Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3149a8fcd468aaea…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 1.17 MB
Created: 2021-09-09 14:39:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-09-17
MD5: 03f62ba78eaaa5a33d8d10c156f46f05
SHA-1: 76b4a7fd44d7ff34a48a935db7783bb978960b5e
SHA-256: 3149a8fcd468aaeaa18d4bb81431268eb466ed063e58f41f9b922f8d6dd88799
Risk score: 372

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an OOXML Word document carrying a VBA project. Critical heuristics fire on `Shell()` and `WScript.Shell` usage, which give the macros arbitrary command execution, and on an `AutoOpen` procedure whose shape matches the obfuscated auto-exec loader rule (strings rebuilt at run time and passed to a CreateObject/Shell sink), the pattern normally used to fetch and run a second-stage payload. Two facts on this page argue for manual confirmation before the verdict is acted on: the first 1,000 lines of the extracted source (below) are readable, commented i4i (Infrastructures For Information) authoring code rather than obfuscated text, and the VBA project carries a recognised but not yet verified code-signing signature. Locate the flagged `AutoOpen`, `Shell` and `WScript.Shell` call sites in the full 1.3 MB macros.bas and verify the signature against the stored vbaProject.bin; note also that none of the URLs listed in the EMBEDDED_URL finding is attributed to the macro channel.

Heuristics (11)

  • VBA project inside OOXML (medium; 8 related findings) OOXML_VBA
    Document contains a VBA project, so VBA macros are present. The rule also reports a project part renamed away from vbaProject.bin (word/vbaProjectSignatureV3.bin); see OOXML_VBA_PROJECT_RENAMED below for why that part is the V3 signature rather than a renamed project.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() runs an arbitrary command line from VBA; the argument can be built at run time, so the executed command need not appear in the source.
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    WScript.Shell (Windows Script Host via COM) gives VBA Run/Exec for launching processes, plus registry access and environment-string expansion.
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-exec procedure reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the CreateObject/Shell arguments and any URL out of the macro source, which is why the decoder, not the sink, is the indicator.
  • VBA project part renamed to evade filename detection (high) OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Office itself always writes the project as vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader). In this sample the matched part is word/vbaProjectSignatureV3.bin, and the extracted artifacts below show it alongside word/vbaProject.bin, word/vbaProjectSignature.bin and word/vbaProjectSignatureAgile.bin: those three are the legacy, Agile and V3 signature parts Office emits for a signed project, not a renamed project. Treat this finding as unconfirmed unless the relationship of type .../relationships/vbaProject itself targets a part other than vbaProject.bin.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen runs automatically when Word opens the document with macros enabled, giving the macro a no-click entry point.
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject instantiates a COM object by ProgID; with a ProgID assembled at run time it is the usual route to WScript.Shell, MSXML2.XMLHTTP or Scripting.FileSystemObject.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents (VBA stomping) and documents where source extraction fails, since Office executes the p-code, not the visible source.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() reads environment variables such as TEMP or APPDATA, commonly used to build a drop path; on its own it is benign.
  • VBA project carries a recognised code-signing signature (info) VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only: the signature has not yet been verified to cover the current project bytes, so it does not (yet) reduce the verdict. Verifying it against the stored vbaProject.bin is the next check: a valid signature from the named publisher argues against tampering, an invalid one suggests the project was modified after signing.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it. Every URL listed below is attributed to document text, none to the macro channel.
    All URLs below were reached through document text (OOXML body / shared strings):
    • http://www.i4i.com
    • http://www.i4i.com/
    • http://www.i4i.com/ns/x4w/attribute-values
    • http://www.i4i.com/ns/x4w/spl/r4input
    • http://www.i4i.com/ns/x4w/keywords
    • http://www.i4i.com/ns/x4w/eulm/infozone
    • http://www.i4i.com/ns/x4w/propfind
    • http://www.i4i.com/ns/x4w/cxp/proppatch
    • http://www.i4i.com/ns/x4w/propextract
    • http://www.i4i.com/ns/x4w/ccxml
    • http://www.i4i.com/ns/x4w/config
    • http://www.i4i.com/ns/x4w/configxml
    • http://www.i4i.com/ns/x4w/schema
    • http://www.i4i.com/ns/x4w/schemaxml
    • http://www.i4i.com/ns/x4o/data_hub
    • http://www.i4i.com/ns/x4o/densemarkup
    • http://www.i4i.com/ns/x4o/keywords
    • http://i4i.com/s4ent/core/
    • http://i4i.com/s4ent/A4L
    • http://i4i.com/s4ent/DocumentManagement/
    • http://localhost
    • https://github.com/VBA-tools/VBA-JSON
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • http://www.susandoreydesigns.com/software/WordVBATechniques.pdf
    • https://raw.githubusercontent.com/HealthCanada/HPFB/master/product-monograph/style-sheet/spl_canada.xsl
    • http://ocsp.digicert.com (two occurrences; trailing binary bytes stripped)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    The extractor also reported the i4i namespace URLs above a second time with trailing binary bytes or overlapping string fragments attached (for example "keywords����%", "schemaxml���", "ccxmlxtract", "keywordskup"); these are the same strings carved from binary data and are not listed separately.
    +56 more URL(s)
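The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER rule above describes a shape rather than a fixed signature. The following is an added example, not part of this report or of the scanner that produced it: a small Python source-level scan that recognises the three decoder shapes the rule names (numeric char array, hex-string decode, junk-token Replace) and flags a loader only when an auto-exec procedure, a decoder shape and an execution/COM sink all occur together. Both VBA inputs are constructed for the example; the second imitates the plain, literal-string style of the i4i code in the macros.bas preview below and shows why such code does not match even though it contains AutoOpen and CreateObject. The regexes and the all-three rule are this example's choices, not the report's rule logic, and being source-based it says nothing about the separate p-code finding.

```python
import re

# Procedure names Word/Excel run automatically (a subset; the rule covers the general class).
AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)

# Execution and COM-instantiation sinks. Longer names come before "Shell" in the alternation.
SINK = re.compile(r"\b(WScript\.Shell|ShellExecute|CreateObject|GetObject|Shell)\b", re.I)

# The three decoder shapes the rule lists, as this example chooses to recognise them.
DECODERS = {
    # Chr(87) & Chr(83) & Chr(99) ... : three or more numeric Chr() terms joined by & or +
    "numeric_char_array": re.compile(r"(?:Chr[WB]?\$?\s*\(\s*\d+\s*\)\s*[&+]\s*){3,}", re.I),
    # "&H" & Mid(s, i, 2) : two-hex-digit slices turned back into characters in a loop
    "hex_string_decode": re.compile(r'"&H"\s*[&+]\s*Mid\s*\(', re.I),
    # Replace(s, "junk", "") : a junk token of 3+ characters stripped out of a carrier string
    "junk_token_replace": re.compile(r'Replace\s*\([^,]+,\s*"[^"]{3,}"\s*,\s*""\s*\)', re.I),
}


def scan_vba(src: str) -> dict:
    """Report auto-exec entry points, sinks and decoder shapes found in VBA source.
    The loader flag needs all three classes present at once."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    sinks = sorted({m.group(1) for m in SINK.finditer(src)})
    decoders = {name: len(rx.findall(src)) for name, rx in DECODERS.items()}
    decoders = {name: n for name, n in decoders.items() if n}
    return {
        "autoexec": autoexec,
        "sinks": sinks,
        "decoders": decoders,
        "obfuscated_autoexec_loader": bool(autoexec and sinks and decoders),
    }


# Constructed sample 1 (not from the analysed file): loader shape. The ProgID and the
# command are never literal in the source; the hex string decodes to "echo hello".
OBFUSCATED_SAMPLE = r'''
Private Sub AutoOpen()
    Dim h As String, s As String, w As String, i As Integer
    h = "6563686f2068656c6c6f"
    For i = 1 To Len(h) Step 2
        s = s & Chr(Val("&H" & Mid(h, i, 2)))
    Next i
    w = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116)
    w = Replace(w & "qzqz.Shellqzqz", "qzqz", "")
    Set o = CreateObject(w)
    o.Run s, 0
End Sub
'''

# Constructed sample 2 (not from the analysed file): plain i4i-style code. AutoOpen and
# CreateObject are present, but every string is literal, so no decoder shape fires.
CLEAN_SAMPLE = r'''
Private Sub AutoOpen()
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(ActiveDocument.Path & "\config.xml") Then
        LoadConfiguration ActiveDocument.Path & "\config.xml"
    End If
End Sub
'''

if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED_SAMPLE), ("plain", CLEAN_SAMPLE)):
        print(label, scan_vba(src))
```

The obfuscated sample is flagged even though the only sink visible in its source is CreateObject: WScript.Shell and the command are assembled at run time, which is exactly the property the rule keys on. The plain sample, with the same entry point and the same sink but literal arguments, is not.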

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1318817 bytes
  SHA-256: 681681821ae52ba1f02b17dc91cd168d238344ce662f7332dce003f468cca9a3
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'Company:          Infrastructures For Information - i4i(www.i4i.com)
'Comment:          Holds document level events
'Date Created:     2010.10.15
'Developer:        Rob Southon
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Private Sub Document_ContentControlAfterAdd(ByVal NewContentControl As ContentControl, ByVal InUndoRedo As Boolean)
    On Error Resume Next
    'Fixed to #20888, #20890
    If InUndoRedo Then
        g_bSkipEvents = True
        Exit Sub
    End If

    Dim oDoc As Document
    Set oDoc = NewContentControl.Parent

    'Remove myself if I'm not allowed - don't allow creation of a CO, CC, HD, ST inside of a CO - 12457
    If NewContentControl.Tag <> "" Then 'Don't act on CCs without a tag
        Dim sMyPrefix As String
        Dim sParentPrefix As String
        sMyPrefix = Left(NewContentControl.Tag, 3)
        sParentPrefix = Left(NewContentControl.ParentContentControl.Tag, 3)
        If (sMyPrefix = gc_sCCPrefixPCData Or sMyPrefix = gc_sCCPrefixStructure Or sMyPrefix = gc_sCCPrefixHighlight Or sMyPrefix = gc_sCCPrefixHeading Or sMyPrefix = gc_sCCPrefixStandardText Or sMyPrefix = gc_sCCPrefixHighlight) And (sParentPrefix = gc_sCCPrefixKeyword Or sParentPrefix = gc_sCCPrefixPCData Or sParentPrefix = gc_sCCPrefixHeading Or sParentPrefix = gc_sCCPrefixStandardText) Then
            'i4i internal: defect12556
            'if parent content control is "st:adverse_highlight", it shouldn't be deleted - special description in highlight for section 6
            If NewContentControl.ParentContentControl.Tag <> gc_sCCPrefixStandardText + "adverse_highlight" Then
                NewContentControl.Delete False
            End If
            Exit Sub
        End If
    End If
    'For moving sections so we don't duplicate IDs
    If g_bSkipIds = True Then Exit Sub

    'Add in our GUID attributes
    If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttGuid, gc_sXmlnsX4wAttVals) = "" Then
        g_CAttribute.SetAttributeValue NewContentControl, gc_sAttGuid, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals
    End If
    '16583 - set our permanent ID attribute values
    If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttPermId, gc_sXmlnsX4wAttVals) = "" Then
        g_CAttribute.SetAttributeValue NewContentControl, gc_sAttPermId, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals
    End If
    
End Sub

Private Sub Document_ContentControlOnEnter(ByVal ContentControl As ContentControl)
    On Error GoTo PROC_ERR
        
    If g_bSkipEvents = True Then Exit Sub
    'for densemarkup - autoselect
    If ContentControl.Tag = "ct:DenseMarkup" Then
        selectDenseMarkupNode ContentControl
    End If
    If ContentControl.Tag = "cv:Materials" Then
        CleanUpMaterialListEntries
    End If
    Dim oDoc As Document
    Set oDoc = ContentControl.Parent
   
    'i4i internal: defect12631
    'Keep a flag to remember if the doc was saved because setting locks dirties the document and we don't want it to
    Dim bDocSaved As Boolean
    bDocSaved = oDoc.Saved
                
    'i4i internal: defect12087
    'this would cause "can't execute code in break mode" error after close IE browser
    If IsError(g_ox4oRibbon) = False Then
        If Not g_ox4oRibbon Is Nothing Then
            g_ox4oRibbon.Invalidate
        End If
    Else
        'We don't have control of the menus! Inform the user and close the document
        If MsgBox(g_CLocalization.GetMessage("c_X4O_NOT_CONNECTED_CONFIRM_SAVE", gc_sAppName), vbYesNo + vbCritical, gc_sAppName) = vbYes Then
            oDoc.Close True
        Else
            
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 2781696 bytes
  SHA-256: 32e3412ae89f76e3bbb25ff2ae7acbd4ab4711fc2bfc972f31be4e8699d93cc6
vbaProject_01.bin | vba-project | OOXML VBA project signature part (V3): word/vbaProjectSignatureV3.bin | 9079 bytes
  SHA-256: 9e9a5458a10ffde78c911b3212a7edd8e4e6c107db963a5f7df3d08407df72a0
vbaProject_02.bin | vba-project | OOXML VBA project signature part (Agile): word/vbaProjectSignatureAgile.bin | 9079 bytes
  SHA-256: b0dca0997bdd36be6b3ee5522d76ad85598d5662201eb42ca201b309f6ffd77c
vbaProject_03.bin | vba-project | OOXML VBA project signature part (legacy): word/vbaProjectSignature.bin | 8964 bytes
  SHA-256: 396fdd0e348fca371d7a153ecb6fd963a63953d20b478739f4b5bb1101fe4cb9
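The OOXML_VBA_PROJECT_RENAMED rule and the artifact list above both turn on how the VBA project part is bound, not on what it is called. As an added example (not the report's own tooling), the following Python builds two constructed minimal packages in memory, one laid out like this sample (word/vbaProject.bin plus the three signature parts) and one with the project part renamed, and classifies parts by content type and by the vbaProject relationship so that signature parts are never mistaken for a renamed project. The vbaProject and vbaProjectSignature content types and the 2006 vbaProject relationship type are the documented Office values; the Agile and V3 content types are assumed here to follow the same naming, as labelled in the code, and the part bodies are placeholders rather than real OLE containers or signature blobs.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Content type Office writes for the VBA project part.
CT_VBA_PROJECT = "application/vnd.ms-office.vbaProject"
# Signature parts of a signed project. The legacy value is documented; the Agile and V3
# values are an assumption of this example (same naming scheme as the legacy part).
CT_SIGNATURES = {
    "application/vnd.ms-office.vbaProjectSignature": "legacy",
    "application/vnd.ms-office.vbaProjectSignatureAgile": "agile",
    "application/vnd.ms-office.vbaProjectSignatureV3": "v3",
}
# Relationship type from word/document.xml to the VBA project part.
REL_VBA_PROJECT = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"


def make_sample(project_part: str, signature_parts: dict) -> bytes:
    """Constructed minimal .docm-like package holding only the parts this check needs.
    project_part must live under word/ (it is the Target of the document relationship)."""
    assert project_part.startswith("word/")
    by_kind = {kind: ct for ct, kind in CT_SIGNATURES.items()}
    overrides = [f'<Override PartName="/{project_part}" ContentType="{CT_VBA_PROJECT}"/>']
    overrides += [f'<Override PartName="/{p}" ContentType="{by_kind[k]}"/>'
                  for p, k in signature_parts.items()]
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>")
    target = project_part[len("word/"):]  # Target is relative to word/document.xml
    doc_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId9" Type="{REL_VBA_PROJECT}" Target="{target}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr(project_part, b"placeholder: not a real OLE/CFB VBA project")
        for p in signature_parts:
            z.writestr(p, b"placeholder: not a real signature blob")
    return buf.getvalue()


def classify_vba_parts(package: bytes) -> dict:
    """Find VBA-related parts by content type and by relationship, ignoring filenames."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        types = ET.fromstring(z.read("[Content_Types].xml"))
        project, signatures = [], {}
        for ov in types.iter(CT_NS + "Override"):
            part, ctype = ov.get("PartName", "").lstrip("/"), ov.get("ContentType", "")
            if ctype == CT_VBA_PROJECT:
                project.append(part)
            elif ctype in CT_SIGNATURES:
                signatures[part] = CT_SIGNATURES[ctype]
        bound = []  # parts the main document binds as its VBA project
        if "word/_rels/document.xml.rels" in names:
            rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rels.iter(REL_NS + "Relationship"):
                if rel.get("Type") == REL_VBA_PROJECT:
                    t = rel.get("Target", "")
                    bound.append(t.lstrip("/") if t.startswith("/") else "word/" + t)
        # declared or bound parts that are absent from the zip are themselves suspicious
        missing = sorted(p for p in project + bound + list(signatures) if p not in names)
    return {"project": project, "bound": bound, "signatures": signatures, "missing": missing}


def renamed_project_parts(package: bytes) -> list:
    """Parts typed or bound as the VBA project whose basename is not vbaProject.bin.
    Signature parts are excluded on purpose: vbaProjectSignature*.bin is their normal name."""
    info = classify_vba_parts(package)
    candidates = sorted(set(info["project"]) | set(info["bound"]))
    return [p for p in candidates if p.rsplit("/", 1)[-1].lower() != "vbaproject.bin"]


if __name__ == "__main__":
    signed = make_sample("word/vbaProject.bin", {
        "word/vbaProjectSignature.bin": "legacy",
        "word/vbaProjectSignatureAgile.bin": "agile",
        "word/vbaProjectSignatureV3.bin": "v3"})
    print(classify_vba_parts(signed))
    print(renamed_project_parts(signed))   # []
    hidden = make_sample("word/notes.bin", {})
    print(renamed_project_parts(hidden))   # ['word/notes.bin']
```

Run against a real package, the same classification would be done on the actual zip bytes instead of make_sample output; the point is that vbaProjectSignatureV3.bin is identified by its signature content type and never reaches the renamed-project check, whereas a project part stored under any other name is caught through its content type or the vbaProject relationship regardless of filename.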