Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1f5cd83bffc75cc6…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 82.6 KB
Created: 2017-09-22 01:14:00 UTC
Authoring application: Microsoft Excel
First seen: 2021-09-22
MD5: 06ed7650dcd21405201d3146a8b7d307
SHA-1: 4cfcdedc96a10375bf5022e2605a83eecbf55274
SHA-256: 1f5cd83bffc75cc64ba1253957010635dacded7b35f8478dc1fbdf912e89601f
Risk score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The Excel document contains VBA macros that utilize WScript.Shell and cmd.exe to execute commands, indicating an attempt to download and run a secondary payload. The embedded URLs, specifically http://hk.r34.cc, are likely associated with the command and control infrastructure for this malicious activity. The document body's content, referencing financial transactions and file management, suggests a pretext for the malicious operation.

Heuristics (10)

  • VBA project inside OOXML (medium; 5 related findings) [OOXML_VBA]
    Document contains a VBA project: VBA macros present
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
  • WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
  • LOLBin reference in VBA (critical) [OLE_VBA_LOLBIN]
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
  • cmd.exe reference in VBA (high) [OLE_VBA_CMD]
  • Suspicious extracted artifact (high) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External relationship (medium) [OOXML_EXTERNAL_REL]
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: 数据第一行开始2.xlsm
  • External hyperlinks (1) (low) [OOXML_EXTERNAL_HYPERLINKS]
    Document contains 1 external hyperlink; clickable URLs are stored as external relationships. First target: http://hk.r34.cc/
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://hk.r34.cc/index.php/Qwadmin/Rwxy/echoteacherdbnep?conall=%E6%95%B0%E6%8D%AE%E8%A1%A8%E5%90%8D%E7%AD%89%E4%BA%8E%E7%8E%8B%E8%BF%9B%E5%88%A9%E6%96%87%E4%BB%B6%E7%AE%A1%E7%90%86IJ%3B%E6%9F%A5%E7%9C%8B%E5%AF%86%E7%A0%81%E7%AD%89%E4%BA%8Eadmin%3B (OOXML external relationship)
    • http://hk.r34.cc (OOXML external relationship)
    • http://hk.r34.cc/ (OOXML external relationship)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 26156 bytes
SHA-256: f93681f94cc7207c22c7a6d03cf32c312983949d642cd625c226240a2fe688be
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Script preview
First 1,000 lines of the extracted script:
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "调用脚本及常用函数"
'copyright:lilyhcn<lilyhcn1@upsir.com>
'Date: 2020
'Version: V1.0/1.0
Public Const STARTROW As Integer = 21      'start row
Public Const FIRSTCONTENT As String = "F1"  'pre-script content
Public Const ENDCONTENT As String = "H1"  'pre-script content
Public Const JBVBSCELL As String = "B3"  'script content
Public Const MYFILENAMECELL As String = "B1"  'generated file
Public Const TEMPFILECOL As Integer = "5"  'column holding the temporary file name
Public Const COUNTCOL As Integer = "10"  'column recording the click count
Public Const JBCOL As Integer = "1"  'column holding the script

Public Const REPLACENUM As Integer = 50  'how many parameters can be replaced
Public Const PASSWORDREPLACENUM As Integer = 30  'how many parameters can be replaced
Public Const INTERTIEM As Integer = 10000  'script execution interval
Public Const FZFLOLDER As String = "辅助文件夹"  'auxiliary folder
Public Const GENFOLDER As String = "生成文件夹"  'output folder
Public Const JSONSTART As Integer = 11  'which column to start from when writing JSON back


Public Const LISTSTARTCOL As Integer = 11      'starting column
Public Const LISTSTARTROW As Integer = 21      'starting row
Public Const LISTFIRSTCOLS As Integer = 7     'how many columns precede the directory levels
Public Const LISTFIRSTCOLNAME As String = "K"     'how many columns precede the directory levels
Public Const JSON2CELLCOLS As String = 2     'which column JSON writing starts from

'actual constants
Public Const FILESAVEPATH   As String = "\"      'declare a public constant
Public Const download1 As String = "B"  'first column of downloaded files
Public Const download1filename As String = "A"  'file name corresponding to the first-column file
Public Const GLWY As String = "_管理网页.html"  'management web page name
Public Const TEMPTXTFILE   As String = "D:\老黄牛小工具\ExcelQuery\temp\temp.txt"      'temporary file path
Public Const TEMPJSON   As String = "D:\老黄牛小工具\ExcelQuery\temp\temp.json"      'temporary JSON file path
Public Const TEMPMDFILE   As String = "D:\老黄牛小工具\ExcelQuery\temp\temp.md"      'temporary md file path
Public Const TEMPEXCELFILE   As String = "D:\老黄牛小工具\ExcelQuery\temp\temp.xlsx"      'temporary xlsx file path
Public Const NOTEPAD2EXE As String = "D:\老黄牛小工具\小工具\notepad2\Notepad2.exe" 'path to notepad2
Public Const AHKEXE As String = "D:\老黄牛小工具\小工具\AutoHotkey.exe" 'autohotkey
Public Const CURLPATH   As String = "D:\老黄牛小工具\ExcelQuery"     'curl.exe
Public Const VBSPATH   As String = "D:\老黄牛小工具\脚本文件"     'script files
Public Const WORDPATH   As String = "D:\老黄牛小工具\word模板"     'script files
Public Const GJPATH   As String = "D:\老黄牛小工具\小工具"     'script files
Public Const PZNAME As String = "配置" 'upload address string"
Public Const ALLKEYNAME As String = "全部" 'keyword for outputting everything"


'Sub 执行按钮对应的脚本(Optional btname As String = "", Optional btname2 As String = "", Optional btname3 As String = "")
Sub 执行按钮对应的脚本()
On Error Resume Next
If btname = "" Then
    'get the button name
    btnametemp = getbuttonname()
    btnamearr = VBA.Split(btnametemp, "_")
    'single-row execution
    If InStr(btnametemp, "全部") = 0 Or InStr(btnametemp, "调试") = 0 Then
        btname = btnamearr(0)
        btname2 = btnamearr(1)
        btname3 = btnamearr(2)
    Else   'execute all
        keyname = btnamearr(0)
        btname = btnamearr(1)
        btname2 = btnamearr(2)
        btname3 = btnamearr(3)
    End If
End If

'get the corresponding path, execute
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 72704 bytes
SHA-256: 8ddcb5279670aa04f0f8171c16a8cbad402aa45fd5847c7edbb60d462298a792
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).