Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 58fb11dc51c7f939…

MALICIOUS

Office (OOXML)

Size: 33.8 KB
Created: 2018-02-09 06:03:26 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-10-01
MD5: c56099489433b8771ec1258bf8d14c51
SHA-1: ab94d284af96208d119118f78e65f564fb7c9b0e
SHA-256: 58fb11dc51c7f93943070051e5df5fa2448985ce9628a8be7869256d870c7d0c
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The VBA macro uses the URLDownloadToFile function to download a file from a remote source and ShellExecuteA to execute it. This indicates downloader or dropper functionality, aiming to fetch and run a secondary payload. The presence of WScript.Shell and CreateObject calls further supports the execution of arbitrary code.

Heuristics (7)

  • VBA project inside OOXML [medium] (4 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
        Set oShell = CreateObject("Wscript.Shell")
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script:
        Declare PtrSafe Function URLDownloadToFile Lib "urlmon.dll" Alias "URLDownloadToFileA" _
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        myURL = WinHttpReq.responseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set XMLhttp = CreateObject("MSXML2.ServerXMLHTTP")
  • External hyperlinks (16) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 16 external hyperlinks — clickable URLs are stored as external relationships. First target: https://endic.naver.com/enkrIdiom.nhn?idiomId=bae20a8e61a543eea230739ac50bb18b&query=ride+a+bike
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://some.web.address/ (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10456 bytes
SHA-256: 19dfa5a79eb81d7f222ea0c8181bc944b17bd76c754986da60759154ed792521
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "현재_통합_문서"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_FollowHyperlink(ByVal Target As Hyperlink)
    Dim TargetF As String
    Application.ScreenUpdating = False
    Mp3AlPha = True
    If Target.Range.Column = 3 Then 'MsgBox Target.SubAddress
        TargetF = ActiveWorkbook.Path & "\" & MP3PATH & "\"
        If Mp3AlPha Then
            TargetF = TargetF & Left(Sheet1.Range(Target.SubAddress).Offset(, -1).Value, 1) & "\"
        End If
        TargetF = TargetF & Sheet1.Range(Target.SubAddress).Offset(, -1).Value & ".mp3"
        If Len(Dir(TargetF)) Then MCIAudioPlay TargetF
    End If
    Application.ScreenUpdating = True
End Sub


Attribute VB_Name = "Module1"
Option Explicit
#If VBA7 Then
    Declare PtrSafe Function URLDownloadToFile Lib "urlmon.dll" Alias "URLDownloadToFileA" _
        (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
        ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

    Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
        (ByVal hwnd As Long, ByVal lpszOp As String, _
         ByVal lpszFile As String, ByVal lpszParams As String, _
         ByVal LpszDir As String, ByVal FsShowCmd As Long) _
         As Long
    
    Declare PtrSafe Function MCISendString Lib "winmm.dll" Alias _
       "mciSendStringA" (ByVal lpstrCommand As String, ByVal _
       lpstrReturnString As Any, ByVal uReturnLength As Long, ByVal _
       hwndCallback As Long) As Long
#Else
    Declare Function URLDownloadToFile Lib "urlmon.dll" Alias "URLDownloadToFileA" _
        (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
        ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

    Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
        (ByVal hwnd As Long, ByVal lpszOp As String, _
         ByVal lpszFile As String, ByVal lpszParams As String, _
         ByVal LpszDir As String, ByVal FsShowCmd As Long) _
         As Long
    
    Declare Function MCISendString Lib "winmm.dll" Alias _
       "mciSendStringA" (ByVal lpstrCommand As String, ByVal _
       lpstrReturnString As Any, ByVal uReturnLength As Long, ByVal _
       hwndCallback As Long) As Long
#End If

Public MCIPlay As Long
Public Mp3AlPha As Boolean  ' If True, save each word's MP3 under its first letter: Mp3\a, Mp3\b, Mp3\c ...
Public Const MP3PATH = "Mp3"

Sub GetWordList()

    Dim sht As Worksheet
    Dim i As Long
    Dim LastRow As Long
    Dim Rng As Range
    
    Dim XMLhttp As Object   'ServerXMLHTTP  'WinHttpRequest
    Dim Html As HTMLDocument, Html2 As HTMLDocument
    Dim Result As IHTMLElementCollection
    Dim Url As String, str As String
    Dim wordlist As Object
    Dim TargetUrl As String, LocalFile As String, LocalPath As String
    
    Set XMLhttp = CreateObject("MSXML2.ServerXMLHTTP")
    'Set XMLhttp = CreateObject("Microsoft.XMLHTTP")
    'Set XMLhttp = New ServerXMLHTTP ' WinHttpRequest
    Set Html = New HTMLDocument
    Set Html2 = New HTMLDocument
    
    On Error Resume Next
    Mp3AlPha = True 'save into per-letter folders
        
    Set sht = ActiveSheet
    sht.Hyperlinks.Delete
    
    'UserForm1.Show vbModeless   'progress bar
    'Application.ScreenUpdating = False
    
    LastRow = sht.Cells(sht.Rows.Count, 2).End(xlUp).Row
    
    For Each Rng In sht.Range("B2:B" & LastRow)
        str = vbNullString
        Url = "https://endic.naver.com/search.nhn?sLn=kr&query=" & Rng.Value
    
        With XMLhttp
            .Open "Get", Url
            .setRequestHeader "User-Agent", "Mobile"
            .send
            .WaitForResponse
            Html.body.innerHTML = .responseText
        End With
        
        '인덱스
        i = i + 1
        Rng.Offset(, -1).Value = i
        
        'web link on the word
        Set Result = Html.getElementsByClassName("fnt_e30")
        If Result.Length Then
            'str = Html.getElementsByClassName("N=a:wrd.entry")(0).getAttribute("href")
            Html2.body.innerHTML = Result(0).innerHTML
            str = Html2.getElementsByTagName("a")(0).getAttribute("href")
            str = Replace(str, "about:/", "/")  'strip the about: prefix
            sht.Hyperlinks.Add anchor:=Rng, _
                                    Address:="https://endic.naver.com" & str, _
                                    ScreenTip:="단어검색(외부브라우저)"
            Rng.Font.Underline = xlUnderlineStyleNone
            Rng.Font.Color = rgbDarkBlue
            Rng.Font.Bold = True
        End If
        
        'create the folder if it does not exist
        LocalPath = ActiveWorkbook.Path & "\" & MP3PATH
        If Len(Dir(LocalPath, vbDirectory)) = 0 Then MkDir LocalPath
        'save into the folder named after the first letter
        If Mp3AlPha Then
            LocalPath = LocalPath & "\" & Left(Rng.Value, 1)
            If Len(Dir(LocalPath, vbDirectory)) = 0 Then MkDir LocalPath
        End If
        
        'pronunciation file
        Set Result = Html.getElementsByClassName("btn_side_play _soundPlay")
        If Result.Length Then
            TargetUrl = Result(0).getAttribute("playlist")
            LocalFile = LocalPath & "\" & Rng.Value & ".mp3"
            'DownloadFile TargetUrl, LocalFile
            URLDownloadToFile 0, TargetUrl, LocalFile, 0, 0
            
            'phonetic transcription
            Rng.Offset(, 1).Value = Html.getElementsByClassName("fnt_e25")(0).innerText
            'add a hyperlink to the pronunciation file
            sht.Hyperlinks.Add anchor:=Rng.Offset(, 1), _
                                     Address:="", _
                                     SubAddress:=Rng.Offset(, 1).Address, _
                                    ScreenTip:=LocalFile
            Rng.Offset(, 1).Font.Underline = xlUnderlineStyleNone
            'Rng.Offset(, 1).Font.Color = rgbBlack
            
            'meaning
            Rng.Offset(, 2).Value = Html.getElementsByClassName("fnt_k05")(0).innerText
            
            'example sentence
            Rng.Offset(, 3).IndentLevel = 1
            Rng.Offset(, 3).Value = Html.getElementsByClassName("fnt_e07")(0).innerText
            Rng.Offset(, 3).ShrinkToFit = True  'shrink the text to fit the cell
            
            'translation of the example sentence
            Rng.Offset(, 4).IndentLevel = 1
            Rng.Offset(, 4).Value = Html.getElementsByClassName("fnt_k10")(0).innerText
            Rng.Offset(, 4).ShrinkToFit = True
            
        End If
        
        Application.StatusBar = "(" & i & "/ " & (LastRow - 1) & ") " & _
                                CInt(i * 100 / (LastRow - 1)) & " %"
        'UserForm1.Caption = "Processing " & i & "/ " & (LastRow - 1) & "..."
        'UserForm1.ProgressBar1.Value = CInt(i * 100 / (LastRow - 1))
        
    Next Rng
    
    Set Html2 = Nothing
    Set Html = Nothing
    Set XMLhttp = Nothing
    
    Application.StatusBar = False
    'Unload UserForm1
    'Application.ScreenUpdating = True

End Sub

'//not used
Sub DownloadFile(myURL As String, saveFILE As String)

    'myURL = "https://YourWebSite.com/?your_query_parameters"
    'saveFILE = "C:\file.csv"
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", myURL, False, "username", "password"
    WinHttpReq.send
    
    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Dim oStream As Object
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile saveFILE, 2 ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

End Sub

Sub URLDownload(myURL As String, DownloadFile As String)
    Dim LocalFilename$
    
    'DownloadFile$ = "someFile.ext" 'here the name with extension
    'Url$ = "http://some.web.address/" & DownloadFile 'Here is the web address
    LocalFilename$ = "C:\Some\Path" & DownloadFile
    'here the drive and download directory
    MsgBox "Download Status : " & URLDownloadToFile(0, myURL, LocalFilename, 0, 0) = 0
End Sub

'//not used
Function killHyperlinkWarning()
    Dim oShell As Object
    Dim strReg As String

    strReg = "Software\Microsoft\Office\11.0\Common\Security\DisableHyperlinkWarning"

    Set oShell = CreateObject("Wscript.Shell")
    oShell.RegWrite "HKCU\" & strReg, 1, "REG_DWORD"
End Function

'// Not used
Public Sub ShellEx(ByVal Path As String, Optional ByVal Parameters As String, Optional ByVal HideWindow As Boolean)

    If Dir(Path) > "" Then
        ShellExecute 0, "open", Path, Parameters, "", IIf(HideWindow, 0, 1)
    End If

End Sub

Sub MCIAudioPlay(TargetFile As String)
   
    'If MusicOff Then Exit Sub
    'TargetFile should not include any space like "program files\~"
    'send the audio start signal
    MCIPlay = MCISendString("close myAudio", Nothing, 0, 0)
    'MCIPlay = mciSendString("play " & Track, 0&, 0, 0)
    MCIPlay = MCISendString("open " & Chr$(34) & TargetFile & Chr$(34) & " alias myAudio wait", Nothing, 0, 0)
    MCIPlay = MCISendString("setaudio myWAudio volume to 150", Nothing, 0, 0)
    MCIPlay = MCISendString("play myAudio", Nothing, 0, 0)  ' repeat
End Sub

Sub MCIAudioStop()
    If MCIPlay Then
        MCIPlay = MCISendString("stop myAudio", Nothing, 0, 0)
        MCIPlay = MCISendString("close myAudio", Nothing, 0, 0)
    End If
End Sub

'// not used
'Sub RemoveReference()
'    Dim refs As References
'    Dim rf As Reference
'
'    Set refs = ThisWorkbook.VBProject.References
'    On Error Resume Next
'    Set rf = refs("MSForms")
'    Err.Clear
'    If Not rf Is Nothing Then refs.Remove rf
'
'End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 44032 bytes
SHA-256: 12b81fe0f1493f4f632f01adb2be58ff774accc72c5c189336931e3c93e105e0