Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7ea99e5fd4648d5e…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 236.8 KB
Created: 2020-11-29 02:01:40 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 50bc3b035e6d2f563fd26d5780955b9b
SHA-1: 9264ff492fa048cb0f963ff5fb7f0be13c3d545e
SHA-256: 7ea99e5fd4648d5e5a7bf62eecacd606aa2ef1dfd3221a7927398f2cbf7f5434
Risk score: 282

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is an Office document containing VBA macros. Critical heuristics indicate the use of Shell(), URLDownloadToFile, and an obfuscated shell command containing a URL. This suggests the macro is designed to download and execute a second-stage payload from the URL http://www.ssitools.com/helpandsuport/ipmdar/. The document body appears to contain project-management data, most likely serving as a lure.

Heuristics (7)

  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
  • [critical] OLE_VBA_OBFUSCATED_SHELL_URL: Obfuscated VBA Shell command with URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [high] OLE_VBA_GETOBJ: GetObject call
  • [medium] OOXML_VBA: VBA project inside OOXML
    Document contains a VBA project — VBA macros present
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (macro): http://www.ssitools.com/helpandsuport/ipmdar/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 67a836200eebc0ed2f9b51b6316a44d5e1a66d15b56b9a3cc23bc3990f62f558
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 161804 bytes

Filename: vbaProject_00.bin
SHA-256: 8c77e341c0aeffd499146ab35a22a7116901aea16af7db34de98184dc374ebd0
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 599552 bytes