Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6c6ce61ae45e10c0…

MALICIOUS

Office (OOXML)

Size: 618.2 KB | Created: 2015-06-05 18:17:20 UTC | Authoring application: Microsoft Excel 16.0300 | First seen: 2021-10-23
MD5: 319435f01eed36b3cbeceeb821f8a7fa
SHA-1: 5e9985cadea10987f8ee3354bf59f42b6b0b68b9
SHA-256: 6c6ce61ae45e10c072985e02ff4de15df60fa2871d084ffb4fa395bd037fc10c
Risk Score: 238

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains a Workbook_Open macro that executes a PowerShell script. The script's name suggests it's designed to download content, potentially a second-stage payload. The document body, while appearing to be a technical guide for web scraping using Wget, contains embedded URLs and references that are likely part of the lure. The presence of Shell() and PowerShell references in the VBA code strongly indicates malicious intent.

Heuristics 8

  • VBA project inside OOXML medium 4 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        inputDataPath = folderPath & "\input"
        retval = Shell("powershell -ExecutionPolicy Bypass  " & batchName & " " & nowtime & """ -Env """ & Env & """ -inputPath """ & inputDataPath & """ -outputPath """ & outputPath & """", vbNormalNoFocus)
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        inputDataPath = folderPath & "\input"
        retval = Shell("powershell -ExecutionPolicy Bypass  " & batchName & " " & nowtime & """ -Env """ & Env & """ -inputPath """ & inputDataPath & """ -outputPath """ & outputPath & """", vbNormalNoFocus)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
        With Sheet3.ComboBox1
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://www.gnu.org/software/wget/
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pt2ph.rnn.raftel (in document text: OOXML body / shared strings)
    • http://pt3ph.rnn.raftel (in document text: OOXML body / shared strings)
    • http://siph.rnn.raftel (in document text: OOXML body / shared strings)
    • http://si2ph.rnn.raftel (in document text: OOXML body / shared strings)
    • http://ptphcc.rnn.raftel (in document text: OOXML body / shared strings)
    • http://pt2phcc.rnn.raftel (in document text: OOXML body / shared strings)
    • http://pt3phcc.rnn.raftel (in document text: OOXML body / shared strings)
    • http://siphcc.rnn.raftel (in document text: OOXML body / shared strings)
    • http://si2phcc.rnn.raftel (in document text: OOXML body / shared strings)
    • http://rtphcc.rnn.raftel (in document text: OOXML body / shared strings)
    • http://ptphcm.rnn.raftel (in document text: OOXML body / shared strings)
    • http://pt2phcm.rnn.raftel (in document text: OOXML body / shared strings)
    • http://pt3phcm.rnn.raftel (in document text: OOXML body / shared strings)
    • http://siphcm.rnn.raftel (in document text: OOXML body / shared strings)
    • http://si2phcm.rnn.raftel (in document text: OOXML body / shared strings)
    • http://rtphcm.rnn.raftel (in document text: OOXML body / shared strings)
    • https://www.gnu.org/software/wget/ (document hyperlink)
    • https://next.rikunabi.com (in document text: OOXML body / shared strings)
    • http://ptph.rnn.x.recruit.co.jp (in document text: OOXML body / shared strings)
    • http://rtph.rnn.x.recruit.co.jp (in document text: OOXML body / shared strings)
    • https://saiyo.rikunabi.com (in document text: OOXML body / shared strings)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5039 bytes
SHA-256: 814e55e9c10fc76640a7cc651b820360d4360dfe7e75251cb7edd0dfbed7cec5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CheckBox1, 11, 2, MSForms, CheckBox"
Attribute VB_Control = "CommandButton4, 1, 3, MSForms, CommandButton"
Attribute VB_Control = "ComboBox1, 3, 4, MSForms, ComboBox"
Attribute VB_Control = "ComboBox2, 4, 5, MSForms, ComboBox"



Private Sub CommandButton4_Click()
 
    Dim Screen As String
    Dim Env As String
    Dim SourceFolder As String
    Dim pathFileHtml As String
    Dim SubSystem As String
    Dim batchName As String
    Dim folderPath As String
    Dim outputPath As String
    Dim inputDataPath As String
    Dim nowtime As String
    
    SubSystem = ComboBox1.Value
    EnvSelect = ComboBox2.Value
    isWget = CheckBox1.Value

    
    Dim fso As New FileSystemObject
    Dim fileName As String
    
    If (isWget) Then
        batchName = "saveScreenLocal_wget.ps1"
    Else
        batchName = "saveScreenLocalmMulti_PH.ps1"
    End If

    
       
    If (SubSystem = "個人") Then
        If (EnvSelect = "商用") Then
            Env = "https://next.rikunabi.com"
        ElseIf (EnvSelect = "PT") Then
            Env = "http://ptph.rnn.x.recruit.co.jp"
        ElseIf (EnvSelect = "PT2") Then
            Env = "http://pt2ph.rnn.raftel"
        ElseIf (EnvSelect = "PT3") Then
            Env = "http://pt3ph.rnn.raftel"
        ElseIf (EnvSelect = "SI") Then
            Env = "http://siph.rnn.raftel"
        ElseIf (EnvSelect = "SI2") Then
            Env = "http://si2ph.rnn.raftel"
        ElseIf (EnvSelect = "RT") Then
            Env = "http://rtph.rnn.x.recruit.co.jp"
        End If
    ElseIf (SubSystem = "企業") Then
        If (EnvSelect = "商用") Then
            Env = "https://saiyo.rikunabi.com"
        ElseIf (EnvSelect = "PT") Then
            Env = "http://ptphcc.rnn.raftel"
        ElseIf (EnvSelect = "PT2") Then
            Env = "http://pt2phcc.rnn.raftel"
        ElseIf (EnvSelect = "PT3") Then
            Env = "http://pt3phcc.rnn.raftel"
        ElseIf (EnvSelect = "SI") Then
            Env = "http://siphcc.rnn.raftel"
        ElseIf (EnvSelect = "SI2") Then
            Env = "http://si2phcc.rnn.raftel"
        ElseIf (EnvSelect = "RT") Then
            Env = "http://rtphcc.rnn.raftel"
        End If
    ElseIf (SubSystem = "入稿") Then
        If (EnvSelect = "商用") Then
            Env = "https://next.rikunabi.com"
        ElseIf (EnvSelect = "PT") Then
            Env = "http://ptphcm.rnn.raftel"
        ElseIf (EnvSelect = "PT2") Then
            Env = "http://pt2phcm.rnn.raftel"
        ElseIf (EnvSelect = "PT3") Then
            Env = "http://pt3phcm.rnn.raftel"
        ElseIf (EnvSelect = "SI") Then
            Env = "http://siphcm.rnn.raftel"
        ElseIf (EnvSelect = "SI2") Then
            Env = "http://si2phcm.rnn.raftel"
        ElseIf (EnvSelect = "RT") Then
            Env = "http://rtphcm.rnn.raftel"
        End If
    End If

    nowtime = Format(Now, "yyyymmddHHMMSS")
    folderPath = Application.ActiveWorkbook.Path
    batchName = folderPath & "\shell\" & batchName
    outputPath = folderPath & "\output\" & nowtime
    Screen = SubSystem & "_" & EnvSelect
    inputDataPath = folderPath & "\input"
    retval = Shell("powershell -ExecutionPolicy Bypass  " & batchName & " " & nowtime & """ -Env """ & Env & """ -inputPath """ & inputDataPath & """ -outputPath """ & outputPath & """", vbNormalNoFocus)

End Sub



Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    With Sheet3.ComboBox1
        .AddItem "個人"
        .AddItem "企業"
        .AddItem "入稿"
    End With
       
    With Sheet3.ComboBox2
        .AddItem "商用"
        .AddItem "PT"
        .AddItem "PT2"
        .AddItem "PT3"
        .AddItem "SI"
        .AddItem "SI2"
        .AddItem "RT"
    End With
    
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 30720 bytes
SHA-256: 5aff4ed7f3078ce2f4a31de1ec69bc0b9a2fde85fa517f0045de36fa9043b444
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 4240 bytes
SHA-256: 111f5e501e01e7ecb0263f7ca01c49fb3b9d7a25f2520760aad56296b0055e4b
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 2688 bytes
SHA-256: 3c5d4bcee76443f80a05983576d068e07ceef500277b3cf6b6ec9673ac10a90a
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 2656 bytes
SHA-256: 16d83ea32ecadaaaeb309bf791b2aabbece20a4dd33f097f6ab20bcfe87bc8a6
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 4252 bytes
SHA-256: 3906e4e2200eed03c3e5b3eb6c4131169f719cf61a2e83c10d859bcf28b28144