Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6c4b6b18d03f9f53…

MALICIOUS

Office (OOXML)

15.1 KB Created: 2021-02-10 16:52:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-02-19
MD5: 1459594f2f79bfea3458e1500299c356 SHA-1: 4e210ec2a60841ee4436f020add792df3f02a266 SHA-256: 6c4b6b18d03f9f536224bbd274a45bd53e14cd612e12367116652e5239ccf444
98 Risk Score

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA native-memory callback shellcode loader critical OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADER
    VBA auto-exec macro declares or calls native memory allocation, process-memory write/copy, and callback/timer execution APIs. This is the in-memory shellcode loader pattern: allocate writable memory, copy decoded payload bytes into it, then transfer control through a callback such as CreateTimerQueueTimer. Benign document automation does not combine these primitives.
    Matched line in script
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AUToOpEN()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub aUTo_OpEN()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 921 bytes
SHA-256: 751a342dc356683f8fa1b5da9b8aafa3817e6f176b4fac6235b879587f4de36c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long











Sub aUTo_OpEN()
    main
End Sub


Sub AUToOpEN()
    main
End Sub



Sub main()

    MsgBox (CStr(AddressOfCreateThread))

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: 1ea5af37fdcb8f0114fa2b89000169ce76294eebfb9c0354bf9625d8571bcc4e