Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 10742b0fceb20203…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 1.53 MB
Created: 2019-09-18 08:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 0b034f5783c2a5a9622b8f29db4c498b
SHA-1: d3054bbd801a2ff0c5105fb0ecc8192eefd1934c
SHA-256: 10742b0fceb20203def48880d32f1391882286f39b944ad32f16a5d352e8127c
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample contains VBA macros that use WScript.Shell to execute cmd.exe. The script attempts to ping two IP addresses, 163.172.147.127 and 185.112.146.165, and then opens Firefox to http://163.172.147.127/XVFDRE/Hack.png. This behavior suggests the macro is designed to download and execute a second-stage payload, likely ransomware or a trojan.

Heuristics (6)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
  • VBA project inside OOXML (medium, OOXML_VBA)
    The document contains a VBA project, so VBA macros are present.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://163.172.147.127/XVFDRE/Hack.png

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1693 bytes
    SHA-256: 70fc7745aa4eab3e2919cd4de72950284a4c6bbb9fcd840bd4c6127c8e49c1a7
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 21504 bytes
    SHA-256: 9602c5f53b8067ef655105cc2265e8abdd5d5dd61f99799fdcc15604d2f08944