Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0edda0400aaed4d5…

MALICIOUS

Office (OOXML)

Size: 137.7 KB
Created: 2017-09-22 01:14:00 UTC
Authoring application: Microsoft Excel
First seen: 2021-09-22
MD5: 041917ce658417a6d68aff3740a5251b
SHA-1: 29a7350bb749f782f0eb4525b5eede06c8413685
SHA-256: 0edda0400aaed4d5c69d48a927956a761f6c26b22b077c563753c42e78e0351c
Risk Score: 418

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1071.001 Web Protocols
  • T1059.003 Windows Command Shell

The sample is an Excel document containing VBA macros that use WScript.Shell and CreateObject to download and execute a second-stage payload from the URL http://hk.r34.cc/index.php/Qwadmin/Rwxy/echoteacherdbnep?conall=%E6%95%B0%E6%8D%AE%E8%A1%A8%E5%90%8D%E7%AD%89%E4%BA%8E%E7%8E%8B%E8%BF%9B%E5%88%A9%E6%96%87%E4%BB%B6%E7%AE%A1%E7%90%86IJ%3B%E6%9F%A5%E7%9C%8B%E5%AF%86%E7%A0%81%E7%AD%89%E4%BA%8Eadmin%3B. The VBA code also references cmd.exe and calls the Shell() function, which together indicate a high likelihood of malicious activity. The document body contains what appears to be financial transaction data and login credentials, suggesting credential harvesting or data exfiltration as a possible motive.

Heuristics (12)

  • VBA project inside OOXML (medium, OOXML_VBA, 7 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
    LOLBin reference in VBA
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • cmd.exe reference in VBA (high, OLE_VBA_CMD)
    cmd.exe reference in VBA
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External relationship (medium, OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: 数据第一行开始2.xlsm
  • External hyperlinks (1) (low, OOXML_EXTERNAL_HYPERLINKS)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://hk.r34.cc/
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://hk.r34.cc/index.php/Qwadmin/Rwxy/echoteacherdbnep?conall=%E6%95%B0%E6%8D%AE%E8%A1%A8%E5%90%8D%E7%AD%89%E4%BA%8E%E7%8E%8B%E8%BF%9B%E5%88%A9%E6%96%87%E4%BB%B6%E7%AE%A1%E7%90%86IJ%3B%E6%9F%A5%E7%9C%8B%E5%AF%86%E7%A0%81%E7%AD%89%E4%BA%8Eadmin%3B (referenced by macro)
    • http://hk.r34.cc (referenced by macro)
    • http://hk.r34.cc/ (referenced by macro)
    • http://demon.tw/ (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 82815 bytes
SHA-256: cad64c2f721253981e0f82269676b7b5b72648500fc3f98da81f4048a6114899
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "模块1"
Public Const STARTROW As Integer = 1      'Declare a public constant
Public Const startcell As String = "A1"  'Starting cell
Public Const conrow As Integer = 17      'Number of conditions
Public Const conmaxline As Integer = conrow    'Number of conditions
Public Const softfolder As String = "\基础软件\"      'Declare a public constant
Public Const downurl As String = "/index.php/Qwadmin/Rwxy/echoteacherdbnep?"      'Download URL path
Public Const downurlcom As String = "/index.php/Qwadmin/RwxyCom/echoteacherdbnep?"      'Download URL path (Com)
Public Const upurl As String = "/index.php/Qwadmin/Rwxy/phpupload?" 'Upload URL path
Public Const upurlcom As String = "/index.php/Qwadmin/RwxyCom/phpupload?" 'Upload URL path (Com)
Public Const uponefileurlcom As String = "/index.php/Qwadmin/RwxyCom/phpuploadonefile" 'Upload URL path (Com)
Public Const uponefileurl As String = "/index.php/Qwadmin/Rwxy/phpuploadonefile" 'Upload URL path

'There are two sets of these settings; if you change one, change both together
Public Const rpwcell As String = "F1"  'View-password cell
Public Const wrpwcell As String = "F2" 'Upload-password cell
Public Const sheetnamecell As String = "C1"  'Cell holding the data sheet name


'Credentials area
Public Const website As String = "F5"  'Website URL
Public Const siteuer As String = "F3"  'Website username
Public Const sitepassword As String = "F4"  'Website password

'Local parameters
Public Const downurldebugcell As String = "M1" 'Generated download string
Public Const delpasswordcell As String = "M8"  'Automatically clear the upload password and user password
Public Const cellsheetnname As String = "M3"  'Name of the new data sheet to copy into
Public Const cellplace As String = "M4"  'Cell position of the new location to copy into
Public Const cellautodownloadfile As String = "M5"  'Whether to download files automatically; generally recommended: no
Public Const cellfilenamecol As String = "M6"  'Cell holding the file-name rule; changing the file/folder naming scheme requires deleting everything
Public Const cellfoldercol As String = "M7"  'Cell holding the folder-name rule; changing the file/folder naming scheme requires deleting everything
Public Const FileChar As String = "文件"  'File-upload marker
Public Const SepChar As String = "_"  'File-upload marker (separator)
Public Const popupdatecell As String = "M2"  'Overwrite prompt



'Real constants
Public Const FILESAVEPATHCELL   As String = "M9"      'Declare a public constant
Public Const download1 As String = "B"  'First column of files to download
Public Const download1filename As String = "A"  'File name corresponding to the first file column
Public Const ZDYCHAR As String = "自定义"  'Custom file name
Public Const GLWY As String = "_管理网页.html"  'Management web page name
Public Const TEMPTXTFILE   As String = "D:\老黄牛小工具\ExcelQuery\temp\temp.txt"      'Temporary file path
Public Const TEMPMDFILE   As String = "D:\老黄牛小工具\ExcelQuery\temp\md.md"      'Temporary md file path
Public Const TEMPMDIMG   As String = "D:\老黄牛小工具\ExcelQuery\temp\temp.jpg"      'Temporary jpg file path
Public Const CURLPATH   As String = "D:\老黄牛小工具\ExcelQuery"     'curl.exe
Public Const PZNAME As String = "配置" 'Upload URL path
Public Const FZFLOLDER As String = "基础软件" 'Auxiliary folder

'Import the file-download API; if it errors, swap to the other declaration
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Integer, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr) As LongPtr
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Integer, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Integer, ByVal lpfnCB As Long) As Integer
#End If

Sub 下载数据()
ConSName = ActiveSheet.Name
ConSName = Replace(ConSName, PZNAME, "")
Sheets(ConSName).Select
UpdateBySheet
End Sub
Sub 上传数据()
ConSName = ActiveSheet.Name
ConSName = Replace(ConSName, PZNAME, "")
Sheets(ConSName).Select
UploadExcel
End Sub

'Data of the clicked cell
Sub 点击单元格的数据()
ConSName = ActiveSheet.Name & PZNAME
Set fso = CreateObject("scripting.filesystemobject")
Dim weburl, content As String
i = ActiveCell.row
S = ActiveCell.Column
content = Cells(i, S)

ext = fso.GetExtensionName(content)
filename = renamefilename(i, S)
savePath = ThisWorkbook.path & Mkcelldir2nodel(i, S)
savename = filename & "." & ext
NewFile = Replace(savePath & "\" & savename, "\\", "\")

If Mid(content, 1, 1) = "\" Then
    If IsFileExists(NewFile) Then
        ActiveWorkbook.FollowHyperlink NewFile
    End If

ElseIf isurl(content) Then
    If IsFileExists(NewFile) And filename <> "" Then
        ActiveWorkbook.FollowHyperlink 
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 198656 bytes
SHA-256: cf19054708c6b82ff1fd0e98121769f0d141f84cb352b376ea3067459a9f7328
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).