Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 892d2d135aaf8122…

MALICIOUS

Office (OOXML)

Size: 2.20 MB
Created: 2001-09-21 19:06:58 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-22
MD5: 6ffc82d4d6538c7ba4839b31addd9d56
SHA-1: d1a8329489aec5b8614957aa42a8b0b332eeb80e
SHA-256: 892d2d135aaf8122365ee4b191d91576d7d7a166364840d556666f4ed9460521
Risk Score: 410

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1140 Deobfuscate or Obfuscate Malicious Code

The file is an OOXML document containing a highly obfuscated VBA macro loader. The macro utilizes `WScript.Shell` and `CreateObject` to execute commands, indicative of a dropper. The presence of an `Auto_Open` macro and the use of `Shell()` strongly suggest it's designed to execute a secondary payload upon opening. The embedded URLs are likely C2 servers or download locations for this payload. The ClamAV detection 'Doc.Dropper.Agent-7202253-0' further supports its malicious nature.

Heuristics (11)

  • ClamAV: Doc.Dropper.Agent-7202253-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7202253-0
  • VBA project inside OOXML [medium, 6 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Hidden worksheet (hidden, veryHidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 17 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (each labelled with the channel that reached it):
    • https://www.rockportsys.com/ExcelServices/ (in document text: OOXML body / shared strings)
    • https://www.rockportsystem.com (in document text: OOXML body / shared strings)
    • https://www.rockportsys.com/ (in document text: OOXML body / shared strings)
    • http://www.therockportgroup.com/ (in document text: OOXML body / shared strings)
    • https://www.rockportsystem.com9 (in document text: OOXML body / shared strings)
    • https://www.rockportsys.com/� (in document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1495421 bytes
SHA-256: 4dfa58d8c85613b620dca2c30f96c9d1ff8543253100ef8833fdaefb5db5a8e8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Const WKSSPECSNAME = "PAbookMarks"
Const RNGSPECSNAME = "MenuSpecs"

Dim rngSpecs As Excel.Range

'2013-03-22 Added 'Hide' parameter to procudures to hide from outside Macro box.

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
    'CreateRightClickMenu sh
    CreateGenericMenu Sh, "", True
End Sub

Sub Workbook_Activate() 'JDL 7/12/11
    
    SaveRestrictionOverride = False
    
    If Not Custom_Menus_Enabled() Then Add_Custom_Menu
    
'    If RunningOnHostServer() Then DisableMenusAndButtons

    If Application.CutCopyMode = False Then Application.Calculate
End Sub

'Private Sub Workbook_BeforeClose(Cancel As Boolean)
'    If RunningOnHostServer() Then Me.Saved = True
'End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    
    If SaveAsUI Then
    
        Dim saveAsName As String

        If ThisWorkbook.fileFormat = 52 Then
            saveAsName = Application.GetSaveAsFilename(fileFilter:="Underwriting Model (*.xlsm), *.xlsm")
        Else
            saveAsName = Application.GetSaveAsFilename(fileFilter:="Underwriting Model (*.xls), *.xls")
        End If
        
        If saveAsName <> "False" Then
        
            On Error GoTo SaveErrorHandler
                    
            'Application.DisplayAlerts = False      ' Disable alerts
                      
            ThisWorkbook.SaveAs fileName:=saveAsName, fileFormat:=ThisWorkbook.fileFormat

            'Application.DisplayAlerts = True       ' Enable alerts
        End If
        
        Cancel = True
    End If
    
    Exit Sub
    
SaveErrorHandler:
    If Err.Number = 1004 Then
        ' The user decided to click on No or Cancel, just abort the save process
        'Application.DisplayAlerts = True
        Cancel = True
    End If
End Sub

Private Sub Workbook_Deactivate()   'JDL 7/12/11
    On Error GoTo Deactivate_End
    With Excel.Application
        .CommandBars("Worksheet Menu Bar").Reset
        .OnKey "^+i", ""
        .OnKey "^+d", ""
        .OnKey "^+a", ""
        .OnKey "^+s", ""
        .OnKey "^+r", ""
        .OnKey "^+p", ""
        .OnKey "^+{PGDN}", ""
        .OnKey "^+{PGUP}", ""
        .OnKey "^+m", ""
    End With
    DeleteRightClickMenu
Deactivate_End:
End Sub

Sub Add_Custom_Menu(Optional Hide As Boolean = True)

    Dim mnuTemp As Object
    Dim j As Long
    Dim x1 As String
    Dim x2 As String
    Dim x3 As String
    Dim x4 As String
    Dim x5 As Boolean
    Dim x6 As Boolean
    Dim x7 As String
    
    'Create custom menu
    '------------------
    Excel.Application.CommandBars("Worksheet Menu Bar").Reset
    
    'Excel.Application.CommandBars("Worksheet Menu Bar").Reset
    'Copied form Add_Custom_Menu - worked in my environment
    
    On Error Resume Next
    Excel.Application.CommandBars("Rockport").Delete
    Set mnuTemp = Excel.Application.CommandBars.Add("Rockport", msoBarPopup, False, True)
    On Error GoTo 0
    
    Set mnuTemp = Excel.Application.CommandBars("Worksheet Menu Bar").Controls.Add( _
        Type:=msoControlPopup, _
        before:=10, _
        Temporary:=True)
    
    With mnuTemp
        .Caption = "&Rockport"
        .Tag = "tag_Main"
    End With

    'Create submenus
    '------------------
    Set rngSpecs = ThisWorkbook.Worksheets(WKSSPECSNAME).Range(RNGSPECSNAME)

    For j = 1 To rngSpecs.Rows.Count
    
        x1 = CStr(rngSpecs.Cells(j, 1).value)
        x2 = CStr(rngSpecs.Cells(j, 2).value)
        x3 = CStr(rngSpecs.Cells(j, 3).value)
        x4 = CStr(rngSpecs.Cells(j, 4).value)
        x5 = CBool(rngSpecs.Cells(j, 5).value)
      
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 3256320 bytes
SHA-256: 4e9f15a9d06d197cf8333ac79277168eb671095293cf15a2968b408ccb2b9059