Office (OOXML) malware analysis — malicious · bf0d0449f05fb513

MALICIOUS

Office (OOXML)

1.20 MB Created: 2014-02-14 15:22:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-17

MD5: 3fc568f51006865be8750f7f53b0f186 SHA-1: fb927b1e58bb49ea6f82098b809d6fca7470e59c SHA-256: bf0d0449f05fb513afbe827a02aed6ce98c23b91cbe7e29965d8754d19e03e2b

272 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is an OOXML document containing VBA macros. Critical heuristics indicate the use of Shell() and WScript.Shell, and a high-severity heuristic points to VBA p-code auto-execution with Shell() for payload execution. The VBA code appears to be designed to execute commands, likely for downloading and running a secondary payload, which is a common technique for malware delivery.

Heuristics 9

VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin)
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED

The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
VBA project carries a recognised code-signing signature info VBA_SIGNED_TRUSTED

The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.i4i.com In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/attribute-valuesIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/spl/r4inputIn document text (OOXML body / shared strings)
- https://github.com/VBA-tools/VBA-JSONIn document text (OOXML body / shared strings)
- http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.aspIn document text (OOXML body / shared strings)
- https://github.com/VBA-tools/VBA-JSON/pull/82In document text (OOXML body / shared strings)
- https://github.com/VBA-tools/VBA-UtcConverterIn document text (OOXML body / shared strings)
- http://i4i.com/s4ent/core/In document text (OOXML body / shared strings)
- http://localhostIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/data_hubIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/keywordsIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/eulm/infozoneIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/propfindIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/cxp/proppatchIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/propextractIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/ccxmlIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/configIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/schemaIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/schemaxmlIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/densemarkupIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/keywordsIn document text (OOXML body / shared strings)
- http://i4i.com/s4ent/A4LIn document text (OOXML body / shared strings)
- http://www.i4i.com/In document text (OOXML body / shared strings)
- http://www.susandoreydesigns.com/software/WordVBATechniques.pdfIn document text (OOXML body / shared strings)
- http://i4i.com/s4ent/DocumentManagement/In document text (OOXML body / shared strings)
- https://raw.githubusercontent.com/HealthCanada/HPFB/master/product-monograph/style-sheet/spl_canada.xslIn document text (OOXML body / shared strings)
- http://www.fiddler2.com1In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/spl/r4input�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/propfind(In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/ccxmlxtractIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/attribute-values(In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/configes(In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/schemaesIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/schemaxml$In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/configxml��%In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/keywordskupIn document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/data_hubkup�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/keywords�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/propfind�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/attribute-values�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/config�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4w/schema�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/keywords�In document text (OOXML body / shared strings)
- http://www.i4i.com/ns/x4o/data_hub�In document text (OOXML body / shared strings)
- http://i4i.com/s4ent/core/�In document text (OOXML body / shared strings)
- http://i4i.com/s4ent/A4L�In document text (OOXML body / shared strings)
- http://www.vaers.hhs.gov�In document text (OOXML body / shared strings)
- http://@www.ac��sIn document text (OOXML body / shared strings)
- http://ocsp.digicert.com0OIn document text (OOXML body / shared strings)
+61 more URL(s)

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1310954 bytes
SHA-256: `8b80c5d97576fb55490dcfce9d55c24187f9ddfdf76108c3df07e663dcc49300`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' 'Company: Infrastructures For Information - i4i(www.i4i.com) 'Comment: Holds document level events 'Date Created: 2010.10.15 'Developer: Rob Southon ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Private Sub Document_ContentControlAfterAdd(ByVal NewContentControl As ContentControl, ByVal InUndoRedo As Boolean) On Error Resume Next 'Fixed to #20888, #20890 If InUndoRedo Then g_bSkipEvents = True Exit Sub End If Dim oDoc As Document Set oDoc = NewContentControl.Parent 'Remove myself if I'm not allowed - don't allow creation of a CO, CC, HD, ST inside of a CO - 12457 If NewContentControl.Tag <> "" Then 'Don't act on CCs without a tag Dim sMyPrefix As String Dim sParentPrefix As String sMyPrefix = Left(NewContentControl.Tag, 3) sParentPrefix = Left(NewContentControl.ParentContentControl.Tag, 3) If (sMyPrefix = gc_sCCPrefixPCData Or sMyPrefix = gc_sCCPrefixStructure Or sMyPrefix = gc_sCCPrefixHighlight Or sMyPrefix = gc_sCCPrefixHeading Or sMyPrefix = gc_sCCPrefixStandardText Or sMyPrefix = gc_sCCPrefixHighlight) And (sParentPrefix = gc_sCCPrefixKeyword Or sParentPrefix = gc_sCCPrefixPCData Or sParentPrefix = gc_sCCPrefixHeading Or sParentPrefix = gc_sCCPrefixStandardText) Then 'i4i internal: defect12556 'if parent content control is "st:adverse_highlight", it shouldn't be deleted - special description in highlight for section 6 If NewContentControl.ParentContentControl.Tag <> gc_sCCPrefixStandardText + "adverse_highlight" Then NewContentControl.Delete False End If Exit Sub End If End If 'For moving sections so we don't duplicate IDs If g_bSkipIds = True Then Exit Sub 'Add in our GUID attributes If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttGuid, gc_sXmlnsX4wAttVals) = "" Then g_CAttribute.SetAttributeValue NewContentControl, gc_sAttGuid, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals End If '16583 - set our permanent ID attribute values If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttPermId, gc_sXmlnsX4wAttVals) = "" Then g_CAttribute.SetAttributeValue NewContentControl, gc_sAttPermId, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals End If End Sub Private Sub Document_ContentControlOnEnter(ByVal ContentControl As ContentControl) On Error GoTo PROC_ERR If g_bSkipEvents = True Then Exit Sub 'for densemarkup - autoselect If ContentControl.Tag = "ct:DenseMarkup" Then selectDenseMarkupNode ContentControl End If If ContentControl.Tag = "cv:Materials" Then CleanUpMaterialListEntries End If Dim oDoc As Document Set oDoc = ContentControl.Parent 'i4i internal: defect12631 'Keep a flag to remember if the doc was saved because setting locks dirties the document and we don't want it to Dim bDocSaved As Boolean bDocSaved = oDoc.Saved 'i4i internal: defect12087 'this would cause "can't execute code in break mode" error after close IE browser If IsError(g_ox4oRibbon) = False Then If Not g_ox4oRibbon Is Nothing Then g_ox4oRibbon.Invalidate End If Else 'We don't have control of the menus! Inform the user and close the document If MsgBox(g_CLocalization.GetMessage("c_X4O_NOT_CONNECTED_CONFIRM_SAVE", gc_sAppName), vbYesNo + vbCritical, gc_sAppName) = vbYes Then oDoc.Close True Else ... (truncated)
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	2820096 bytes
SHA-256: `4ed19374f6ed8778a52e3d285dc111b13f0ff7c352ad9c6b15d49d836278dccd`
`vbaProject_01.bin`	vba-project	OOXML VBA project: word/vbaProjectSignatureV3.bin	9079 bytes
SHA-256: `9282f5860f2ca1aa75fbd245c6647b3deb5565e42d1de74c4477e530abc6a340`
`vbaProject_02.bin`	vba-project	OOXML VBA project: word/vbaProjectSignatureAgile.bin	9079 bytes
SHA-256: `f834d850b66ad9bc42ce13e238b2f29e441cfda642cd25c8de0fecae85f04758`
`vbaProject_03.bin`	vba-project	OOXML VBA project: word/vbaProjectSignature.bin	8964 bytes
SHA-256: `bc3c21413f701209574eb1006e95a5be4e83f530464122454ba96862ec5ce62a`

Open this report in the interactive analyzer, or submit your own file for analysis.