Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 86428e81d4b4cecb…

MALICIOUS

Office (OOXML)

Size: 113.0 KB
Created: 2016-08-25 13:15:01 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-06-13
MD5: cc6aecc0c9221081a34ed94a1f12635b
SHA-1: 5f988c9995c3894c10fb7739de1b9c0e21b0b3e2
SHA-256: 86428e81d4b4cecbb3791ca96433dd4b6f1ca0af6756be595be3b6753da8f062
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OOXML document containing VBA macros, indicated by the 'OOXML_VBA' heuristic. The 'OOXML_EXTERNAL_REL' heuristic flags an external relationship to a local file path, which is suspicious. The VBA code includes a `Worksheet_Change` event that triggers `UpdateMap`, which in turn manipulates shape transparencies based on cell values. While the document body contains tabular data, the primary malicious indicator is the presence and execution of VBA macros, suggesting an attempt to execute code within the spreadsheet environment.

Heuristics 2

  • External relationship (severity: high, heuristic: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///E:\Relatório de Alerta de Garantia.xlsx
  • VBA project inside OOXML (severity: medium, heuristic: OOXML_VBA)
    Document contains a VBA project; VBA macros present

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1492 bytes
SHA-256: 81b189d767181b7e5a1d5be1e73ac80f46f57062298b4365aea0920eb353592d
First 1,000 lines of the extracted script
Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Change(ByVal Target As Range)
Application.Run "UpdateMap"
End Sub


Attribute VB_Name = "Plan2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Módulo1"


Sub UpdateMap()
Dim myCell As Range
 
  Application.ScreenUpdating = False
 For Each myCell In _
 Range("MapShapeToTransparency").Columns(1).Cells
 Sheets("Brasil Mapa").Shapes(myCell.Value).Fill.Transparency = _
 Application.WorksheetFunction.VLookup(myCell.Value, _
 Range("MapShapeToTransparency"), 2, False)
 Next myCell
 Application.ScreenUpdating = True
  
End Sub

Sub Atualizar()

Application.Run "UpdateMap"

End Sub



Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 21504 bytes
SHA-256: 4305b5f86e8dedc1de239244a0b5c202ba35ed1412a9389e5dc786e745f3e8ca