Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2d9a6067d629e04d…

MALICIOUS

Office (OOXML)

1.13 MB Created: 2014-02-14 15:22:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-17
MD5: 9949c2458c74f9aab7e9bb7d6b56a9a1 SHA-1: d8fa42fd6f4142c2b9e2e6108fa2da898b66a766 SHA-256: 2d9a6067d629e04d58b8a1314925c28b02f172e2b4d532e1fd590cc8e5b6b28b
212 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an OOXML document containing VBA macros. Heuristics indicate the presence of a renamed VBA project and a critical finding of a Shell() call within the VBA code, which is also auto-executed. This strongly suggests the macro is designed to download and execute a secondary payload. The presence of multiple VBA project files and a .bas macro file are included as IOCs.

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin)
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • VBA project carries a recognised code-signing signature info VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.i4i.com In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/attribute-valuesIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/spl/r4inputIn document text (OOXML body / shared strings)
    • http://i4i.com/s4ent/core/In document text (OOXML body / shared strings)
    • http://localhostIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/data_hubIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/keywordsIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/eulm/infozoneIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/propfindIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/cxp/proppatchIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/propextractIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/ccxmlIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/configIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/schemaIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/schemaxmlIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/densemarkupIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/keywordsIn document text (OOXML body / shared strings)
    • http://i4i.com/s4ent/A4LIn document text (OOXML body / shared strings)
    • http://www.i4i.com/In document text (OOXML body / shared strings)
    • http://www.susandoreydesigns.com/software/WordVBATechniques.pdfIn document text (OOXML body / shared strings)
    • http://i4i.com/s4ent/DocumentManagement/In document text (OOXML body / shared strings)
    • https://raw.githubusercontent.com/HealthCanada/HPFB/master/product-monograph/style-sheet/spl_canada.xslIn document text (OOXML body / shared strings)
    • http://www.fiddler2.com1In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/spl/r4input�In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/ccxmlxtractIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/attribute-values(In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/configes(In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/schemaoppatc#In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/schemaxmlropIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/configxmlcxm%In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/densemarkuprIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/keywordskup/In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/data_hub/ns/In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/keywords�In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/propfind�In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/attriIn document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/config�In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4w/schema�In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/keywords�In document text (OOXML body / shared strings)
    • http://www.i4i.com/ns/x4o/data_hub�In document text (OOXML body / shared strings)
    • http://i4i.com/s4ent/core/�In document text (OOXML body / shared strings)
    • http://i4i.com/s4ent/A4L�In document text (OOXML body / shared strings)
    • http://www.vaers.hhs.gov�In document text (OOXML body / shared strings)
    • http://@www.ac��sIn document text (OOXML body / shared strings)
    • http://ocsp.digicert.com0OIn document text (OOXML body / shared strings)
    • http://ocsp.digicert.com0CIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    +46 more URL(s)

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1226107 bytes
SHA-256: 04a573ddcc20191fc8a2a803d120630d5daa1547211cadb507ccb02f82ef77e7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'Company:          Infrastructures For Information - i4i(www.i4i.com)
'Comment:          Holds document level events
'Date Created:     2010.10.15
'Developer:        Rob Southon
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Private Sub Document_ContentControlAfterAdd(ByVal NewContentControl As ContentControl, ByVal InUndoRedo As Boolean)
    On Error Resume Next
    'Fixed to #20888, #20890
    If InUndoRedo Then
        g_bSkipEvents = True
        Exit Sub
    End If

    Dim oDoc As Document
    Set oDoc = NewContentControl.Parent

    'Remove myself if I'm not allowed - don't allow creation of a CO, CC, HD, ST inside of a CO - 12457
    If NewContentControl.Tag <> "" Then 'Don't act on CCs without a tag
        Dim sMyPrefix As String
        Dim sParentPrefix As String
        sMyPrefix = Left(NewContentControl.Tag, 3)
        sParentPrefix = Left(NewContentControl.ParentContentControl.Tag, 3)
        If (sMyPrefix = gc_sCCPrefixPCData Or sMyPrefix = gc_sCCPrefixStructure Or sMyPrefix = gc_sCCPrefixHighlight Or sMyPrefix = gc_sCCPrefixHeading Or sMyPrefix = gc_sCCPrefixStandardText Or sMyPrefix = gc_sCCPrefixHighlight) And (sParentPrefix = gc_sCCPrefixKeyword Or sParentPrefix = gc_sCCPrefixPCData Or sParentPrefix = gc_sCCPrefixHeading Or sParentPrefix = gc_sCCPrefixStandardText) Then
            'i4i internal: defect12556
            'if parent content control is "st:adverse_highlight", it shouldn't be deleted - special description in highlight for section 6
            If NewContentControl.ParentContentControl.Tag <> gc_sCCPrefixStandardText + "adverse_highlight" Then
                NewContentControl.Delete False
            End If
            Exit Sub
        End If
    End If
    'For moving sections so we don't duplicate IDs
    If g_bSkipIds = True Then Exit Sub

    'Add in our GUID attributes
    If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttGuid, gc_sXmlnsX4wAttVals) = "" Then
        g_CAttribute.SetAttributeValue NewContentControl, gc_sAttGuid, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals
    End If
    '16583 - set our permanent ID attribute values
    If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttPermId, gc_sXmlnsX4wAttVals) = "" Then
        g_CAttribute.SetAttributeValue NewContentControl, gc_sAttPermId, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals
    End If
    
End Sub

Private Sub Document_ContentControlOnEnter(ByVal ContentControl As ContentControl)
    On Error GoTo PROC_ERR
        
    If g_bSkipEvents = True Then Exit Sub
    'for densemarkup - autoselect
    If ContentControl.Tag = "ct:DenseMarkup" Then
        selectDenseMarkupNode ContentControl
    End If
    If ContentControl.Tag = "cv:Materials" Then
        CleanUpMaterialListEntries
    End If
    Dim oDoc As Document
    Set oDoc = ContentControl.Parent
   
    'i4i internal: defect12631
    'Keep a flag to remember if the doc was saved because setting locks dirties the document and we don't want it to
    Dim bDocSaved As Boolean
    bDocSaved = oDoc.Saved
                
    'i4i internal: defect12087
    'this would cause "can't execute code in break mode" error after close IE browser
    If IsError(g_ox4oRibbon) = False Then
        If Not g_ox4oRibbon Is Nothing Then
            g_ox4oRibbon.Invalidate
        End If
    Else
        'We don't have control of the menus! Inform the user and close the document
        If MsgBox(g_CLocalization.GetMessage("c_X4O_NOT_CONNECTED_CONFIRM_SAVE", gc_sAppName), vbYesNo + vbCritical, gc_sAppName) = vbYes Then
            oDoc.Close True
        Else
            
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 2643456 bytes
SHA-256: d11d94f69fb11bd52fe5bdc1153ff69cd56183e7b1c23413a0baa322a1dc4980
vbaProject_01.bin vba-project OOXML VBA project: word/vbaProjectSignatureV3.bin 9079 bytes
SHA-256: 005e4f177784cad024a57e8d81f586a8395bdd4ed49b54d80eeb80be3ce31ab9
vbaProject_02.bin vba-project OOXML VBA project: word/vbaProjectSignatureAgile.bin 9079 bytes
SHA-256: fdf2c3a2922ea5532192af745fc110790590bf51d4878d277d6667a11b74e2d3
vbaProject_03.bin vba-project OOXML VBA project: word/vbaProjectSignature.bin 8964 bytes
SHA-256: a8dd7fbc94142462dcbb13f6e9ef78f0d16c32aa2703187ec91a3d2a3063104c

Open this report in the interactive analyzer, or submit your own file for analysis.