Office (OOXML) malware analysis — malicious · 3753a171e2907e15

MALICIOUS

Office (OOXML)

13.9 KB Created: 2021-06-09 07:05:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-11-02

MD5: 6fd23d27043f5c1b7d3d3d8ce9dc56e4 SHA-1: 91503b19462b2fa3bf9905c4fc9d2194cf5d4633 SHA-256: 3753a171e2907e15ba6473cad1bfe5ec0b4365d91d44d5d976fbf58188a51db7

62 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OOXML document contains a VBA project with an AutoOpen macro that executes a shell command. The document body suggests a lure related to a 'Facebook One Million Database', likely intended to trick the user into enabling macros. No specific IOCs beyond the presence of VBA macros were extracted.

Heuristics 3

VBA project inside OOXML medium 1 related finding OOXML_VBA

Document contains a VBA project — VBA macros present
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://raw.githubusercontent.com/X.exe In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	190 bytes
SHA-256: `8a4c05d0faeb63f0d059c73d0ba9eb1cde2cfafc49081e19c97fb3593738467a`
Preview script First 1,000 lines of the extracted script Sub hello () MsgBox "Satinfo y Hornetsecurity os dan la bienvenida a este evento." End Sub Sub hello () MsgBox "Satinfo y Hornetsecurity os dan la bienvenida a este evento." End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	12288 bytes
SHA-256: `9b3e5d3127b74f045c2a72ac58ee7c9ead03dfcd8687510cfbbddf4099228110`

Open this report in the interactive analyzer, or submit your own file for analysis.