Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7c5c37896ade3681…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 82.1 KB
Created: 2021-07-13 12:00:46 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0b08c71a2e5f4cd9f5441f5cdc9745b2
SHA-1: 3998bfd591cb500f003665b1dfdee3f14b879832
SHA-256: 7c5c37896ade36815d25fe7cdb33c90215314a371b64e98694af6942360b5637
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The OOXML document carries a VBA project whose Workbook_Open macro runs automatically when Excel opens the workbook (subject to the user's macro security setting). The macro references PowerShell and cmd.exe and calls CreateObject, the usual pattern for obtaining a shell object and executing a command line, typically to download and run a second-stage payload. The decoded source also contains the 'VBA RunPE' script, a VBA implementation of the RunPE process-hollowing technique that runs a PE image from memory inside a newly created host process, so the macro can execute external code without a conventional dropped executable. The extracted URLs are the references that script cites (the itm4n VBA-RunPE repository, PE header structure pages and MSDN API documentation) rather than download or command-and-control endpoints; their presence corroborates the RunPE loader rather than pointing to infrastructure. Taken together, this is a macro built to execute attacker-supplied code on open, not a benign automation workbook.

Heuristics (7)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose VBA source cannot be extracted, where the source-level checks above have nothing readable to inspect.
  • OOXML_VBA (medium): VBA project inside OOXML
    The document contains a VBA project, i.e. VBA macros are present.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://github.com/itm4n/VBA-RunPE
    • https://github.com/hasherezade/
    • https://www.codestack.net/visual-basic/algorithms/data/encoding/base64/
    • https://www.codestack.net/license/
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
    • https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
    • https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
    • https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx
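To make the source-level heuristics above concrete, here is an added example (my own code, not the scanner's and not oletools) that re-derives the OOXML_VBA, OLE_VBA_WBOPEN, OLE_VBA_PS, OLE_VBA_CMD, OLE_VBA_CREATEOBJ and EMBEDDED_URL labels, plus the auto-exec-with-execution-token condition, on a constructed macro and a constructed in-memory .xlsm container. The regexes are my approximation of what each label checks, not the scanner's actual rules; the sample macro, its URLs and the placeholder vbaProject.bin body are all constructed. The p-code label (OLE_VBA_PCODE_AUTOEXEC_EXEC) is deliberately not reproduced: that needs the OLE container and module streams parsed (olevba decompresses the MS-OVBA source; inspecting the p-code itself needs a disassembler such as pcodedmp), so this example evaluates the same condition on decoded source only.

```python
"""Re-derivation of the report's OOXML/VBA heuristics on constructed input.

Added example; not the scanner's code. The regexes approximate the report's
labels and are assumptions, not its actual rules.
"""
import io
import re
import zipfile

# Auto-execution entry points for Excel and Word (AutoExec/AutoOpen are Word's).
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(Workbook_Open|Auto_Open|Document_Open|AutoOpen|AutoExec)\b",
    re.IGNORECASE)
# Execution tokens, with the severity the report assigns to each label.
SOURCE_RULES = [
    ("OLE_VBA_PS", "critical", re.compile(r"powershell", re.IGNORECASE)),
    ("OLE_VBA_CMD", "high", re.compile(r"\bcmd(?:\.exe)?\b", re.IGNORECASE)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.IGNORECASE)),
]
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""")
# "abc" & "def" (optionally split across a _ line continuation) -> "abcdef"
CONCAT_RE = re.compile(r'"([^"\r\n]*)"\s*&\s*(?:_\s*\r?\n\s*)?"([^"\r\n]*)"')


def find_vba_projects(ooxml_bytes: bytes) -> list[str]:
    """OOXML_VBA: list zip members that are VBA project binaries.

    Office stores macros as an OLE file named vbaProject.bin under xl/, word/
    or ppt/. The member name is matched case-insensitively because the zip
    container does not normalise it.
    """
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def normalise_vba(src: str) -> str:
    """Fold literal concatenation ("pow" & "ershell") so the token checks see
    the joined string; iterates to a fixed point for longer chains."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def score_vba_source(src: str) -> dict:
    """Apply the source-level heuristics to decoded VBA text (a macros.bas)."""
    text = normalise_vba(src)
    findings = []
    autoexec = AUTOEXEC_RE.search(text)
    if autoexec:
        findings.append(("OLE_VBA_WBOPEN", "high", autoexec.group(1)))
    exec_hit = False
    for hid, sev, rx in SOURCE_RULES:
        m = rx.search(text)
        if m:
            findings.append((hid, sev, m.group(0)))
            exec_hit = True
    # Dedupe URLs and strip trailing punctuation the regex swallows.
    urls = []
    for u in URL_RE.findall(text):
        u = u.rstrip(".,;")
        if u not in urls:
            urls.append(u)
    if urls:
        findings.append(("EMBEDDED_URL", "info", "%d url(s)" % len(urls)))
    return {
        "findings": findings,
        "urls": urls,
        # Same condition as the report's auto-exec + execution-token label,
        # evaluated here on source rather than on the p-code stream.
        "autoexec_with_exec": bool(autoexec) and exec_hit,
    }


# Constructed sample macro modelled on the behaviour the report describes.
SAMPLE_MACRO = r'''
Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "cmd.exe /c pow" & "ershell.exe -nop -w hidden -c iex(...)", 0
End Sub
' https://github.com/itm4n/VBA-RunPE
' https://github.com/itm4n/VBA-RunPE.
'''


def build_sample_xlsm() -> bytes:
    """Construct a minimal macro-enabled workbook container in memory.
    Only the members needed by find_vba_projects are present, and the
    vbaProject.bin body is a placeholder, not a real OLE compound file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("vba projects:", find_vba_projects(build_sample_xlsm()))
    for hid, sev, evidence in score_vba_source(SAMPLE_MACRO)["findings"]:
        print(f"{hid:<22} {sev:<8} {evidence}")
```

On a real sample, the text fed to score_vba_source is what olevba prints for the module (the macros.bas artifact below is exactly that output). Two caveats worth keeping in mind: the concatenation folding is the minimum needed to defeat the split-string trick in the constructed macro, and real loaders use Chr(), StrReverse or Replace chains that this does not fold; and none of the source-level checks survive VBA stomping, where the compressed source is overwritten while the p-code still executes, which is the gap the p-code heuristic in the list above exists to close.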

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename:  macros.bas
SHA-256:   17520e413bebd7a2b274a18c8bfb1780b46b93e30b7bf043e4a8cefe423c78de
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size:      55432 bytes

Filename:  vbaProject_00.bin
SHA-256:   88604d76812e1d47caa15d81131fbde63fb88f96b7a1a11d24eb652ea0dab277
Kind:      vba-project
Source:    OOXML VBA project: xl/vbaProject.bin
Size:      167424 bytes