Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4aa0c51f3efe2675…

MALICIOUS

Office (OOXML)

27.7 KB Created: 2016-11-30 07:07:35 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-10-16
MD5: abf911c572dbe1def093748a30ef74c2 SHA-1: b532950c133cb39d9c3ae9280d2fbe4b4280cc77 SHA-256: 4aa0c51f3efe26757c632a9c7728aecb78d899716134eb29106dab62fdeb0998
268 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The OOXML document contains a Workbook_Open VBA macro that utilizes WScript.Shell and cmd.exe to execute arbitrary code. This macro is designed to download and execute a second-stage payload, as indicated by the critical OLE_VBA_SHELL and OLE_VBA_WSCRIPT heuristic firings. The VBA code is obfuscated and truncated, preventing a full analysis of its actions, but the intent to execute external code is clear.

Heuristics 7

  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        log "C:\WINDOWS\prelog.log", "启动..."
        Shell "taskkill /f /im presdisp.exe", vbHide
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    'Set yx = CreateObject("WScript.Shell")
    'yx.Run "D:\急诊药房发药20160615\提示修改配方人.xlsm", vbHide
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    'Set yx = CreateObject("WScript.Shell")
    'yx.Run "D:\急诊药房发药20160615\提示修改配方人.xlsm", vbHide
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
                '运行发药系统,运行发药系统,直接运行presdisp.exe不会一起运行合理用药系统,vbhide运行,不然会出现黑框
                Shell "cmd /c" & PathName & "\pres.lnk" & "&&taskkill /f /im cmd.exe", vbHide
                log "C:\WINDOWS\prelog.log", "使用默认配方人配置--彩蛋"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
        'Application.DisplayFullScreen = True

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7665 bytes
SHA-256: f6a9fec87896329f1c8ee1bbb1eea17b742fc6fc0382b1ccbaeb6964c897f5a6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    'Application.DisplayFullScreen = True
    Call show
    Call test
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Private Sub CommandButton1_Click()
    'Call xlen
    Call info
End Sub

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "模块1"
Option Explicit

Dim Peifangren
Dim PathName As String
Dim PrescriptPath As String

Public Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" _
(ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal ReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long


Public Declare Function WritePrivateProfileString Lib "kernel32" Alias "WritePrivateProfileStringA" _
(ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpString As Any, ByVal lpFileName As String) As Long

Public Const MAXCOUNT As Long = 256

Public Function ReadStringFromIni(ByVal FileName As String, ByVal Section As String, ByVal Key As String) As String
    Dim x As Long
    Dim xBuff As String * MAXCOUNT
    GetPrivateProfileString Section, Key, "", xBuff, MAXCOUNT, FileName
    x = InStr(xBuff, Chr(0))
    ReadStringFromIni = Trim(Left(xBuff, x - 1))
End Function

Public Sub WriteStringToIni(ByVal FileName As String, ByVal Section As String, ByVal Key As String, ByVal Value As String)
    Dim xBuff As String * MAXCOUNT
    xBuff = Value + Chr(0)
    WritePrivateProfileString Section, Key, xBuff, FileName
End Sub

Function IsFileExists(ByVal strFileName As String) As Boolean
    '判断文件或目录是否存在
    If Dir(strFileName, 16) <> Empty Then
        IsFileExists = True
    Else
        IsFileExists = False
    End If
    
End Function



Function isPureHanzi(ByVal Str As String) As Boolean
'判断字符患是否为纯汉字

    Dim i As Integer
    Dim SigleChar As String
    
    isPureHanzi = True
    
    For i = 1 To Len(Str)
        SigleChar = Mid(Str, i, 1)
        
        If (LenB(StrConv(SigleChar, vbFromUnicode)) Mod 2) = 1 Then
            'MsgBox SigleChar
            isPureHanzi = False
            Exit For
        End If
    Next i
    
End Function

Function log(ByVal FilePath As String, ByVal Str As String)
    '日志
    'Open FilePath For Input As #100
    'Close #100
    
    Open FilePath For Append As #100
        Print #100, Date & " " & Time & " **** "; Str
    Close #100
End Function



Sub test()
    log "C:\WINDOWS\prelog.log", "启动..."
    Shell "taskkill /f /im presdisp.exe", vbHide
    
    
    PathName = Application.ThisWorkbook.Path '把本excel文件放在发药系统同一目录,在桌面建立本文件的快捷方式即可

If IsFileExists(PathName & "\presdisp.ini") And IsFileExists(PathName & "\presdisp.exe") Then
        
        
        MsgBox "当前配药人是:" & ReadStringFromIni(PathName & "\presdisp.ini", "DEPARTMENT", "drug_maker_str"), vbOKOnly, "急诊药房-power by vba"
        
coin:
        Peifangren = Application.InputBox("请输入配药人姓名(中文):", "急诊药房发药系统-配药人信息", "")
        
        If Peifangren = "/d" Then '输入命令"/d"则默认不更改配方人
            '运行发药系统,运行发药系统,直接运行presdisp.exe不会一起运行合理用药系统,vbhide运行,不然会出现黑框
            Shell "cmd /c" & PathName & "\pres.lnk" & "&&taskkill /f /im cmd.exe", vbHide
            log "C:\WINDOWS\prelog.log", "使用默认配方人配置--彩蛋"
            Application.Quit
        Else
            If Peifangren = "" Then
                MsgBox "配药人姓名不能为空!", vbCritical, "急诊药房提醒您!"
                log "C:\WINDOWS\prelog.log", "姓名为空"
                GoTo coin
            Else
                If Peifangren = "False" Then
                    MsgBox "必须输入配药人姓名,不能取消!", vbCritical, "急诊药房提醒您!"
                    log "C:\WINDOWS\prelog.log", "取消动作"
                    GoTo coin
                Else
                    If isPureHanzi(Peifangren) = False Then
                        MsgBox "请输入正确的配药人姓名且必须为中文", vbCritical, "急诊药房提醒您!"
                        log "C:\WINDOWS\prelog.log", "输入带有半角字符XXX " & Peifangren & " XXX"
                        GoTo coin
                    Else
                        If LenB(StrConv(Peifangren, vbFromUnicode)) < 4 Or LenB(StrConv(Peifangren, vbFromUnicode)) > 6 Then
                            MsgBox "配药人姓名字数错误!", vbCritical, "急诊药房提醒您!"
                            log "C:\WINDOWS\prelog.log", "配方人字数不对"
                            GoTo coin
                        End If
                    End If
                End If
            End If
            
            Call WriteStringToIni(PathName & "\presdisp.ini", "DEPARTMENT", "drug_maker_str", Peifangren & ";")
            '运行发药系统,运行发药系统,直接运行presdisp.exe不会一起运行合理用药系统,vbhide运行,不然会出现黑框
            Shell "cmd /c" & PathName & "\pres.lnk" & "&&taskkill /f /im cmd.exe", vbHide
            log "C:\WINDOWS\prelog.log", "+++成功更改配方人姓名为[" & Peifangren & "]并运行"
            Application.Quit
        End If
Else
    MsgBox "本Excel文件不在发药系统目录下," & Chr(13) & "请移至发药系统目录下才可使用!", vbOKOnly, "急诊药房提醒您!"
    log "C:\WINDOWS\prelog.log", "不在发药系统目录下运行"
    Application.Quit
End If
    
End Sub

Sub show()
    Application.Visible = False
End Sub


'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'Rem Hide Run File
'Rem for presdisp.exe create lnk "pres.lnk" at directory
'建立vbs文件隐藏excel程序启动过程

'Set yx = CreateObject("WScript.Shell")
'yx.Run "D:\急诊药房发药20160615\提示修改配方人.xlsm", vbHide
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub xlen() 'test sub
    Dim i
    Dim a As Long
    i = Asc(Mid("agb", 2, 1))
    For a = 1 To 5
     MsgBox a
    Next
    
End Sub



Sub info()  'test sub
Dim i As String
i = "a在df"
MsgBox StrPtr(i)
 'MsgBox isPureHanzi("方是a")
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 40448 bytes
SHA-256: 144e4f48470dce0b3d97a1b8b1b5fccbb5d997f3c1028fe2bed1232f3ed474d1
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 2684 bytes
SHA-256: 270b02e7e2ea6b5a4f66f9181561204112794729a062f03afb34a0b080f6d65e