Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 55edc430f7ae98b2…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 37.1 KB
Created: 2012-01-09 22:44:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07
MD5: db979b17369ea43e3f62edbfae90666c
SHA-1: 4359a0559bedf2a591f1188be459eb8fc4a47197
SHA-256: 55edc430f7ae98b23feb4c5fc292ba2eb08c2d58f53734ef139b201f314c6375
Risk score: 64

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The OOXML document carries a VBA project (OOXML_VBA), and the OOXML_VBA_PROJECT_RENAMED heuristic fired on the part name word/vbaProjectSignatureAgile.bin. The decoded macro source is the Efofex FX Stat ribbon add-in code (both modules carry a "Copyright 2010 Efofex Software" remark): two IRibbonControl callbacks that call ActiveDocument.Shapes.AddOLEObject or Selection.InlineShapes.AddOLEObject with ClassType "FXStat.Graph". AddOLEObject with a ProgID instantiates whatever COM server is registered under that ProgID on the host; the macro itself contains no download, file-write or process-launch code, and on a machine where FXStat.Graph is not registered the call fails with error 4198, is retried while a counter is at most 5, and the routine then exits silently. The report also reads the body text as instructing that the file be placed in Word's startup directory. That matters because a template in Word's STARTUP folder is loaded as a global template at every Word launch: it is how legitimate add-ins deploy ribbon customisations and also a standard persistence location, so the instruction alone does not separate the two. Two further points bear on the verdict: the extracted artifacts below list word/vbaProject.bin as present under its standard name, so the "renamed" part is the agile signature part that Office itself writes for a signed project, and the project is Authenticode-signed under the COMODO RSA Code Signing CA chain (the CRL/OCSP URLs below come from that chain). Before acting on the MALICIOUS verdict, verify that the signature still covers the current project bytes and that FXStat.Graph resolves to the expected Efofex server on the target host.

Heuristics (4)

  • OOXML_VBA (medium, 1 related finding): VBA project inside OOXML
    Document contains a VBA project, i.e. VBA macros are present. The finding reports the project part as renamed away from vbaProject.bin (word/vbaProjectSignatureAgile.bin); see the next finding for why that name needs a second look.
  • OOXML_VBA_PROJECT_RENAMED (high): VBA project part renamed to evade filename detection
    Heuristic rationale: the VBA project is bound through the OOXML relationship and content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin, so renaming it hides the macros from path-only scanners (a trick observed in the SVCReady loader). Caveat for this sample: the part named here, word/vbaProjectSignatureAgile.bin, is the agile VBA digital-signature part, and its sibling word/vbaProjectSignature.bin is the legacy signature part; both names are exactly what Office writes when a VBA project is signed, and the extracted artifacts below show that word/vbaProject.bin itself is present under its standard name. Treat the finding as a probable misfire on the signature part until each part's relationship and content-type binding has been re-checked.
  • VBA_SIGNED_TRUSTED (info): VBA project carries a recognised code-signing signature
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA (the CRL, OCSP and CPS URLs below belong to that chain). Informational only: the signature has not yet been verified to cover the current project bytes, so it does not (yet) reduce the verdict. A signature that no longer matches the project is the case to worry about, since it means the macros were modified after signing.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. Every entry below carries the tool's label "in document text (OOXML body / shared strings)". Reading them: the schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace declarations from the document parts, and the usertrust.com, comodo.net and comodoca.com entries are the CRL, OCSP, AIA and CPS URIs of the code-signing certificate chain; the trailing characters ("1", "0", "05", "0t", "0$", "0q", "0C") are the adjacent DER tag and length bytes picked up by string extraction, not part of the URL. None is reached by the macro or by a link annotation, so none is a network indicator for this sample.
    Extracted strings, as reported:
    • http://www.usertrust.com1
    • http://ocsp.usertrust.com0
    • https://secure.comodo.net/CPS0C
    • http://ocsp.comodoca.com0
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://schemas.microsoft.com/office/2006/01/customui
    • http://crl.usertrust.com/UTN-USERFirst-Object.crl05
    • http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
    • http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
    • http://crl.usertrust.com/AddTrustExternalCARoot.crl05
    • http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
    • http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
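
A way to re-check the OOXML_VBA and OOXML_VBA_PROJECT_RENAMED findings against the package's own binding, as an added example that is not part of this report or of the analysis tool. It walks [Content_Types].xml and every .rels part, so a VBA project is found by its content type or its vbaProject relationship whatever its file name, while the legacy and agile signature parts are recognised by their content type and are not reported as a renamed project. The two packages it builds are constructed fixtures, not the analysed sample: one mirrors the part layout listed under Extracted artifacts (word/vbaProject.bin plus vbaProjectSignature.bin and vbaProjectSignatureAgile.bin), the other hides the project under word/media/image1.png. The vbaProject content type and relationship type are the standard OPC values; the two signature content types are written from memory of Office output and should be checked against a known-good signed .docm.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC / OOXML identifiers. VBA_CT and VBA_REL are the standard values for the
# VBA project part; the signature content types derived from VBA_CT below are
# assumed from Office output (verify against a known-good signed .docm).
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_CT = "application/vnd.ms-office.vbaProject"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"


def part_content_types(z):
    """Map each part ('/word/x.bin') to its declared content type, honouring both
    <Default Extension> and <Override PartName> rules from [Content_Types].xml."""
    root = ET.fromstring(z.read("[Content_Types].xml"))
    defaults = {d.get("Extension").lower(): d.get("ContentType")
                for d in root.iter(f"{{{CT_NS}}}Default")}
    overrides = {o.get("PartName"): o.get("ContentType")
                 for o in root.iter(f"{{{CT_NS}}}Override")}
    types = {}
    for name in z.namelist():
        part = "/" + name
        leaf = name.rsplit("/", 1)[-1]
        ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
        types[part] = overrides.get(part, defaults.get(ext))
    return types


def vba_relationship_targets(z):
    """Absolute part names bound by any .rels file with the vbaProject relationship type."""
    targets = set()
    for name in z.namelist():
        if not name.endswith(".rels"):
            continue
        base = name.split("_rels/")[0]  # 'word/_rels/document.xml.rels' -> 'word/'
        for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != VBA_REL or rel.get("TargetMode", "Internal") != "Internal":
                continue
            target = rel.get("Target")
            targets.add(target if target.startswith("/") else "/" + base + target)
    return targets


def classify_vba_parts(package_bytes):
    """Return sorted (part, kind) pairs: 'vba-project' for a project under its standard
    name, 'vba-project-renamed' for a project bound by content type or relationship under
    any other name, 'vba-signature' for signature parts (never reported as renamed)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        types = part_content_types(z)
        bound = vba_relationship_targets(z)
        for part, ctype in types.items():
            if ctype == VBA_CT or part in bound:
                standard = part.rsplit("/", 1)[-1] == "vbaProject.bin"
                findings.append((part, "vba-project" if standard else "vba-project-renamed"))
            elif ctype and ctype.startswith(VBA_CT + "Signature"):
                findings.append((part, "vba-signature"))
    return sorted(findings)


def build_sample_package(renamed):
    """Constructed fixture, not the analysed sample. renamed=False mirrors the part layout
    in this report; renamed=True hides the project as word/media/image1.png, bound only
    through the content-type override and the relationship (path-only scanner evasion)."""
    project_part = "word/media/image1.png" if renamed else "word/vbaProject.bin"
    content_types = f"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="{CT_NS}">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
  <Override PartName="/{project_part}" ContentType="{VBA_CT}"/>
  <Override PartName="/word/vbaProjectSignature.bin" ContentType="{VBA_CT}Signature"/>
  <Override PartName="/word/vbaProjectSignatureAgile.bin" ContentType="{VBA_CT}SignatureAgile"/>
</Types>"""
    document_rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{VBA_REL}" Target="{project_part[len('word/'):]}"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels)
        # Placeholder bytes only; a real part would be an OLE compound file.
        z.writestr(project_part, b"\xd0\xcf\x11\xe0 placeholder VBA project")
        z.writestr("word/vbaProjectSignature.bin", b"placeholder legacy signature")
        z.writestr("word/vbaProjectSignatureAgile.bin", b"placeholder agile signature")
    return buf.getvalue()


if __name__ == "__main__":
    for renamed in (False, True):
        print("renamed fixture" if renamed else "standard fixture")
        for part, kind in classify_vba_parts(build_sample_package(renamed)):
            print(f"  {kind:22s} {part}")
```

Run against a real sample by passing the file's bytes to classify_vba_parts; a "vba-project-renamed" hit on a part whose content type is one of the signature types would indicate the same misfire this report shows.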

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source from OOXML)  1933 bytes
SHA-256: 2b37fbc4b05b95056d1ea6f03a5ee88a542b950388982a38609c6585a2ecbeba
Preview of the extracted script (the viewer shows up to the first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "RibbonControl"
Option Explicit
Public myRibbon As IRibbonUI

'Callback for FXGFloat onAction
Sub FXSFloatingStub(control As IRibbonControl)
    InsertFXSObject.FXStatFloating
End Sub

'Callback for FXGInLine onAction
Sub FXSInlineStub(control As IRibbonControl)
    InsertFXSObject.FXStatInline
End Sub

Attribute VB_Name = "InsertFXSObject"
Public Sub FXStatFloating()
Rem Copyright 2010 Efofex Software ABN 49 009 428 380
On Error GoTo Err_Handler
    ActiveDocument.Shapes.AddOLEObject Anchor:=Selection.Range, ClassType:= _
        "FXStat.Graph", FileName:="", LinkToFile:=False, DisplayAsIcon:=False
Exit Sub
Err_Handler:
  If Err.Number = 4198 Then
    If iErrCounter <= 5 Then
      'Debug.Print iErrCounter & vbCrLf
      For iWait = 1 To 1000
        DoEvents
      Next iWait
      iErrCounter = iErrCounter + 1
      Resume
    End If
  End If
  'MsgBox Err.Description, vbInformation, "VBA Error " & Err.Number & "Not Handled"
  Exit Sub
End Sub

Public Sub FXStatInline()
Rem Copyright 2010 Efofex Software ABN 49 009 428 380
On Error GoTo Err_Handler
    Selection.InlineShapes.AddOLEObject ClassType:="FXStat.Graph", _
        FileName:="", LinkToFile:=False, DisplayAsIcon:=False
Exit Sub
Err_Handler:
  If Err.Number = 4198 Then
    If iErrCounter <= 5 Then
      'Debug.Print iErrCounter & vbCrLf
      For iWait = 1 To 1000
        DoEvents
      Next iWait
      iErrCounter = iErrCounter + 1
      Resume
    End If
  End If
  'MsgBox Err.Description, vbInformation, "VBA Error " & Err.Number & "Not Handled"
  Exit Sub
End Sub
vbaProject_00.bin  vba-project  OOXML VBA project: word/vbaProject.bin  22016 bytes
SHA-256: 3d983daed7c95d37c669eab77595fb9a9f80fb2cdedd27659da9a13108dcf116
vbaProject_01.bin  vba-project  OOXML VBA project: word/vbaProjectSignatureAgile.bin  9916 bytes
SHA-256: 3930f6b2693c55081c23275eb20ef4e6f39f488434bd8209c7f9b7a819f94203
vbaProject_02.bin  vba-project  OOXML VBA project: word/vbaProjectSignature.bin  9801 bytes
SHA-256: 7bdf7068cc2490baa47667c40a45e2a5ef96ba55ce9a3d7af19ecd1def5cc1f7
Note: only vbaProject_00.bin (word/vbaProject.bin, the 22016-byte part) is the VBA project proper. vbaProject_01.bin and vbaProject_02.bin, listed by the tool under the same "vba-project" kind, are the agile and legacy VBA digital-signature parts: they hold the signer certificate chain (the source of the Comodo/UserTrust URLs under EMBEDDED_URL) and the signed project hashes, not a second copy of the macro code.