Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dba6dda3ec8ab1be…

MALICIOUS

Office (OOXML)

Size: 1.59 MB
Created: 2020-06-26 17:58:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-09-23
MD5: 847f87a9501a656f473aa78a8189cafd
SHA-1: a2740db12be29bc00c33b4943686352622b8151b
SHA-256: dba6dda3ec8ab1beffdd3278915f93367d5a638f50e5d160f8dd31781727a165
Risk Score: 644

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File: User Execution
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing obfuscated VBA macros. Critical heuristics indicate the use of `Shell()`, `WScript.Shell`, and `URLDownloadToFile`, suggesting the macro's purpose is to download and execute a second-stage payload. The presence of `auto-exec` and `obfuscated_autoexec_loader` firings further supports this, indicating a dropper functionality.

Heuristics (14)

  • ClamAV: Doc.Dropper.Generic-6834355-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Generic-6834355-0
  • VBA project inside OOXML (medium, 9 related findings, OOXML_VBA)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureAgile.bin)
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • VBA property-stored shellcode loader (critical, OLE_VBA_PROPERTY_SHELLCODE_LOADER)
    VBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project carries a recognised code-signing signature (info, VBA_SIGNED_TRUSTED)
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1025837 bytes
SHA-256: 56516976c20d15fef5bcf095cc7fc166adef8e89092637908447037e658a17dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "thisApplication"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit

Public WithEvents oApp As Word.Application
Attribute oApp.VB_VarHelpID = -1
Const bTestEvents As Boolean = False
Public ignoreDocChange As Boolean
Public doAfterEvent As Boolean

Public Sub RunOpenCodeOnActiveDocument()
    RunOpenCode ActiveDocument
End Sub

Private Sub RunOpenCode(ByRef thisDoc As Document)
    Dim sMode As String
    Dim sProcessStarted As String
    Dim saveFile As String
    Dim sMappingInfo As String
    
    On Error GoTo ExitCode
    
    'DS: some files had sant template mode properties and when used in build it blows up if we run the other actions as well
    'so skip the processing if we have an active build going on.
    If bActiveBuild Then
        DebugMsgBox "Not running code on [" & thisDoc.FullName & "] due to build process", "RunOpenCode:"
        Exit Sub
    End If
    
    Dim stubMode As String
    stubMode = GetPropertyText("QvidianStubMode", thisDoc)
    DebugMsgBox "Stub Operation [" & stubMode & "]", "RunOpenCode:"
    gOpenViaNewEdit = False
    If stubMode <> "" Then
        modDocProperties.WriteProperty "QvidianStubMode", "Processed", thisDoc

        Dim sServer As String
        'Dim sUserID As String
        Dim sJobFile As String
        Dim contentCount As Integer
        sServer = GetPropertyText("Server", thisDoc)
        DebugMsgBox "Server in stub file is [" & sServer & "]", "RunOpenCode:"
        Select Case stubMode
            Case "MultiEdit"
                ' MAJOR BUG FOR Office 2013!!!!
                ActiveWindow.View.ReadingLayout = False
                
                ' Before we do anything else, hide the text that is only required
                ' when the add-in is NOT installed.
                ActiveWindow.Selection.WholeStory
                ActiveWindow.Selection.Delete
                ActiveDocument.Saved = True
                sJobFile = GetPropertyText("QvidianJobFile", thisDoc)
                contentCount = CInt(GetPropertyText("ContentCount", thisDoc))
                DebugMsgBox "sJobFile [" & sJobFile & "] and count of [" & contentCount & "]", "RunOpenCode:"
                If sJobFile <> "" Then
                    If processJobFile(sJobFile, contentCount) Then
                        MsgBox "Failed to download the Job File."
                    End If
                Else
                    MsgBox "The seed file does not contain a Job File!"
                End If
            Case "SantWordEdit"
            Case "Processed"
                'already ran on this doc, ignore
                'was causing multiple open requests with lots of errors associated.
        End Select
        DebugMsgBox "DONE WITH STUB OPERATION STUFF, WE'RE OUT OF HERE.", "RunOpenCode:"
        Exit Sub
    End If
    
    sMode = GetPropertyText("SantTemplateMode", thisDoc)
    sProcessStarted = GetPropertyText("ProcessStarted", thisDoc)
    DebugMsgBox "Template Mode [" & sMode & "], Process Started [" & sProcessStarted & "], File [" & thisDoc.FullName & "]", "RunOpenCode:"

    burstMode = False

    Select Case sMode
        Case "SantWordBulkLoad"
            'Check if existing bookmarks are ok.
            DebugMsgBox "CheckForExistingBookmarks", "RunOpenCode:"
            modTools.CheckForExistingBookmarks thisDoc
    End Select

    Select Case sMode
        Case "BulkloadLaunch", "SantWordBulkLoadActive"
            'Do nothing
        Case "SantR
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 4431872 bytes
SHA-256: cdcc5246b393b7ad2c6cebfa7f4882b1cba1a73906da26d5ed3525c9f7981f46
Detection
ClamAV: Doc.Dropper.Generic-6834355-0
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
vbaProject_01.bin | vba-project | OOXML VBA project: word/vbaProjectSignatureAgile.bin | 5835 bytes
SHA-256: aab90304d9e8ea3472e82b45bd86f0be6e3c1a73a8b39b61565adffff9a2b64f
vbaProject_02.bin | vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 5720 bytes
SHA-256: 04b0c0454b4f9ce68b3903a8ad84b3fbd80e0dfbfbc2dac97755d5a11cbc8450