Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2ef6061005a4dd60…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 95.4 KB
Created: 2006-09-16 00:00:00 UTC (this is the default template timestamp Excel writes into docProps/core.xml for new workbooks, so it does not date the authoring of this file)
Authoring application: Microsoft Excel 15.0300 (AppVersion 15.x is Excel 2013)
First seen: 2021-11-24
MD5: 1f130a1c5e9e93c82c1ee5a1a5645c79
SHA-1: 6cc9e87424872478abf9203e7d233e72e667ac66
SHA-256: 2ef6061005a4dd6031d7cd90dd1f4f5d422ab11542f5a54a6ba18af90eb71dfa
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML workbook carrying a VBA project (xl/vbaProject.bin), which is what the `OOXML_VBA` finding reports. The high-severity findings come from the decoded macro source: it calls `CreateObject` and `GetObject`, and in one place instantiates a COM class through `GetObject("new:{CLSID}")`, naming the class by raw CLSID instead of a ProgID so that rules matching on the ProgID string do not fire. The portion of the source shown in the preview below is plain, readable VBA rather than obfuscated code: workbook and worksheet event handlers that navigate a sheet named "Правила подмены" ("Substitution rules"), plus an HTTP helper class module (author comment: nerv, 2012) whose `newHTML` property returns an `HTMLFile` COM object. The `GetObject("new:{CLSID}")` call is not in the part of the preview reproduced here, so the class it instantiates must be confirmed from the full macros.bas artifact. None of the extracted URLs is referenced from the macro code: `https://instruction.adscreator.ru/rules/?utm_source=Excel_YouTube` is a clickable hyperlink stored as an external relationship, and the tmweb.ru and myjino.ru URLs occur only in cell text. The risk score therefore rests on the COM-instantiation findings in a macro-enabled attachment, a pattern commonly delivered by spearphishing, not on an observed download of a second-stage payload.
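The evasion that the `OLE_VBA_GETOBJECT_CLSID_EVASION` finding describes is easiest to see next to the name-based rule it defeats. The Python below is an added example, not code from the scanner or from the sample: it scans VBA source for `CreateObject("ProgID")` and `GetObject("new:{CLSID}")` calls, maps a CLSID back to a ProgID through a small hand-picked table of well-known classes (on a Windows analysis host the authoritative source is the `ProgID` subkey under `HKCR\CLSID\{...}`), and compares a detector that matches ProgID literals only against one that normalises both forms. The VBA snippet and the watchlist are constructed for the demonstration.

```python
"""Normalise VBA COM instantiation so CLSID and ProgID forms are compared alike.
Added example; the CLSID table, watchlist and VBA snippet are constructed for it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hand-picked, well-known CLSIDs of classes macro malware commonly instantiates.
# Assumption for the example: resolve anything not listed here via the registry
# (HKCR\CLSID\{...}\ProgID) on a Windows analysis host.
CLSID_TO_PROGID: Dict[str, str] = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
    "25336920-03F9-11CF-8FD0-00AA00686F13": "htmlfile",
}

# Constructed watchlist of ProgIDs a name-based rule would look for.
WATCHLIST: Set[str] = {"WScript.Shell", "Shell.Application",
                       "Scripting.FileSystemObject", "MSXML2.XMLHTTP"}

CREATE_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.IGNORECASE)
GETOBJ_RE = re.compile(r'GetObject\s*\(\s*"([^"]+)"', re.IGNORECASE)
# The "new:" moniker, with or without braces around the CLSID.
NEW_CLSID_RE = re.compile(
    r"^new:\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?$", re.IGNORECASE)


@dataclass(frozen=True)
class ObjCall:
    line_no: int
    form: str              # "CreateObject", "GetObject:new" or "GetObject:moniker"
    target: str            # the literal as written: ProgID, CLSID or moniker
    progid: Optional[str]  # normalised ProgID, None when the CLSID is unknown
    by_clsid: bool         # True when the class was named by CLSID (the evasion)


def strip_comment(line: str) -> str:
    """Drop a trailing VBA comment; an apostrophe inside a "..." string is kept."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(src: str) -> List[ObjCall]:
    """Collect every CreateObject/GetObject call whose first argument is a literal."""
    calls: List[ObjCall] = []
    for n, raw in enumerate(src.splitlines(), 1):
        code = strip_comment(raw)
        for m in CREATE_RE.finditer(code):
            calls.append(ObjCall(n, "CreateObject", m.group(1), m.group(1), False))
        for m in GETOBJ_RE.finditer(code):
            arg = m.group(1)
            mm = NEW_CLSID_RE.match(arg)
            if mm:
                clsid = mm.group(1).upper()
                calls.append(ObjCall(n, "GetObject:new", clsid,
                                     CLSID_TO_PROGID.get(clsid), True))
            else:  # e.g. "winmgmts:" or a file moniker: binds to an existing object
                calls.append(ObjCall(n, "GetObject:moniker", arg, None, False))
    return calls


def name_based_hits(src: str, watchlist: Set[str]) -> List[str]:
    """What a rule matching only CreateObject("ProgID") literals reports."""
    hits: Set[str] = set()
    for raw in src.splitlines():
        hits.update(p for p in CREATE_RE.findall(strip_comment(raw)) if p in watchlist)
    return sorted(hits)


def normalised_hits(src: str, watchlist: Set[str]) -> List[str]:
    """Same watchlist, after mapping GetObject("new:{CLSID}") back to a ProgID."""
    return sorted({c.progid for c in scan_vba(src) if c.progid in watchlist})


def clsid_evasions(src: str) -> List[ObjCall]:
    """Calls naming the class by CLSID, the pattern the CLSID-evasion heuristic flags."""
    return [c for c in scan_vba(src) if c.by_clsid]


# Constructed VBA for the demonstration (not the analysed sample's code).
SAMPLE_VBA = r'''Sub Run()
    Dim fso, sh, wmi
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' Set sh = CreateObject("WScript.Shell")   ' commented out, must not count
    Set sh = GetObject("new:{72C24DD5-D70A-438B-8A42-98424B88AFB8}")  ' WScript.Shell by CLSID
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
End Sub
'''

if __name__ == "__main__":
    print("name-based :", name_based_hits(SAMPLE_VBA, WATCHLIST))
    print("normalised :", normalised_hits(SAMPLE_VBA, WATCHLIST))
    for c in clsid_evasions(SAMPLE_VBA):
        print(f"line {c.line_no}: GetObject by CLSID {c.target} -> {c.progid or 'unknown CLSID'}")
```

To apply it to this sample, feed the decoded macros.bas artifact (olevba output) to `scan_vba` and `clsid_evasions`; an unknown CLSID (`progid` of `None`) is itself worth a look, since legitimate code almost never has a reason to hide the class name.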

Heuristics (6)

  • OOXML_VBA (medium; 3 related findings): VBA project inside OOXML
    Document contains a VBA project, i.e. VBA macros are present.
  • OLE_VBA_CREATEOBJ (high): CreateObject call
    The macro source calls CreateObject.
  • OLE_VBA_GETOBJ (high): GetObject call
    The macro source calls GetObject.
  • OLE_VBA_GETOBJECT_CLSID_EVASION (high): VBA instantiates a COM class by raw CLSID
    VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID, an uncommon bypass of name-based macro detection.
  • OOXML_EXTERNAL_HYPERLINKS (low): External hyperlinks (1)
    Document contains 1 external hyperlink; clickable URLs are stored as external relationships in the package's .rels parts, not in the cell text. First target: https://instruction.adscreator.ru/rules/?utm_source=Excel_YouTube
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://instruction.adscreator.ru/rules/?utm_source=Excel_YouTube [document hyperlink]
    • http://cm36971.tmweb.ru/test.txt [in document text (OOXML body / shared strings)]
    • http://cm36971.tmweb.ru [in document text (OOXML body / shared strings)]
    • http://j588921.myjino.ru/test.txt [in document text (OOXML body / shared strings)]
    • http://j588921.myjino.ru [in document text (OOXML body / shared strings)]
    • http://cm36971.tmweb.ru/test.txt$ [in document text (OOXML body / shared strings)]
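The per-URL channel labels come from where in the package each URL was found, and that is what separates a URL the macro can fetch on its own from one that needs a click. The Python below is an added example, not the scanner's code, that reproduces the classification for an .xlsx: hyperlinks stored as external relationships in `_rels` parts, URLs in shared strings or worksheet XML, and, when decoded macro source is supplied (for instance olevba's output), URLs referenced from the macro. The workbook it parses is constructed in memory with placeholder `.invalid` hostnames, and its stub `xl/vbaProject.bin` holds only the OLE magic bytes, enough for the presence check.

```python
"""Classify the URLs in an OOXML workbook by the channel that carries them.
Added example; the workbook and the macro snippet are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")


def extract_urls(xlsx: bytes, decoded_vba: Optional[str] = None) -> Tuple[Dict[str, Set[str]], bool]:
    """Return ({url: {channel labels}}, has_vba_project).

    Channels: 'external relationship: <type> (<part>)' for any Target with
    TargetMode="External" in a .rels part (how clickable hyperlinks are stored),
    'document text (<part>)' for URLs in shared strings or sheet XML, and
    'macro (decoded VBA source)' for URLs in the supplied macro code.
    """
    channels: Dict[str, Set[str]] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        names = z.namelist()
        for name in names:
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{NS_REL}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        channels[rel.get("Target", "")].add(f"external relationship: {kind} ({name})")
            elif name.endswith(".xml"):
                text = " ".join(ET.fromstring(z.read(name)).itertext())
                for url in URL_RE.findall(text):
                    channels[url].add(f"document text ({name})")
        # The VBA project is stored compressed inside an OLE container, so it is
        # only checked for presence here; decode it with olevba before URL-scanning.
        has_vba = "xl/vbaProject.bin" in names
    if decoded_vba:
        for url in URL_RE.findall(decoded_vba):
            channels[url].add("macro (decoded VBA source)")
    return dict(channels), has_vba


def urls_reached_by_macro(channels: Dict[str, Set[str]]) -> Set[str]:
    """URLs the macro code itself references: the only channel that needs no click."""
    return {u for u, labels in channels.items() if any(l.startswith("macro") for l in labels)}


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook: one hyperlink relationship, URLs in shared
    strings and in a HYPERLINK formula, and a stub vbaProject.bin (OLE magic only)."""
    sheet = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheetData><row r="1"><c r="A1" t="s"><v>0</v></c>'
        '<c r="A2"><f>HYPERLINK("http://formula.invalid/x")</f></c></row></sheetData>'
        '<hyperlinks><hyperlink ref="A1" r:id="rId1"/></hyperlinks></worksheet>'
    )
    rels = (
        f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://link.invalid/rules/?utm_source=Excel_YouTube" TargetMode="External"/>'
        '</Relationships>'
    )
    sst = (
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<si><t>Download http://body.invalid/test.txt and http://body.invalid</t></si></sst>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


# Constructed decoded macro source, standing in for olevba's output.
SAMPLE_VBA = 'Set h = CreateObject("MSXML2.XMLHTTP")\nh.Open "GET", "http://macro.invalid/stage2.txt", False'

if __name__ == "__main__":
    found, vba = extract_urls(build_sample_xlsx(), SAMPLE_VBA)
    print("VBA project present:", vba)
    for url, labels in sorted(found.items()):
        print(url, "->", "; ".join(sorted(labels)))
    print("macro-reachable:", sorted(urls_reached_by_macro(found)))
```

Run against a real file with `extract_urls(open(path, "rb").read(), olevba_output)`; for this sample the macro channel would come back empty for all six URLs, which is the observation the per-URL labels above encode.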

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 16788 bytes
SHA-256: 3b96528e2750b368cb19018e53618f26c98897b9fcdb4c8665cd0a610d5b8a6b

Preview of the extracted script (first 1,000 lines; the listing is truncated):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Sync(ByVal SyncEventType As Office.MsoSyncEventType)

End Sub

Private Sub Workbook_WindowActivate(ByVal Wn As Window)
On Error Resume Next
If ActiveSheet.Name = "Правила подмены" Then
        With Worksheets("Правила подмены")
        Dim s
        s = 1895
        Do While .Cells(s, 1) <> ""
            s = s + 1
        Loop
  
       ' Sheets("Правила подмены").Select
        Application.GoTo Worksheets("Правила подмены").Cells(s - 10, 1), True
        Application.GoTo Worksheets("Правила подмены").Cells(s, 1)
  
        End With
        End If
        Call Resize
End Sub


Attribute VB_Name = "wsPP"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Worksheet_Activate()
On Error Resume Next
wsPP.Shapes.Range(Array("MenuPointer")).TextFrame.TextRange.Characters.Text = ""
        With Worksheets("Правила подмены")
        Dim s
        s = 1895
        Do While .Cells(s, 1) <> ""
            s = s + 1
        Loop
  
       ' Sheets("Правила подмены").Select
        Application.GoTo Worksheets("Правила подмены").Cells(s - 10, 1), True
        Application.GoTo Worksheets("Правила подмены").Cells(s, 1)
  
        End With
       Call Resize
 Call MenuPodmen
End Sub

Private Sub Worksheet_Change(ByVal Target As Range)
On Error Resume Next
    If Not Application.Intersect(Range("A:B"), Range(Target.Address)) Is Nothing Then
        Dim i As Integer
        
        For i = 1 To Cells(Worksheets("Правила подмены").Rows.Count, "A").End(xlUp).Row
        If Not Application.Intersect(Range("A" & i), Range(Target.Address)) Is Nothing Then
        Range("L1").Value = Now ' time the substitution rules (ПП) were last changed
        Cells(i, 5) = ""
        Range("B" & i).Activate
        ElseIf Not Application.Intersect(Range("B" & i), Range(Target.Address)) Is Nothing Then
        Range("L1").Value = Now ' time the substitution rules (ПП) were last changed
        Cells(i, 5) = ""
        Range("A" & i + 1).Activate
        End If
        Next
    End If
wsPP.Shapes.Range(Array("MenuPointer")).TextFrame.TextRange.Characters.Text = ""
End Sub








Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "HTTP"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
'============================================
' Author: nerv
' Last Update: 13/08/2012
' E-mail: nerv-net@yandex.ru
'============================================


'---------------------------------------------
' Name: newHTML Method
' Return: The HTML document
' Last Update: 13/08/2012
'---------------------------------------------
Public Property Get newHTML() As Object
    Set newHTML = CreateObject("HTMLFile")
End Property


'---------------------------------------------
' Name: newXML Method
' Retur
... (truncated)
Artifact: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 67072 bytes
SHA-256: be7bab38475f8223520b0e557278e079e14677b99cf3618bc04e5bc3fbaebddf