Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0bc7656e71daef12…

MALICIOUS

Office (OOXML)

Size: 299.4 KB
Created: 2020-04-29 06:30:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2021-09-27
MD5: 12d12cd1de88c49d3b4ef1a4f74ad620
SHA-1: af8ae9656d30c030f41e231b40f652e4bf53e2f0
SHA-256: 0bc7656e71daef12c2447b2fd44b6e84cb75ff6d8e331fc0534f6f6a892e1d26
Risk score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample carries a VBA project with an auto-executing entry point (OLE_VBA_AUTOOPEN) and code that calls Shell() and CreateObject(). In the extracted source those calls are Set fso = CreateObject("Scripting.FileSystemObject"), used to write a validation log Fehlermeldung.txt next to the document, and Shell("Notepad.exe  " & Datei, 3), which opens that file in Notepad. The user-facing strings are German and belong to an electronic tender form for maintenance contracts ("Elektronische Angebotsaufforderung Wartung 2018"; the prompt reads "Please check whether you want to lock the document now. You will then not be able to make further entries."), and the document body presents a 'Request for Proposal' for maintenance services, which is the lure a spearphishing attachment would use. No download, decoding or second-stage execution appears in the visible portion of macros.bas, and the AutoOpen routine itself is not within the preview; the hypothesis that the macro fetches a payload or harvests information therefore rests on the heuristics (in particular the p-code token match), not on observed code. Review the remainder of macros.bas and the AutoOpen body before acting on the verdict.

Heuristics 8

  • VBA project inside OOXML (medium; 5 related findings) [OOXML_VBA]
    The package binds a VBA project through the OOXML relationship/content type, so macros are present. The part named by the finding, word/vbaProjectSignature.bin, is the project's digital-signature part; the project itself sits at the conventional word/vbaProject.bin (both are listed under extracted artifacts below).
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    The source calls Shell(). The only call in the previewed portion is Shell("Notepad.exe  " & Datei, 3), where Datei is a Fehlermeldung.txt the macro has just written to the document's own directory. Shell() with a decoded or downloaded command string is the classic dropper pattern, so the remainder of macros.bas must be checked for further calls.
  • VBA project part renamed to evade filename detection (high) [OOXML_VBA_PROJECT_RENAMED]
    This finding fired on word/vbaProjectSignature.bin. That is the standard part Word emits for a signed VBA project's signature (relationship type .../relationships/vbaProjectSignature), not a renamed project: the project is present at its usual location word/vbaProject.bin, see the extracted artifacts. A genuine rename, the technique observed in the SVCReady loader, means the relationship of type vbaProject points at a part with a non-standard name, which hides the macros from path-only scanners; check the relationship target and content type rather than the part list.
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    An AutoOpen procedure runs as soon as the document is opened and macros are enabled. It is not within the previewed portion of macros.bas; review the remainder of the source to see what it invokes.
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject() instantiates arbitrary COM objects by ProgID. The visible instance is CreateObject("Scripting.FileSystemObject"), used to open and write Fehlermeldung.txt. When reviewing the rest of the source, look for ProgIDs that give network or process capability (WScript.Shell, MSXML2.XMLHTTP, ADODB.Stream, Shell.Application).
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project is signed but not by a recognised publisher (info) [VBA_SIGNED_UNTRUSTED]
    The VBA project carries a digital signature (word/vbaProjectSignature.bin), but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity: malware is routinely self-signed or signed with stolen certificates. Here the CRL/OCSP endpoints listed under Embedded URL belong to the signer's certificate chain (a DFN-operated internal CA for niedersachsen.de), which is a useful pivot for attributing the signer.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    XML namespace declarations in the OOXML markup. These are schema identifiers, not hyperlinks, and are present in every Word 2010 document; the extractor labelled them "In document text (OOXML body / shared strings)":
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    CRL distribution point, OCSP and CA-issuer URLs. In the raw extraction they were fused with DER tag/length bytes ("crl0H", "OCSP0R"), which identifies them as X.509 CRLDistributionPoints/AuthorityInfoAccess values carved from the certificate chain in word/vbaProjectSignature.bin rather than as document text; the "document text" label is a mis-attribution by the extractor:
    • http://cdp.pki.niedersachsen.de/niedersachsen-ca-internal.crl
    • http://cdp1.pca.dfn.de/niedersachsen-internal-ca/pub/crl/cacrl.crl
    • http://cdp2.pca.dfn.de/niedersachsen-internal-ca/pub/crl/cacrl.crl
    • http://ocsp.pca.dfn.de/OCSP-Server/OCSP
    • http://cdp1.pca.dfn.de/niedersachsen-internal-ca/pub/cacert/cacert.crt
    • http://cdp2.pca.dfn.de/niedersachsen-internal-ca/pub/cacert/cacert.crt
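Added here as a worked example, not code from this report or from the analysis engine that produced it: a Python triage script that resolves the VBA project through [Content_Types].xml and the document relationships (so a renamed project part is found, and the standard signature part is not mistaken for one) and labels extracted URLs by channel, carving URIs out of DER data structurally so CRL/OCSP endpoints do not come out fused with ASN.1 bytes the way the list above does. The .docx it inspects is constructed in memory; its part names, hostnames (example.invalid) and the DER fragment are made up for the demonstration.

```python
"""OOXML triage: find VBA parts by content type/relationship, label URLs by channel.
Added example; not the report's or its engine's code. Sample .docx is constructed."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

VBA_CT = "application/vnd.ms-office.vbaProject"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
SIG_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProjectSignature"
LINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def _resolve(source_part, target):
    """Relationship targets are relative to the source part's directory."""
    base = posixpath.dirname(source_part)
    return posixpath.normpath(posixpath.join(base, target)).lstrip("/")


def find_vba_parts(zf):
    """Locate VBA project and signature parts via content type and relationships."""
    ct = ET.fromstring(zf.read("[Content_Types].xml"))
    project = {o.get("PartName").lstrip("/") for o in ct.iter(CT_NS + "Override")
               if o.get("ContentType") == VBA_CT}
    signature = set()
    for r in ET.fromstring(zf.read("word/_rels/document.xml.rels")).iter(REL_NS + "Relationship"):
        target = _resolve("word/document.xml", r.get("Target"))
        if r.get("Type") == VBA_REL:
            project.add(target)
        elif r.get("Type") == SIG_REL:
            signature.add(target)
    # Only the *project* part off its conventional name counts as a rename;
    # the signature always lives in its own, differently named part.
    return {"project": sorted(project), "signature": sorted(signature),
            "renamed": any(p != "word/vbaProject.bin" for p in project)}


def carve_der_uris(blob):
    """Extract uniformResourceIdentifier GeneralNames ([6] IA5String, tag 0x86)
    from DER such as a certificate's CRL/AIA extensions. The URI ends where the
    DER length says, not at the next non-printable byte (short-form lengths only)."""
    uris, i = [], blob.find(b"\x86")
    while i != -1 and i + 1 < len(blob):
        n = blob[i + 1]
        body = blob[i + 2:i + 2 + n] if n < 0x80 else b""
        if body.startswith(b"http"):
            uris.append(body.decode("ascii", "replace"))
        i = blob.find(b"\x86", i + 1)
    return uris


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def carve_naive(blob):
    """What a printable-run scanner yields: URLs fused with the following DER bytes."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(blob)]


def classify_urls(zf):
    """Label each URL by channel: namespace declarations are noise, external
    relationships are real links, binary parts are carved structurally."""
    found = []
    for name in zf.namelist():
        data = zf.read(name)
        if name.endswith(".rels"):
            for r in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if r.get("TargetMode") == "External":
                    kind = "hyperlink" if r.get("Type") == LINK_REL else "external-rel"
                    found.append((r.get("Target"), f"{kind} ({name})"))
        elif name.endswith(".xml"):
            for m in re.finditer(r'xmlns(?::\w+)?="([^"]+)"', data.decode("utf-8")):
                found.append((m.group(1), "xml-namespace (noise)"))
        else:
            for u in carve_der_uris(data):
                found.append((u, f"certificate GeneralName URI ({name})"))
    return found


def build_sample_docx():
    """Constructed sample (not the analysed file): renamed VBA project part,
    a signature part holding a fake DER fragment, one external hyperlink."""
    def der_uri(u):
        return b"\x86" + bytes([len(u)]) + u.encode()
    fake_cert = (b"0\x48" + der_uri("http://cdp.example.invalid/ca.crl")
                 + b"0\x12\x06\x08+\x06\x01\x05\x05\x07\x30\x01"
                 + der_uri("http://ocsp.example.invalid/") + b"\x30\x03\x01\x01\xff")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Override PartName="/word/macros.bin" ContentType="' + VBA_CT + '"/>'
                   '<Override PartName="/word/vbaProjectSignature.bin" '
                   'ContentType="application/vnd.ms-office.vbaProjectSignature"/></Types>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   f'<Relationship Id="rId1" Type="{VBA_REL}" Target="macros.bin"/>'
                   f'<Relationship Id="rId2" Type="{SIG_REL}" Target="vbaProjectSignature.bin"/>'
                   f'<Relationship Id="rId3" Type="{LINK_REL}" Target="https://example.invalid/rfp" '
                   'TargetMode="External"/></Relationships>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Request for Proposal</w:t></w:r></w:p></w:body></w:document>')
        z.writestr("word/macros.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE magic stand-in
        z.writestr("word/vbaProjectSignature.bin", b"\x00" * 8 + fake_cert)
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))


if __name__ == "__main__":
    doc = build_sample_docx()
    print(find_vba_parts(doc))
    for url, label in classify_urls(doc):
        print(f"{label:55} {url}")
    print("naive carve:", carve_naive(doc.read("word/vbaProjectSignature.bin")))
```

Run against the real sample (zipfile.ZipFile(path) in place of build_sample_docx()), find_vba_parts() should report the project at word/vbaProject.bin and the signature at word/vbaProjectSignature.bin with renamed=False, which is the distinction the OOXML_VBA_PROJECT_RENAMED heuristic above missed; only a vbaProject relationship or content type pointing at some other part name is a rename. carve_naive() reproduces the "crl0H"-style run-on seen in the URL list, carve_der_uris() does not.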

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12954 bytes
SHA-256: 38bdd7314c596442b3b939a9830d0384d265fab22d986188f93283bdaa43a0c2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TB99, 9, 9, MSForms, TextBox"
Attribute VB_Control = "OB3, 8, 10, MSForms, OptionButton"
Attribute VB_Control = "OB2, 7, 11, MSForms, OptionButton"
Attribute VB_Control = "OB1, 6, 12, MSForms, OptionButton"
Attribute VB_Control = "AN_pruefen, 5, 13, MSForms, CommandButton"
Attribute VB_Control = "AG_pruefen, 4, 14, MSForms, CommandButton"
Attribute VB_Control = "TB4, 3, 15, MSForms, TextBox"
Attribute VB_Control = "TB3, 2, 16, MSForms, TextBox"
Attribute VB_Control = "TB2, 1, 17, MSForms, TextBox"
Attribute VB_Control = "TB1, 0, 18, MSForms, TextBox"
Dim leer$
Dim Fehlertext$
Dim i As Integer
Dim fehler As Boolean
Dim ok As Boolean
Sub FelderAktualisieren()
   ActiveWindow.View.Type = wdNormalView
   ActiveWindow.View.Type = wdReadingView
   ActiveWindow.View.Type = wdPrintView
End Sub
Dim Start As Integer

Private Sub AG_Pruefen_Click()
Dim Fragewert
Dim Merkauswahl
Start = 1
Fragewert = MsgBox("Bitte prüfen Sie, ob Sie das Dokument jetzt sperren wollen!" & Chr$(13) & Chr$(13) & _
"Sie können dann keine weiteren Eingaben tätigen." & Chr(13) & Chr(13) & _
"Wollen Sie das Dokument jetzt sperren?", 292, "Elektronische Angebotsaufforderung Wartung 2018")
If Fragewert <> 6 Then
  Exit Sub
End If
ok = True
Fehlertext$ = ""
leer$ = TB1.Text: i = 1: Datum_Test leer$, i, fehler: If fehler = True Then TB1.BackColor = &HFF& Else TB1.BackColor = &HE0E0E0
leer$ = TB2.Text: i = 2: Leerprüfung leer$, i, fehler: If fehler = True Then TB2.BackColor = &HFF& Else: TB2.BackColor = &HE0E0E0
leer$ = TB4.Text: i = 3: Leerprüfung leer$, i, fehler: If fehler = True Then TB4.BackColor = &HFF& Else: TB4.BackColor = &HE0E0E0
Merkauswahl = 0
If OB1.Value = True Then Merkauswahl = 1
If OB2.Value = True Then Merkauswahl = 1
If OB3.Value = True Then Merkauswahl = 1
If Merkauswahl = 0 Then
  MsgBox "Deckblatt: Keine Angebotsart ausgewählt!" & Chr(13) & Chr(13) & "Dokument kann nicht gesperrt werden!", 48, " Elektronisches Vertragsmuster Wartung 2014"
  ok = False
  Fehlertext$ = Fehlertext$ + "Deckblatt: Sie haben keine Angebotsart ausgewählt" & vbCrLf
  OB1.BackColor = &HFF&: OB2.BackColor = &HFF&: OB3.BackColor = &HFF&
  
Else 'ok
  OB1.BackColor = &HE0E0E0: OB2.BackColor = &HE0E0E0: OB3.BackColor = &HE0E0E0
End If
If ok = False Then
  MsgBox "Felder enthielten Fehler. Diese Felder wurden rot markiert" & Chr(13) & Chr(13) & _
  "Dokument kann nicht gesperrt werden!" & Chr(13) & Chr(13) & "Die Fehler sind in der folgenden Fehlerdatei <Fehlermeldung.txt.>  aufgelistet.", 48, "Elektronische Angebotsaufforderung Wartung 2018"
  Dim Start1 As Variant
  Dim Datei As String
  Dim Dat_Pfad As String
  Dim fso As Object
  Dim ts As Object
  Dat_Pfad = ActiveDocument.Path
  Datei = Dat_Pfad & "\Fehlermeldung.txt"
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set ts = fso.OpenTextFile(Datei, 2)
    ts.write Fehlertext$
    ts.Close
  Start1 = Shell("Notepad.exe  " & Datei, 3)
  Exit Sub
End If
If ok = False Then Exit Sub
  AG_pruefen.BackColor = &HE0E0E0
  AG_pruefen.ForeColor = &HFFFFFF
  AG_pruefen.Locked = True
  AG_pruefen.Caption = "Auftraggeber-Felder gesperrt"
  AG_pruefen.Enabled = False
  AN_pruefen.Enabled = True
  AN_pruefen.Locked = False
  AN_pruefen.BackColor = &H80FF&
  Schliesse_AG 'Ruft das Makro zum Sperren auf
  Oeffne_AN 'Ruft das Makro zum Freigeben auf
 Start = 0
 End Sub
Function Schliesse_AG()
xxx = Format(TB1.Text, "DD.MM.YYYY"): TB1.Text = xxx
TB1.Locked = True: TB1.BackColor = &HE0E0E0
TB2.Locked = True: TB2.BackColor = &HE0E0E0
TB4.Locked = True: TB4.BackColor = &HE0E0E0
OB1.Locked = True: OB1.BackColor = &HE0E0E0
OB2.Locked = True: OB2.BackColor = &HE0E0E0
OB3.Locked = True: OB3.BackColor = &HE0E0E0

End Function
Function Oeffne_A
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 43520 bytes
SHA-256: e905ba2840ebfe0cb88620331a00f47d3131ddce7778d362e064ea6b1abccec8

Filename: vbaProject_01.bin
Kind: vba-project (digital signature part)
Source: OOXML VBA project signature: word/vbaProjectSignature.bin
Size: 3658 bytes
SHA-256: c05a7c7bebdd8f8f7992d69aec4e162b291b6b8afe772e2b1b028003b7313ab3