Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1eb25dd66bd926ab…

MALICIOUS

Office (OOXML)

Size: 104.7 KB
Created: 2021-07-26 05:40:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 58b51d9d71f67d52ea1229ef72ede2ea
SHA-1: dd9bc190ca74acfe4d4f0d7ec46b877696a619ce
SHA-256: 1eb25dd66bd926ab3aaf52c1cfb6c29d11348a9462740e3b864efc38371bef0b
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an OOXML document containing a VBA macro that executes upon opening. The macro is obfuscated but appears to use CreateObject and CallByName to download and execute a second-stage payload. The document body mimics an Amazon order confirmation to socially engineer the user into opening the malicious file. The embedded URL and reconstructed registry key are indicators of compromise.

Heuristics (8)

  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: https://divine-bar-3d75.visual-candy.workers.dev/colorful.png
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • https://divine-bar-3d75.visual-candy.workers.dev/colorful.png

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | 85fef7928dea70bbcbac2700a3af9d238dc7aec846ad00515d57bb14e3d6563d | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 117485 bytes
vbaProject_00.bin | 6e2cba722fa9a584428804726280ce673e7f59a75d70b4f55079f5fea72c189c | vba-project | OOXML VBA project: word/vbaProject.bin | 113664 bytes