Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9e17dda31f2d6d3c…

MALICIOUS

Office (OOXML)

336.2 KB Created: 2017-08-24 23:40:34 UTC Authoring application: Microsoft Excel 16.0300
MD5: de5a245637af4f85fd3479ea45c95e36 SHA-1: 2c99fe4cbd291a15148e5ae6f564cd81c47b4e45 SHA-256: 9e17dda31f2d6d3c6ff3a59c84b7c135a123ad4eaaffab392cdf032616278e87
402 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols T1566.001 Spearphishing Attachment

The sample is an Excel file containing a Workbook_Open macro that attempts to download and install a malicious add-in. It uses VBA functions like Shell(), CreateObject(), GetObject(), and CallByName() to achieve this. The macro also includes logic to prompt the user to visit a URL, likely to download a malicious payload or further compromise the system.

Heuristics 10

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML medium OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://api.github.com/repos/finboxio/xlam/releases
    • https://github.com/finboxio/xlam/releases/download
    • https://github.com/timhall/VBA-Dictionary
    • https://github.com/VBA-tools/VBA-Web
    • https://api.example/com/v1/messages/123
    • https://github.com/VBA-tools/VBA-Web/wiki/XML-Support-in-4.0
    • https://github.com/VBA-tools/VBA-Web/wiki/Url-Encoding
    • http://www.di-mgt.com.au/src/basMD5.bas.html
    • https://github.com/VBA-tools/VBA-JSON
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • https://github.com/finboxio/xlam/releases/download�
    • https://github.com/VBA-tools/VBA-Webm
    • https://github.com/VBA-tools/VBA-WebO
    • https://github.com/VBA-tools/VBA-Weba
    • https://appsource.microsoft.com/en-us/product/office/WA200001556?tab=Overview
    • http://www.opensource.org/licenses/mit-license.php
    • http://msdn.microsoft.com/en-us/library/office/gg278481(v=office.15).aspx
    • https://www.example.com/api/
    • https://api.example.com/v1/messages
    • https://api.example.com/v1/users/id
    • https://api.example.com/v1/
    • https://msdn.microsoft.com/en-us/library/aa383770(VS.85).aspx
    • http://curl.haxx.se/libcurl/c/libcurl-errors.html
    • https://api.example.com/v1/messages/1
    • http://msdn.microsoft.com/en-us/library/windows/desktop/aa384059(v=vs.85).aspx
    • https://api.example.com/
    • https://api.example.com/messages
    • https://api.example.com/messages/123?a=1&b=2
    • https://tools.ietf.org/html/rfc6265
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
    • http://support.microsoft.com/kb/269370
    • https://api.example.com/v1/peeple/{id
    • https://tools.ietf.org/html/rfc3986
    • https://www.w3.org/TR/html5/forms.html#application/x-www-form-urlencoded-encoding-algorithm
    • https://www.w3.org/International/URLUTF8Encoder.java
    • https://www.google.com/a/b/c.html?a=1&b=2#hash
    • http://stackoverflow.com/questions/8246340/does-vba-have-a-hash-hmac
    • http://code.google.com/p/vba-json/
    • http://www.ietf.org/rfc/rfc4627.txt
    • https://support.microsoft.com/en-us/kb/272138
    • https://groups.google.com/d/msg/microsoft.public.winhttp/ZeWN2Xig82g/jgHIBDSfBwsJ
    • https://stackoverflow.com/questions/10612502/error-when-closing-an-opened-workbook-in-vba-userform
    • http://www.opensource.org/licenses/mit-license.php�
    • http://msdn.microsoft.com/en-us/library/office/gg278481(v=office.15).aspx�
    • http://www.opensource.org/licenses/mit-license.php)�
    • https://tools.ietf.org/html/rfc6265�
    +2 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5ed020d411a7880c48e42ac2c36bd3bed6c2517df1629633df9069c505e6b7f4		 vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 279333 bytes
vbaProject_00.bin
29b0e8ab836b025f03402898e24229bfc302e0288e2fa90a7ec801b66b744f01		 vba-project OOXML VBA project: xl/vbaProject.bin 797184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.