Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f70cd5b33d49f8e2…

MALICIOUS

Office (OOXML)

3.69 MB Created: 2021-07-14 15:35:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-09-27
MD5: 75ab86163e6a399a6359516c38e02a8e SHA-1: a0146339c1770597d2138f5398e49eb2e5757db0 SHA-256: f70cd5b33d49f8e271cc2425ad221eb595d353cd19dd7cc67dd3e3eea1ad642c
536 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample contains VBA macros that attempt to trick the user into believing a required font is not installed, prompting them to install it. The macros also contain calls to WScript.Shell and URLDownloadToFile, indicating an intent to download and execute a second-stage payload from the URL http://www.npes.org/pdfx/ns/id/. The VBA project part has been renamed to evade detection.

Heuristics 17

  • VBA project inside OOXML medium 11 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin)
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • VBA project carries a recognised code-signing signature info VBA_SIGNED_TRUSTED
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://key-design-share.com/FHG_Erscheinungsbild/01_Grundelemente/1_1_Logos/ Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • http://www.npes.org/pdfx/ns/id/Referenced by macro
    • https://info-archiv.fraunhofer.de/cd-2009/Fraunhofer_Erscheinungsbild/01_Grundelemente/1_1_Logos/Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
    • http://ns.adobe.com/xap/1.0/Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/Referenced by macro
    • http://purl.org/dc/elements/1.1/Referenced by macro
    • http://ns.adobe.com/pdf/1.3/Referenced by macro
    • http://ns.adobe.com/pdfx/1.3/Referenced by macro
    • http://ocsp.globalsign.com/rootr30Referenced by macro
    • http://secure.globalsign.com/cacert/root-r3.crt06Referenced by macro
    • http://crl.globalsign.com/root-r3.crl0GReferenced by macro
    • https://www.globalsign.com/repository/0Referenced by macro
    • http://ocsp.globalsign.com/codesigningrootr450FReferenced by macro
    • http://secure.globalsign.com/cacert/codesigningrootr45.crt0AReferenced by macro
    • http://crl.globalsign.com/codesigningrootr45.crl0VReferenced by macro
    • http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=Referenced by macro
    • http://ocsp.globalsign.com/gsgccr45codesignca20200VReferenced by macro
    • http://crl.globalsign.com/gsgccr45codesignca2020.crl0Referenced by macro

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 42005 bytes
SHA-256: 8824bd6d44a10d094f214a789c2bf9d575b89bf5d7da3a041be4e2d16f1919bd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim WithEvents appWord As Application
Attribute appWord.VB_VarHelpID = -1

Sub Document_New()
    Set appWord = Application
    
    '## schrift überprüfen
    Dim strFontName As String

    strFontName = "Frutiger LT Com 45 Light"
        If IsFontInstalled(strFontName) Then
            
        Else
            MsgBox strFontName & " ist  n i c h t  installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
            
            Documents.Close
            Exit Sub
        End If

    Dim strFontName2 As String

    strFontName2 = "Frutiger LT Com 55 Roman"
        If IsFontInstalled(strFontName2) Then
            
        Else
            MsgBox strFontName2 & " ist  n i c h t  installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
            
            Documents.Close
            Exit Sub
        End If
End Sub

Sub document_open()
    Set appWord = Application
End Sub

Private Sub appWord_DocumentBeforeSave(ByVal Doc As Document, SaveAsUI As Boolean, Cancel As Boolean)
    If (SaveAsUI) Then
        Cancel = True
        
        Set fd = Dialogs(wdDialogFileSaveAs)
        With fd
            .Format = wdFormatXMLDocument
            If .Show Then
                If (.Format = wdFormatXMLDocument) Then
                    ActiveDocument.SaveAs2 FileName:=.Name, _
                        FileFormat:=wdFormatXMLDocument, _
                        AddToRecentFiles:=True, _
                        SaveFormsData:=False, _
                        SaveAsAOCELetter:=False, _
                        CompatibilityMode:=14
                ElseIf (.Format = wdFormatXMLDocumentMacroEnabled) Then
                    ActiveDocument.SaveAs2 FileName:=.Name, _
                        FileFormat:=wdFormatXMLDocumentMacroEnabled, _
                        AddToRecentFiles:=True, _
                        SaveFormsData:=False, _
                        SaveAsAOCELetter:=False, _
                        CompatibilityMode:=14
                Else
                    ActiveDocument.SaveAs2 FileName:=.Name, FileFormat:=.Format
                End If
            End If
        End With
        Set fd = Nothing
        
        'Application.OnTime Now, "DocumentAfterSave"
    End If
End Sub

Sub DocumentAfterSave()
End Sub



Attribute VB_Name = "Logotausch"
Public checkLNG As Boolean

Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
    szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    
Function Stream_BinaryToString(Binary, CharSet)
  Const adTypeText = 2
  Const adTypeBinary = 1
  
  'Create Stream object
  Dim BinaryStream 'As New Stream
  Set BinaryStream = CreateObject("ADODB.Stream")
  
  'Specify stream type - we want To save text/string data.
  BinaryStream.Type = adTypeBinary
  
  'Open the stream And write text/string data To the object
  BinaryStream.Open
  BinaryStream.Write Binary
  
  
  'Change stream type To binary
  BinaryStream.Position = 0
  BinaryStream.Type = adTypeText
  
  'Specify charset For the source text (unicode) data.
  If Len(CharSet) > 0 Then
    BinaryStream.CharSet = CharSet
  Else
    BinaryStream.CharSet = "us-ascii"
  End If
  
  'Open the stream And get binary data from the object
  Stream_BinaryToString = BinaryStream.ReadText
End Function

Function Logo_einstellen(pfad, eps)
'    Selection.SetRange 0, 0
    ActiveDocument.ActiveWindow.View.SeekView = wdSeekCurrentPageHeader
        For Each sect In ActiveDocument.Sections
            For Each head In sect.Headers
                For Each shp In head.Shapes
'           
... (truncated)
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject2.bin 2810880 bytes
SHA-256: 2d352e6a783f45f64b769301cfcc38adbf232711e1c9994f7d5a0ca52ae3855a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.80, consistent with packed or encrypted content.
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 181248 bytes
SHA-256: 0abdfcf440a966929d7c3a4eeea79100ab9d8f5c9b91b4413298f3b6e5bbca94
vbaProject_01.bin vba-project OOXML VBA project: word/vbaProjectSignatureV3.bin 8993 bytes
SHA-256: a8d8a581b595458f24648b63e9a79fc0f063391a80fdf369cd8c776b9532ea14
vbaProject_02.bin vba-project OOXML VBA project: word/vbaProjectSignatureAgile.bin 8993 bytes
SHA-256: 5117a92fa2d77648166af5de8e96ed0c234e3f5ac6452191fc8a825820d4ce78
vbaProject_03.bin vba-project OOXML VBA project: word/vbaProjectSignature.bin 8878 bytes
SHA-256: f33a0683de7fb258d435e0672a2f1c575b98b12942e4cf16f0e5bafb346e117b
emf_00.emf ooxml-emf OOXML EMF part: word/media/image2.emf 18516 bytes
SHA-256: 1c2deedc3575abff3f48432c0522c1a2d470b5085559e5b5a18ac3db12cfd69f
emf_01.emf ooxml-emf OOXML EMF part: word/media/image1.emf 4376 bytes
SHA-256: b93d66b76d538f7e64b9ffeb40c33212007fe8139748f8721bd93b1ac061d1b0

Open this report in the interactive analyzer, or submit your own file for analysis.