Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1d48aa232e6535fd…

MALICIOUS

Office (OOXML)

217.2 KB Created: 2017-07-10 07:24:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2020-12-25
MD5: b924ff83d9120d934bb49a7a2e3c4292 SHA-1: bb10ed5d59672fbc6178e35d0feac0562513e9f0 SHA-256: 1d48aa232e6535fd9344f0f0b1741dbef2bdbc137a06fe5f2caa15ed36811c70
190 Risk Score

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6334612-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6334612-0
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///G:\Templates\Steering Board templates\SB Document.dotm
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://www.eda.europa.eu
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas OOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship
    • http://www.eda.europa.euDocument hyperlink

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 320 bytes
SHA-256: 42bca1ea71067a4ac0f136efc08a661ef9bc6bf36fd54f8b4fdb61ddc6869fee
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Word_Document1.docx 16142 bytes
SHA-256: 9a4c5ab14951faf158c15a0892cce318abfbe8546cd3e33ec06c4feb9623dbf6
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 31744 bytes
SHA-256: 0b42322a126a69efb5734a41b1a8b6746225462dd0d06e6680d924ca51ffe4c9
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 100212 bytes
SHA-256: 2a70b395de77141f2fa4962d604771c1e6ca0775a01781f74930db91862ad864