Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 260d44fb5894f698…

MALICIOUS

Office (OOXML)

46.1 KB Created: 2020-04-04 15:10:15 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-04-01
MD5: 82e132f3f28839723bb400a430c5ea94 SHA-1: 42e12e3635e9006ba377ad24f8dff9db559fe3af SHA-256: 260d44fb5894f698bbe890bebcfffe3f14efc1640ce044db1f679c219bd23cea
116 Risk Score

Heuristics 5

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
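    CreateObject call — the matched line instantiates MSXML2.DOMDocument (an XML parser object), which the extracted script uses to load live_server.xml from the workbook's own folder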
    Matched line in script
    7  Set xmlObj = CreateObject("MSXML2.DOMDocument")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        localTempPath = Environ("Temp") & "\xvba_files"

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 13200 bytes
SHA-256: 34d25372c0e0a5306d1885489f729845e33adcd159b6f07e654e946ec264554b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "EstaPastaDeTrabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    ' Auto-execution entry point: Excel raises Workbook_Open when the workbook
    ' is opened and macros are allowed to run. Nothing happens here except
    ' handing control to BootStrapController, so every later file-system and
    ' VBProject action in this listing starts from this one call.
    BootStrapController
End Sub

Attribute VB_Name = "Planilha1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoload"
' Excel "Live Server"
' Created By Alberto Eduardo
' email: alberto.aeraph@gmail.com
' Create at 04/04/2020
' Update 22/08/2020


' Configuration
' Module-level dictionary that BootStrap fills with the settings parsed by
' getActionFromXML. The keys read from it in this module are WorkspacePath,
' WorkbookName, FolderVBA and State.
' "As New" means VBA instantiates the Dictionary on first use.
Dim env As New Scripting.Dictionary

Public Function BootStrap() As Scripting.Dictionary
    ' Loads the settings dictionary from getActionFromXML, stores it in the
    ' module-level env variable and returns that same dictionary to the caller.
    Dim settings As Scripting.Dictionary

    Set settings = getActionFromXML.getActionFromXML
    Set env = settings
    Set BootStrap = settings
End Function

Public Sub AutoloadModules()
 ' Rebuilds a workbook's VBA project from source files on disk:
 '   1. opens <WorkspacePath>\<WorkbookName>,
 '   2. removes every non-document component from ActiveWorkbook's VBProject,
 '   3. imports .cls/.frm/.bas files from <WorkspacePath>\<FolderVBA>,
 '      <WorkspacePath>\xvba_modules and <WorkspacePath>\xvba_unit_test,
 '   4. writes a log line, then saves or closes ThisWorkbook depending on State.
 ' All four env values come from the dictionary filled by BootStrap, so whoever
 ' controls that configuration decides which folders are imported as code.
 ' NOTE(review): reading or changing VBProject normally requires the Office
 ' setting "Trust access to the VBA project object model" - confirm on the host.
 
 On Error GoTo Oops
 
    Dim wkbTarget As Excel.Workbook
    Dim objFSO As Scripting.FileSystemObject
    Dim objFile As Scripting.File
    Dim szTargetWorkbook As String
    ' Path to user vba files
    Dim szImportPath As String
    'Path to XVBA Third Modules Files
    Dim xvbaModulesPath As String
    'Path to XVBA Unit Test Files
    Dim xvbaUnitTestPath As String
    Dim szFileName As String
    Dim cmpComponents As VBIDE.VBComponents
   
     

    ' NOTE(review): from here on "On Error Resume Next" replaces the
    ' "On Error GoTo Oops" handler set above, so a failing statement is skipped
    ' silently instead of being routed to the Oops label.
    On Error Resume Next
    Workbooks.Open (env("WorkspacePath") & "\" & env("WorkbookName"))
    ''' NOTE: This workbook must be open in Excel.
    On Error Resume Next
    Set wkbTarget = Application.Workbooks(env("WorkbookName"))
    
    ''' NOTE: Path where the code modules are located.
    szImportPath = env("WorkspacePath") & "\" & env("FolderVBA")
    
    ''' XVBA Modules Path
    xvbaModulesPath = env("WorkspacePath") & "\xvba_modules"
    
    ''' XVBA Unit Test files Path
    xvbaUnitTestPath = env("WorkspacePath") & "\xvba_unit_test"
        
    Set objFSO = New Scripting.FileSystemObject

    'Delete all modules/Userforms from the ActiveWorkbook
    ' NOTE(review): the helper works on ActiveWorkbook, while the imports below
    ' target Application.Workbooks(env("WorkbookName")); these are presumably
    ' the same workbook right after the Open above - verify.
    
    Call DeleteVBAModulesAndUserForms

    ''' Import all user VBA files
    ImportFiles objFSO.GetFolder(szImportPath)
    
     ''' Import all third-party package VBA files from xvba_modules folder
    ImportFiles objFSO.GetFolder(xvbaModulesPath)
    
    ''' Import all XVBA Unit Test Files from xvba_unit_test folder
    ImportFiles objFSO.GetFolder(xvbaUnitTestPath)
    
    Call LogMessages(1, env("WorkspacePath") + "\logs\" + "excel_server.log", "Load Files Finish")
    
    
     
     ' State "CLOSE" saves and closes this workbook; any other value only saves it.
     If env("State") = "CLOSE" Then
       ThisWorkbook.Close SaveChanges:=True
     Else
       ThisWorkbook.Save
     End If

' NOTE(review): there is no Exit Sub before this label, so the handler call
' below also runs on the normal path. ErrorHandller writes an "Error:" line
' with the current Err values and closes ThisWorkbook without saving.
Oops:

 Call ErrorHandller(env("WorkspacePath") + "\logs\" + "excel_server.log", "AutoloadModules")
Exit Sub

        
End Sub
Public Sub ImportFiles(folder)
    ' Imports every file with extension "cls", "frm" or "bas" found in folder
    ' into the VBProject of Application.Workbooks(env("WorkbookName")), then
    ' calls itself for each subfolder, so the whole directory tree is imported.
    ' folder has no declared type; callers in this listing pass a Folder object.
    ' Security note: whatever matching files exist under the folder become
    ' macro code in the target workbook - the directory contents should be
    ' treated as code, not data.
    ' NOTE(review): szTargetWorkbook, objFSO, objFile and Subfolder are not
    ' declared in this procedure; they are implicit Variants unless the module
    ' uses Option Explicit (not visible here).

    Dim cmpComponents As VBIDE.VBComponents
    Dim wkbTarget As Excel.Workbook

    ''' NOTE: This workbook must be open in Excel.
    szTargetWorkbook = ActiveWorkbook.Name
    Set wkbTarget = Application.Workbooks(env("WorkbookName"))
    Set objFSO = New Scripting.FileSystemObject
    Set cmpComponents = wkbTarget.VBProject.VBComponents
 
    ' Errors in the loop below (for example a failed import) are skipped silently.
    On Error Resume Next
    For Each objFile In objFSO.GetFolder(folder).Files
    
            ' The extension is compared with "=", so case sensitivity follows
            ' the module's Option Compare setting (not visible here).
            If (objFSO.GetExtensionName(objFile.Name) = "cls") Or _
               (objFSO.GetExtensionName(objFile.Name) = "frm") Or _
               (objFSO.GetExtensionName(objFile.Name) = "bas") Then
                cmpComponents.Import objFile.path
                
            End If
    Next objFile
 
    On Error Resume Next
    For Each Subfolder In folder.SubFolders
        ImportFiles Subfolder
    Next

' folder is passed by reference (the VBA default), so this also clears the
' variable the caller passed in.
Set folder = Nothing
Set objFile = Nothing
Set Subfolder = Nothing




End Sub
Function DeleteVBAModulesAndUserForms()
    ' Strips ActiveWorkbook's VBA project down to its document modules:
    ' every component whose Type is not vbext_ct_Document is removed.
    ' Document modules (ThisWorkbook and the sheet objects) are left in place.
    Dim project As VBIDE.VBProject
    Dim component As VBIDE.VBComponent

    Set project = ActiveWorkbook.VBProject

    For Each component In project.VBComponents
        If component.Type <> vbext_ct_Document Then
            project.VBComponents.Remove component
        End If
    Next component

End Function

'Export modules to file


Public Sub ExportModules()
' Exports the class, form and standard modules of the workbook named in
' env("WorkbookName") to text files under %TEMP%\xvba_files, writes a log line
' and a marker file (finishExportModules), then saves or closes ThisWorkbook.
' Document modules (worksheet/workbook objects) are not exported.
' NOTE(review): reading VBProject normally requires the Office setting
' "Trust access to the VBA project object model" - confirm on the host.
On Error GoTo Oops
    Dim bExport As Boolean
    Dim wkbSource As Excel.Workbook
    Dim szSourceWorkbook As String
    Dim szFileName As String
    Dim cmpComponent As VBIDE.VBComponent

    ' NOTE(review): "On Error Resume Next" replaces the "GoTo Oops" handler set
    ' above, so later failures are skipped silently rather than sent to Oops.
    On Error Resume Next
    Set wkbSource = Workbooks.Open(env("WorkspacePath") & "\" & env("WorkbookName"))
    ''' NOTE: This workbook must be open in Excel.
    On Error Resume Next
    Set wkbSource = Application.Workbooks(env("WorkbookName"))
    
    'Create temp folder for vba files
    ' This is the Environ("Temp") line quoted by the report's Environ() heuristic.
    Dim localTempPath As String
    localTempPath = Environ("Temp") & "\xvba_files"
    Call TestForDir(localTempPath)
  
   
    
    For Each cmpComponent In wkbSource.VBProject.VBComponents
        
        bExport = True
        szFileName = cmpComponent.Name

        ''' Concatenate the correct filename for export.
        Select Case cmpComponent.Type
        Case vbext_ct_ClassModule
            szFileName = szFileName & ".cls"
        Case vbext_ct_MSForm
            szFileName = szFileName & ".frm"
        Case vbext_ct_StdModule
            szFileName = szFileName & ".bas"
        Case vbext_ct_Document
            ''' This is a worksheet or workbook object.
            ''' Don't try to export.
            bExport = False
        End Select
        
        If bExport Then
        
   
    ''' Export the component to a text file.
    cmpComponent.Export localTempPath & "\" & szFileName
     
    ''' remove it from the project if you want
    '' wkbSource.VBProject.VBComponents.Remove cmpComponent
        
        End If
   
    Next cmpComponent
     
     ' Both branches log and write the marker file; they differ only in
     ' closing (State = "CLOSE") versus saving ThisWorkbook.
     If env("State") = "CLOSE" Then
     Call LogMessages(1, env("WorkspacePath") + "\logs\" + "excel_import.log", "Export Files Finish")
     'Create Log file when excel finish create all vba files on user folder
     Call finishExportModules
       ThisWorkbook.Close SaveChanges:=True
     Else
     Call LogMessages(1, env("WorkspacePath") + "\logs\" + "excel_import.log", "Export Files Finish")
     'Create Log file when excel finish create all vba files on user folder
     Call finishExportModules
       ThisWorkbook.Save
     End If
     

     
' NOTE(review): no Exit Sub precedes this label, so the call below also runs on
' the normal path. It passes "ImportFiles" as the macro name although this is
' ExportModules, so log lines from here are attributed to the wrong procedure.
Oops:
 Call ErrorHandller(env("WorkspacePath") + "\logs\" + "excel_import.log", "ImportFiles")
 Exit Sub

End Sub


Sub TestForDir(strDir As String)
    ' Creates the directory strDir when Dir() reports no matching entry for it.
    Dim existingEntry As String

    existingEntry = Dir(strDir, vbDirectory)
    If Len(existingEntry) = 0 Then MkDir strDir

End Sub

'Create Log file when excel finish create all vba files on user folder
'Change 20/10/2020 - folder path to os temp folder
Public Sub finishExportModules()
    ' Drops a one-line marker file, xvba_exported_file.log, in the folder named
    ' by the Temp environment variable to signal that the export has finished.
    ' The line written is the current date/time followed by " - Exported".
    Dim markerPath As String
    markerPath = Environ("Temp") & "\xvba_exported_file.log"

    ' Early-bound FileSystemObject / TextStream types, as in the original.
    Dim fileSystem As FileSystemObject
    Dim marker As TextStream

    Set fileSystem = New FileSystemObject
    ' CreateTextFile is called with its default arguments.
    Set marker = fileSystem.CreateTextFile(markerPath)

    With marker
        .WriteLine Now & " - Exported"
        ' Close the stream so the file is no longer locked.
        .Close
    End With

End Sub

Attribute VB_Name = "AutoLoadFormEnd"
Attribute VB_Base = "0{E0F2292B-DF57-4E3E-AD35-27AE26AFAD5A}{40F38A1F-2FCE-42C1-B6EE-FF41806B9C07}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Click handlers of the AutoLoadFormEnd user form. The four label handlers
' below are empty stubs and do nothing.
Private Sub Label1_Click()
 
End Sub

Private Sub Label2_Click()

End Sub

Private Sub Label3_Click()

End Sub

Private Sub LabelLoadInfo_Click()

End Sub

' Sets the caption of LabelLoadInfo to "Teste" twice. No file, network or
' process activity is visible in this handler.
Private Sub UserForm_Click()
    
  
   ' NOTE(review): the assignment inside the With block has no leading dot, so
   ' it presumably addresses this form's own LabelLoadInfo rather than a
   ' member of AutoLoadForm - confirm.
   With AutoLoadForm
   
     LabelLoadInfo.Caption = "Teste"
   
   
   End With
   LabelLoadInfo.Caption = "Teste"
     
End Sub

Attribute VB_Name = "clsReadEnv"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
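Public Function ReadEnv() As Scripting.Dictionary
    ' Parses "<folder of ThisWorkbook>\values.txt" into a dictionary.
    ' Each line is expected to look like KEY=VALUE; double quotes are stripped
    ' from the value and surrounding spaces are trimmed.
    '
    ' Returns: a Scripting.Dictionary with one entry per KEY=VALUE line.
    ' Raises:  the original run-time error (after closing the file) when the
    '          file cannot be opened or read, or when a key occurs twice.
    '
    ' Changes against the original:
    '   * the file number comes from FreeFile instead of the hard-coded #1,
    '     matching LogMessages and avoiding a clash with an already open #1;
    '   * Split is limited to two parts, so a value that itself contains "="
    '     is kept whole instead of being cut at the second "=";
    '   * blank lines and lines without "=" are skipped instead of raising
    '     "Subscript out of range";
    '   * the file is closed on the error path as well.
    '
    ' The file sits next to the workbook and is plain text that anyone with
    ' write access to that folder can change, so callers should treat the
    ' returned values as untrusted input.

    Dim myFile As String, textline As String
    Dim LArray() As String
    Dim env As New Scripting.Dictionary
    Dim fileNum As Integer
    Dim errNumber As Long
    Dim errSource As String
    Dim errDescription As String

    myFile = ThisWorkbook.path & "\values.txt"

    On Error GoTo CloseAndRaise

    fileNum = FreeFile
    Open myFile For Input As #fileNum

    Do Until EOF(fileNum)
        Line Input #fileNum, textline

        ' Limit of 2: everything after the first "=" belongs to the value.
        LArray = Split(textline, "=", 2)

        ' UBound is -1 for an empty line and 0 for a line without "=".
        If UBound(LArray) >= 1 Then
            env.Add LArray(0), Trim$(Replace(LArray(1), Chr(34), ""))
        End If
    Loop

    Close #fileNum
    Set ReadEnv = env
    Exit Function

CloseAndRaise:
    ' Keep the error details before any further statement can change Err.
    errNumber = Err.Number
    errSource = Err.Source
    errDescription = Err.Description

    If fileNum <> 0 Then Close #fileNum

    ' Re-raise so callers see the same error they would have seen before.
    Err.Raise errNumber, errSource, errDescription

End Function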


Attribute VB_Name = "AutoLoadForm"
Attribute VB_Base = "0{A319B801-C1B9-44FD-A014-061C2BAD5093}{4C86799A-EBC0-4AD5-A402-0045BFA5BBE1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Click handlers of the AutoLoadForm user form. The three label handlers
' below are empty stubs and do nothing.
Private Sub Label1_Click()
 
End Sub

Private Sub Label3_Click()

End Sub

Private Sub LabelLoadInfo_Click()

End Sub

' Sets the caption of LabelLoadInfo to "Teste" twice, once inside and once
' after the With block. No file, network or process activity is visible here.
Private Sub UserForm_Click()
    
  
   With AutoLoadForm
   
     LabelLoadInfo.Caption = "Teste"
   
   
   End With
   LabelLoadInfo.Caption = "Teste"
     
End Sub

Attribute VB_Name = "controlerBootstrapModule"
Public Function BootStrapController()
    ' Dispatcher called from Workbook_Open. It loads the settings through
    ' BootStrap and picks the action from the "Command" value:
    '   "RUN_AUTO"      -> AutoloadModules (import code from disk)
    '   any other value -> ExportModules   (export code to disk)
    ' The Command value comes from configuration read at run time, so the file
    ' that supplies it decides which of the two paths a workbook-open takes.
    Dim settings As Scripting.Dictionary

    Set settings = BootStrap

    Select Case settings("Command")
        Case "RUN_AUTO"
            AutoloadModules
        Case Else
            ExportModules
    End Select

End Function

Attribute VB_Name = "ExtractFilesForm"
Attribute VB_Base = "0{2392468C-39B5-4462-AE84-C3A93D36C4F8}{1847DE64-5D53-43F2-8488-69A63EF196E7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Empty click handler of the ExtractFilesForm user form; it performs no action.
Private Sub LabelLoadInfo_Click()

End Sub

Attribute VB_Name = "Log"
'Log Messages
'@author Alberto Eduardo
'@since 21/04/2020
Public Function LogMessages(messageType As Integer, filePath As String, message As String)
    ' Appends one line to the text file filePath in the form
    '   <current date/time> - <tag><message>
    ' messageType selects the tag: 0 -> "Error:", 1 -> "DEBUG:", any other
    ' value -> "INFO:". The file is opened in Append mode and closed again
    ' after the single write.
    Dim handle As Integer
    Dim stamp As String
    Dim levelTag As String

    handle = FreeFile
    stamp = Now & " - "

    If messageType = 0 Then
        levelTag = "Error:"
    ElseIf messageType = 1 Then
        ' The original comments call type 1 "Success"; the tag written is DEBUG.
        levelTag = "DEBUG:"
    Else
        levelTag = "INFO:"
    End If

    Open filePath For Append As #handle
    Print #handle, stamp & levelTag & message
    Close #handle

End Function




Public Function ErrorHandller(filePath As String, macro As String)
    ' Writes the current Err description and number, tagged with the macro
    ' name, to the log at filePath as an error entry (type 0), then closes
    ' ThisWorkbook and discards unsaved changes.
    Dim details As String

    With Err
        details = .Description & "  [" & .Number & "] Macro:" & macro
    End With

    LogMessages 0, filePath, details
    ThisWorkbook.Close SaveChanges:=False

End Function


Attribute VB_Name = "getActionFromXML"

'This function read a XML file and get
'VSCode Workspace path and the controller to run in Excel
'@create: Alberto Eduardo
'@Since: 18/04/2020
'@Version: 0.1
'@Return getConfig: Scripting.Dictionary
Public Function getActionFromXML() As Scripting.Dictionary
' Loads live_server.xml from the folder of ThisWorkbook and returns a
' dictionary with the keys WorkspacePath, WorkbookName, State, FolderVBA and
' Command, each taken from the same-named element under a child of an
' <Xvba> node.
' The numbers at the start of the lines below are VBA line-number labels and
' are part of the code.
' Security note: the file is read from the workbook's own directory, so anyone
' able to write there chooses the workspace path and the command that the
' Workbook_Open chain acts on.

1
2  'Declare Config Dictionary
3  Dim ConfigDict As New Scripting.Dictionary
4
5  'Declare XML Object
' Late-bound XML parser; this is the line quoted by the report's CreateObject
' heuristic.
6  Dim xmlObj As Object
7  Set xmlObj = CreateObject("MSXML2.DOMDocument")
8  'Set XML params
' NOTE(review): resolveExternals is not set here and its default depends on the
' MSXML version this ProgID resolves to - confirm, and consider setting it to
' False explicitly so external DTDs/entities are not fetched.
' NOTE(review): the result of Load is not checked; presumably a missing or
' malformed file leaves docNodes empty and the function returns an empty
' dictionary - verify.
9  xmlObj.async = False
10 xmlObj.validateOnParse = False
11 xmlObj.Load (ThisWorkbook.path & "\live_server.xml")
12
13 'Set variable for get document Root Node
14 Dim docNodes As Object
15 'Get Root Node "Xvba"
16 Set docNodes = xmlObj.SelectNodes("//Xvba")
17 'Set variables for parsing document nodes
18 Dim rootNode As Object
19 Dim configNode As Object
20 Dim controllerNode As Object
21
22
' NOTE(review): Add runs once per child node of every <Xvba> element, so a
' document with more than one such child would presumably fail on the second
' pass with a duplicate-key error; a child lacking one of the five elements
' would fail on the .text access - confirm against the expected XML layout.
23 For Each rootNode In docNodes
24   For Each configNode In rootNode.ChildNodes
25    'Get VSCode workspace path
26      ConfigDict.Add "WorkspacePath", configNode.SelectSingleNode("WorkspacePath").text
27      ConfigDict.Add "WorkbookName", configNode.SelectSingleNode("WorkbookName").text
28      ConfigDict.Add "State", configNode.SelectSingleNode("State").text
        ConfigDict.Add "FolderVBA", configNode.SelectSingleNode("FolderVBA").text
29      ConfigDict.Add "Command", configNode.SelectSingleNode("Command").text
32   Next
33 Next
34
35 'Return Config Dictionary Values
36 Set getActionFromXML = ConfigDict
37
38
39
40
End Function
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 83456 bytes
SHA-256: d61a7d0c4bfcca9baa14c0d4c7f9b10050060ccd909f7c2181bc24b1d4498183