Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4c7295cba76b6ecb…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 25.7 KB
Created: 2021-09-09 09:22:47 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-18
MD5: 0308eb9bd90c76a733612a805a51190b
SHA-1: 57548ac228a325ecc629c71dfd1c147d15879b5a
SHA-256: 4c7295cba76b6ecb842af1b42ee673cb0295eb1eb2d5c4679a5c198630bba094
Risk Score: 298

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1036 Masquerading
  • T1204.002 Malicious File

The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macro downloads a file from an HTTP URL and saves it to disk. The 'Workbook_Open' subroutine and the 'CreateObject' call, along with obfuscated code, suggest an automated execution flow. The macro attempts to download a payload from 'http://127.0.0.1:8000/api/get_hashes', which is then likely executed.

Heuristics (9)

  • VBA project inside OOXML [medium] OOXML_VBA (7 related findings)
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
            aBody = .responseBody
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        With CreateObject("ADODB.Stream")
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
                            .DeleteLines 1, .CountOfLines
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        With CreateObject("ADODB.Stream")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
    Private Sub Workbook_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script:
    GetWorkDir = Environ("Temp") & "\macroav"
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://127.0.0.1:8000/api/get_hashes (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 13317 bytes
    SHA-256: eddbe01b05da73b19cc6818a9845b001754b6c36329060e4646691be43bf0863

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents App As Application
Attribute App.VB_VarHelpID = -1

Private Sub Workbook_Open()
AppEventsInit
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "MacroAV"
' Version 2.6
Public AppEvent As New wbCloser
Const user_feedback As Boolean = False
Const debug_mode As Boolean = False
Const use_cloud As Boolean = False
Const cloud_address As String = "http://127.0.0.1:8000/api/get_hashes"
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtr
Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
Dim HookBytes(0 To 11) As Byte
Dim OriginBytes(0 To 11) As Byte
Dim pFunc As LongPtr
Dim Flag As Boolean
Private Function GetPtr(ByVal Value As LongPtr) As LongPtr
GetPtr = Value
End Function
Private Sub RecoverBytes()
If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 12
End Sub
Private Function Hook() As Boolean
Dim TmpBytes(0 To 11) As Byte
Dim p As LongPtr, osi As Byte
Dim OriginProtect As LongPtr
Hook = False
#If Win64 Then
    osi = 1
#Else
    osi = 0
#End If
pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
If VirtualProtect(ByVal pFunc, 12, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
    MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, osi + 1
    If TmpBytes(osi) <> &HB8 Then
        MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 12
        p = GetPtr(AddressOf MyDialogBoxParam)
        If osi Then HookBytes(0) = &H48
        HookBytes(osi) = &HB8
        osi = osi + 1
        MoveMemory ByVal VarPtr(HookBytes(osi)), ByVal VarPtr(p), 4 * osi
        HookBytes(osi + 4 * osi) = &HFF
        HookBytes(osi + 4 * osi + 1) = &HE0
        MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 12
        Flag = True
        Hook = True
    End If
End If
End Function
Private Function MyDialogBoxParam(ByVal hInstance As LongPtr, _
    ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
    ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
If pTemplateName = 4070 Then
    MyDialogBoxParam = 1
Else
    RecoverBytes
    MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
        hWndParent, lpDialogFunc, dwInitParam)
    Hook
End If
End Function
Sub UnlockVBAProject()
If Hook Then
    MsgBox "VBA Project is unlocked!", vbInformation, "*****"
End If
End Sub
Sub AppEventsInit()
    Set AppEvent.App = Application
End Sub
Private Function VBComponentExists(VBCompName As String, Optional VBProj As VBIDE.VBProject = Nothing) As Boolean
    If debug_mode = 0 Then
        On Error Resume Next
    End If
    Dim VBP As VBIDE.VBProject
    If VBProj Is Nothing Then
        Set VBP = ActiveWorkbook.VBProject
    Else
        Set VBP = VBProj
    End If
    VBComponentExists = CBool(Len(VBP.VBComponents(VBCompName).Name))
End Function
Private Function GetFileBytes(strPath As String) As Byte()
    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .LoadFromFile (strPath)
        GetFileBytes = .Read()
    End With
End Function
Private Function GetWorkDir() As String
GetWorkDir = Environ("Temp") & "\macroav"
End Function
Private Function GetSignaturesDir() As String
GetSignaturesDir = Environ("Temp") & "\macroav\signatures.xml"
End Function
Private Function FileToSHA1Hex(sFileName As String) As String
    On Error GoTo ErrorHandler
    Dim enc
    Dim bytes
    Dim outstr As String
    Dim pos As Integer
    Set enc = CreateObject("System.Security.Cryptography.SHA1CryptoServiceProvider")
    'Convert the string to a byte array and hash it
    bytes = GetFileBytes(sFileName)
    bytes = enc.ComputeHash_2((bytes))
    'Convert the byte array to a hex string
    For pos = 1 To LenB(bytes)
        outstr = outstr & LCase(Right("0" & Hex(AscB(MidB(bytes, pos, 1))), 2))
    Next
    FileToSHA1Hex = outstr 'Returns a 40 byte/character hex string
    Set enc = Nothing
Exit Function
ErrorHandler:
    MsgBox ("MACROAV - An error occurred during hash extraction. This usually means that .NET 3.5 was not succesfully installed. Please enable it by Windows Start Button ==> Type - Turn Windows Features On or Off ==> Enable the checbox for .NET Framework 3.5 ==> Click OK")
    Err.Clear
    Exit Function
End Function
Private Sub create_work_folder()
Dim workfolder_ As String
workfolder_ = GetWorkDir()
If Dir(workfolder_, vbDirectory) = "" Then
    MkDir workfolder_
End If
End Sub
Private Function get_hashes_from_cloud(sURL As String, sPath As String)
    Dim aBody() As Byte
    With CreateObject("MSXML2.XMLHTTP")
        .Open "GET", sURL, False
        .send
        aBody = .responseBody
    End With
    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .Write aBody
        .SaveToFile sPath, 2 ' adSaveCreateOverWrite
        .Close
    End With
End Function
Sub export_hashes()
If debug_mode = 0 Then
    On Error Resume Next
End If
Dim Sheet As Worksheet
Dim I As Integer
I = 2
Set Sheet = ActiveWorkbook.Sheets.Add(After:=ActiveWorkbook.Worksheets(ActiveWorkbook.Worksheets.Count))
Sheet.Name = "Exported Hashes"
Sheet.Range("A1").Value = "Name"
Sheet.Range("B1").Value = "Hash"
Dim VBProj As VBIDE.VBProject
Dim VBComp As VBIDE.VBComponent
Dim CodeMod As VBIDE.CodeModule
Set VBProj = ActiveWorkbook.VBProject
For Each VBComp In VBProj.VBComponents
    Sheet.Range("A" & I).Value = VBComp.Name
    VBComp.Export GetWorkDir() & "\tempfile"
    Hash = FileToSHA1Hex(GetWorkDir() & "\tempfile")
    Sheet.Range("B" & I).Value = Hash
    I = I + 1
Next VBComp
End Sub
Private Function is_this_bad_hash(hash_to_check As String) As Boolean
    Dim objXML As MSXML2.DOMDocument60
    Dim intResult As Integer
    Set objXML = New MSXML2.DOMDocument60
    objXML.async = False
    objXML.validateOnParse = True
    If Not objXML.Load(GetSignaturesDir()) Then
        Err.Raise objXML.parseError.ErrorCode, , objXML.parseError.reason, objXML.parseError.srcText
    End If
    Dim entry_point As IXMLDOMNode
    Set entry_point = objXML
    Dim myNodes As IXMLDOMNodeList
    Dim myElement As IXMLDOMElement
    Dim childNode As IXMLDOMNode
    Dim node As IXMLDOMNode
    Set myNodes = entry_point.SelectNodes("//django-objects/object")
    For Each node In myNodes
    If (StrComp(hash_to_check, node.FirstChild.Text, vbTextCompare) = 0) Then
    is_this_bad_hash = True
    Exit For
    End If
    Next node
End Function
Private Sub DeleteFile(ByVal FileToDelete As String)
   If (Dir(FileToDelete) <> "") Then
      ' First remove readonly attribute, if set
      SetAttr FileToDelete, vbNormal
      ' Then delete the file
      Kill FileToDelete
   End If
End Sub
Private Sub LogInformation(LogMessage As String)
    Dim LogFileName As String
    LogFileName = GetWorkDir() & "\macroav.log"
    Dim FileNum As Integer
    FileNum = FreeFile ' next file number
    Open LogFileName For Append As #FileNum ' creates the file if it doesn't exist
    Print #FileNum, Now, LogMessage ' write information at the end of the text file
    Close #FileNum ' close the file
End Sub
Sub Scan_for_malware()
If debug_mode = 0 Then
    On Error Resume Next
End If
Call create_work_folder
If use_cloud Then
get_hashes_from_cloud cloud_address, GetSignaturesDir()
End If
Dim VBProj As VBIDE.VBProject
Dim VBComp As VBIDE.VBComponent
Dim CodeMod As VBIDE.CodeModule
Dim Hash As String
Dim bad_hash As Boolean
Dim I As Integer

'Kangtang Hashes
KangtangHashes = Array("ED2C44F08ED36175CFAEBC529341061D8D4C01A7", "533358B092E82BDDFC145B7A74470DB8ACDE22CA", "61B75553FBB4E12E506D16E02561674431111A28", "62CA8149A8387B6B99EE420C17DF187B80533558", "612798E6C2A04B9D1E418BBD0C7AC99964ED04C8", "4028808E37AFA9E299358B2D696CCCD180247E20", "75746FA1E6311DBCB28223C66677279BD6F60FCD", "F7BF683AD5FDD2CA2E9FB30059D64720437880D9", "30FF169D0F593F242EFE55C6FFA00C433B17C693", "C8B981FEEC8A8FDCDFAC47EBE2EC0257F75FBB31", "01B48CB5D637C452606E96CE6F6398D4ECECF73E", "b33d87ef0b1d475d2c3bd0984ed08f8ef5494bff", "2bc4f3ddee495291378531e1505efcd562ecb098", "64a67ccaad7094ef2c7d96ea8c1f197e614d4d69", "c89bd60780b4daeb4c33ab594a158ac9d51c2aee", "32f3458371f8d89e744c10611ce2a2a4ac27797a", "d620b0f84643e155b8b6e1352a5c8e4f4bad380a", "fba1d92d34e545bb40a8b48adcde3c9c3ab5187a", "d173133c1cbbf07047ba224e429a3d0c720c2575")

'ToDole Hashes
TodoleHashes = Array("0A452A9D8A2CC0B3BDF69151C6ED1343C3BD4673", "B7003D25B59AF47F30FCC2CA6E57DE64442B02EC", "7B1AF4843E3B5EEE2F674702DA87DCC4F1E6285A", "74c9b7396ec04a2fd63a8c0e586bc7eb5f87fd7f")

'Results.xl Hashes
ResultzHashes = Array("0FD53FC8AE6F66DDC9788C0EE8F644CB1C1EA0A7")


'KING.xls Hashes
KingHashes = Array("bc77ab7e5340d07d2a3d48325f2f44daaf7ce029")
LogInformation ("Scanning workbook " & ActiveWorkbook.Name & " residing in " & ActiveWorkbook.Path)
Set VBProj = ActiveWorkbook.VBProject
For Each VBComp In VBProj.VBComponents
    bad_hash = False
    If Not VBComp Is Nothing Then
        VBComp.Export GetWorkDir() & "\tempfile"
        Hash = FileToSHA1Hex(GetWorkDir() & "\tempfile")
        If VBComp.Name = "ToDOLE" Or VBComp.Name = "ToDole" Then
            If user_feedback Then
                MsgBox ("Found ToDole Module ! Removing it")
            End If
            LogInformation ("Found ToDole Module ! Removing it")
            Workbooks("k4.xls").Close SaveChanges:=False
            DeleteFile (Application.StartupPath & "\k4.xls")
            VBProj.VBComponents.Remove VBComp
        Else
            If use_cloud Then
            bad_hash = is_this_bad_hash(Hash)
            ' Kangtang Malware
            ElseIf Not IsError(Application.Match(Hash, KangtangHashes, 0)) Then
            bad_hash = True
            Workbooks("mypersonnel.xls").Close SaveChanges:=False
            DeleteFile (Application.StartupPath & "\mypersonnel.xls")
            ' ToDole Malware
            ElseIf Not IsError(Application.Match(Hash, TodoleHashes, 0)) Then
            bad_hash = True
            Workbooks("k4.xls").Close SaveChanges:=False
            DeleteFile (Application.StartupPath & "\k4.xls")
            ' Resultz Malware
            ElseIf Not IsError(Application.Match(Hash, ResultzHashes, 0)) Then
            bad_hash = True
            Workbooks("RESULTS.xls").Close SaveChanges:=False
            DeleteFile (Application.StartupPath & "\RESULTS.xls")
            ' KING Malware
            ElseIf Not IsError(Application.Match(Hash, KingHashes, 0)) Then
            bad_hash = True
            Workbooks("KING.xls").Close SaveChanges:=False
            DeleteFile (Application.StartupPath & "\KING.xls")
            End If
            If bad_hash Then
                If user_feedback Then
                    MsgBox ("Found Malicious Macro with Hash - " & Hash & " inside " & VBComp.Name & "! Removing it.")
                End If
                LogInformation ("Found Malicious Macro with Hash - " & Hash & " inside " & VBComp.Name & "! Removing it")
                If VBComp.Type = vbext_ct_StdModule Then
                    VBProj.VBComponents.Remove VBComp
                Else
                    Set CodeMod = VBComp.CodeModule
                    With CodeMod
                        .DeleteLines 1, .CountOfLines
                    End With
                End If
            End If
        End If
    End If
Next VBComp
End Sub


Attribute VB_Name = "wbCloser"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Private Sub App_WorkbookBeforeClose(ByVal wb As Workbook, Cancel As Boolean)
Call Scan_for_malware
End Sub
  • Filename: vbaProject_00.bin
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 36864 bytes
    SHA-256: a5c53ced51fb2be4925cb77f9eb6948fa744c8db651c29f4b0d408f5f76769c0