Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 33a8481db72deee0…

MALICIOUS

Office (OOXML)

222.6 KB Created: 2006-09-12 15:06:44 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-07-02
MD5: c40f53379cfebfbc7e8de6d39ae9dff6 SHA-1: 59e9d8d1b2af1310e1e0221eee9df4f763bcfc5e SHA-256: 33a8481db72deee013992bac18222ff4b64c0d7914e71267820b879dd77e5329
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel document containing VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The presence of protected worksheets suggests an attempt to hide malicious content. ClamAV detections confirm the malicious nature of the file.

Heuristics 6

  • ClamAV: Xls.Virus.Valyria-10004391-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: /Users/laurent_caillet/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/YVDLIL2O/LS0106 Outil audit systèmes v1
  • Hidden worksheet (veryHidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 6 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 72444 bytes
SHA-256: 941e87159fa5b51aa0a576af283e77e6a0347debdf6aad995971c9a726397d25
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_Open()
Dim wSheet As Worksheet

    'Allows the macros to work on protected sheets:
    shtFormulaireAudit.Protect Password:="Secret", UserInterFaceOnly:=True
    shtSite_Iso9001.Protect Password:="Secret", UserInterFaceOnly:=True
    shtSite_Ohsas18001.Protect Password:="Secret", UserInterFaceOnly:=True
    shtSite_Iso14001.Protect Password:="Secret", UserInterFaceOnly:=True
    shtSite_Iso45001.Protect Password:="Secret", UserInterFaceOnly:=True
    shtTabSynthese.Protect Password:="Secret", UserInterFaceOnly:=True
    shtResultat.Protect Password:="Secret", UserInterFaceOnly:=True
    shtSaisieEffectif.Protect Password:="Secret", UserInterFaceOnly:=True

End Sub


Attribute VB_Name = "shtResultat"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Attribute VB_Name = "modFacteurs"
Option Explicit

Public Enum gTYPE_FACTEUR
    TYPE_FACTEUR_Augmentation = 1
    TYPE_FACTEUR_Reduction = 2
End Enum


Public Function CancelCarPdbFormatFacteur(tbx As Object, intLimite As Integer) As Boolean

    Dim strValeur As String
    strValeur = tbx.Text

    If Len(Trim$(strValeur)) = 0 Then
        'Do nothing
        Exit Function
    End If
        
    If Application.DecimalSeparator = "," Then
        strValeur = Replace(strValeur, ".", Application.DecimalSeparator)
    End If
    
    If Not IsNumeric(strValeur) And Len(Trim$(strValeur)) > 0 Then
        MsgBox "Veuillez saisir une valeur numérique.", vbExclamation, "Valeur incorrecte"
        CancelCarPdbFormatFacteur = True
    Else
        If intLimite < 0 And strValeur > 0 Then
            MsgBox "Veuillez saisir une réduction négative.", vbExclamation, "Réduction incorrecte"
            CancelCarPdbFormatFacteur = True
        ElseIf intLimite > 0 And strValeur < 0 Then
            MsgBox "Veuillez saisir une augmentation positive.", vbExclamation, "Augmentation incorrecte"
            CancelCarPdbFormatFacteur = True
        ElseIf intLimite > 0 And strValeur > intLimite Then
            MsgBox "Veuillez ne pas dépasser la valeur Max. de l'augmentation (" & intLimite & ".)", vbExclamation, "Limite dépassée"
            CancelCarPdbFormatFacteur = True
        ElseIf intLimite < 0 And strValeur < intLimite Then
            MsgBox "Veuillez ne pas dépasser la valeur Max. de la réduction (" & intLimite & ".)", vbExclamation, "Limite dépassée"
            CancelCarPdbFormatFacteur = True
        Else
            CancelCarPdbFormatFacteur = False
        End If
    End If
    
    If CancelCarPdbFormatFacteur = False Then
        tbx.Text = strValeur 'Needed when the decimal point must be changed to a comma
    End If
    
End Function



Attribute VB_Name = "modUtilitaire"
Option Explicit

'Returns True if the value passed as argument is an integer
Public Function IsInteger(varValeur As Variant) As Boolean

    IsInteger = False

    If IsNumeric(varValeur) Then
        IsInteger = CLng(varValeur) = CDbl(varValeur)
    End If

End Function


Public Function SiVide(varValeurNonVide As Variant, varValeurSiVide As Variant) As Variant

    If Len(varValeurNonVide & "") = 0 Then
        SiVide = varValeurSiVide
    Else
        SiVide = varValeurNonVide
    End If

End Function


Public Function SiNumerique(varValeurNonNumerique As Variant, varValeurSiNumerique As Variant) As Variant

    If Not IsNumeric(varValeurNonNumerique) Then
        SiNumerique = varValeurSiNumerique
    Else
        SiNumerique = varValeurNon
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 274944 bytes
SHA-256: dae70ab884a875908daa1a1588331c519a120b450d3a4aaf4665a0056eafb004
Detection
ClamAV: Xls.Virus.Valyria-10004391-0
Obfuscation or payload: unlikely