Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 686a6079def8688d…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 3.55 MB
Created: 2007-12-12 18:55:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-23

MD5: 4408e0e589cd6ab3e9f9abb4b7690dfd
SHA-1: 4f0b5c095aebdb648ec4c40c821c734d5b91b779
SHA-256: 686a6079def8688df0c3e58e1a16546d467524352f916a1abb9ad059635c030e

Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel document containing VBA macros. The macros primarily manipulate row visibility within the spreadsheet, suggesting a potential lure or preparation for a malicious action. The presence of a CreateObject call and an external relationship pointing to a local file path indicates suspicious activity, though no direct payload execution or network communication was observed in the provided script.

Heuristics (4)

  • External relationship (high) OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///C:\Users\Paul\Infinity Control Solutions\Stuart King - Quotes\01 Quotation Info\Distech\EclypseSelection_v1_22.x
  • VBA project inside OOXML (medium, 1 related finding) OOXML_VBA
    Document contains a VBA project; VBA macros are present.
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/2000/svg (OOXML external relationship)
    • http://www.w3.org/1999/xlink (OOXML external relationship)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12474 bytes
SHA-256: 48a749747ac18080d8bdd77bc2fe0d3bfb48ff59d4e7ba2f1c7c7fecfa2314ff
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"

Sub sbCHP()
Rows("3:182").EntireRow.Hidden = True
Rows("211:1000").EntireRow.Hidden = True
End Sub

Sub sbUnHideAll()
Rows("3:1000").EntireRow.Hidden = False
End Sub

Sub sbMetering()
Rows("3:519").EntireRow.Hidden = True
Rows("556:1000").EntireRow.Hidden = True
End Sub

Sub sbFCU()
Rows("3:668").EntireRow.Hidden = True
Rows("709:1000").EntireRow.Hidden = True
End Sub

Sub sbHomePage()
Rows("1:32").EntireRow.Hidden = False
Rows("34:108").EntireRow.Hidden = True
End Sub

Sub sbPriceOverview()
Rows("34:109").EntireRow.Hidden = False
Rows("43:54").EntireRow.Hidden = True
Rows("62:72").EntireRow.Hidden = True
Rows("79:89").EntireRow.Hidden = True
Rows("96:106").EntireRow.Hidden = True
Rows("1:32").EntireRow.Hidden = True
End Sub
Sub sbSummaryController()
Rows("34:109").EntireRow.Hidden = False
Rows("62:72").EntireRow.Hidden = True
Rows("79:89").EntireRow.Hidden = True
Rows("96:106").EntireRow.Hidden = True
Rows("1:32").EntireRow.Hidden = True
End Sub

Sub sbHoneywellFD()
Rows("62:72").EntireRow.Hidden = False
End Sub
Sub sbHoneywellHide()
Rows("55:72").EntireRow.Hidden = True
End Sub

Sub sbDistechFD()
Rows("79:89").EntireRow.Hidden = False
End Sub
Sub sbDistechHide()
Rows("73:89").EntireRow.Hidden = True
End Sub

Sub sbTrendFD()
Rows("96:106").EntireRow.Hidden = False
End Sub
Sub sbTrendHide()
Rows("90:106").EntireRow.Hidden = True
End Sub

Sub sbTaskBreakDownHide()
Rows("43:54").EntireRow.Hidden = True
End Sub
Sub sbTaskBreakDownShow()
Rows("43:54").EntireRow.Hidden = False
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub GetFileNames()
Dim xRow As Long
Dim xDirect$, xFname$, InitialFoldr$
InitialFoldr$ = "C:\"
With Application.FileDialog(msoFileDialogFolderPicker)
.InitialFileName = Application.DefaultFilePath & "\"
.Title = "Please select a folder to list Files from"
.InitialFileName = InitialFoldr$
.Show
If .SelectedItems.Count <> 0 Then
xDirect$ = .SelectedItems(1) & "\"
xFname$ = Dir(xDirect$, 7)
Do While xFname$ <> ""
ActiveCell.Offset(xRow) = xFname$
xRow = xRow + 1
xFname$ = Dir
Loop
End If
End With
End Sub
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub EquipHide()
LastRow = 200 'Let's say you have 500 rows in the data
For i = 15 To LastRow 'Now we loop through each row and check for required criteria
'to hide all the rows with the values as 0 in Column A
If Range("E" & i) = 0 Then Rows(i).EntireRow.Hidden = True
Next
End Sub

Sub EquipUnHideAll()
Rows("1:200").EntireRow.Hidden = False
End Sub

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-000
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 66048 bytes
SHA-256: dca7989fa2fa7f8153e40b0d82d44fc00076d92d2c583b1b290fca6aa0bd40f5
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2660 bytes
SHA-256: 6861e8ecad0087c2410567fb84f735d5d19e6804ee7d8ebc68dd4065cd5ef809
emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image24.emf | 2676 bytes
SHA-256: 19c8a237a9e648c68fd5abac0e5b0c07ac8e0811527405e8f8417a3b359a9304