Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3753a171e2907e15…

MALICIOUS

Office (OOXML)

13.9 KB Created: 2021-06-09 07:05:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-11-02
MD5: 6fd23d27043f5c1b7d3d3d8ce9dc56e4 SHA-1: 91503b19462b2fa3bf9905c4fc9d2194cf5d4633 SHA-256: 3753a171e2907e15ba6473cad1bfe5ec0b4365d91d44d5d976fbf58188a51db7
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OOXML document contains a VBA project with an AutoOpen macro that executes a shell command. The document body suggests a lure related to a 'Facebook One Million Database', likely intended to trick the user into enabling macros. No specific IOCs beyond the presence of VBA macros were extracted.

Heuristics 3

  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://raw.githubusercontent.com/X.exe In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 190 bytes
SHA-256: 8a4c05d0faeb63f0d059c73d0ba9eb1cde2cfafc49081e19c97fb3593738467a
Preview script
First 1,000 lines of the extracted script
Sub hello ()
MsgBox "Satinfo y Hornetsecurity os dan la bienvenida a este evento."
End Sub

Sub hello ()
MsgBox "Satinfo y Hornetsecurity os dan la bienvenida a este evento."
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 12288 bytes
SHA-256: 9b3e5d3127b74f045c2a72ac58ee7c9ead03dfcd8687510cfbbddf4099228110