Office (OOXML) malware analysis — malicious · 941e6a2ecbb9f833

MALICIOUS

Office (OOXML)

26.4 KB Created: 2021-08-18 02:04:39 UTC Authoring application: Microsoft Excel 16.0300

MD5: ecf02070905a51a531a4dc4292787689 SHA-1: 8b77c26aba727a696aa5037a29b0b712fb42a67e SHA-256: 941e6a2ecbb9f833dc64e53bc8b4ee814d633359bf4baafb408c8edeefa6c414

610 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1071.001 Web Protocols

The sample is an Office document containing a VBA macro with an Auto_Open subroutine. This macro utilizes WScript.Shell and CreateObject to download a file from the specified URL and save it to the temporary directory as 'Details.dat'. It also attempts to create 'LeakDetails.dat' and 'leakdetails.log'. The presence of Shell() calls, WMI process creation, and HTTP download/save functionality strongly indicates a downloader or credential harvesting payload.

Heuristics 14

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `d703a26ef28ec81ce3cf63cc7220871fe64bc94efc81b0cfffa1e445170e477f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	4717 bytes
`vbaProject_00.bin` `f5018d8ef3652fa7ee12ed3d74c8acdefa8bea542d99e8c9e715359971556e01`	vba-project	OOXML VBA project: xl/vbaProject.bin	18432 bytes
Detection ClamAV: Doc.Downloader.Valyria-10026858-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.