Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7caa280384cad4dc…

MALICIOUS

Office (OOXML)

Size: 3.93 MB
Created: 2017-08-15 07:24:24 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-01-07
MD5: 4229fb0c0d7cfe1743de282a4050bd12
SHA-1: c7b9c4fefb90c5125496413694d0a11221158053
SHA-256: 7caa280384cad4dc042f06e4c35636400661f8dd20b15ba45c6b52ad1fb12590
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Malware.Valyria-10032137-0. Static analysis revealed the presence of VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of hidden worksheets further suggests an attempt to conceal malicious components.

Heuristics (4)

  • ClamAV: Xls.Malware.Valyria-10032137-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10032137-0
  • VBA project inside OOXML [medium, OOXML_VBA] (1 related finding)
    Document contains a VBA project — VBA macros present
  • Workbook_Open macro [high, OLE_VBA_WBOPEN]
    Workbook_Open macro present
  • Hidden worksheet [low, OOXML_HIDDEN_SHEET]
    Excel workbook contains 12 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 362345 bytes
SHA-256: 9f2e17c77d7c52e2ef3c2e2b6fc17abf59a3f36ede5501a5b61d013898e57f7b
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "shtScreenCommon"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

'******************************************************************************
'*** Change history
'***  Ver9.99 yyyy/mm/dd name Add/Change/Delete NNNNNNNNNN
'***  Ver2.10 2019/03/03 tsutsumi Change  Support for the Japanese era-name change
'******************************************************************************

'------------------------------------------------------------------------------
'
' Button press handlers
'
'------------------------------------------------------------------------------
'
'Check input contents
Public Sub ButtonClick_CheckInput()

    'Pre-processing
    Call BeforeProcessing
    
    'Input check
    Call CheckInputMain(False)

    'Post-processing
    Call AfterProcessing
    
End Sub

'Go to the detail input screen
Public Sub ButtonClick_TransitionInputIndividual()

    'Pre-processing
    Call BeforeProcessing
    
    'Unprotect sheet
    Call SheetUnProtection(shtScreenIndividual)
    
    'Input check + screen transition
    Call CheckInputMain(True)
       
    'Protect sheet
    Call SheetProtection(shtScreenIndividual)
    
    'Post-processing
    Call AfterProcessing

End Sub

'Go to the menu screen
Public Sub ButtonClick_TransitionMenu()

    'Pre-processing
    Call BeforeProcessing
    
    'Go to the menu screen
    Call ScreenTransition(shtScreenCommon, shtScreenMenu)
    
    'Post-processing
    Call AfterProcessing
    
End Sub

'------------------------------------------------------------------------------
'
' Main processing
'
'------------------------------------------------------------------------------
'
'Input check main routine
Private Sub CheckInputMain(transition As Boolean)

    On Error GoTo ErrRtn
    
    'Input check
    If CheckInput = False Then Exit Sub
    
    'Go to the detail input screen (individual item input)
    If transition = True Then
        
        'Initialization
        Call shtScreenIndividual.Init
        
        'Screen transition
        Call ScreenTransition(shtScreenCommon, shtScreenIndividual)
        
        'Set button text
        Call shtScreenIndividual.SetButtonString
    End If
    
    Exit Sub
    
ErrRtn:
    MsgBox (GOTO_ERROR_MSG & vbCrLf & Err.Number & Err.Description)

End Sub

'------------------------------------------------------------------------------
'
' Public functions
'
'------------------------------------------------------------------------------
'
'Set data
Public Sub SetData()

    Dim tmp As String
    Dim l As Long
    
    'Policy number
    shtScreenCommon.Range(SHT_COMMON_RG_証券番号).Value = _
        "証券番号:" & shtDataSystem.Range(SHT_SYSTEM_RG_証券番号).Value
        
    'Policyholder name
    shtScreenCommon.Range(SHT_COMMON_RG_契約者名).Value = _
        "契約者名:" & shtDataSystem.Range(SHT_SYSTEM_RG_契約者名).Value
        
    'Insurance period / payment method
    shtScreenCommon.Range(SHT_COMMON_RG_保険期間_払込方法).Value = _
        "保険期間:" & shtDataSystem.Range(SHT_SYSTEM_RG_保険期間).Value & GetPayment
        
    'Maturity date
    tmp = shtDataContract.Cells(enSHT_CONTRACT_RW.e共通, enSHT_CONTRACT_COM_CL.e満期).Value
'Ver02.20 2019/03/22 TSUTUSMI Add S
'Ver02.10 2019/03/03 TSUTUSMI Add S
'    l = CLng(Mid$(tmp, 1, 4))
'    l = l - 1988
    tmp = Mid$(tmp, 1, 4) & Mid$(tmp, 5, 2) & Mid$(tmp, 7, 2)
    tmp = ChangeDateSlash(tmp)
    If IsDate(tmp) = True Then
        tmp = Format$(tmp, "geemmdd")
        'tmp = Format$(tmp, "gemmdd")'
    End If
'Ver02.10 2019/03/03 TSUTUSMI Add E
'Ver02.20 2019/03/22 TSUTUSMI Add E
    shtScreenCommon.Range(SHT_COMMON_RG_満期日).Value = tmp
'    shtScreenCommon.Range(SHT_COMMON_RG_満期日).Value = _
'         Trim$(Right$(Space(6) & shtDataContract.Cells(enSHT_CONTRACT_RW.e共通, _
'         enSHT_CONTRACT_COM_CL.e満期).Value, 6))
    
    'Period-end lump-sum settlement category
    shtScreenCommon.Range(SHT_COMMON_RG_期末一括精算区分).Value = _
         shtDataContract.Cells(enSHT_CONTRACT_RW.e共通, enSHT_CONTRACT_COM_CL.e期末一括精算区分).Value
    If Trim$(shtScreenCommon.Range(SHT_COMMON_RG_期末一括精算区分).Value) = "1" Then
        shtScreenCommon.Range(SHT_COMMON_RG_期末一括精算区分).Value = "2"
 
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 595968 bytes
SHA-256: 307c869ec5212b8cf21701dccb3b902311b25b41babddab1eed3e4a8b76f80f3
Detection
ClamAV: Xls.Malware.Valyria-10032137-0
Obfuscation or payload: unlikely