Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 0d0a3eb77bfb50a6…

MALICIOUS

Office (OOXML) / .DOC

Size: 55.2 KB
Created: 2013-11-29 02:18:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: 4f05e940e6f042567647407db90bb8ec
SHA-1: 94f10830f45eb42297943b1c76583ec1b2ece922
SHA-256: 0d0a3eb77bfb50a6ba4b3667b72a94b974a3f65c25b95f25d83d52ef3fd022bc
Risk Score: 402

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The VBA macro in the document uses WScript.Shell and CreateObject to download a file named 'All.txt' from either 'http://199.103.63.221/progsKK/All.txt' or 'http://www.scuolaelementarediorziveccho.191.it/Public/All.txt'. The downloaded file is saved as 'C:\tpm\All.exe' and then executed. The AutoOpen macro together with the Shell() and CreateObject calls indicates downloader functionality.

Heuristics (10)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • OLE_VBA_HTTP_DROP_EXEC (critical): VBA downloads and writes a file to disk
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • OFFICE_PACKAGE_RISKY_FILE (critical): Ole10Native package drops an auto-executable payload
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use: it is a malware-delivery dropper.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains a VBA project (VBA macros present)
  • OOXML_OLE_OBJECT (medium): Embedded OLE object
    Document contains an embedded OLE object
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://199.103.63.221/progsKK/All.txt
    • http://www.scuolaelementarediorziveccho.191.it/Public/All.txt
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | e598a211ef993e98b2c1d2ac511549c9bc1ac538c054b3b42af23a9a053d39c6 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1567 bytes
ooxml_oleobject_00.bin | b42b7c2b64d3fc5dcd4d7c48aabf3db636bab28e61f7e6098859c9362577c018 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject3.bin | 4096 bytes
ooxml_oleobject_00_ole10native_00.bin | 2dbcb3a64fde4f26c6158f639b9a22fdffcd0ac87a8ddbc22ea0041bcdc3925c | ole-package | OOXML word/embeddings/oleObject3.bin Ole10Native stream: Ole10Native | 1081 bytes
ooxml_oleobject_01.bin | 3b885d27303056e6757047bec3d047b4de0bcb3ced1c49848fdca80e6819d96d | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 4096 bytes
ooxml_oleobject_01_ole10native_00.bin | f3d1e90c28fa0fd95327fa66bcb58b53c4123e223976ced526d4683f9f512769 | ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 1089 bytes
ooxml_oleobject_02.bin | 2672b76ce7937419b081ffe2f6be8bcae47ff7cc06ff2a608a099d1c8d788ac8 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 4096 bytes
ooxml_oleobject_02_ole10native_00.bin | 35a955d2ecb9400bd61428915b4d5edef4520495b262b6785ebc67835a5d5276 | ole-package | OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native | 1075 bytes
vbaProject_00.bin | 4cc88c526abd542e48f9c0516586a5f2420c851cba7adceabf99bfcbd7ac1e52 | vba-project | OOXML VBA project: word/vbaProject.bin | 13824 bytes
emf_00.emf | b3d3c88ebce4635326f573e7dcc1471bd4389a76d1edcf2987dc7f9dde5d02f0 | ooxml-emf | OOXML EMF part: word/media/image4.emf | 5432 bytes
emf_01.emf | a693faf7210ab2f6e7b78f4620b394c25e40ad8f9e10343bb29093f7a516e0f6 | ooxml-emf | OOXML EMF part: word/media/image3.emf | 5408 bytes
emf_02.emf | ac8145e9614fbb4fda9b1ab32f03533ee9b8a2d8861b3932c83af3305e3ed69e | ooxml-emf | OOXML EMF part: word/media/image2.emf | 5476 bytes