Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2e15eaf90fe9cbfc…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 198.5 KB
Created: 2019-07-10 05:39:14 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-20
MD5: 20c15691dfb91899cddd05ccec36a885
SHA-1: c402e88b3f3c6fccd0049d8d16b743e0f56cdc3d
SHA-256: 2e15eaf90fe9cbfc7fe6182b708a7ea43eb21b42cc3554dd464c4b94b796a2b0
Risk score: 120

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This Excel document contains a Workbook_Open macro that is designed to execute code upon opening. The macro likely attempts to download and execute a second-stage payload, as indicated by the presence of external hyperlinks and embedded artifacts. The macro's functionality includes referencing 'scrrun.dll' and attempting to read files from a network path, suggesting an attempt to establish a foothold or download further malicious content.

Heuristics (8)

  • VBA project inside OOXML [medium; OOXML_VBA; 1 related finding]
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro [high; OLE_VBA_WBOPEN]
    Workbook_Open macro
  • Remote image (web beacon / tracking pixel) [medium; OOXML_IMAGE_BEACON]
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship [medium; OOXML_EXTERNAL_REL]
    External target in xl/drawings/_rels/drawing1.xml.rels: https://bekaert.sharepoint.com/sites/BPR/Prod_Group/Concrete_Reinf/Packaging/Unit Label_4D8060BGP_60x20_Czech.png
  • External hyperlinks (4) [low; OOXML_EXTERNAL_HYPERLINKS]
    Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://pdf2png.com/
  • Hidden worksheet (hidden) [low; OOXML_HIDDEN_SHEET]
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL [channel]:
    • https://pdf2png.com/ [Document hyperlink]
    • http://strokescribe.com/en/ECI.html [In document text (OOXML body / shared strings)]
    • https://bekaert.sharepoint.com/sites/BPR/Prod_Group/Concrete_Reinf/Packaging/Unit%20Label_4D8060BGP_60x20_Czech.png [In document text (OOXML body / shared strings)]
    • https://bekaert.sharepoint.com/sites/BPR/Prod_Group/Concrete_Reinf/Packaging/ [OOXML external relationship]
    • https://bekaert.sharepoint.com/sites/BPR/Prod_Group/Concrete_Reinf/Packaging/Unit [Document hyperlink]
    • https://bekaert.sharepoint.com/ [OOXML external relationship]
    • https://bekaert.sharepoint.com/sites/BPR/Prod_Group/Concrete_Reinf/Packaging/Unit%20Label_203_3D4530GG_60%20x%2020_Czech%20Republic.PDF [In document text (OOXML body / shared strings)]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 111027 bytes
SHA-256: 91687e7a44dd27f48123f83e7ae2b1f49b4e499d8be66571de4eaa3f4a815a4f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Option Explicit

Public NextArea() As Variant

Sub Create()
    EnableReference
    CreateList
End Sub
Private Sub EnableReference()
    On Error Resume Next
    ThisWorkbook.VBProject.References.AddFromFile "C:\Windows\system32\scrrun.dll"
    On Error GoTo 0
End Sub
Function GetURL(cell As Range, Optional default_value As Variant)
    'Lists the Hyperlink Address for a Given Cell
    'If cell does not contain a hyperlink, return default_value
    If (cell.Range("A1").Hyperlinks.Count <> 1) Then
        GetURL = default_value
    Else
        GetURL = cell.Range("A1").Hyperlinks(1).Address & "" & cell.Range("A1").Hyperlinks(1).SubAddress
    End If
End Function
Public Sub ReadFileList()
    Dim bkp As String
    Dim FileArray() As Variant
    Dim FileCount As Integer
    Dim fileName As String
    Dim Idx As Integer
    Dim Rng As Range
    
    bkp = "\\bekaert.sharepoint.com\sites\BPR\Prod_Group\Concrete_Reinf\Packaging\Dramix\"
    If bkp <> "" Then
        FileCount = 0
        fileName = Dir(bkp)
        Do While fileName <> ""
            Debug.Print fileName
            FileCount = FileCount + 1
            ReDim Preserve FileArray(1 To FileCount)
            FileArray(FileCount) = fileName
            fileName = Dir()
        Loop
    End If
End Sub
Sub DeleteAllShapes()
    'PURPOSE: Remove All Shape Objects From The Active Worksheet (Excludes Charts/Comments)
    'SOURCE: www.TheSpreadsheetGuru.com/the-code-vault
    Dim shp As Shape
    
    For Each shp In ActiveSheet.Shapes
      If shp.Type = msoLinkedPicture Then shp.Delete
    Next shp
End Sub
Sub SaveText()
    Dim fileName As String
    Dim lineText As String
    Dim myrng As Range
    Dim I As Variant
    Dim J As Variant
    
    fileName = ThisWorkbook.Path & "\LastPrinted.txt"
    Open fileName For Output As #1
    Set myrng = Range("LastPrintedValue")
    For I = 1 To myrng.Rows.Count
        For J = 1 To myrng.Columns.Count
            lineText = IIf(J = 1, "", lineText & ",") & myrng.Cells(I, J)
        Next J
        Print #1, lineText
    Next I
    Close #1
End Sub
Sub ReadText()
    Dim fileName As String
    Dim textData As String
    Dim fileNo As Integer
    
    fileName = ThisWorkbook.Path & "\LastPrinted.txt"
    fileNo = FreeFile 'Get first free file number
    Open fileName For Input As #fileNo
    textData = Input$(LOF(fileNo), fileNo)
    Close #fileNo
    Sheets("Main").Range("LastPrintedValue") = textData
End Sub
Sub FormShow()
    Aktualizace
    UsfDramixMesLabelPrinting.Show
End Sub
Sub Print_Selected_Sheets()
    Application.ScreenUpdating = False
    ShtMain.PrintOut , , 1
    Application.ScreenUpdating = True
End Sub
Sub ChangeLocalyNumberPrintedOld()
    Dim Sap As String
    Dim WS As Worksheet
    Dim lcArea() As Variant
    Dim I As Long
    Dim lnRow As Long
    Dim Prefix As Integer
    Dim LocalyLastPrinted As Variant
    Dim lcLocalyLastPrinted As String
    Dim lcNul As String
    
    Application.Calculation = xlAutomatic
    Prefix = "100"
    LocalyLastPrinted = "00000000001"
    Sap = ShtMain.Range("Material")
    Set WS = ThisWorkbook.Worksheets("Tables")
    With WS
        I = .Cells(.Rows.Count, 7).End(xlUp).Row - 1
        If I > 0 Then lcArea = .Cells(2, 7).Resize(I, 9).Value
    End With
    For I = LBound(lcArea) To UBound(lcArea)
        If lcArea(I, 1) = Sap Then
            lnRow = I
            Prefix = lcArea(I, 2)
            LocalyLastPrinted = lcArea(I, 3)
            LocalyLastPrinted = LocalyLastPrinted + 1
            Select Case LocalyLastPrinted
                Case Is < 10: lcNul = "0000000000"
                Case Is < 100: lcNul = "000000000"
                Case Is < 1000: lcNul = "00000000"
                Case Is < 10000: lcNul = "0000000"
                Case Is < 100000: lcNul = "000000"
                Case Is < 1000000: lcNul = "00000"
                Case Is < 10000000: lcNul = "0000"
                Case Is < 100000000: lcNul
... (truncated)
Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 385536 bytes
SHA-256: dacdcc2762483a050998947c82080b44983c32845a3c855645167744efd65207
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 7 long base64-like blob(s).