Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1c1618f70d150903…

MALICIOUS

Office (OOXML)

Size: 256.0 KB
Created: 2021-09-14 11:14:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-09-25
MD5: 7072f8cc0ecbe81c828ed8ade374fb06
SHA-1: a914504c14579782a79b384178b54967dcc5eb6d
SHA-256: 1c1618f70d150903e532a0ce20b1433aacf4e3fbd9767cd8808685e831d498ca
Risk Score: 412

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1140 Deobfuscate or Obfuscate Malicious Code

The sample is a malicious Office document containing VBA macros. These macros use WScript.Shell and PowerShell, indicating an intent to download and execute a second-stage payload. The presence of these commands strongly suggests downloader or dropper functionality aimed at further compromising the system.

Heuristics 10

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin)
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • VBA project carries a recognised code-signing signature info VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 63856 bytes
SHA-256: 71c93f276a819c415bf20e5b785ac5bf213d347fb431a34d388f94a667357966
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "Duplex"
Option Explicit

Private Type PRINTER_DEFAULTS
   pDatatype As LongPtr
   pDevmode As LongPtr
   DesiredAccess As Long
End Type

Private Type PRINTER_INFO_2
   pServerName As LongPtr
   pPrinterName As LongPtr
   pShareName As LongPtr
   pPortName As LongPtr
   pDriverName As LongPtr
   pComment As LongPtr
   pLocation As LongPtr
   pDevmode As LongPtr               ' Pointer to DEVMODE
   pSepFile As LongPtr
   pPrintProcessor As LongPtr
   pDatatype As LongPtr
   pParameters As LongPtr
   pSecurityDescriptor As LongPtr    ' Pointer to SECURITY_DESCRIPTOR
   Attributes As Long
   Priority As Long
   DefaultPriority As Long
   StartTime As Long
   UntilTime As Long
   Status As Long
   cJobs As Long
   AveragePPM As Long
End Type

Private Type DEVMODE
   dmDeviceName As String * 32
   dmSpecVersion As Integer
   dmDriverVersion As Integer
   dmSize As Integer
   dmDriverExtra As Integer
   dmFields As Long
   dmOrientation As Integer
   dmPaperSize As Integer
   dmPaperLength As Integer
   dmPaperWidth As Integer
   dmScale As Integer
   dmCopies As Integer
   dmDefaultSource As Integer
   dmPrintQuality As Integer
   dmColor As Integer
   dmDuplex As Integer
   dmYResolution As Integer
   dmTTOption As Integer
   dmCollate As Integer
   dmFormName As String * 32
   dmUnusedPadding As Integer
   dmBitsPerPel As Integer
   dmPelsWidth As Long
   dmPelsHeight As Long
   dmDisplayFlags As Long
   dmDisplayFrequency As Long
   dmICMMethod As Long
   dmICMIntent As Long
   dmMediaType As Long
   dmDitherType As Long
   dmReserved1 As Long
   dmReserved2 As Long
End Type

Private Const DM_ORIENTATION = &H1
Private Const DM_PAPERSIZE = &H2
Private Const DM_PAPERLENGTH = &H4
Private Const DM_PAPERWIDTH = &H8
Private Const DM_DEFAULTSOURCE = &H200
Private Const DM_PRINTQUALITY = &H400
Private Const DM_COLOR = &H800
Private Const DM_DUPLEX = &H1000

Private Const DM_IN_BUFFER = 8
Private Const DM_OUT_BUFFER = 2
Private Const PRINTER_ACCESS_USE = &H8
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const PRINTER_NORMAL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or _
                PRINTER_ACCESS_USE)

Private Const PRINTER_ENUM_CONNECTIONS = &H4
Private Const PRINTER_ENUM_LOCAL = &H2

Private Declare PtrSafe Function ClosePrinter Lib "winspool.drv" _
      (ByVal hPrinter As LongPtr) As Long
Private Declare PtrSafe Function DocumentProperties Lib "winspool.drv" _
      Alias "DocumentPropertiesA" (ByVal hwnd As LongPtr, _
      ByVal hPrinter As LongPtr, ByVal pDeviceName As String, _
      ByVal pDevModeOutput As LongPtr, ByVal pDevModeInput As LongPtr, _
      ByVal fMode As LongPtr) As Long
Private Declare PtrSafe Function GetPrinter Lib "winspool.drv" Alias _
      "GetPrinterA" (ByVal hPrinter As LongPtr, ByVal Level As Long, _
      pPrinter As Byte, ByVal cbBuf As LongPtr, pcbNeeded As Long) As Long
Private Declare PtrSafe Function OpenPrinter Lib "winspool.drv" Alias _
      "OpenPrinterA" (ByVal pPrinterName As String, phPrinter As LongPtr, _
      pDefault As PRINTER_DEFAULTS) As Long
Private Declare PtrSafe Function SetPrinter Lib "winspool.drv" Alias _
      "SetPrinterA" (ByVal hPrinter As LongPtr, ByVal Level As Long, _
      pPrinter As Byte, ByVal Command As Long) As Long
Private Declare PtrSafe Function EnumPrinters Lib "winspool.drv" _
      Alias "EnumPrintersA" _
      (ByVal flags As Long, ByVal name As String, ByVal Level As Long, _
      pPrinterEnum As LongPtr, ByVal cdBuf As Long, pcbNeeded As LongPtr, _
      pcReturned As LongPtr) As Long

Private Declare PtrSafe Function PtrToStr Lib "kernel32" Alias "lstrcpyA" _
      (ByVal retVal As String, ByVa
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 265728 bytes
SHA-256: 062d6315517e4338cb68952fdb38fa5052cd6e64187cc165b0f8fdf1371dd592
Detection
ClamAV: Doc.Downloader.Pwshell-10001336-0
Obfuscation or payload: unlikely
vbaProject_01.bin vba-project OOXML VBA project: word/vbaProjectSignatureV3.bin 7722 bytes
SHA-256: 73d91f95ccecf0a624ed8fcde6e1cece9001f3e3c0a94843200b0c95d936226b
vbaProject_02.bin vba-project OOXML VBA project: word/vbaProjectSignatureAgile.bin 7722 bytes
SHA-256: 49cbf8df7c7c5f06a9fcb49dd8d5c96d5dfd055e86577ccba7bff7e616c18a4e
vbaProject_03.bin vba-project OOXML VBA project: word/vbaProjectSignature.bin 7607 bytes
SHA-256: 848bf6a69d691fd64602074b3599dcad52022105097e44352066951f56c6ddd0