Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 05f9b86188cd1436…

MALICIOUS

Office (OOXML) / .XLSM

Size: 110.2 KB
Created: 2014-08-27 08:01:16 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-27
MD5: 58f4a5737c63e7a1b52df3c69e308c07
SHA-1: d6e14107bd0c5b1f0ffee86e3cf43c05bfa0a4bf
SHA-256: 05f9b86188cd1436e7344abe26f5cfe69ea62eb681b64d2df0234515a2385e94
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is an XLSM file containing VBA macros. The critical heuristic 'OLE_VBA_EMAIL_WORM_SELF_REPLICATION' indicates that the VBA code attempts to send the document as an email attachment to a hardcoded list of recipients using Outlook. This behavior suggests a self-propagation mechanism, characteristic of email worms. The VBA script explicitly constructs the email with a subject 'Schichtbericht Chemion' and attaches the current workbook.

Heuristics 3

  • VBA project inside OOXML (severity: medium; 2 related findings; heuristic: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • VBA email-worm self-replication (Outlook mass-mailer) (severity: critical; heuristic: OLE_VBA_EMAIL_WORM_SELF_REPLICATION)
    VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by attaching a file to the outgoing message and sending the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature.
    Matched line in script
    Set Nachricht = OutlookApplication.CreateItem(0)
  • CreateObject call (severity: high; heuristic: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Set OutlookApplication = CreateObject("Outlook.Application")

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2739 bytes
SHA-256: 3cdf93c0b5cb6c649693fbd8aa4a2af7021d5732b442bd1e7f600240560be455
First 1,000 lines of the extracted script
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Schaltfläche_Klicken()
Dim Nachricht As Object, OutlookApplication As Object
Set OutlookApplication = CreateObject("Outlook.Application")
Dim Anhang As String
Anhang = ThisWorkbook.FullName
Set Nachricht = OutlookApplication.CreateItem(0)
With Nachricht
.To = "claus-werner.fleischhauer@lyondellbasell.com; udo.eulenstein@lyondellbasell.com; frank.senior@lyondellbasell.com; sarah.marx@lyondellbasell.com; dagmar.berg@lyondellbasell.com"
.Subject = "Schichtbericht Chemion"
.attachments.Add Anhang
.Body = ""
.Display
'.Mail.Send
End With
Set OutlookApplication = Nothing
Set Nachricht = Nothing
End Sub

Private Sub Senden_Click()

End Sub

Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle21"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Modul3"
Sub Speichern()
'
' Speichern Makro
'

'
    
    ActiveWorkbook.Save
End Sub

Attribute VB_Name = "Modul2"
Sub Speichern()
ActiveWorkbook.SaveAs Filename:="J:\Schichtberichte\2021\Schichtbericht " & Format(Date, "YYYY.MM.DD") & ".xlsm"
End Sub

Attribute VB_Name = "Modul1"
Sub Schaltfläche_Klicken()
Dim Nachricht As Object, OutlookApplication As Object
Set OutlookApplication = CreateObject("Outlook.Application")
Dim Anhang As String
Anhang = ThisWorkbook.FullName
Set Nachricht = OutlookApplication.CreateItem(0)
With Nachricht
.To = "claus-werner.fleischhauer@lyondellbasell.com; udo.eulenstein@lyondellbasell.com; frank.senior@lyondellbasell.com; sarah.marx@lyondellbasell.com; dagmar.berg@lyondellbasell.com; roland.lacalli@chemion.de; rolf.bierekoven@lyondellbasell.com; holger.schwingen@lyondellbassell.com; Marko.Beckmann@chemion.de; jonathan.titz@lyondellbasell.com"
.Subject = "Schichtbericht " & Range("C4")
.attachments.Add Anhang
.Body = ""
.Display
'.Mail.Send
End With
Set OutlookApplication = Nothing
Set Nachricht = Nothing
End Sub

Private Sub Senden_Click()

End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 27648 bytes
SHA-256: 9c6f1e0e6ea6686898e39cef4d9e88571ae6fdd7c8283d20c28d42fd4b064d98