Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 08a1259090d5bf01…

MALICIOUS

Office (OOXML) / .XLSX

Size: 166.8 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 84f8c5535ae82dc22b230d475d177427
SHA-1: 747a0e213670aaf91b761a0cca0ab3e23b415d2b
SHA-256: 08a1259090d5bf015cfd80caa7ac3ff5060ad503825ea5a5f010cec03178c157
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The Excel file contains a Workbook_Open VBA macro that is obfuscated using string concatenation. The macro reconstructs the string 'Shell.Application' and uses CallByName to invoke the ShellExecute method. This method is likely used to download and execute a second-stage payload from a remote source, as indicated by the heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC'. The specific command executed is not fully discernible because of the obfuscation, but the intent is to run an external process.

Heuristics (7)

  • [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: Dangerous API name reassembled from split string literals
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • [high] OLE_VBA_WBOPEN: Workbook_Open macro
    Workbook_Open macro
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
    CreateObject call
  • [high] OLE_VBA_CALLBYNAME: CallByName call
    CallByName call
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains a VBA project — VBA macros present
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://ns.adobe.com/xap/1.0/
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/iX/1.0/
      • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind         Source                                                          Size
macros.bas          vba-macro    oletools.olevba.extract_macros (decoded VBA source from OOXML)  1238 bytes
  SHA-256: b8e4258cddc6e3e978c66f852d02535b47586923ee4255420df72dd2f8a091c2
vbaProject_00.bin   vba-project  OOXML VBA project: xl/vbaProject.bin                            14848 bytes
  SHA-256: d64a1ccaa2e33a0b10b240b07fc431dbb19b71ca8a1ac5691bda19606d16c6c6