) As LongPtr
'Declare PtrSafe Function CheckDlgButton Lib "user32" Alias "CheckDLGButtonA" (ByVal hDlg As LongPtr, ByVal nIDButton As LongPtr, ByVal wCheck As LongPtr) As LongPtr
'Declare PtrSafe Function CheckMenuItem Lib "user32" (ByVal hMenu As LongPtr, ByVal wIDCheckItem As LongPtr, ByVal wCheck As LongPtr) As LongPtr
'Declare PtrSafe Function CheckMenuRadioItem Lib "user32" (ByVal hMenu As LongPtr, ByVal un1 As LongPtr, ByVal un2 As LongPtr, ByVal un3 As LongPtr, ByVal un4 As LongPtr) As Boolean
Declare PtrSafe Function CheckRadioButton Lib "user32" Alias "CheckRadioButtonA" (ByVal hDlg As LongPtr, ByVal nIDFirstButton As LongPtr, ByVal nIDLastButton As LongPtr, ByVal nIDCheckButton As LongPtr) As LongPtr
Declare PtrSafe Function ChildWindowFromPoint Lib "user32" (ByVal hWnd As LongPtr, ByVal xPoint As LongPtr, ByVal yPoint As LongPtr) As LongPtr
Declare PtrSafe Function ClipCursor Lib "user32" (lpRect As Any) As LongPtr
Declare PtrSafe Function CloseClipboard Lib "user32" () As LongPtr
Declare PtrSafe Function CloseDesktop Lib "user32" (ByVal hDesktop As LongPtr) As Boolean
'Declare PtrSafe Function CloseWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
'Declare PtrSafe Function CloseWindowStation Lib "user32" (ByVal hWinSta As LongPtr) As Boolean
'Declare PtrSafe Function CopyCursor Lib "user32" (ByVal hcur As LongPtr) As LongPtr
'Declare PtrSafe Function CopyIcon Lib "user32" (ByVal hIcon As LongPtr) As LongPtr
Declare PtrSafe Function CopyImage Lib "user32" (ByVal Handle As LongPtr, ByVal un1 As LongPtr, ByVal n1 As LongPtr, ByVal n2 As LongPtr, ByVal un2 As LongPtr) As LongPtr
Declare PtrSafe Function CountClipboardFormats Lib "user32" () As LongPtr
Declare PtrSafe Function CreateCaret Lib "user32" (ByVal hWnd As LongPtr, ByVal hBitmap As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr) As LongPtr
Declare PtrSafe Function CreateIcon Lib "user32" (ByVal hInstance As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal nPlanes As Byte, ByVal nBitsPixel As Byte, lpANDbits As Byte, lpXORbits As Byte) As LongPtr
Declare PtrSafe
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 210944 bytes
SHA-256: 67c158ee9ad3b7e72c8fab2b967d08ae8b096e8ecde85795373ec66756e25eaf
Detection
ClamAV: Doc.Downloader.Generic-8011192-0
Obfuscation or payload: unlikely