Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 647cf62e6ce89a10…

MALICIOUS

Office (OOXML)

Size: 26.92 MB
Created: 2021-03-16 17:21:41 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-26
MD5: 7194d1d8e82f25b6c056a374cd29445c
SHA-1: f156122b540620a982ed93ffa42f7cd67cd6d9c5
SHA-256: 647cf62e6ce89a10fda49663e306708d8fc420693078905b36c6a040c526e70a
Risk Score: 214

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains a VBA macro with an Auto_Open subroutine, which is a common technique for executing malicious code upon opening an Office document. The macro attempts to open a remote Excel file and copy its content, indicating a likely downloader or dropper functionality. The presence of embedded OLE objects and ClamAV detection further supports its malicious nature.

Heuristics (8)

  • [critical] ClamAV: Xls.Virus.Valyria-10004391-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
  • [medium] VBA project inside OOXML (OOXML_VBA; 1 related finding)
    Document contains a VBA project: VBA macros present
  • [high] Auto_Open macro (OLE_VBA_AUTO)
    Auto_Open macro
  • [medium] Embedded OLE object (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • [low] Hidden worksheet (veryHidden, hidden) (OOXML_HIDDEN_SHEET)
    Excel workbook contains 2 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • [info] Payload URL recovered from embedded OLE object (3 URLs) (OOXML_EMBEDDED_OBJECT_URL)
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream, stored literally (incl. UTF-16) or base64-encoded, which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • [info] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://secure-web.cisco.com/1kEfSbdahD8fj64KAjlcCyw31gRyDxI4QaP20gy_ZWP_QZDzJUqo6Hl8_qI8PETI-FJPTFvlraP7_s9mgq-gNqZT2cNhNdJoa4DnAFPhvwjhUXfZasqiHGhCks7T_qfofSFh-LdkQGLI2w6m3BLZ9MomdPb-BiV3elwYrQiPFzRIwTvnP4C3P26Xp3DSinK0cx2pHlcNB6dpo21FHGn_V39V81GC7T8dMZ7U-NQRWYKWR2QSMsFfVbIw1maqdp9CgzNK0wGePPeKSVimatFBdjUJVoqe1TpC818vYFQn4Q0SC-N_nkjxZWcskmzAex2z2CSEM_XxQDH9j4wLCGtfNFg/http%3A%2F%2Fwww.vodacom.co.za%2F [In document text (OOXML body / shared strings)]
    • http://schema.microsoft.com [In document text (OOXML body / shared strings)]
    • http://schema.org [In document text (OOXML body / shared strings)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OOXML body / shared strings)]
    • http://ns.adobe.com/xap/1.0/ [In document text (OOXML body / shared strings)]
    • http://ns.adobe.com/pdf/1.3/ [In document text (OOXML body / shared strings)]
    • http://purl.org/dc/elements/1.1/ [In document text (OOXML body / shared strings)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OOXML body / shared strings)]

Extracted artifacts (18)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5193 bytes
SHA-256: c18f48dae3b6c9c4ec0018d4e20044e502e2f7c1dc92ed3887ee904d585230dc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub Insert_cover_page()

Workbooks.Open "C:\Users\llingenfelder\Desktop\Clients\Vodacom\Clean Copy of Welkom VS Mar19 _Feb20.xlsb.xlsx"

Workbooks("Clean Copy of Welkom VS Mar19 _Feb20.xlsb.xlsx").Sheets("Cover Page").Range("A1:Z100").Copy ThisWorkbook.Sheets("Cover Page").Range("A1")

Workbooks("Clean Copy of Welkom VS Mar19 _Feb20.xlsb.xlsx").Close

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP1, 1, 0, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"

Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP10, 98, 1, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP9, 97, 2, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP8, 96, 3, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP7, 95, 4, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP6, 94, 5, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP5, 90, 6, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP4, 93, 7, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP3, 99, 8, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPapersCPP2, 100, 9, DeloitteDAEMSClientUIWorkingPapersCPPLib, DeloitteDAEMSClientUIWorkingPapersCPP"
Attribute VB_Control = "DeloitteDAEMSClientUIWorkingPaper
... (truncated)
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject3.bin | 3353600 bytes
SHA-256: 2e74947be5ee3bf0a572c09a8b852c16dc2dfc0af6798b1ef8cfeeffec7257c3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.82, consistent with packed or encrypted content.
ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 179200 bytes
SHA-256: 74e3f759a3c4d578ce8ac304dfe595978659546af118428208101a3a5d615549
ooxml_oleobject_01_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 175546 bytes
SHA-256: f3f70c907048533cadf97c4928903629a13786b19e8752dd5b22c09e80f25a41
ooxml_oleobject_02.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject2.bin | 1960448 bytes
SHA-256: c864c07ba934f73759aec96239675b13a47c69e5f731549f950520f78c472b71
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 43008 bytes
SHA-256: c3d9c1a9288641364ac769e2e996e7432063a1c5617760dd3dfdee2e8dcd6dd8
Detection
ClamAV: Xls.Virus.Valyria-10004391-0
Obfuscation or payload: unlikely
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2484 bytes
SHA-256: d1c4a85e334aba5e0511996347dce356bfdac725472922b8ba125bede6940bf4
emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image6.emf | 5340 bytes
SHA-256: 4dbe07cd4c5c63d83de984dab8fed50573aa5c97baf4a7c0c4b669bad19d759e
emf_02.emf | ooxml-emf | OOXML EMF part: xl/media/image7.emf | 8496 bytes
SHA-256: 28798b77cd2afe8cfd306b19ecc218d7bf2b508bfea212588c62e2a0bff9a92a
emf_03.emf | ooxml-emf | OOXML EMF part: xl/media/image8.emf | 8372 bytes
SHA-256: 2492914091c6a669a891d2f74adc644575992c756ef03350fb5c393bb1e56314
emf_04.emf | ooxml-emf | OOXML EMF part: xl/media/image9.emf | 2484 bytes
SHA-256: d15ff0cd4a202fe35fd4ca208c301cddf2be8cc3c90d0cf3740be30e3710c047
emf_05.emf | ooxml-emf | OOXML EMF part: xl/media/image10.emf | 2484 bytes
SHA-256: 76039f0bce5546406d7a7a6287b8ec4acd3606391045dc89272d7d785ba80d01
emf_06.emf | ooxml-emf | OOXML EMF part: xl/media/image11.emf | 2484 bytes
SHA-256: a2bd2000d9971507216fb178282558d3bf0147ed0f1c2c0d4c0c2dadd48c1905
emf_07.emf | ooxml-emf | OOXML EMF part: xl/media/image12.emf | 3804 bytes
SHA-256: a11d1e385429d9ff3a10d58c9831e1bf1dc138e3c48298a82d347a9888a3f548
emf_08.emf | ooxml-emf | OOXML EMF part: xl/media/image13.emf | 1948 bytes
SHA-256: ec89d379edb57017e18a9171ed262afec2313dd0dc5501e73fa100dbb6e2d95d
emf_09.emf | ooxml-emf | OOXML EMF part: xl/media/image14.emf | 1948 bytes
SHA-256: 6aa529b57f200dca177274780b2dbca786bf1c35f8d9daea99a0dd0db7b21c07
emf_10.emf | ooxml-emf | OOXML EMF part: xl/media/image15.emf | 1948 bytes
SHA-256: f3dd2c180d07c1c93f0a1623abcd8cab4049bc8acf57a929e9919ccc2e57ce7b
emf_11.emf | ooxml-emf | OOXML EMF part: xl/media/image16.emf | 2484 bytes
SHA-256: 986299b2901fceaec5f05735a6311a9b53c245369fb02fe2a033fbddcf272c41