Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 25597a54ba757172…

MALICIOUS

Office (OOXML)

5.05 MB Created: 2017-03-22 17:33:09 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-06-30
MD5: bcbe234ed8772dc7769f96d0ede58e52 SHA-1: 4d5e630cf0b9a0b497b716be836a9545d8296355 SHA-256: 25597a54ba7571727521e0a3166754dd5113ef2dcd295c2de7eda8a1d607e93c
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is an Excel document containing VBA macros. A critical heuristic indicates the use of URLDownloadToFile, a common function for downloading payloads. The embedded URL http://butik.zebra.as:55577/ItemImages/ is likely used to fetch a malicious second-stage payload. Note, however, that in the extracted macro (macros.bas below) the URL is completed with the edited cell's value plus ".jpg", the downloaded file is inserted with Shapes.AddPicture and then deleted, and nothing in the visible code executes it; the second-stage assessment should therefore be confirmed against the actual content served from that URL. The presence of hidden sheets and external relationships further suggests an attempt to conceal malicious activity.

Heuristics 5

  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 Then
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
        Private Declare PtrSafe Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  • External relationship high OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///Y:\Indkøb\Til Gregers\Prisændringer August 2016\August Campaign (16081, 16082, 16083).xlsm
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://butik.zebra.as:55577/ItemImages/ Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7297 bytes
SHA-256: 633757f2db97887398c0ce844691b0578a6c11cd9bd744ffed98af28be994c2b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Change(ByVal Target As Range)
' Sheet-level change handler: for every edited cell in column A, calls
' newPics (Module1) to fetch and place a product picture for that row.
' Application events are switched off first so that the picture insertion
' and cell resizing done by newPics do not re-enter this handler.
Application.EnableEvents = False
    ' Locate the "Item" header cell in column A; stRow is the row below it.
    ' stRow is undeclared (no Option Explicit in the extracted source) and is
    ' not read anywhere else in the extracted source.
    ' NOTE(review): if no "Item" cell exists, Find returns Nothing and ".Row"
    ' raises a runtime error here, leaving EnableEvents = False.
    stRow = Range("A:A").Find(What:="Item", _
                            After:=Range("A:A").Cells(Range("A:A").Cells.Count), _
                            LookIn:=xlValues, _
                            LookAt:=xlWhole, _
                            SearchOrder:=xlByRows, _
                            SearchDirection:=xlNext, _
                            MatchCase:=False).Row + 1

' Only changes that touch column A trigger a picture refresh.
If Not Intersect(Target, Range("A:A")) Is Nothing Then
Dim cell As Range
    For Each cell In Intersect(Target, Range("A:A"))
        Call newPics(cell)
    Next cell
    ' NOTE(review): events are re-enabled only inside this branch; an edit
    ' outside column A exits with EnableEvents still False (Sub XXX in
    ' Module1 exists to restore it).
    Application.EnableEvents = True
    Application.StatusBar = ""
End If
End Sub

Attribute VB_Name = "Module1"
' Win32 API declarations used by InternetGetFile below. The VBA7 branch adds
' PtrSafe so the module loads in 64-bit-capable Office; both branches declare
' handle and return values as Long. Only URLDownloadToFile and InternetOpen
' are called in the extracted source; InternetCloseHandle and
' DeleteUrlCacheEntry are declared but never used. The urlmon
' URLDownloadToFileA import is what triggers heuristic OLE_VBA_DOWNLOAD.
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Private Declare PtrSafe Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
    Private Declare PtrSafe Function InternetCloseHandle Lib "wininet" (ByVal hInet As Long) As Integer
    Private Declare PtrSafe Function DeleteUrlCacheEntry Lib "wininet.dll" (ByVal lpszUrlName As String) As Long
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Private Declare Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
    Private Declare Function InternetCloseHandle Lib "wininet" (ByVal hInet As Long) As Integer
    Private Declare Function DeleteUrlCacheEntry Lib "wininet.dll" (ByVal lpszUrlName As String) As Long
#End If



'Purpose     :  Retrieve text from a web site
'Inputs      :  sURLFileName            The URL and file name to download.
'               sSaveToFile             The filename to save the file to.
'               [bOverwriteExisting]    If True, overwrites the file if it exists.
'Outputs     :  Returns True on success.


Function InternetGetFile(sURLFileName As String, sSaveToFile As String, Optional bOverwriteExisting As Boolean = False) As Boolean
' Downloads sURLFileName to the local path sSaveToFile via urlmon
' URLDownloadToFile. Returns True only when the target file exists after the
' download call. The default (False) is also returned when the file already
' existed and bOverwriteExisting is False, because the download branch is then
' skipped entirely.
    Dim lRet As Long
    ' Only E_OUTOFMEMORY is referenced below; the other constants are unused.
    Const S_OK As Long = 0, E_OUTOFMEMORY = &H8007000E
    Const INTERNET_OPEN_TYPE_PRECONFIG = 0, INTERNET_FLAG_EXISTING_CONNECT = &H20000000
    Const INTERNET_OPEN_TYPE_DIRECT = 1, INTERNET_OPEN_TYPE_PROXY = 3
    Const INTERNET_FLAG_RELOAD = &H80000000
    
    ' All runtime errors from here to "On Error GoTo 0" are swallowed; a
    ' failed Kill, Dir$ or API call only shows up as "file not present" below.
    On Error Resume Next
    'Create an internet connection
    ' The WinINet handle is stored in lRet, overwritten by the download call,
    ' and never passed to InternetCloseHandle.
    lRet = InternetOpen("", INTERNET_OPEN_TYPE_DIRECT, vbNullString, vbNullString, 0)
    
    ' Caller asked to overwrite: delete the existing local file first.
    If bOverwriteExisting Then
        If Len(Dir$(sSaveToFile)) Then
            VBA.Kill sSaveToFile
        End If
    End If
    'Check file doesn't already exist
    If Len(Dir$(sSaveToFile)) = 0 Then
        'Download file
        ' Success is judged by whether the file now exists on disk, not by
        ' the HRESULT in lRet (S_OK is declared but never compared).
        lRet = URLDownloadToFile(0&, sURLFileName, sSaveToFile, 0&, 0)
        If Len(Dir$(sSaveToFile)) Then
            'File successfully downloaded
            InternetGetFile = True
        Else
            'Failed to download file
            ' Diagnostics go to the VBA Immediate window only; the user sees
            ' nothing from this function itself.
            If lRet = E_OUTOFMEMORY Then
                Debug.Print "The buffer length is invalid or there was insufficient memory to complete the operation."
            Else
'                Debug.Assert False
                Debug.Print "Error occurred " & lRet & " (this is probably a proxy server error)."
            End If
            InternetGetFile = False
        End If
    End If
    On Error GoTo 0
    
End Function


Function FileExists(fname) As Boolean
' True when Dir finds a filesystem entry for fname (a path, possibly with
' wildcards). fname is an untyped Variant parameter, as in the caller.
    Dim firstMatch As String
    firstMatch = Dir(fname)
    FileExists = Len(firstMatch) > 0
End Function

Function PathExists(pname) As Boolean
'   Returns TRUE if the path exists and is a directory. GetAttr raises an
'   error for a missing path; with Resume Next that leaves attrs at 0, so the
'   directory test fails and the function keeps its default False.
    Dim attrs As Long
    On Error Resume Next
    attrs = GetAttr(pname)
    If (attrs And vbDirectory) = vbDirectory Then
        PathExists = True
    End If
End Function
Public Sub newPics(Target As Range)
' Fetches the picture for the SKU in Target (a single column-A cell; see
' Worksheet_Change) from the hard-coded web server, places it four columns to
' the right as a shape named "Picture<row>", then deletes the local copy.
' Errors around shape deletion are deliberately ignored. SKU, DirPath, ttt,
' r, col, t, l, h and w are undeclared (no Option Explicit in this module).
Dim p As Object, link As String, filename As String
    ' Empty cell: drop any previously inserted picture for this row and stop.
    If Target.Value = "" Then
        On Error Resume Next
        ActiveSheet.Shapes("Picture" & Target.Row).Delete
        On Error GoTo 0
'        Application.EnableEvents = True
        Exit Sub
    End If
    ' The cell text is used verbatim, without validation, both as a file
    ' name under the workbook's folder and as the last path segment of the URL.
    SKU = Target.Value
    DirPath = ThisWorkbook.Path
    filename = DirPath & "\" & SKU & ".jpg"
    Application.StatusBar = "Loading picture " & SKU & ".jpg"
    link = "http://butik.zebra.as:55577/ItemImages/" & SKU & ".jpg"
    ' Download only when no local copy exists (InternetGetFile, above).
    If Not FileExists(filename) Then
        ttt = InternetGetFile(link, filename, True)
        If ttt = True Then
        Else
            ' Download failed: remove the stale shape, notify the user, stop.
            On Error Resume Next
            ActiveSheet.Shapes("Picture" & Target.Row).Delete
            On Error GoTo 0
            MsgBox "Picture " & SKU & ".jpg" & " couldn't be downloaded." & Chr(10) & _
                "Plase check the SKU and/or if the picture file exists.", vbOKOnly, "None picture downloaded"
'            Application.EnableEvents = True
            Exit Sub
        End If
    End If
    ' r and col are assigned but never read.
    r = Target.Row
    col = 6
    ' Anchor cell for the picture: four columns right of Target. Selecting
    ' it changes the active cell as a side effect.
    Target.Offset(0, 4).Select
    With ActiveCell
        t = .Top
        l = .Left
        .RowHeight = 87
        .ColumnWidth = 15.7
    End With
    ' Replace any existing picture for this row.
    On Error Resume Next
    ActiveSheet.Shapes("Picture" & Target.Row).Delete
    On Error GoTo 0
    'Set p = ActiveSheet.Pictures.Insert(filename)
    ' AddPicture(LinkToFile:=msoFalse, SaveWithDocument:=msoTrue): the image
    ' bytes are embedded in the workbook rather than linked to the file.
    Set p = ActiveSheet.Shapes.AddPicture(filename, msoFalse, msoTrue, l + 1, t + 1, -1, -1)
    ActiveSheet.Shapes(p.Name).LockAspectRatio = False
    With p
        .Top = t + 1
        .Left = l + 1
        h = .Height
        w = .Width
        
        ' Scale to 2x3, 3x2 or 3x3 cm depending on orientation and set the
        ' row height to match.
        If h > w Then
            .Height = Application.CentimetersToPoints(3)
            .Width = Application.CentimetersToPoints(2)
            ActiveCell.RowHeight = 87
        End If
        If w > h Then
            .Height = Application.CentimetersToPoints(2)
            .Width = Application.CentimetersToPoints(3)
            ActiveCell.RowHeight = 58
        End If
        If h = w Then
            .Height = Application.CentimetersToPoints(3)
            .Width = Application.CentimetersToPoints(3)
            ActiveCell.RowHeight = 87
        End If
        .Name = "Picture" & Target.Row
    End With
    Set p = Nothing
    ' Deletes the local .jpg unconditionally, including a pre-existing file
    ' that was never downloaded in this call.
    Kill filename
Application.StatusBar = ""

End Sub
Sub XXX()
' Re-enables Application events, which Worksheet_Change switches off.
' Nothing in the extracted source calls this; presumably run by hand.
    With Application
        .EnableEvents = True
    End With
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 40448 bytes
SHA-256: 0f11746227958f7baab519e43fc698e93e4fe4b77a5ca38ebc5d8e55fd5d9f1f