Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0ba23d43edd2d11c…

MALICIOUS

Office (OOXML)

Size: 7.16 MB
Created: 2016-06-27 09:21:24 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2019-12-09
MD5: 4cd82626b9e6bc55a13d90d6053ba5fb
SHA-1: 5b4ebb5d2a8ac0525fb94ff68c22aa018673d4e8
SHA-256: 0ba23d43edd2d11c39729897845bc4be0946e8a3cedf345fbba70e5c76778ebe
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicates an obfuscated auto-executing VBA loader, further supported by the 'Workbook_Open macro' and 'Shell() call in VBA' firings. The Workbook_Open subroutine is designed to store client settings and then likely execute malicious code, potentially involving PowerShell, as suggested by the presence of T1059.001. The presence of a VBA project and macro code points to a macro-based attack, commonly delivered via spearphishing attachments.

Heuristics (7)

  • VBA project inside OOXML [medium] OOXML_VBA (4 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 10 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      Channel: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/
      Channel: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/
      Channel: In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
      Channel: In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 168546 bytes
SHA-256: f8288c0a85c102df63ea42d7acf3e737814bddd37bac5574eba12b265654482e
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' v6.0 - 25072018 - 1621IST

Dim CalculationSetting As Integer
Dim ScreenUpdating As Boolean
Dim DisplayStatusBar  As Boolean
Dim EnableEvents  As Boolean

Private Sub Workbook_BeforeClose(Cancel As Boolean)
    On Error GoTo ErrorHandler
    Application.Calculation = xlCalculationAutomatic
    'Call LogEventTest
    ' Restore Client Settings
10  'Application.Calculation = CalculationSetting
20  'Application.ScreenUpdating = ScreenUpdating
30  'Application.DisplayStatusBar = DisplayStatusBar
40  'Application.EnableEvents = EnableEvents
    Exit Sub
ErrorHandler:
50  Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_BeforeClose", Erl)
60  Call Module33.ErrorHandler
End Sub

Private Sub LogEventTest()
    On Error GoTo ErrorHandler
10  Dim t As Integer
20  t = 7 / 0
ErrorHandler:
50  Call Module33.LogEvent(Err, "ThisWorkbook.TestLog", Erl)
End Sub

Private Sub Workbook_Open()
    On Error GoTo ErrorHandler

    ' Store Client Settings
70  CalculationSetting = Application.Calculation
80  ScreenUpdating = Application.ScreenUpdating
90  DisplayStatusBar = Application.DisplayStatusBar
100 EnableEvents = Application.EnableEvents

    'Sheet2.CommandButton1_Click
110 Application.Calculation = xlCalculationManual
111 Call Module31.FreezePane
    '    Sheet1.Visible = xlSheetHidden
    '    Sheet8.Visible = xlSheetHidden
120 If Sheet2.Cells(1, 30) = "1" Then
130     Call Module33.OptimizeCode_End_ExceptCalculation
        End
    End If
140 Call Module32.RunInitialMacros
    Exit Sub
ErrorHandler:
150 Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_Open", Erl)
160 Call Module33.ErrorHandler
End Sub

Sub FillSupplyLOSCB()
    On Error GoTo ErrorHandler
    Dim startTime As Date
170 startTime = Now()

180 If ThisWorkbook.sheetExists("Sheet9") And Range("Sheet3!A3") > "" Then
        'Call FillComboFromSheet(Sheet9.CB_Supply_LOS, "listLOS1")
190     Call Module8.FillDropDownFromSheet(Sheet9, Sheet9.Shapes("dd_Supply_LOS"), "listLOS1", ThisWorkbook.Settings("SupplyLOS"))
        '    Dim val As String
        '    val = Sheet1.Cells(5, 1)
        '    If val > "" Then
        '        Sheet9.CB_Supply_LOS.Clear
        '        Sheet9.CB_Supply_LOS.List = Split(val, ",")
        '        Sheet9.CB_Supply_LOS.Text = Sheet9.CB_Supply_LOS.List(0)
        '    End If
    End If
200 Call Module33.LogTime("FillSupplyLOSCB", startTime, Now())
    Exit Sub
ErrorHandler:
210 Call Module33.LogEvent(Err, "ThisWorkbook.FillSupplyLOSCB", Erl)
220 Call Module33.ErrorHandler
End Sub

Sub FillOverviewLOSCB()
    On Error GoTo ErrorHandler
    Dim startTime As Date
230 startTime = Now()
240 If ThisWorkbook.sheetExists("Sheet4") And Range("Sheet3!A3") > "" Then

250     Call Module8.FillDropDownFromSheet(Sheet4, Sheet4.Shapes("dd_Overvw_LOS"), "listLOS1", ThisWorkbook.Settings("OverviewLOS"))
        'Call FillComboFromSheet(Sheet4.cb_Overvw_LOS, "listLOS1")

        '    Dim val As String
        '    val = Sheet4.cb_Overvw_LOS.value
        '    If val = "" Then
        '        Sheet4.cb_Overvw_LOS.ListFillRange = ""
        '        Sheet4.cb_Overvw_LOS.ListFillRange = "ListLOS"
        '        Sheet4.cb_Overvw_LOS.Text = Sheet4.cb_Overvw_LOS.List(0)
        '    End If

        Dim val2 As String
260     val2 = Sheet4.Cells(10, 1)
270     If val2 = "" Then
280
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 663552 bytes
SHA-256: 5d9248a6bedd9b207be29078a80c2a670b4e1a6f940b56ab1de62bd029a4f413