Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0c581327b192c2f9…

MALICIOUS

Office (OOXML)

Size: 17.0 KB
Created: 2021-03-14 02:05:13 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2021-07-10
MD5: 32886bd2f34dd3e4c4b1b7dc418a2a2a
SHA-1: d02d7140d20e38b80858e4f8067740365f17f90e
SHA-256: 0c581327b192c2f952886208846ce4366661e716799d6f99e664dbc4d3d803d0
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML document containing a Workbook_Open VBA macro. This macro is designed to execute a function that decodes and likely executes a secondary payload. The VBA code contains the functions 'Itago' and 'Ilabas', which perform character-by-character encoding operations (each shifts every character code by +2 or -2), a simple substitution obfuscation of a malicious command or URL. The presence of a Workbook_Open macro strongly indicates an attempt to automatically execute malicious code as soon as the document is opened, typical of a phishing attachment.

Heuristics (3)

  • VBA project inside OOXML (severity: medium, 2 related findings) [OOXML_VBA]
    Document contains a VBA project (VBA macros present).
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro (severity: low) [OLE_VBA_WBOPEN]
    Workbook_Open macro present.
    Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1123 bytes
SHA-256: 52137aa900a29ed58a06df62f64f29f305a3046008e77321ff540595ff5e8700
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function Itago(a As String) As String

Dim i As Integer
Dim s As String
For i = 1 To Len(a)
    s = Mid(a, i, 1)
    s = Chr(Asc(s) + 2)
    Itago = Itago & s
Next i

End Function
Function Ilabas(a As String) As String

Dim i As Integer
Dim s As String

For i = 1 To Len(a)
    s = Mid(a, i, 1)
    s = Chr(Asc(s) - 2)
    Ilabas = Ilabas & s
Next i

End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 18432 bytes
SHA-256: 04c6d9bddba04d6d678610abbc7d9758b43a84d216076485b1654518660fee2a