Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5d0ff139014480fd…

MALICIOUS

Office (OOXML)

128.3 KB Created: 2006-09-13 11:21:51 UTC Authoring application: Microsoft Excel 12.0000
MD5: ec71195768c47feb33672a24f140880c SHA-1: 8f420a55dea84e8f90f0f9423c6778c48f3288f2 SHA-256: 5d0ff139014480fd4913616f15e6d7ff2a1f03b8ef950cd8ffd06be0e0213c22
244 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a Workbook_Open VBA macro that utilizes the Shell function to execute external code. This macro is designed to prompt the user to download a tool from a provided Baidu link, likely a secondary payload. The presence of the Shell() call and the Workbook_Open auto-execution strongly suggests a malicious intent to download and run additional malware.

Heuristics 8

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/vbaProjectSignature.bin)
  • VBA project is signed but not by a recognised publisher info VBA_SIGNED_UNTRUSTED
    The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.wujip.com
    • http://ipxigua.com
    • http://127.0.0.1:8008/SmWeb.html
    • http://bbs.������.com
    • http://www.NewXing.com
    • http://ipxigua.com������������������������������
    • http://www.wujip.com0
    • http://www.wujip.com�
    • http://bbs.����.com
    • http://127.0.0.1:8008/SmWeb.html�
    • http://www.wujip.com���
    • http://www.NewXing.com�
    • http://ipxigua.com������������
    • http://www.wujip.comX
    • http://pan.baidu.com/s/1dESHf8X
    • http://www.w3school.com.cn/jsref/dom_obj_event.asp
    • http://pan.baidu.com/s/1dESHf8X------�

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
e613e2325491c6850a0a618045a493b8d21f99ebe18a279010d6865486084088		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 97992 bytes
vbaProject_00.bin
a73ec76249e4171dde12e9343fc6b176d5adcfbb8e4be2bd322fba5ed90197a3		 vba-project OOXML VBA project: xl/vbaProject.bin 263680 bytes
vbaProject_01.bin
976c0cb5d8991ac36622a347931de7e3a0a06c19cf08459a4c3b567c5eb9cb81		 vba-project OOXML VBA project: xl/vbaProjectSignature.bin 1892 bytes
emf_00.emf
3e520dcb921ed07a30301a1f34c5c410d86efd8bacd793a877c18168aa178de1		 ooxml-emf OOXML EMF part: xl/media/image8.emf 1572 bytes
emf_01.emf
3609620490d6d87d96e4ec20612c76ff88065d276cba5f935c06f248fdf6e52b		 ooxml-emf OOXML EMF part: xl/media/image7.emf 2648 bytes
emf_02.emf
63d83c41d07523ac6b7c8ac58e482914df9d600b7ed63f601238ce01684d3105		 ooxml-emf OOXML EMF part: xl/media/image6.emf 2648 bytes
emf_03.emf
d5aadb7d640836d2d9afe088311790d76a3e88b24e6a3204412559f5f731c19f		 ooxml-emf OOXML EMF part: xl/media/image5.emf 2672 bytes
emf_04.emf
e80962aff95efdda2fb9c85b4010bb712ad010081b4498b7194dfdb186c73d1b		 ooxml-emf OOXML EMF part: xl/media/image2.emf 2648 bytes
emf_05.emf
59281b252736472d8b2cf81287cfe70b3c2798e3a047c1dedf445930b36fd7bc		 ooxml-emf OOXML EMF part: xl/media/image3.emf 2648 bytes
emf_06.emf
6e602f205cb73b1e9990f10004b7e9f304d18d9180d32f9fc09a0e4aacc923c5		 ooxml-emf OOXML EMF part: xl/media/image4.emf 1788 bytes
emf_07.emf
62a6a7ed6f1cb3968354a09ae21f8572fc978f4197aa3dcbc3d11364f8b02571		 ooxml-emf OOXML EMF part: xl/media/image1.emf 2672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.