Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 50e50429d5d8958d…

MALICIOUS

Office (OOXML)

Size: 15.2 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8206c9b1f2c30423bb96c8d74971e0ec
SHA-1: 3d8381b9acc31d2c04f192e5f101eb6067b79bbd
SHA-256: 50e50429d5d8958d2514586c20982eb1c6e7c10e0d30744ca63962a248c76103
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample contains a VBA macro with an Auto_Open subroutine that executes a File_Downloader function. This function constructs the URL "http://192.168.1.106:8080/revshell.exe" and downloads the executable to the temporary directory as "revshell.exe". Subsequently, it executes the downloaded file using Shell(). The document body, in Turkish, instructs the user to enable content to view the document, which is a common lure for macro-enabled malicious documents.

Heuristics (7)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_AUTO (high): Auto_Open macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OOXML_VBA (medium): VBA project inside OOXML
    Document contains a VBA project (VBA macros present).
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://192.168.1.106:8080/revshell.exe

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind          Source                                                           Size
macros.bas          vba-macro     oletools.olevba.extract_macros (decoded VBA source from OOXML)   1368 bytes
  SHA-256: 00256cc6914ad25c51ac21622ceeb04910262f063c433ef16a2d2c8803eac9fe
vbaProject_00.bin   vba-project   OOXML VBA project: xl/vbaProject.bin                             18432 bytes
  SHA-256: 1580a5a12e48a4031e0c1e5e2a17fd02720ada590aa3faa27b560f4931660927