Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 eb2e03ba4a098c10…

MALICIOUS

Office (OOXML)

3.69 MB Created: 2021-07-14 15:34:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-25
MD5: 916b558369b243407b2686c842f3887c SHA-1: 72300bb33898c4d05c93a4fc41fe1fbf0dcd084c SHA-256: eb2e03ba4a098c10adc80fefa222f67092a8d37ff8a8c61ce8804a8cf305cab8
536 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample contains VBA macros with critical firings for Shell(), WScript.Shell usage, and URLDownloadToFile, indicating it attempts to download and execute a payload. The macro's Document_New subroutine checks for specific fonts and closes the document if they are not installed, suggesting a social engineering lure. The URL http://www.npes.org/pdfx/ns/id/ was recovered from an embedded OLE object and is likely the source of the second-stage payload.

Heuristics 17

  • VBA project inside OOXML medium 11 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin)
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • VBA project carries a recognised code-signing signature info VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://key-design-share.com/FHG_Erscheinungsbild/01_Grundelemente/1_1_Logos/ Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • http://www.npes.org/pdfx/ns/id/Referenced by macro
    • https://info-archiv.fraunhofer.de/cd-2009/Fraunhofer_Erscheinungsbild/01_Grundelemente/1_1_Logos/Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
    • http://ns.adobe.com/xap/1.0/Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/Referenced by macro
    • http://purl.org/dc/elements/1.1/Referenced by macro
    • http://ns.adobe.com/pdf/1.3/Referenced by macro
    • http://ns.adobe.com/pdfx/1.3/Referenced by macro
    • http://ocsp.globalsign.com/rootr30Referenced by macro
    • http://secure.globalsign.com/cacert/root-r3.crt06Referenced by macro
    • http://crl.globalsign.com/root-r3.crl0GReferenced by macro
    • https://www.globalsign.com/repository/0Referenced by macro
    • http://ocsp.globalsign.com/codesigningrootr450FReferenced by macro
    • http://secure.globalsign.com/cacert/codesigningrootr45.crt0AReferenced by macro
    • http://crl.globalsign.com/codesigningrootr45.crl0VReferenced by macro
    • http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=Referenced by macro
    • http://ocsp.globalsign.com/gsgccr45codesignca20200VReferenced by macro
    • http://crl.globalsign.com/gsgccr45codesignca2020.crl0Referenced by macro

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 40995 bytes
SHA-256: 67c6ff7e8572a6ee4fbffa5ff2ca851b43954f0f7dfc4c6a3c601a251c7f01ea
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim WithEvents appWord As Application
Attribute appWord.VB_VarHelpID = -1

Sub Document_New()
    Set appWord = Application
    
    '## schrift überprüfen
    Dim strFontName As String

    strFontName = "Frutiger LT Com 45 Light"
        If IsFontInstalled(strFontName) Then
            
        Else
            MsgBox strFontName & " ist  n i c h t  installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
            
            Documents.Close
            Exit Sub
        End If

    Dim strFontName2 As String

    strFontName2 = "Frutiger LT Com 55 Roman"
        If IsFontInstalled(strFontName2) Then
            
        Else
            MsgBox strFontName2 & " ist  n i c h t  installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
            
            Documents.Close
            Exit Sub
        End If
End Sub

Sub document_open()
    Set appWord = Application
End Sub

Private Sub appWord_DocumentBeforeSave(ByVal Doc As Document, SaveAsUI As Boolean, Cancel As Boolean)
    If (SaveAsUI) Then
        Cancel = True
        
        Set fd = Dialogs(wdDialogFileSaveAs)
        With fd
            .Format = wdFormatXMLDocument
            If .Show Then
                If (.Format = wdFormatXMLDocument) Then
                    ActiveDocument.SaveAs2 FileName:=.Name, _
                        FileFormat:=wdFormatXMLDocument, _
                        AddToRecentFiles:=True, _
                        SaveFormsData:=False, _
                        SaveAsAOCELetter:=False, _
                        CompatibilityMode:=14
                ElseIf (.Format = wdFormatXMLDocumentMacroEnabled) Then
                    ActiveDocument.SaveAs2 FileName:=.Name, _
                        FileFormat:=wdFormatXMLDocumentMacroEnabled, _
                        AddToRecentFiles:=True, _
                        SaveFormsData:=False, _
                        SaveAsAOCELetter:=False, _
                        CompatibilityMode:=14
                Else
                    ActiveDocument.SaveAs2 FileName:=.Name, FileFormat:=.Format
                End If
            End If
        End With
        Set fd = Nothing
        
        'Application.OnTime Now, "DocumentAfterSave"
    End If
End Sub

Sub DocumentAfterSave()
End Sub


Attribute VB_Name = "Logotausch"
Public checkLNG As Boolean

Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
    szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    
Function Stream_BinaryToString(Binary, CharSet)
  Const adTypeText = 2
  Const adTypeBinary = 1
  
  'Create Stream object
  Dim BinaryStream 'As New Stream
  Set BinaryStream = CreateObject("ADODB.Stream")
  
  'Specify stream type - we want To save text/string data.
  BinaryStream.Type = adTypeBinary
  
  'Open the stream And write text/string data To the object
  BinaryStream.Open
  BinaryStream.Write Binary
  
  
  'Change stream type To binary
  BinaryStream.Position = 0
  BinaryStream.Type = adTypeText
  
  'Specify charset For the source text (unicode) data.
  If Len(CharSet) > 0 Then
    BinaryStream.CharSet = CharSet
  Else
    BinaryStream.CharSet = "us-ascii"
  End If
  
  'Open the stream And get binary data from the object
  Stream_BinaryToString = BinaryStream.ReadText
End Function

Function Logo_einstellen(pfad, eps)
'    Selection.SetRange 0, 0
    ActiveDocument.ActiveWindow.View.SeekView = wdSeekCurrentPageHeader
        For Each sect In ActiveDocument.Sections
            For Each head In sect.Headers
                For Each shp In head.Shapes
'             
... (truncated)
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject2.bin 2810880 bytes
SHA-256: 2d352e6a783f45f64b769301cfcc38adbf232711e1c9994f7d5a0ca52ae3855a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.80, consistent with packed or encrypted content.
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 179712 bytes
SHA-256: 76e90a9f1e9aadfbf56d3ef29e2ca88b9f1eec4b8d1b8986098716baa8860585
vbaProject_01.bin vba-project OOXML VBA project: word/vbaProjectSignatureV3.bin 8993 bytes
SHA-256: f3666cf42a69480a435bbe95a33d98c32701fe5d545603fda109d88a71cb895b
vbaProject_02.bin vba-project OOXML VBA project: word/vbaProjectSignatureAgile.bin 8993 bytes
SHA-256: b5fdeb59e35d4e047813308732a47680eed53039d3558713324a3697926d211b
vbaProject_03.bin vba-project OOXML VBA project: word/vbaProjectSignature.bin 8878 bytes
SHA-256: 0a0a9068917f8ef5dae66c7ec37f849ab7ecfabdc8d0c162128f03956a6551f0
emf_00.emf ooxml-emf OOXML EMF part: word/media/image2.emf 18516 bytes
SHA-256: 1c2deedc3575abff3f48432c0522c1a2d470b5085559e5b5a18ac3db12cfd69f
emf_01.emf ooxml-emf OOXML EMF part: word/media/image1.emf 4376 bytes
SHA-256: b93d66b76d538f7e64b9ffeb40c33212007fe8139748f8721bd93b1ac061d1b0

Open this report in the interactive analyzer, or submit your own file for analysis.