Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9b90971692e1db88…

MALICIOUS

Office (OOXML)

711.2 KB Created: 2014-07-04 09:40:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-10-02
MD5: 8cb76036126a59aad73b666ae1da986d SHA-1: 9c10d87e64b82f4bdfa3ca6348fe5bb9ed2569b9 SHA-256: 9b90971692e1db88ee748e1491c57afcab59b08d92f3e7200adee8baebc69519
252 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro with a Document_Open subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes CreateObject and Shell() calls, indicating an attempt to run external commands or processes. While the specific payload is not directly visible, the presence of these indicators suggests a downloader or initial execution stage. The external hyperlink to 'www.mdpi.com' is noted but flagged as benign.

Heuristics 9

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • External hyperlinks (2) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: http://www.mdpi.com
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/00b0/index.htmIn document text (OOXML body / shared strings)
    • http://creativecommons.org/licenses/by-nc-sa/2.0/l���In document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/00b1/index.htm����In document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/2020/index.htm�h��In document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/03b2/index.htm���In document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/2032/index.htmIn document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/0052/index.htm,�In document text (OOXML body / shared strings)
    • http://www.fileformat.info/info/unicode/00b5/index.htmM*�WIn document text (OOXML body / shared strings)
    • http://www.mdpi.comDocument hyperlink
    • http://redmine.mdpi.com/projects/production-editing/wiki/MDPI_Formatting_Rules#ReferencesIn document text (OOXML body / shared strings)
    • http://search.crossref.org/In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 227148 bytes
SHA-256: 1177f9a13a1a21f0f09a6a6440b57696d189685d35ad27b008a2898013836fa4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private WithEvents App As Word.Application
Attribute App.VB_VarHelpID = -1
Private Sub Document_Open()
Set App = Word.Application

End Sub

Private Sub App_DocumentBeforeSave(ByVal doc As Document, SaveAsUI As Boolean, Cancel As Boolean)
Dim a
a = ActiveDocument.ComputeStatistics(Statistic:=wdStatisticWords, IncludeFootnotesAndEndnotes:=True)

End Sub

Attribute VB_Name = "article_metadata"
Attribute VB_Base = "0{97E050F3-F0FB-43EE-B047-7E6A7C334893}{222F4F2F-B1E4-45E5-816B-54B9A9B0A727}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False







Private Sub abstract_Change()

End Sub

Private Sub submit_metadata_Click()

    Word.ActiveDocument.BuiltInDocumentProperties("Author") = authors
    Word.ActiveDocument.BuiltInDocumentProperties("Title") = title
    Word.ActiveDocument.BuiltInDocumentProperties("Subject") = abstract 'Left(abstract, 254)
    Word.ActiveDocument.BuiltInDocumentProperties("Keywords") = keywords


    Dim strpdfname As String
    
    Application.PrintOut FileName:="", Range:=wdPrintAllDocument, Item:= _
                         wdPrintDocumentWithMarkup, Copies:=1, Pages:="", PageType:= _
                         wdPrintAllPages, Collate:=True, Background:=True, PrintToFile:=False, _
                         PrintZoomColumn:=0, PrintZoomRow:=0, PrintZoomPaperWidth:=0, _
                         PrintZoomPaperHeight:=0
    
    ' strpdfname = ActiveDocument.path & "\" & Left(ActiveDocument.Name, InStrRev(ActiveDocument.Name, ".") - 1) & ".pdf"

    '   ActiveDocument.ExportAsFixedFormat OutputFileName:= _
    '   strpdfname, _
    '    ExportFormat:=wdExportFormatPDF, OpenAfterExport:=False, OptimizeFor:= _
    '   wdExportOptimizeForPrint, Range:=wdExportAllDocument, from:=1, To:=1, _
    '  Item:=wdExportDocumentContent, IncludeDocProps:=True, KeepIRM:=True, _
    '  CreateBookmarks:=wdExportCreateNoBookmarks, DocStructureTags:=True, _
    ' BitmapMissingFonts:=True, UseISO19005_1:=True

    '''' below are codes to manipulate Acrobat.
    '''' single quotes are genuine codes, double or more quotes are comments

    ''Set pdapp = CreateObject("AcroExch.App")
    'Set pddoc = CreateObject("AcroExch.pddoc")
    '
    'pddoc.Open (strpdfname)
    ''pddoc.openavdoc (strpdfname)
    '
    'pddoc.SetPageMode (2)
    '
    ''====probably use pddoc.setinfo here to write author and keywords data to remove the quotation marks
    '' but syntax need to be researched
    '
    'Set jso = pddoc.getjsobject
    '
    ''msgbox jso.zoomtype.fitw gives fitwidth, but jso.zoomtype.fitw itself gives exception,
    ''and jso.zoomtype = jso.zoomtype.fitw does not work. maybe because vba mix upper case with lower case?
    ''consider use shell or command line to execute javascript if necessary? 'jso.layout also not working
    '
    'a = pddoc.Save(PDSaveIncremental, "")
    'pddoc.Close
    '
    'Dim strPrompt As String, editor_action As Integer
    '
    'strPrompt = "your pdf file has been generated at " & vbNewLine & strpdfname & vbNewLine & "please open the file and change magnification to fit width"
    'editor_action = MsgBox(strPrompt, vbOKCancel, "save as pdf done")
    '
    'If editor_action = 1 Then
    ''MsgBox (strpdfname)
    ''pdapp.Show
    'Else
    ''pdapp.exit
    'End If
    '
    'Set pddoc = Nothing

    MsgBox "Your pdf file has been generated at " & vbNewLine & strpdfname & vbNewLine, vbInformation
    article_metadata.hide
End Sub



Attribute VB_Name = "doi_pub_date"
Attribute VB_Base = "0{07FC4EE5-9C25-4573-BD8C-B233BCE43C10}{332BEB95-322F-4F74-8
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 901632 bytes
SHA-256: f0cd3cfd153d92695136ebbcd554437d100fd4da12de912a8d22ecf160e8de6f

Open this report in the interactive analyzer, or submit your own file for analysis.