Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 730540d235c2cd87…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 2.46 MB
Created: 2014-01-06 11:01:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2018-01-08
MD5: a547a33cef9b66f556ce3eac8e2e306f
SHA-1: d324ca3c059d464142184b0cc1ad381cf1c4ddbf
SHA-256: 730540d235c2cd878ad10f1d56f698234d132496837426f54dd8c9bc57b16ae3
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is an OOXML document containing multiple VBA macros, including auto-executing ones like AutoOpen and Document_Open. Critical heuristics indicate the use of Shell() and CreateObject calls, along with obfuscated code, strongly suggesting the execution of malicious code. The presence of these elements points to a macro-based attack designed to download and execute a secondary payload, a common tactic for initial compromise.

Heuristics (10)

  • VBA project inside OOXML [medium] OOXML_VBA (8 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
  • Document_Open macro [high] OLE_VBA_DOCOPEN
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
    • http://www.allapi.net/
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2662308 bytes
SHA-256: cbc65b8879ee1632967909cf0784d8ef6856ffa73c4590581eac9dcaf27c372a

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ChkPage"
Attribute VB_Base = "0{DA289408-08F0-4E1F-AFBE-FEBA38DC9DAD}{6706B64B-CF8C-437F-849D-B6FF3E0BC081}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
'Application.Run MacroName:="مراجعةأرقام_صفحات_الفهارس"
Ch = 1
ChkPage.HIDE
End Sub
Private Sub CommandButton2_Click()
Ch = 2
ChkPage.HIDE
'Application.Run MacroName:="مراجعةأرقام_صفحات_الفهارس2"
End Sub
Private Sub CommandButton4_Click()
End
End Sub

Attribute VB_Name = "copy"
Attribute VB_Base = "0{BF7978E8-492C-4461-981A-9DD48322620A}{9F5534B8-8D8A-485E-B9B8-98808E3FB30D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub CheckBox3_Click()
If CheckBox3 = True Then fn2 = 2
If CheckBox3 = False Then fn2 = 0
End Sub
Private Sub CommandButton1_Click()
sors = Selection
Selection.copy
If fn2 = 2 Then
Selection.MoveRight Unit:=wdCharacter, Count:=1
Selection.MoveLeft Unit:=wdCharacter, Count:=1
'Selection.TypeText Text:=" "
'Selection.MoveLeft Unit:=wdCharacter, Count:=1
Selection.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
"PAGE  \* Arabic ", PreserveFormatting:=True
Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdExtend
'Selection.MoveLeft Unit:=wdCharacter, Count:=2, Extend:=wdExtend
'Selection.Fields.Unlink
Pg = Selection
Selection.Delete Unit:=wdCharacter, Count:=1
End If
Nc = Nc + 1
mysource2.Activate
Selection.TypeText Text:=sors
Selection.Find.Execute FindText:=sors, Forward:=False, Wrap:=wdFindStop
Selection.MoveRight Unit:=wdCharacter, Count:=1
Selection.TypeText Text:=" " + Pg
'Selection.Paste
Selection.RtlRun
'Selection.TypeText Text:=vbTab + pg
Selection.TypeParagraph
Selection.WholeStory
Selection.copy
Selection.EndKey Unit:=wdStory
mysource1.Activate
End Sub
Private Sub CommandButton2_Click()
mysource2.Activate
Selection.WholeStory
Selection.copy
mysource1.Activate
Selection.Paste
'Selection = ""
'mysource2.Close SaveChanges:=wdDoNotSaveChanges
End Sub
Private Sub CommandButton3_Click()
On Error Resume Next
Selection = ""
mysource2.Close SaveChanges:=wdDoNotSaveChanges
End
End Sub
Private Sub CommandButton4_Click()
mysource2.Close SaveChanges:=wdDoNotSaveChanges
End
End Sub

Attribute VB_Name = "FrmRef1"
Attribute VB_Base = "0{0D4B8977-1804-4631-83CA-5BE6C2465BC6}{C409C76F-3123-4C7A-B95C-C651C58A5063}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Dim FileLoaded As Boolean
Dim OldKey As String
Dim Ref As Collection
Private Sub CommandButton1_Click()
Open "c:\saudmac2007-13\Obt\FrmRef1TrueOrFalse.txt" For Output As #9
Write #9, "FrmRef1"
Write #9, FrmRef1.CheckBox5.Value
Write #9, FrmRef1.CBHash.Value
Write #9, FrmRef1.CheckBox4.Value
Close (9)
End
End Sub
Private Sub CommandButton2_Click()
Dim Sp
If Hash = 1 Then

End If
If FrmRef1.CheckBox5 = False Then Sp = " "
If FrmRef1.CBHash = True Then
Selection.TypeText Text:="<"
End If
If FrmRef1.CheckBox5 = True Then
Selection.TypeText Text:="+["
End If
Selection.Text = ListResult.Text & Sp
Selection.MoveRight Unit:=wdCharacter, Count:=1
If FrmRef1.CheckBox5 = True Then
Selection.TypeText Text:="]"
End If
If FrmRef1.CBHash = True Then
Selection.TypeText Text:=">"
End If

End Sub
Private Sub ListResult_Click()
Me.Caption = ListResult.Text
... (truncated)

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 7399424 bytes
SHA-256: 7956da48d494cde8e35879e07162d5db971363781ce86a4fb39f08fd49e9b51b