Office (OOXML) malware analysis — malicious · 00627edeb9ce2f53

MALICIOUS

Office (OOXML)

8.2 KB

MD5: c524d4e39fa7d7e4f4c3813b0cf009d0 SHA-1: 9a3d3e6756e41c631ec18d1b2dbd3a525f3afeaa SHA-256: 00627edeb9ce2f53fa615e6670ee58415be60f9a04c483b788e0e7add2992aba

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains VBA macros with Auto_open and Auto_close subroutines. The Auto_open subroutine uses URLDownloadToFileA to download two files: 'http://updatewin32.xyz/3.txt' and 'http://edc.com.ly/index/wp.txt'. These downloaded files are saved as '%PUBLIC%\msi.ps1' and '%PUBLIC%\ComeCome.vbs' respectively, indicating an attempt to download and execute a second-stage payload. The use of Environ("Public") to construct the save path is noted.

Heuristics 6

URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `23aca0464ff56e9793b15590a51e2268f00bc29197ba28c83a382c441890e183`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	637 bytes
`vbaProject_00.bin` `349a5be4b9a7475882abe7ded8c587ddec5ba9d5b1de66eb227ef3a409c23dc2`	vba-project	OOXML VBA project: ppt/vbaProject.bin	18432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.